Rethink Security

Windows Hashes

security windows hash

All the different types of Windows hashes can be confusing. So to clear things up a little, I wrote down some key points on what LM, NTLM, DCC and friends are about. An excellent writeup on NTLM relaying [1] is byt3bl33d3r's. All the other sources [2] [3] [4] can be found in the footnotes.

Hash types

LM Hashes [5]

  • In use since OS/2 LAN Manager (1987)
  • Limited character set: the password is converted to upper case, truncated to 14 characters and split into two independent 7-character halves
  • Each half is padded with zeros to 7 bytes, used as a DES key to encrypt the constant "KGS!@#$%", and the two 8-byte ciphertexts are concatenated
  • Very easily crackable (each half is at most 7 upper-case characters; a password of 7 characters or less has the known constant aad3b435b51404ee as its second half). Not stored by default since Vista/Server 2008, so today it is found only exceptionally in NTDS.dit or in a local SAM

NTLM Hashes [6]

  • Current mechanism, more precisely called the NT hash ("NTLM hash" is common but conflates it with the NTLM protocol)
  • MD4 over the UTF-16LE encoding of the password, no salt: identical passwords yield identical hashes on every machine
  • Crackable (hashcat mode 1000) or directly usable for Pass the Hash (PTH) [7], because the hash itself is the secret the NTLM protocol authenticates with

NTLMv1

  • Not a hash algorithm but an authentication mechanism (network protocol)
  • Challenge-response based: the server sends an 8-byte challenge, the client pads its 16-byte hash to 21 bytes, splits it into three 7-byte DES keys and encrypts the challenge with each, giving a 24-byte response
  • Uses the LM hash and/or the NT hash (which ones are sent depends on the LMCompatibilityLevel setting)
  • Can also be cracked (hashcat mode 5500); with a known or static server challenge the NT hash itself can be recovered from the response via the DES keyspace, which in turn enables PTH

NTLMv2

  • Not a hash algorithm but an authentication mechanism
  • Challenge-response based: HMAC-MD5 keyed with the NT hash over the upper-cased username and domain (NTOWFv2), then HMAC-MD5 with that key over the server challenge and a client blob with timestamp and client challenge
  • Always keyed with the NT hash (LM is not involved)
  • Can be cracked, but only by guessing the password (hashcat mode 5600); the response reveals neither the NT hash nor anything usable for PTH, although it can be relayed

DCC Hashes (Domain Cached Credentials, also MS Cache)

  • Cached on domain members so that a domain user can still log on while no domain controller is reachable
  • Use the (lowercased) username as SALT, so the same password gives a different hash per user
  • Not usable for PTH; they can only be cracked (hashcat mode 1100 for DCC, 2100 for DCC2)
  • DCC Algorithm
    • NT-hash the password (MD4 over UTF-16LE)
    • Convert the lowercased username to UTF-16LE
    • DCCv1 = MD4(NT hash || UTF-16LE(lowercase username))
    • DCCv2 (Vista/Server 2008 and later) = PBKDF2 [8] with HMAC-SHA1 [9] and 10240 iterations, where DCCv1 serves as the password and the UTF-16LE username serves as the SALT
    • The result is 160 bits, of which the first 128 bits are stored as DCCv2

Kerberos

  • DES (des-cbc-crc, des-cbc-md5): disabled by default since Windows 7 / Server 2008 R2
  • RC4 (rc4-hmac): the long-standing default; its key is the NT hash itself, which is why an NT hash alone is enough to request tickets (overpass-the-hash)
  • AES128-CTS-HMAC-SHA1-96
  • AES256-CTS-HMAC-SHA1-96: preferred on Vista/Server 2008 and later where the domain supports it; the key is derived from the password with PBKDF2 and a salt, so the NT hash is of no use here

Windows Creds

All of the following hives live under HKLM in the Windows registry.

Hive SAM -> local SAM database [10]

  • Holds the local user accounts and their NT (and, where still enabled, LM) hashes
  • Dump it to obtain the hashes of the local users on that client

Hive SYSTEM -> general system settings

  • Also holds the boot key (SysKey) that encrypts the SAM and SECURITY hives, so any offline dump needs SYSTEM alongside SAM or SECURITY

Hive SECURITY -> LSA secrets and cached credentials

  • Contains hashes (cached domain logons) and LSA secrets such as service account and machine account passwords
  • Its ACL grants access only to SYSTEM; even Administrators cannot read it without taking ownership or running as SYSTEM
  • Cached domain credentials are written here after a successful domain logon
  • Contains the Cache key with the DCC hashes used for "offline" logon (no DC reachable); mimikatz [11] dumps it with lsadump::cache, which needs SYSTEM rights on the machine itself (or the exported SECURITY and SYSTEM hives)

  1. https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
  2. https://docs.microsoft.com/en-us/previous-versions/tn-archive/dd277300(v=technet.10)?redirectedfrom=MSDN#ECAA
  3. https://docs.microsoft.com/de-de/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
  4. https://hashcat.net/wiki/doku.php?id=example_hashes
  5. https://en.wikipedia.org/wiki/LAN_Manager
  6. https://en.wikipedia.org/wiki/NT_LAN_Manager
  7. https://en.wikipedia.org/wiki/Pass_the_hash
  8. https://en.wikipedia.org/wiki/PBKDF2
  9. https://en.wikipedia.org/wiki/HMAC
  10. https://en.wikipedia.org/wiki/Security_Account_Manager
  11. https://github.com/gentilkiwi/mimikatz