Password cracking is the act of trying to guess or decode encrypted passwords. Windows uses passwords to authenticate users, services, and computers. Third-party applications can have their own passwords as well. Passwords can be found in many locations, all of which are vulnerable to attack. A few passwords are stored in cleartext, but most are stored as a hashed value. One of the biggest constraints to effective password cracking is having the necessary CPU power, or a sufficiently large password dictionary or rainbow table.
From a broader perspective, not all authentication is done through passwords. Some credentials are stored as private keys, certificates, or Kerberos tickets. Those too can be targeted. The Windows Local Security Authority (LSASS) uses LSA secrets to store a variety of user, service, and application passwords. In some cases, such as with Kerberos or LSA secrets, they can be found in memory after the user logs on or the computer boots up.
Since Windows NT 4.0, Windows has stored local user names and passwords in the Security Account Manager (SAM). This is a Registry hive that is stored on disk in %WINDIR%\System32\config\SAM and loaded into memory on bootup. Passwords are stored as two types of hashes:
- LanMan (LM) hash—Before hashing, the password is converted to uppercase and then either truncated or padded with nulls to exactly 14 characters. The stored value is not a hash of the password itself. Instead, the 14-character string is split into two 7-byte halves, each of which is used as a 56-bit DES key to encrypt the fixed string "KGS!@#$%". Because the result is unsalted (and each half can be attacked independently), it is susceptible to dictionary and rainbow table attacks.
- NT hash—This is a simple MD4 hash of the password (encoded as UTF-16 little endian). It is unsalted, but allows passwords up to 128 characters long.
In the days of NT 4.0, Microsoft introduced a special utility called SYSKEY to make decrypting hashes more difficult. Administrators used it to encrypt the SAM, LSA secrets, and cached domain passwords. During bootup you could provide an unlock password, insert a floppy disk, or store the key in the Registry so the computer would boot with no special intervention. If the SYSKEY is stored in the Registry, it can be found in four parts in SYSTEM\CurrentControlSet\Control\Lsa\, in the subkeys JD, Skew1, GBG, and Data. These parts, however, can be extracted and used to generate the necessary RC4 key to decrypt the LM and NT hashes. It is also possible to use a special boot disk to delete the SYSKEY.
Active Directory Hashing Algorithms
The following hashes are stored in the ntds.dit Active Directory database file.
| Hashing Algorithm | Description |
| --- | --- |
| MD4 (aka NT hash) | Used for NTLM authentication. |
| LM | Used for LM authentication. Disabled by default since Windows Server 2003. |
| DES_CBC_MD5 | Used for Kerberos authentication. Salted with the user logon name and hashed 4,096 times using MD5. |
| AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96 | Used for Kerberos authentication since Windows Server 2008. Salted with the user logon name and hashed 4,096 times using HMAC-SHA1. |
| MD5 | 29 variants, each using a different combination of login name and domain name. Used for WDigest authentication. |
| Reversibly encrypted cleartext password | Used for MS-CHAPv1 RADIUS authentication. Disabled by default. |