Did a password hash dump in 2008 domain - why some LM and not all NT hashes?

Posted on 2012-08-28
Last Modified: 2012-09-19
I'm trying to better understand cracking passwords on my domain.  I used a utility to dump all the password hashes to a file, and am now going through them with ophcrack to see if I can break any of them.

My question is some of the passwords have LM hashes and NT hashes, and so of course they're broken in seconds.
Others are JUST NT hashes, so they're taking longer to crack.

Why do some accounts have both NT and LM hashes and others just NT?
Question by:Mystical_Ice

    Expert Comment


    These accounts were probably already existing when your domain was an NT4 domain, and survived the migration to an AD domain.
    In that case, these accounts had an NT hash and this attribute has been conserved until today.

    There's a Group Policy that permits you to prohibit storing of LM hashed passwords on domain accounts (look at but as it does not remove existing "hashes" it will only become effective on the next password change.

    So in your case, you should use this policy and add it to "Default Domain Policy" and "Domain Controllers Default Policy" and force everyone to change their password.

    Have a good day.

    Author Comment

    If we have a few domain controllers that are running Windows 2003, would that make a difference?  It shouldn't, right?

    Our FSMO roles are all held on Windows 2008 R2 servers

    Author Comment

    Also, some of the newest accounts have LM hashes.  There's one account that's 8 years old (the oldest one we have) and it has no LM hash

    Accepted Solution


    As far as I remember, a brand new domain directly created under Windows 2003 will not store LM hash by default... Domains migrated from NT4 will continue to store LM Hash until you force the policy I told you about in my previous post.

    I don't know why some recent accounts have LM hash and old accounts don't... anyway, use the policy as explained in the Microsoft article to definitely prohibit LM hash generation.
    Then, force users to change their password by any way you want (password expiration, check the box "user must change password at next connection", ...).

    Have a nice day.
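
Since the policy only takes effect at the next password change, the dump itself can be used to list which accounts still carry an LM hash and therefore still need that change. The following is an added example, not part of the original thread: it assumes the dump utility wrote pwdump-style lines (`user:RID:LM:NT:::`), and the sample rows and the names `has_lm_hash` and `audit` are constructed for illustration.

```python
"""List accounts in a pwdump-format dump that still store an LM hash."""

# LM hash of the empty string: what appears when no usable LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample (user:RID:LM:NT:::); the hash values are placeholders,
# not hashes of real passwords.
SAMPLE_DUMP = """\
alice:1105:11111111111111112222222222222222:33333333333333333333333333333333:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
carol:1107:NO PASSWORD*********************:55555555555555555555555555555555:::
dave:1108:6666666666666666aad3b435b51404ee:77777777777777777777777777777777:::
"""


def has_lm_hash(lm_field):
    """True when the LM column holds a real hash rather than an empty marker."""
    lm = lm_field.strip().lower()
    # Some dump tools write a text marker instead of 32 hex digits.
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return False
    return lm != EMPTY_LM


def audit(dump_text):
    """Return (accounts_with_lm, accounts_nt_only) from pwdump-format text."""
    with_lm, nt_only = [], []
    for line in dump_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        user, lm = fields[0], fields[2]
        (with_lm if has_lm_hash(lm) else nt_only).append(user)
    return with_lm, nt_only


if __name__ == "__main__":
    with_lm, nt_only = audit(SAMPLE_DUMP)
    print("Still storing an LM hash (password change needed once the policy is set):")
    for user in with_lm:
        print("  " + user)
    print("NT hash only: " + ", ".join(nt_only))
```

Re-running the same check on a fresh dump after the forced password changes shows whether any account was missed.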
