    
          COMMERCIAL AND GOVERNMENT USERS PLEASE SEE THE END
          OF THIS FILE FOR LICENSING INFORMATION. FOR YOU THIS
          PROGRAM IS SHAREWARE, FOR ALL OTHERS IT IS FREE.

                         L0phtCrack 1.5
                         Released 7/12/97

          Available at http://www.l0pht.com/advisories.html

                         mudge@l0pht.com
                         weld@l0pht.com 

OVERVIEW

L0phtCrack 1.5 is a tool for turning Microsoft LANMAN and NT password
hashes back into the original clear text passwords.  The program
does this using dictionary cracking and also brute force.  L0phtCrack
1.5 returns not just the LANMAN password but the NT password up to 14
characters in length.

Version 1.0 of L0phtCrack was deficient because the graphical version
of the program did not support the brute force method.  This has been
fixed for version 1.5.  The brute force efficiency has been improved
and an option to select the character set that makes up the password
has been added.

The default behavior of L0phtCrack is to do a dictionary attack on the
password file and then brute force the remaining uncracked passwords.
Sample password files are named pwfile.txt, pwfile2.txt, pwfile3.txt
and pwfile4.txt.  A 28000 word dictionary file is included named
wfile.txt.  You can dump passwords directly from L0phtCrack if you have
administrator rights.

L0phtCrack 1.5 includes the ability to dictionary attack or brute force
the network NT server challenge that is used to prevent the OWF from
going across the wire in its plaintext format.  Sample network sniffed
challenges are in files sniff.txt and sniff2.txt.  This means you
can get NT passwords without administrator privileges if you have network
access between the client and the server.

You can build the sniff files by hand using your favorite network analyzer
or wait for our tool which sniffs the network and builds these files.
The sniffing tool will be made available shortly.  

Also to be made available shortly is a commercial multiprocessor
version, L0phtCrack/SMP 1.5 for NT and Solaris.  Contact l0phtcrack@l0pht.com
for more information.

FILES IN THE EXECUTABLE DISTRIBUTION - LC15EXE.ZIP

lc_cli.exe is the command line version of the program.  Run this if you
think little status counters are sucking up all your performance.  Source
code for this program that will build on Win95/NT or Unix is included in the
source code distribution: lc15src.zip or lc15src.tar.gz

lc_gui.exe is the NT graphical version of L0phtCrack.

lc_guipro.exe is the NT graphical version of L0phtCrack that has been compiled
with Pentium Pro optimizations turned on.

lc_gui95.exe is the Win95 graphical version of L0phtCrack.  This version does not
support password dumping due to Win95 limitations.

FILES IN THE SOURCE DISTRIBUTION - LC15SRC.ZIP or LC15SRC.TAR.GZ

This archive contains all the source to build the command line version of
L0phtCrack 1.5.

PERFORMANCE

Dictionary cracking is extremely fast.  L0phtCrack running on a Pentium Pro
200 checked a password file with 100 passwords against an 8 Megabyte dictionary
file in under one minute.

Brute forcing is always an extremely CPU intensive operation.  We have worked
to optimize this in L0phtCrack 1.5.  L0phtCrack running on a Pentium Pro
200 checked a password file with 10 passwords using the alpha character set
(A-Z) in 26 hours.  The graphical version of L0phtCrack 1.5 features a
percentage done counter and a time remaining estimate so you can gauge when
the task will be complete.

L0phtCrack 1.5 allows you to select one of 5 character sets to brute force
passwords that use more characters than A-Z.  As the character sets increase
in size from 26 characters to 68 the time to brute force the password
increases exponentially.  

This chart illustrates the relative time for larger character sets.

Char                        Relative
Size    Iterations          Time

26      8353082582          1.00
36      80603140212         9.65
46      4.45502E+11         53.33
68      6.82333E+12         816.86

So if 26 characters takes 26 hours to complete, 36 characters (A-Z,0-9) would
take 250 hours or 10.5 days.  Now of course this is the worst case scenario of
the password being 99999999999999.  A password such as take2asp1r1n would
probably be computed in about 7 days.
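The Iterations column of the chart is the number of candidate strings of length 1 through 7 over the given alphabet, which is what a brute force run over one 7-character LANMAN half has to enumerate (a 14-character LANMAN password is hashed as two independent 7-character halves).  The Go program below is an added illustration, not part of the L0phtCrack distribution: it recomputes the chart from that definition and scales the 26-hour figure measured above to the larger character sets.  The function and constant names are this example's own.

```go
package main

import "fmt"

// MaxHalfLen is the longest string one LANMAN half can hold: the 14-character
// password is split into two independent 7-character halves before hashing,
// so a brute-force run never has to try candidates longer than 7.
const MaxHalfLen = 7

// Keyspace returns the number of candidate strings of length 1..MaxHalfLen
// over an alphabet of charsetSize symbols, i.e. the chart's "Iterations".
func Keyspace(charsetSize int) uint64 {
	var total, pow uint64 = 0, 1
	for l := 1; l <= MaxHalfLen; l++ {
		pow *= uint64(charsetSize) // charsetSize^l
		total += pow
	}
	return total
}

// RelativeTime is the chart's "Relative Time" column: the keyspace for
// charsetSize divided by the keyspace for the 26-letter alphabet.
func RelativeTime(charsetSize int) float64 {
	return float64(Keyspace(charsetSize)) / float64(Keyspace(26))
}

// HoursForCharset scales a measured worst-case run time for A-Z (the README
// reports 26 hours on a Pentium Pro 200) up to a larger alphabet.  Worst case
// means the correct candidate is the last one tried.
func HoursForCharset(charsetSize int, hoursFor26 float64) float64 {
	return hoursFor26 * RelativeTime(charsetSize)
}

func main() {
	fmt.Printf("%-6s %-16s %-10s %s\n", "Char", "Iterations", "Relative", "Worst case")
	for _, n := range []int{26, 36, 46, 68} {
		fmt.Printf("%-6d %-16d %-10.2f %.0f hours\n",
			n, Keyspace(n), RelativeTime(n), HoursForCharset(n, 26))
	}
}
```

Run it with `go run` and the first two rows reproduce the chart exactly; the 46 and 68 rows match the chart's rounded scientific-notation values.  The 36-character row comes out at about 251 hours, the "250 hours or 10.5 days" quoted above.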
 
NT SERVER CHALLENGE SNIFFING

Here is a description of the challenge that takes place over the network
when a client, such as a Windows 95 machine, connects to an NT Server.

        [assuming initial setup etc...]

           8byte "random" challenge
     Client <---------------------- Server
     OWF1 = pad Lanman OWF with 5 nulls
     OWF2 = pad NT OWF with 5 nulls
     resp = E(OWF1, Chal) E(OWF2, Chal)
           48byte response (24byte lanman 24byte nt)
     Client -----------------------> Server

The client takes the OWF (all 16 bytes of it) and pads it with 5 nulls.
It then uses the now 21-byte OWF as DES keys to ECB-encrypt the 8-byte
challenge.  The resulting 24-byte string is sent over to the server,
which performs the same operations on the OWF stored in its registry
and compares the two resulting 24-byte strings.  If they match, the
user supplied the correct password.

What's cool about this? Well, now you can take your sniffer logs
of NT logons and retrieve the plaintext passwords. This does not
require an account on the NT machine nor does it require previous
knowledge of the ADMINISTRATOR password. 

So even if you have installed Service Pack 3 and enabled SAM encryption 
your passwords are still vulnerable if they go over the network.
 
Special thanks go out to:

 - Hobbit@avian.org for all the cool ideas and bare feet. Especially
   for his monster paper on CIFS problems.

 - Jeremy Allison jra@cygnus.com - for the fantastic sleuthing with
   PWDump.

 - tuebor@l0pht.com for some nice little code tips and general coolness.

 - the people who did SAMBA for being nuts!

 - the people who did libdes for being nuts!

 - Yobie for always fighting giants.

 If anyone makes modifications / improvements please mail the diffs to
 mudge@l0pht.com.

 We hope this tool is useful,

 mudge@l0pht.com , weld@l0pht.com

LICENSING INFORMATION LICENSING INFORMATION LICENSING INFORMATION 
 LICENSING INFORMATION LICENSING INFORMATION LICENSING INFORMATION

LHI TECHNOLOGIES, LLC  SOFTWARE LICENSE AGREEMENT 

THIS IS A LEGAL AGREEMENT BETWEEN YOU AND LHI TECHNOLOGIES, LLC ("LHI").
CAREFULLY READ ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT PRIOR TO USING
THE SOFTWARE. BY USING THE SOFTWARE YOU CONSENT TO BE BOUND BY THE TERMS OF
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL THE TERMS OF THIS AGREEMENT, DO
NOT USE THE SOFTWARE. 

***************************************************************************
IF YOU ARE A COMMERCIAL OR GOVERNMENTAL ENTITY THE GRAPHICAL EXECUTABLE
VERSIONS OF THIS SOFTWARE, ("L0PHTCRACK 1.5") ARE NOT FREE OF CHARGE.  IF
YOU USE THE SOFTWARE BEYOND THE EVALUATION PERIOD OF 7 DAYS YOU MUST MAKE A
PAYMENT OF $50 TO LHI.  PAYMENT MUST BE SENT TO: LHI, PO BOX 990857, BOSTON,
MA 02199. 
****************************************************************************

THE GRAPHICAL EXECUTABLE VERSIONS ARE THE FILES NAMED: lc_gui.exe, 
lc_guipro.exe and lc_gui95.exe CONTAINED IN THE ARCHIVE FILE lc15exe.zip

IF YOU ARE NEITHER A COMMERCIAL NOR A GOVERNMENTAL ENTITY YOU MAY USE THIS
SOFTWARE FREE OF CHARGE.

1.TITLE AND OWNERSHIP. The Software is owned by LHI.
The Software is protected by United States and international copyright and
other laws. You may not remove, obscure, or alter any notice of
patent, copyright, trademark, trade secret, or other proprietary rights.
You may not reverse engineer, disassemble or de-compile the
Software nor may you permit anyone else to do so. 

This license and your right to use the Software terminate automatically
if you violate any part of this Agreement. 

3.DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY.
THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY
OF ANY KIND, WHETHER EXPRESS OR IMPLIED. WITHOUT
LIMITATION, LHI DISCLAIMS ALL IMPLIED
WARRANTIES WITH RESPECT TO THE SOFTWARE, ITS
MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR
PURPOSE. YOU ASSUME ALL RISK IN USING THE SOFTWARE.
IN NO EVENT WILL LHI BE LIABLE FOR INDIRECT,
INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOSS OF INCOME, LOSS OF USE, OR
LOSS OF INFORMATION. IN NO EVENT WILL LHI BE
LIABLE FOR ANY DAMAGES, EVEN IF LHI SHALL HAVE
BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES
OR FOR ANY CLAIM BY ANY OTHER PARTY. CERTAIN STATES
DO NOT PERMIT EXCLUSIONS OF IMPLIED WARRANTIES OR
LIMITATIONS OF LIABILITY, SO THIS DISCLAIMER MAY NOT
APPLY TO YOU OR MAY APPLY TO YOU ONLY IN PART. YOU
MAY HAVE OTHER LEGAL RIGHTS WHICH VARY FROM STATE
TO STATE. 

4.EXPORT COMPLIANCE. You may not export or reexport the
Software except in full compliance with all United States and other
applicable laws and regulations, including laws and regulations
pertaining to the export of computer software. 

5.GENERAL. This Agreement constitutes the entire agreement between
you and LHI and supersedes any prior written or oral agreement
concerning the Software. It shall not be modified except by written
agreement dated subsequent to the date of this Agreement and signed
by an authorized LHI representative. LHI is not bound by any
provision of any purchase order, receipt, acceptance, confirmation,
correspondence, or otherwise, unless LHI specifically agrees to
the provision in writing. This Agreement is governed by the laws of
the State of Massachusetts as if the parties hereto were both Massachusetts
residents; and you consent to exclusive jurisdiction in the state and
federal courts in Boston in the event of any dispute. 

6.U.S. GOVERNMENT RESTRICTED RIGHTS. The Software is
provided with RESTRICTED RIGHTS. Use, duplication, or disclosure
by the Government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and
(2) of the Commercial Computer Software Restricted Rights at 48
CFR 52.227-19, as applicable. Contractor/manufacturer is LHI
Technologies, LLC, PO Box 990857, Boston, MA 02199. 