<<< Date Index >>>     <<< Thread Index >>>

Rainbow tables for LM/NTLMv1 authentication




Hello,

I would recommend to read a Robert Hensing article.
Why you shouldn't be using passwords of any kind on your Windows networks . . .
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx

And, I don't recommend to rely on NoLMHash.
http://www.securityfriday.com/Topics/winxp1.html

Kind regards,
Urity

RainbowCrack with a SMB server throwing a fixed challenge:

// for rainbowcrack-1.2-src-algorithmpatch
// Ophcrack? for your homework.

// for HashRoutine.h
// LM authentication
void HashNetLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash);
// NTLMv1 authentication
void HashNetNTLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash);

// for HashRoutine.cpp
// LM authentication
AddHashRoutine("netlm", HashNetLM, 24);
// NTLMv1 authentication
AddHashRoutine("netntlm", HashNetNTLM, 24);

// for HashAlgorithm.cpp
// LM authentication
void HashNetLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
{
  int i;
  for (i = nPlainLen; i < 14; i++)
    pPlain[i] = 0;

  static unsigned char magic[] = {0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 
0x25};
  static unsigned char chllng[8] = {0}; // the fixed challenge of SMBRelay
  des_key_schedule ks;
  unsigned char lm[21];

  setup_des_key(pPlain, ks);
  des_ecb_encrypt((des_cblock*)magic, (des_cblock*)lm, ks, DES_ENCRYPT);
  setup_des_key(&pPlain[7], ks);
  des_ecb_encrypt((des_cblock*)magic, (des_cblock*)&lm[8], ks, DES_ENCRYPT);
  setup_des_key(lm, ks);
  des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)pHash, ks, DES_ENCRYPT);
  setup_des_key(&lm[7], ks);
  des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[8], ks, DES_ENCRYPT);
  if (nPlainLen < 8)
  {
    pHash[16] = 0x57; pHash[17] = 0xE9; pHash[18] = 0xA1; pHash[19] = 0xB7;
    pHash[20] = 0x95; pHash[21] = 0x40; pHash[22] = 0xC3; pHash[23] = 0x74;
  }
  else
  {
    lm[16] = lm[17] = lm[18] = lm[19] = lm[20] = 0;
    setup_des_key(&lm[14], ks);
    des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[16], ks, 
DES_ENCRYPT);
  }
}
// NTLMv1 authentication
void HashNetNTLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
{
  unsigned char UnicodePlain[MAX_PLAIN_LEN];
  int len = (nPlainLen < 127) ? nPlainLen : 127;
  int i;
  for (i = 0; i < len; i++)
  {
    UnicodePlain[i * 2] = pPlain[i];
    UnicodePlain[i * 2 + 1] = 0x00;
  }

  static unsigned char chllng[8] = {0}; // the fixed challenge of SMBRelay
  des_key_schedule ks;
  unsigned char lm[21];

  MD4(UnicodePlain, len * 2, lm);
  lm[16] = lm[17] = lm[18] = lm[19] = lm[20] = 0;
  setup_des_key(lm, ks);
  des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)pHash, ks, DES_ENCRYPT);
  setup_des_key(&lm[7], ks);
  des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[8], ks, DES_ENCRYPT);
  setup_des_key(&lm[14], ks);
  des_ecb_encrypt((des_cblock*)chllng, (des_cblock*)&pHash[16], ks, 
DES_ENCRYPT);
}