    
          THIS PROGRAM IS COMMERCIAL SOFTWARE.  AFTER 15 DAYS YOU
          MUST REGISTER IT TO CONTINUE USING IT.

                         L0phtCrack 2.01
                         Released 2/13/98

          Available at http://www.l0pht.com/l0phtcrack/

                         mudge@l0pht.com
                         weld@l0pht.com 



Introduction

L0phtCrack is designed to recover passwords for Windows NT.  NT does not
store the actual passwords on an NT Domain Controller or Workstation. 
Instead it stores a cryptographic hash of the passwords.  L0phtCrack can 
take the hashes of passwords and generate the cleartext passwords from
them.

Passwords are computed using 2 different methods.  The first, a dictionary
lookup, called dictionary cracking, uses a user supplied dictionary file.
The password hashes for all of the words in the dictionary file are
computed and compared against all of the password hashes for the users.
When there is a match the password is known.  This method is extremely
fast. Thousands of users can be checked with a 100,000 word dictionary 
file in just a few minutes on a PPro 200.  The drawback to this method
is that it only finds very simple passwords.

The second method is the brute force computation.  This method uses a
particular character set such as A-Z or A-Z plus 0-9 and computes the
hash for every possible password made up of those characters.  This 
method will always compute the password if it is made up of the character
set you have selected to test.  The only downside to this method is
time. It is very computation intensive, and the larger the character
set the longer it takes.  The character set A-Z takes about 24 hours on a
PPro 200.  A-Z and 0-9 takes about 10 days.

Many of L0phtCrack's features are designed to make these long brute force 
computations feasible.  It takes advantage of multiprocessor machines
and runs with lower than normal priority so you can use it on servers that
have idle CPU.  It can save and restore its state during a brute force
computation so that previously computed work is not lost.  L0phtCrack
will automatically save its state every 5 minutes in case of power loss or
reboots. The saved .LC file is in ASCII so it can be inspected over the
network to check on progress.


Installation

Unzip the distribution archive, lc2exe.zip into a directory.  Create a
shortcut to the executable l0phtcrack.exe (or l0phtcrack95.exe for Win95)
and you are done unless you want to use the network sniffing feature.

The network sniffer only works on NT, so skip this if you are on Win95.
To do network sniffing you need to install an NDIS network driver.  This 
driver will only work on ethernet network devices.  Go to the
Network settings in the Control Panel.  Select the Protocols tab and
press the Add.. button.  Press Have Disk... and specify the directory
where you installed L0phtCrack.  This is where the Oemsetup.inf file
is.  You will need to restart before the new driver takes effect.

Accessing the Password Hashes

Before the passwords can be computed you need to retrieve the password
hashes.  There are 3 main methods to get the password hashes: from the
registry directly, from a SAM file on disk, or by sniffing the network.


Dumping From the Registry

If you have administrator privileges you can get the password hashes
using the 'Tools Dump Passwords from Registry' command.  Specify a
computername or IP address in the format \\computername or \\ipaddress.
NT can be configured to disallow access to the registry remotely over the
network so you may need to be on the local machine if this is the case. 
Microsoft introduced the SYSKEY utility in NT SP3. If SYSKEY is running
the password hashes are encrypted and cannot be retrieved in this manner.

If you are using a non-English language version of NT your version may
use a different word for Administrators.  If so you need to modify a
registry key to get Dump Passwords to work.  Run regedit.exe and
edit the value of the key:

HKEY_CURRENT_USER\Software\LHI\L0phtCrack\AdminGroupName

Set it to your language version of 'Administrators'.


Extracting From a SAM File

The next method is new for L0phtCrack 2.0.  You can retrieve the password
hashes from the SAM file on the hard disk, from an NT Emergency Repair
Disk, or from a backup tape.  The NT registry is actually stored in
several different files on the system disk in the
d:\winnt\system32\config directory.  

These files cannot be accessed while NT is running since they are
opened exclusively by the operating system.  If you have physical
access you can boot the machine with a DOS floppy and use a program
such as NTFSDOS (http://www.ntinternals.com/ntfs20r.zip) to copy the SAM
file from d:\winnt\system32\config to a floppy disk.  You can then 
use the L0phtCrack command 'File Import SAM' to extract the password
hashes from the SAM file.

Another place to find the SAM file that doesn't require rebooting the
machine is in the d:\winnt\repair directory or on an Emergency Repair
floppy disk.  Whenever a repair disk is made the contents of the SAM in 
the registry are saved and compressed into the file 'sam._'. This file
can be uncompressed with the command:

     expand sam._ sam

The expanded SAM file can be imported into L0phtCrack.


The SAM file is also backed up onto tape when a full backup is
performed. If you have access to a backup tape you can restore the SAM file
from d:\winnt\system32\config to another machine and import it into
L0phtCrack.

If SYSKEY from NT 4.0 SP3 is installed all of the SAM files are 
encrypted and cannot be read by L0phtCrack.

Sniffing on the Network

If SYSKEY is installed and you have no network access to the registry or
physical access don't fret. There is a 3rd method for obtaining the
password hashes, network sniffing.  Network sniffing requires that you
are on a physical segment of the user or the resource they are accessing.
The sniffer, readsmb.exe, included with L0phtCrack 2.0 will only work
on Windows NT 4.0.

Follow the instructions in the Installation section for installing the
network driver necessary for using the network sniffer.

The network sniffer is a command line program named readsmb.exe.  Run
it and redirect its output to a file with the command:

     readsmb > passwd

You probably want to let this run for a day or so to collect enough
password hashes.  You can then open this file into L0phtCrack using the
command File Open.

Readsmb.exe also has a verbose mode that can be enabled by using the -v
option:

     readsmb -v

This output is not formatted properly for opening with L0phtCrack but it
may be useful to you.  On slow machines the -v option may cause readsmb
to miss some packets so it is really just for debugging and exploring.

Computing Passwords

So now that you have the password hashes loaded into L0phtCrack you want
to start computing.  You start computing by using the command Tools
Run.  The default options are set to first run a dictionary computation
using the default dictionary, words-english that comes with the L0phtCrack
distribution and then run a Brute Force computation using the default
character set, A-Z.

L0phtCrack will save the state of the computation every 5 minutes to
a .LC file.

The Tools Options menu command lets you select whether you want to do
a dictionary attack and/or a brute force attack.



PERFORMANCE

Dictionary cracking is extremely fast.  L0phtCrack running on a Pentium Pro
200 checked a password file with 100 passwords against an 8 megabyte dictionary
file in under one minute.

Brute forcing is always an extremely CPU intensive operation.  We have worked
to optimize this in L0phtCrack 1.5.  L0phtCrack running on a Pentium Pro
200 checked a password file with 10 passwords using the alpha character set
(A-Z) in 26 hours.  The graphical version of L0phtCrack 1.5 features a 
percentage done counter and a time remaining estimate so you can gauge when 
the task will be complete.

L0phtCrack 1.5 allows you to select one of 5 character sets to brute force
passwords that use more characters than A-Z.  As the character sets increase
in size from 26 characters to 68 the time to brute force the password
increases exponentially.  

This chart illustrates the relative time for larger character sets. 

Char                        Relative
Size    Iterations          Time

26      8353082582          1.00
36      80603140212         9.65
46      4.45502E+11         53.33
68      6.82333E+12         816.86

So if 26 characters takes 26 hours to complete, 36 characters (A-Z,0-9) would
take 250 hours or 10.5 days.  Now of course this is the worst case scenario of
the password being 99999999999999. A password such as take2asp1r1n would 
probably be computed in about 7 days. 
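As an added illustration (this is not code from the L0phtCrack distribution), the chart above can be reproduced from first principles: each iteration count is the number of candidate strings of length 1 through 7 over the character set, because an LM hash is computed over two independent 7-character halves, so a brute force never has to search anything longer than 7 characters. The 26-hour A-Z baseline is taken from the text; every other figure is derived from it.

```python
# Added example: derive the brute-force chart for LM hashes.
# Assumptions (not stated on the page, inferred from the chart's numbers):
# iteration count = sum of n**k for k = 1..7, because each LM hash half
# covers at most 7 characters.

BASE_CHARSET = 26      # A-Z, the row the chart normalises to 1.00
BASE_HOURS = 26.0      # measured run time for A-Z quoted in the text
MAX_LEN = 7            # length of one LM hash half


def iterations(charset_size: int, max_len: int = MAX_LEN) -> int:
    """Number of candidate strings of length 1..max_len over the set."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def relative_time(charset_size: int) -> float:
    """Run time of a character set relative to the A-Z baseline."""
    return iterations(charset_size) / iterations(BASE_CHARSET)


def estimated_hours(charset_size: int, base_hours: float = BASE_HOURS) -> float:
    """Worst-case wall-clock hours, scaled from the measured A-Z run."""
    return relative_time(charset_size) * base_hours


def full_length_share(charset_size: int, max_len: int = MAX_LEN) -> float:
    """Fraction of all work spent on the longest (max_len) candidates.

    Shows why trimming the set matters more than trimming short lengths:
    the length-7 term dominates every row of the chart."""
    return charset_size ** max_len / iterations(charset_size, max_len)


def chart(sizes=(26, 36, 46, 68)):
    """Rows of (size, iterations, relative time, hours, days)."""
    return [(n, iterations(n), relative_time(n),
             estimated_hours(n), estimated_hours(n) / 24) for n in sizes]


if __name__ == "__main__":
    print(f"{'Size':>4} {'Iterations':>16} {'Relative':>9} {'Hours':>9} {'Days':>7}")
    for n, it, rel, hrs, days in chart():
        print(f"{n:>4} {it:>16d} {rel:>9.2f} {hrs:>9.1f} {days:>7.1f}")
```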
 
Technical Notes

NT Server Challenge Sniffing

Here is a description of the challenge that takes place over the network
when a client, such as a Windows 95 machine, connects to an NT Server.

        [assuming initial setup etc...]

           8byte "random" challenge
     Client <---------------------- Server
     OWF1 = pad Lanman OWF with 5 nulls
     OWF2 = pad NT OWF with 5 nulls
     resp = E(OWF1, Chal) E(OWF2, Chal)
           48byte response (24byte lanman 24byte nt)
     Client -----------------------> Server

The client takes the OWF (all 16 bytes of it) and pads it with 5 nulls. 
It then DES-ECB encrypts the 8-byte challenge under the now 21-byte OWF,
which is used as key material. The resulting 24-byte string is sent over
to the server, which performs the same operations on the OWF stored in its
registry and compares the two resulting 24-byte strings. If they 
match, the user supplied the correct password.

What's cool about this? Well, now you can take your sniffer logs
of NT logons and retrieve the plaintext passwords. This does not
require an account on the NT machine nor does it require previous
knowledge of the ADMINISTRATOR password. 

So even if you have installed Service Pack 3 and enabled SAM encryption 
your passwords are still vulnerable if they go over the network.
 
Special thanks go out to:

 - Dmitry Andrianov for providing the SAMDUMP code for inclusion

 - Eric Young (eay@mincom.oz.au) for much of the crypto lib code 

 - MD4 Algorithm is "RSA Data Security, Inc. MD4 Message-Digest
   Algorithm"  this program is derived from the RSA Data Security,
   Inc. MD4 Message-Digest Algorithm

 - Thank you anonymous for some LANMAN sorting code

 - Hobbit@avian.org for all the cool ideas and bare feet. Especially
   for his monster paper on CIFS problems.

 - Jeremy Allison jra@cygnus.com - for the fantastic sleuthing with
   PWDump.

 - tuebor@l0pht.com for some nice little code tips and general coolness.

 - the people who did SAMBA for being nuts!

 - the people who did libdes for being nuts!

 - Tweety Fish (tfish@l0pht.com) for doing an awesome logo!

 If anyone makes modifications / improvements please mail the diffs to
 mudge@l0pht.com.

 We hope this tool is useful,

 mudge@l0pht.com , weld@l0pht.com




LICENSING INFORMATION LICENSING INFORMATION LICENSING INFORMATION 
 LICENSING INFORMATION LICENSING INFORMATION LICENSING INFORMATION

LHI TECHNOLOGIES, LLC  SOFTWARE LICENSE AGREEMENT 

THIS IS A LEGAL AGREEMENT BETWEEN YOU AND LHI TECHNOLOGIES, LLC ("LHI").
CAREFULLY READ ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT PRIOR TO USING
THE SOFTWARE. BY USING THE SOFTWARE YOU CONSENT TO BE BOUND BY THE TERMS OF
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL THE TERMS OF THIS AGREEMENT, DO
NOT USE THE SOFTWARE. 

***************************************************************************
THE GRAPHICAL EXECUTABLE VERSIONS OF THIS SOFTWARE, ("L0PHTCRACK 2.0") IS NOT
FREE OF CHARGE.  IF YOU USE THE SOFTWARE BEYOND THE EVALUATION PERIOD OF 15
DAYS YOU MUST MAKE A PAYMENT OF $50 TO LHI.  PAYMENT MUST BE SENT TO:

LHI
PO BOX 990857
BOSTON, MA 02199

or if you prefer online registration is available at:
http://www.l0pht.com/l0phtcrack/registration.html


****************************************************************************

THE GRAPHICAL EXECUTABLE VERSIONS ARE THE FILES NAMED: l0phtcrack.exe 
and l0phtcrack95.exe CONTAINED IN THE ARCHIVE FILE lc2exe.zip

1.TITLE AND OWNERSHIP. The Software is owned by LHI Technologies, LLC
The Software is protected by United States and international copyright and
other laws. You may not remove, obscure, or alter any notice of
patent, copyright, trademark, trade secret, or other proprietary rights.
You may not reverse engineer, disassemble or de-compile the
Software nor may you permit anyone else to do so. 

This license and your right to use the Software terminate automatically
if you violate any part of this Agreement. 

3.DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY.
THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY
OF ANY KIND, WHETHER EXPRESS OR IMPLIED. WITHOUT
LIMITATION, LHI DISCLAIMS ALL IMPLIED
WARRANTIES WITH RESPECT TO THE SOFTWARE, ITS
MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR
PURPOSE. YOU ASSUME ALL RISK IN USING THE SOFTWARE.
IN NO EVENT WILL LHI BE LIABLE FOR INDIRECT,
INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOSS OF INCOME, LOSS OF USE, OR
LOSS OF INFORMATION. IN NO EVENT WILL LHI BE
LIABLE FOR ANY DAMAGES, EVEN IF LHI SHALL HAVE
BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES
OR FOR ANY CLAIM BY ANY OTHER PARTY. CERTAIN STATES
DO NOT PERMIT EXCLUSIONS OF IMPLIED WARRANTIES OR
LIMITATIONS OF LIABILITY, SO THIS DISCLAIMER MAY NOT
APPLY TO YOU OR MAY APPLY TO YOU ONLY IN PART. YOU
MAY HAVE OTHER LEGAL RIGHTS WHICH VARY FROM STATE
TO STATE. 

4.EXPORT COMPLIANCE. You may not export or reexport the
Software except in full compliance with all United States and other
applicable laws and regulations, including laws and regulations
pertaining to the export of computer software. 

5.GENERAL. This Agreement constitutes the entire agreement between
you and LHI and supersedes any prior written or oral agreement
concerning the Software. It shall not be modified except by written
agreement dated subsequent to the date of this Agreement and signed
by an authorized LHI representative. LHI is not bound by any
provision of any purchase order, receipt, acceptance, confirmation,
correspondence, or otherwise, unless LHI specifically agrees to
the provision in writing. This Agreement is governed by the laws of
the State of Massachusetts as if the parties hereto were both Massachusetts
residents; and you consent to exclusive jurisdiction in the state and
federal courts in Boston in the event of any dispute. 

6.U.S. GOVERNMENT RESTRICTED RIGHTS. The Software is
provided with RESTRICTED RIGHTS. Use, duplication, or disclosure
by the Government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and
(2) of the Commercial Computer Software Restricted Rights at 48
CFR 52.227-19, as applicable. Contractor/manufacturer is LHI
Technologies, LLC, PO Box 990857, Boston, MA 02199. 