Mystical_Ice

Did a password hash dump in 2008 domain - why some LM and not all NT hashes?

I'm trying to better understand cracking passwords on my domain. I used a utility to dump all the password hashes to a file, and am now going through them with ophcrack to see if I can break any of them.

My question is some of the passwords have LM hashes and NT hashes, and so of course they're broken in seconds.
Others are JUST NT hashes, so they're taking longer to crack.

Why do some accounts have both NT and LM hashes and others just NT?
Bruno PACI

Hi,

These accounts were probably already existing when your domain was an NT4 domain, and survived the migration to an AD domain.
In that case, these accounts had an NT hash and this attribute has been preserved until today.

There's a Group Policy that lets you prohibit the storing of LM-hashed passwords on domain accounts (look at http://support.microsoft.com/kb/299656), but as it does not remove existing "hashes" it will only take effect on the next password change.

So in your case, you should use this policy, add it to "Default Domain Policy" and "Domain Controllers Default Policy", and force everyone to change their password.

Have a good day.
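
To see which accounts still need a password change once the policy is in place, the dump can be checked for entries whose LM field is not the empty-password LM hash. This is an added example, not part of the original answer; it assumes the dump is in pwdump format (`user:rid:lm:nt:::`), and the function names and sample lines are constructed.

```python
import string

# LM hash of an empty password: what a dump shows when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample dump; every hash value here is a placeholder.
SAMPLE_DUMP = "\n".join([
    "alice:1104:" + "1" * 16 + "2" * 16 + ":" + "a" * 32 + ":::",
    "bob:1105:" + EMPTY_LM + ":" + "b" * 32 + ":::",
    "carol:1106:NO PASSWORD*********************:" + "c" * 32 + ":::",
    "svc_backup:1107:" + "3" * 16 + EMPTY_LM[:16] + ":" + "d" * 32 + ":::",
    "garbage line without fields",
])


def is_stored_lm(lm_field):
    """True when the LM column holds a real hash rather than a blank marker."""
    lm = lm_field.lower()
    if len(lm) != 32 or any(c not in string.hexdigits for c in lm):
        return False  # e.g. the "NO PASSWORD***..." marker some tools print
    return lm != EMPTY_LM


def audit(dump_text):
    """Return [(user, short_password)] for accounts that still store an LM hash.

    short_password is True when the second 8-byte half equals the empty
    half-hash, meaning the password is 7 characters or fewer.
    """
    findings = []
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # skip malformed lines
        user, _rid, lm, _nt = parts[:4]
        if is_stored_lm(lm):
            findings.append((user, lm.lower()[16:] == EMPTY_LM[:16]))
    return findings


if __name__ == "__main__":
    for user, short in audit(SAMPLE_DUMP):
        note = " (password is 7 characters or fewer)" if short else ""
        print(f"{user}: LM hash still stored, reset password{note}")
```

Re-running the check after the forced password change should return an empty list.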
Mystical_Ice

ASKER

If we have a few domain controllers that are running Windows 2003, would that make a difference? It shouldn't, right?

Our FSMO roles are all held on Windows 2008 R2 servers.
Also, some of the newest accounts have LM hashes. There's one account that's 8 years old (the oldest one we have) and it has no LM hash.
ASKER CERTIFIED SOLUTION
Bruno PACI