
L0phtCrack
Is a password cracker that will
take encrypted Windows NT
passwords and compute the
plain text password.
L0phtCrack – SANS GIAC LevelOne ©2000, 2001


Thank you, and welcome to SANS LevelOne. We will be covering L0phtCrack. Hello, my name is
Eric Cole and I will be explaining L0phtCrack to you. If you have any questions or comments
regarding L0phtCrack please contact me at



Password Cracker Details
• Name: L0pht Crack
• Operating System: Microsoft NT
• Methods: dictionary attack, brute
force attack and hybrid attack.
• Brief Description: A password
cracker that will take encrypted NT
passwords and compute the plain
text password.

L0phtCrack (zero, not the letter O) is an NT password auditing tool. It will compute NT user
passwords from the cryptographic hashes that are stored by the NT operating system. The operating
system does not store the user passwords in their original clear-text form for security reasons. The
actual user passwords are encrypted because they are sensitive information that can be used to
impersonate any user, including the Administrator of the operating system. L0phtCrack computes
the password from a variety of sources using a variety of methods. The end result is a state-of-the-art
tool for recovering the passwords that users use.
L0phtCrack operates in three attack modes to crack a user’s password. They are a dictionary
attack, a brute force attack, and a hybrid attack. Each of these will be covered in detail in later
slides.



Checklist
• The following are the objectives for this course. After
completion a user should understand the following:
– what password cracking is
– why it is important
– methods of password cracking
– weaknesses in Windows NT’s implementation of encryption
– what L0phtCrack is
– how to install and run L0phtCrack
– how L0phtCrack works
– how to protect against password cracking on Windows NT
– password security features in Windows NT
– features of a strong password




How are passwords stored on
a system?
• User passwords must be protected
against:
– unauthorized disclosure
– unauthorized modification
– unauthorized removal

• Solution: Store only encrypted
password

In most companies, passwords are the first and only line of defense to protect their information
and servers. Since most user IDs consist of the first initial / last name of an employee or some
combination, it is fairly easy to find out valid user IDs for individuals at a company. Based on this,
the only other piece of information you need to gain access is a user password. Therefore, they need
to be protected and very hard to guess.
The key things passwords need to be protected against are: unauthorized disclosure, unauthorized
modification, and unauthorized removal. If users write down their passwords or share them with
other people, then the user’s password is compromised and can be used as an entry point into the
system. Being able to modify a password is just as risky because as long as an attacker knows what
password is associated with a user ID, they can use it to gain access. It does not matter if the real
user knows it or not. This is potentially dangerous [for the attacker] because if the user tries to get in
and cannot, they might be suspicious of foul play.
In order to protect passwords, operating systems use encryption, which basically hides the original
content so if someone gets the encrypted password they will not be able to determine what the
original password was.



Encryption 101
• Encryption is the process of converting
plain text into cipher text.
• The goal is to make the original text
unreadable.
• Three basic methods:
– symmetric - single key
– asymmetric - two keys (public and private)
– hash - one way algorithm, no key


This section will cover a brief overview of encryption so that you can understand why and how password
cracking works. For additional details, there are several good cryptography books on the market. (Editor’s
Note: Applied Cryptography by Bruce Schneier is generally considered one of the best references on
cryptography. - JEK)
In its most basic form, cryptography is the process of converting plaintext into ciphertext with the goal of
making the original [plain] text unreadable. Basically, plaintext is the original, “human readable” message
and ciphertext is the unreadable message in its encrypted form.
Therefore, since the goal of passwords is to make them unreadable, they are stored in encrypted form.
There are three basic types of encryption. Symmetric encryption uses a single key to encrypt and decrypt the
message. If two people wanted to communicate, they would both have to have the same key and one person
would use it to encrypt the message and the other person would use the same key to decrypt it. (Editor’s note:
Symmetric encryption is also known as private key cryptography because a single, private key is used for
encryption and decryption. – JEK)
Asymmetric encryption uses two keys, a public and a private key. The public key is given to everyone and is
used only to encrypt. The private key is known by only the owner and is used to decrypt messages. (Editor’s
note: Asymmetric encryption is also known as public key cryptography because it uses both a private key and
a public key to encrypt and decrypt information. – JEK)
Hash functions are considered one-way functions because they perform a one-way transformation of
information that is irreversible. Basically, given an input string, the hash function would produce a fixed-length
output string, and from the output string there is no way to determine the original input string. NT uses
hashing to store its passwords. Basically, it would take a user’s password, run it through a hash algorithm, and
store the hash of the password. When someone tries to log on to the system, it takes the password the user
enters, runs it through the hash, and if there is a match then it is the same password.



What is password cracking?
• Guessing someone's plain text
password when you only have the
encrypted password.
• General method one:
• find valid user ID
• create list of possible passwords
• try typing in each password
• if system allows you in - success
• if not try again

Password cracking is the process of trying to guess or determine someone’s plaintext password
when you only have their encrypted password.
The general method for this is the following:
• find a valid user ID
• create list of possible passwords
• try typing in each password
• if the system allows you in – success!!
• if not – try again.
(Editor’s note: A distinction is sometimes drawn between password guessing, where the attacker
actually tries to log in with various passwords; and password cracking (discussed in the next slide),
where the attacker obtains a copy of the encrypted password file or database and attempts to derive
passwords from their encrypted form (i.e., “crack” the encryption, generally by taking a group of
passwords, generating the hash values, and comparing the generated hashes to those in the
password database to see if there is a match). – JEK)



What is password cracking? (cont)

• General method two:
• find valid user ID
• find encryption algorithm used
• obtain encrypted password
• create list of possible passwords
• encrypt each password
• see if there is a match

• Tips
• pre-compute dictionary
• pre-compute encrypted passwords
• automate

Another method is to:
• find a valid user ID
• find encryption algorithm used
• obtain encrypted password
• create a list of possible passwords
• encrypt each password
• see if there is a match.
So, tips for speeding this process up include:
• pre-compute a password dictionary
• pre-compute a list of encrypted passwords
• automate the process.




Methods of Password Cracking
• Dictionary attack
• Hybrid attack
• Brute force attack


The fastest method for cracking passwords is a dictionary attack. This is done by testing all the
words in a dictionary or word file against the password hashes. When it finds the correct password,
it displays the result. There are lots of sites that have downloadable dictionaries you can use.
The second method to crack passwords is called a hybrid attack. This builds upon the dictionary
method by adding numeric and symbol characters to dictionary words. Many users choose
passwords such as "bogus11" or ”he11o!!” (where the letter “l”s are replaced by numeric ones).
These passwords are just dictionary words slightly modified with additional numbers and symbols.
The hybrid crack rapidly computes these passwords. These are the types of passwords that will pass
through many password filters and policies, yet still are easily crackable.
The final and most powerful cracking method is the brute force method. This method will always
recover the password, no matter how complex. It is just a matter of time. Really complex passwords
that use characters that are not directly available on the keyboard may take so much time that it is not
feasible to crack them on a single machine using today's hardware. But most complex passwords
can be cracked in a matter of days. This is usually much shorter than the time most administrators
set their password policy expiration time to. Using a real-world cracking tool is the only good way
to know what time one should set for password expirations.




Why is password cracking useful?
• Audit strength of passwords
• Recover forgotten password
• Recover unknown password
• Migrate users
• Checks and balances


There are many uses for computing user passwords. First and foremost is for a system administrator
to audit the strength of the passwords that their users are using. There are password filters for NT,
but how do you know how well you have chosen a filter? Without testing the passwords generated
by users against a real-world password cracker, you are guessing at the time it will take an external
attacker or malicious insider to uncover the passwords. Other uses include recovering a forgotten
password, retrieving the password of a user in order to impersonate them, or migrating NT users to
another platform such as Unix.



NT Password Cracking
• All passwords are crackable

• NT’s design just makes it easier
– passwords broken into two seven-character pieces
– no salt (or randomness): two
identical passwords will be encrypted
the same way

All passwords are crackable from a brute force perspective. The question is, how long does it take? The goal
with encryption is to make the time needed to perform a brute force attack so long that it is unfeasible for
someone to do – or make the time long enough that by the time they crack it the usefulness of the information
has expired.
NT has two major design flaws in how they implement their encryption that allow someone to crack
passwords quicker than it would normally take. The first thing is that since they make their operating systems
downward-compatible with previous versions of Windows, they use the LAN Manager storage scheme which
breaks a password down into two seven-character words. This incredibly weakens the strength of a password.
Now, instead of trying to crack someone's password that is 10 or 12 characters long, you only have to crack
two seven-character [or less] passwords, which is much easier. Also, cracking passwords with just letters is
much easier than cracking passwords with numbers and special symbols. Therefore, a single password with
numbers and special characters is very hard to crack. But because NT breaks up the password and because
most people put numbers or special characters at the end, it makes it easier to crack. For example, to crack
password#7, you have to crack passwor (which is fairly easy) and you have to crack d#7 (which is harder,
but since it is so short it is still easy to do).
The second issue is when you encrypt a password there is something used called a salt which is meant to make
passwords a little harder to guess. A salt is a random string that is combined with a password before it is
encrypted. This is meant to randomize the password. This way, if two people have the same password, they
would have different salts and their passwords would be stored differently. Microsoft does not use a salt, so if
two users have the same password they will be encrypted the same way. This is a tremendous cost savings
because now you only have to encrypt each word once, and if a user has that password there will be a match.
If salts were used, I would have to find out the salt for the user; and then encrypt all possible passwords with
that salt to see if there was a match; and once there was, I would have to move on to the next user and do the
same thing. As you can see, this would take a much longer time to perform.
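As an added example (not from the course notes or from L0phtCrack itself), the following Python models the two weaknesses just described, the hash-and-compare logon check from the Encryption 101 notes, and the dictionary-then-brute-force ordering from the Methods slide, over a small constructed user list. It assumes SHA-256 as a stand-in for the DES-based LM one-way function, so the digests are not real LM hashes, and it brute-forces only three characters of the second half to stay fast.

```python
"""Added example: a model of the two LAN Manager weaknesses described in the
notes (two independent 7-character halves, no salt) and of the hash-and-compare
check used at logon. Assumption: SHA-256 stands in for the DES-based LM one-way
function, so the digests are not real LM hashes; users and wordlist are constructed."""
import hashlib
import itertools
import string

HALF = 7
CHARSET = string.ascii_uppercase + string.digits + "!@#$%^&*"  # LM upper-cases input
calls = {"n": 0}  # counts one-way-function evaluations, to compare work factors


def one_way(data: bytes) -> str:
    calls["n"] += 1
    return hashlib.sha256(data).hexdigest()


def half_hash(chunk: str) -> str:
    """Hash one half the way the notes describe LM: upper-case, null-pad to 7 bytes."""
    raw = chunk.upper().encode("latin-1", "replace")[:HALF]
    return one_way(raw.ljust(HALF, b"\0"))


def lm_style(password: str) -> tuple:
    """Two independently hashed 7-character halves, no salt: the NT scheme in the notes."""
    p = password[:2 * HALF]
    return half_hash(p[:HALF]), half_hash(p[HALF:])


def salted(password: str, salt: bytes) -> str:
    """What the notes say NT lacks: a per-user random salt mixed in before hashing."""
    return one_way(salt + password.encode())


def logon_ok(stored: tuple, attempt: str) -> bool:
    """The logon check from the Encryption 101 notes: hash the attempt, compare hashes."""
    return lm_style(attempt) == stored


def candidates(wordlist, max_brute_len=3):
    """Dictionary words first (as LM sees them), then a short brute-force tail that
    covers the number/symbol suffix landing in the second half. A real audit would
    brute-force the full 7 characters; 3 keeps this runnable in well under a second."""
    yield ""  # an all-null second half reveals a password shorter than 8 characters
    for w in wordlist:
        yield w.upper()[:HALF]
    for n in range(1, max_brute_len + 1):
        for tup in itertools.product(CHARSET, repeat=n):
            yield "".join(tup)


def audit_lm(users: dict, wordlist) -> dict:
    """No salt: each candidate is hashed once and looked up against every user's halves,
    so the cost is independent of the number of users (the 'cost savings' in the notes)."""
    wanted = {}
    for user, halves in users.items():
        for idx, h in enumerate(halves):
            wanted.setdefault(h, []).append((user, idx))
    found = {}
    for cand in candidates(wordlist):
        for user, idx in wanted.get(half_hash(cand), ()):
            found[(user, idx)] = cand
    return {u: [found.get((u, 0)), found.get((u, 1))] for u in users}


def demo():
    # Constructed sample: alice and bob chose the same password with different case,
    # carol a short one; the notes' password#7 example splits into PASSWOR and D#7.
    users = {
        "alice": lm_style("password#7"),
        "bob": lm_style("Password#7"),
        "carol": lm_style("hello"),
    }
    wordlist = ["hello", "bogus", "password", "secret"]
    calls["n"] = 0
    result = audit_lm(users, wordlist)
    unsalted_cost = calls["n"]
    # With per-user salts the same candidate list must be re-hashed for every user.
    salted_cost = unsalted_cost * len(users)
    return result, unsalted_cost, salted_cost


if __name__ == "__main__":
    res, unsalted, with_salt = demo()
    for user, halves in res.items():
        print(f"{user}: {halves[0]!r} + {halves[1]!r}")
    print(f"hash evaluations: {unsalted} without salt vs {with_salt} with salts")
```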



L0phtCrack
• Available from www.l0pht.com
(number zero after the letter l)
• 15 day free trial - $100 full version
• Features
– Password cracking
– Dump passwords from Registry
– Sniff passwords off of the network

L0phtCrack (letter o is replaced by number zero) is one of the best NT password cracking programs
on the market for several reasons. First, it is easy to use and has a nice GUI. Second, it takes
advantage of the two design flaws in Microsoft and can crack passwords extremely quickly.
It has a 15 day trial version which lets you “try before you buy,” and then requires a registration fee
of $100.
Some of the key features are:
• password cracking;
• capable of dumping passwords from the Registry;
• sniffs passwords off of the network.




L0phtCrack 2.5 New Features
• Speed increase
• Hybrid cracking
• Added SMB packet capture
• SMB packet capture works on
Windows 9x
• Custom character set
• Accurate cracking status

The latest version of L0phtCrack is version 2.5 and they have added some new features that make it
run faster and make it easier to use. Some of the features are the following:
From the L0pht’s web site:
• Major speed increase. The DES routines have been highly optimized in assembler for Pentium,
Pentium MMX, Pentium Pro, and Pentium II specific processors. This results in a 450% speed
increase. All alphanumeric passwords can be found in under 24 hours on a Pentium II/450.
• A new hybrid cracking method combines the best qualities of dictionary cracking with that of
brute force cracking. Passwords that are dictionary words which have numbers and symbols
appended to them are found in minutes.
• SMB Packet Capture is built into the L0phtCrack graphical interface. Choose a menu item and
start collecting LANMAN password hashes as they travel over the network.
• The SMB Packet Capture now works on Win95/98 machines.
• Custom character sets for brute forcing are supported with an easy UI to set them.
• More accurate cracking status is displayed. This includes the number and percentage of cracked
passwords and the key rate of the crack attempts.




L0phtCrack Performance
• Results for large high tech
company:
• Cracked 90% of the passwords in under 48
hours
• 18% of the passwords cracked in under 10
minutes
• Most domain admin accounts cracked
• Password policy require min of 8 characters
with one numeric or special character.

The above results are from the L0pht’s web site.


Benchmark Results
• Brute force attack on Quad Xeon
400 MHz
– alpha-numeric characters - 5.5 hours
– alpha-numeric-some symbols - 45
hours
– alpha-numeric-all symbols - 480
hours

The above results are from the L0pht’s web site.



Using L0phtCrack
• Installation
• Running L0phtCrack
– pull password file
– load dictionary file
– configure options
– run program

• Analyze results



Installation
• Download the executable zip file from www.l0pht.com
• Unzip the file
• Run setup

– select location of install
– read instructions and follow the defaults

• Double-click on L0phtCrack icon to start
the program

To install L0phtCrack, go to and download the zip file that contains the
executable. Once you download the zip file, use pkunzip or any other compression program to
uncompress the files into a directory. Once the files are uncompressed, run the setup program. The
install program is very straightforward and will walk you through the installation. Once the
installation is complete, you just double-click the L0phtCrack program to run it.
The version you download is a 15-day trial version. In order to continue using L0phtCrack after 15
days and to get additional features, you should register the program. If you look at what you are
getting for $100 it is an unbelievable deal.
L0phtCrack is licensed per machine. Each machine will have a unique L0phtCrack serial number.
The L0pht offers online, telephone and fax registration. When you register you will receive the
unique unlock code for your machine. You enter this code in the L0phtCrack Registration dialog to
unlock the product. In the event you need to move your license to a new machine or OS, you need to
contact and they will send a new unlock code. Therefore if you run
L0phtCrack on multiple machines, you need to get multiple unlocking codes.



Start L0phtCrack


When L0phtCrack starts, the main window appears. The menu bar contains five main menu options.
The following slides will briefly cover each menu item. Since the Edit menu is not used, it will not
be covered.



File Menu
• The File menu contains the
following options:
– Open Password File
– Open Wordlist File
– Import SAM file
– Save and Save As
– Exit

The Open Password File is used to open the file containing the password hashes. This file can be in
either L0phtCrack format (*.lc) or in the format that programs such as PWDUMP create. (Editor’s
note: PWDUMP and PWDUMP2 are tools that can be used to extract password hashes from a
Windows NT system. PWDUMP2 will work even on SYSKEY-enabled systems and on Windows 2000
Active Directory; however, Administrator-level permissions are required to run the software.
PWDUMP can be found by doing a search on the Web; the more powerful PWDUMP2 is available
from – JEK)
The Open Wordlist File opens the file containing all of the words to be used in the dictionary
attack. This type of file is also referred to as a dictionary file. The default dictionary file that comes
with the L0phtCrack distribution is a file named words-english. You should open this file unless you
have your own custom dictionary file you want to use.
The Import SAM file opens a SAM [Security Accounts Manager] file and loads the password
hashes from it. If the file is a compressed file named SAM._ then it will be automatically expanded
on NT but will have to manually be done on Windows 95/98.
The Save and Save As saves the current state of the passwords, whether they are uncracked,
partially cracked or cracked. The file is saved in the L0phtCrack (*.lc) format. This is an ASCII file
that can be edited or imported into various editors and database programs. This file can later be
reloaded into L0phtCrack and continue to be cracked by continuing an interrupted cracking session
or by restarting a new crack session with different crack options.
The Exit option terminates the crack session if any and exits the program.



Tools Menu
• The Tools menu contains the
following options:
– Dump Passwords from Registry
– SMB Packet Capture
– Run Crack
– Stop Crack
– Options

The Dump Passwords from Registry opens a dialog box which accepts an NT computer name or IP
address. The computer specified is queried through remote Registry calls to dump the password hashes
contained in the SAM section of the Registry. Administrator privileges and remote Registry access are
required to dump the password hashes in this way.
The SMB Packet Capture launches the network packet capture window. SMB packet capture
promiscuously monitors your Ethernet for SMB network authentication packets. When it captures an
authentication session, it will display the authentication parameters (username, challenge, and hashes) in the
window. The contents of the window can be saved at any time to a *.lc file using the Save Capture button,
or they can be cleared using the Clear Capture button. When you close the window or press Done the
capture session is terminated.
The Run Crack starts the cracking engine going to work on the password hashes you have loaded. A
progress display shows the status.
The Stop Crack stops a current cracking session. It can be restarted at any time.
The Options dialog contains all the different settings for modifying how L0phtCrack tries to crack the
password hashes. The default configuration is a compromise between yielding most complex passwords vs.
taking significantly more time. Most people will not need to modify the Options until they have tried out the
default settings. Dictionary Attacks are enabled by checking the LANMAN and NTLM checkboxes. These
are checked by default. Dictionary/Brute Hybrid Enabled is checked by default and will yield many simple
dictionary and number/symbol combinations. The default number of numbers and symbols to try
concatenated to each dictionary word is two. This number can be increased, but it will take significantly
longer to crack.
The Brute Force Attack is checked Enabled by default. The default character set is the alphanumeric
characters. You can select one of four predefined character sets ranging from alpha only to all alphanumeric
plus all symbol characters. The larger character sets take a significantly longer time when chosen. You can
also enter in your own custom character set in the combo box by typing each character in. This custom set is
saved with the *.lc file.



Window and Help Menu
• The Window menu contains the
following options:
– Minimize to tray
– Hide, Ctrl+Alt+L to show

• The Help menu contains the following
options:
– About L0phtCrack
– L0phtCrack web site
– L0pht web site

The following two options are available under the Window menu:
The Minimize to tray option minimizes the program to a small icon in the system tray. The
program window is reactivated by clicking on the small icon. This is useful when you are intending
to crack for several days.
If the SMB Packet Capture window is open it is minimized also.
The Hide, Ctrl+Alt+L to show command hides the program window completely. It does not show
up as a program in the task manager. You can make the program visible again using the Ctrl+Alt+L
key combination. If the SMB Packet Capture window is open it is hidden also.
The following three options are available under the Help menu:
The About L0phtCrack command shows the program version information, serial number, and
registration code (if any).
The L0phtCrack Website command launches your browser and brings you to the L0phtCrack
website where you can find updates and additional program information when it becomes available.
The L0pht Website command launches your browser and brings you to the L0pht home page where
you can find out about other L0pht products, search our archives, and read our security advisories.




Extracting the Password Hashes


L0phtCrack must first retrieve the password hashes to start the cracking process. If you have Administrator
rights, you can use the Tools → Dump Passwords from Registry command on the L0phtCrack menu to
retrieve the hashes. You can dump the password hashes from your local machine or over the network if the
remote machine allows network Registry access. Enter the NT machine name or IP address into the Dump
Passwords from Registry dialog box and press OK. The usernames and password hashes are now loaded into
L0phtCrack. If this is the way you have retrieved the password hashes, you may now proceed to crack the
password hashes. This method is shown in the above slide.
NOTE: L0phtCrack 2.5 is limited to dumping and opening 65K users. In addition, large numbers of users can
take a long time. Be prepared to wait a few minutes for greater than 10,000 users.
The second method is to access the password hashes from the file system. Since the operating system holds a
lock on the SAM file where the password hashes are stored on the file system, it is not possible to just read
them from this file while the operating system is running. Sometimes a backup of this file is made on tape or
on an Emergency Repair Disk or in the repair (%systemroot%\repair) directory of the system hard drive. Also,
another operating system such as DOS can be booted from a floppy and the password hashes can be read
directly from the file system. This is especially useful if you have physical access to the machine and it has a
floppy drive.
You load the password hashes from a "SAM" or "SAM._" file into L0phtCrack by using the File → Import
SAM File menu command and specifying the filename. L0phtCrack will automatically expand compressed
"SAM._" files on NT. (NOTE: If you are running on Windows 95/98 you will need to expand the "SAM._"
file to "SAM" using the expand utility on an NT system. The command is expand sam._ sam).
The final method L0phtCrack offers is to capture the encrypted hashes over the network. That will be covered
in the next slide.




Capturing Passwords off
the Network


The final method L0phtCrack offers is to capture the encrypted hashes over the network. Your
machine must have one or more Ethernet devices to access the network. Use the Tools → SMB
Packet Capture command to bring up the SMB Packet Capture window which is shown above.
You will now be capturing any SMB authentication sessions that your network device can capture.
If you are on a switched network, you will only see sessions originating from your machine or
connecting to your machine.
NOTE: If you have a previous version of L0phtCrack installed, you must remove the NDIS packet
driver from the Protocols tab in the Network Control Panel. Other low-level packet drivers that are
known to cause problems are the Asmodeus and ISS packet drivers. You will want to remove them
also.
As SMB session authentications are captured, they are displayed in the SMB Packet Capture
window. The display shows source and destination IP addresses, the user name, the SMB challenge,
the encrypted LANMAN hash and the encrypted NTLM hash, if any. The capture can be saved at
any time using the Save Capture button. To crack these hashes, you must save the capture and then
open the captured file using the File → Open Password command. You can capture and crack other
passwords at the same time.




Extracted Password Hashes


The above screen shows the extracted password hashes.



Loading a Dictionary File


In order to run a dictionary attack, you must select a dictionary file for L0phtCrack to use.
L0phtCrack comes with a small dictionary file called words-english but can use any dictionary.
There are several sites on the Internet that contain large dictionary files you can download.



Options for Cracking Passwords



This slide shows the options for configuring L0phtCrack. The first method L0phtCrack uses to crack
passwords is called a dictionary attack. This method tries to encrypt each word in a dictionary or word file.
It then tests each encrypted word against the password hash. If it gets a match, it knows the user's password is
that dictionary word. L0phtCrack comes with a nice 25,000-word file named words-english that contains
many common words. This file or another word file is loaded into L0phtCrack using the File → Open
Wordlist menu command. The default dictionary file is the words-english file.
After the dictionary attack is completed the hybrid attack begins. The hybrid attack uses simple patterns that
users use when creating passwords from common words. By slightly modifying dictionary words the way
users do, L0phtCrack is able to make educated guesses to decide which passwords to try. An example would
be to try 'BOGUS11'. Many users just append a few numbers or symbols to a dictionary word in an attempt to
make it a non-guessable password. L0phtCrack can guess these passwords quickly – in much less time than it
would take for a brute force attack. L0phtCrack 2.5 checks to see if any number of number and symbol
characters are appended to each word in the word file you have selected. The default number of number and
symbol characters is two. This can be changed by editing the characters box under Dictionary/Brute Hybrid under
the Tools → Options command.
After the dictionary and hybrid attacks have completed, the brute force attack begins. Brute force can take a
long time, but it usually takes far less time than most password policies specify for password changing. This
makes passwords found during the brute force attack still too weak. You may configure the character set that
the brute force attack uses with the Tools → Options command. The default character set is all the
alphanumeric characters and the numbers 0 through 9. The general rule is that passwords’ change interval
should be less than the time it takes to brute force a password.


