

Did a password hash dump in 2008 domain - why some LM and not all NT hashes?

Posted on 2012-08-28
Medium Priority
Last Modified: 2012-09-19
I'm trying to better understand cracking passwords on my domain.  I used a utility to dump all the password hashes to a file, and am now going through them with ophcrack to see if I can break any of them.

My question is some of the passwords have LM hashes and NT hashes, and so of course they're broken in seconds.
Others are JUST NT hashes, so they're taking longer to crack.

Why do some accounts have both NT and LM hashes and others just NT?
Question by:Mystical_Ice

Expert Comment

by:Bruno PACI
ID: 38344780

These accounts were probably already existing when your domain was an NT4 domain, and survived the migration to an AD domain.
In that case, these accounts had an NT hash and this attribute has been conserved until today.

There's a Group Policy that permits you to prohibit storing LM hashed passwords on domain accounts (look at http://support.microsoft.com/kb/299656), but as it does not remove existing "hashes" it will only become effective on the next password change.

So in your case, you should use this policy and add it to "Default Domain Policy" and "Domain Controllers Default Policy" and force everyone to change their password.

Have a good day.

Author Comment

ID: 38346363
If we have a few domain controllers that are running Windows 2003, would that make a difference?  It shouldn't, right?

Our FSMO roles are all held on Windows 2008 R2 servers.

Author Comment

ID: 38346364
Also, some of the newest accounts have LM hashes.  There's one account that's 8 years old (the oldest one we have) and it has no LM hash.

Accepted Solution

Bruno PACI earned 1000 total points
ID: 38346717

As far as I remember, a brand new domain directly created under Windows 2003 will not store LM hash by default... Domains migrated from NT4 will continue to store LM Hash until you force the policy I told you about in my previous post.

I don't know why some recent accounts have LM hash and old accounts don't... anyway, use the policy as explained in the Microsoft article to definitely prohibit LM hash generation.
Then, force users to change their password by any way you want (password expiration, check the box "user must change password at next connection", ...).

Have a nice day.
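
An added example, not part of the original thread: since the policy only takes effect at each account's next password change, a later dump can be checked for accounts that still carry an LM hash. It assumes the utility writes pwdump-style `user:rid:LM:NT:::` lines; the sample lines and function names are constructed for illustration.

```python
import re

# Well-known LM hash of the empty string: what a dump shows when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def has_lm_hash(lm_field):
    """True only if the LM field holds a real (non-empty) LM hash."""
    lm = lm_field.strip().lower()
    # Blank fields or text placeholders written by some dump tools are not hashes.
    return bool(HEX32.match(lm)) and lm != EMPTY_LM


def accounts_with_lm(dump_text):
    """Return account names in a pwdump-style dump that still have an LM hash."""
    flagged = []
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        user, _rid, lm, _nt = parts[:4]
        if has_lm_hash(lm):
            flagged.append(user)
    return flagged


# Constructed sample lines (not real hashes), assumed pwdump-style layout.
SAMPLE = """\
alice:1104:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1106:NO PASSWORD*********************:8899aabbccddeeff0011223344556677:::
carol:1107:AABBCCDDEEFF00112233445566778899:ffeeddccbbaa99887766554433221100:::
"""

if __name__ == "__main__":
    for name in accounts_with_lm(SAMPLE):
        print(f"{name}: LM hash still stored, password change still pending")
```

Accounts that drop off this list after a password change confirm the policy is being applied on the domain controller that processed the change.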
