1
00:00:00,520 --> 00:00:03,560
Now, this is a typical Windows local hash.

2
00:00:04,300 --> 00:00:06,310
The columns are separated by colons.

3
00:00:07,120 --> 00:00:09,130
The first column is the username.

4
00:00:09,880 --> 00:00:15,460
Second field is the user ID. It can be thought of as a user group.

5
00:00:16,000 --> 00:00:22,930
500 is for the administrators, 502 is for the Kerberos accounts, et cetera.

6
00:00:23,990 --> 00:00:29,540
The third field is the LM hash and the fourth is the NTLM hash.

7
00:00:30,850 --> 00:00:36,610
As you saw on the previous slide, two different hashing methods exist in a local Windows password hash

8
00:00:36,610 --> 00:00:40,150
table, LM hashes and NTLM hashes.

9
00:00:40,750 --> 00:00:47,830
LM hash is a very weak one-way function used for storing passwords, originally invented for the LAN

10
00:00:47,830 --> 00:00:49,360
Manager operating system.

11
00:00:50,110 --> 00:00:56,650
But the LM hash was included in Windows NT for backward compatibility, and it's still included

12
00:00:56,650 --> 00:00:58,140
for backward compatibility.

13
00:00:58,150 --> 00:01:03,580
However, it is disabled by default since Windows Vista and Windows Server 2008.

14
00:01:06,120 --> 00:01:10,050
So let's see the properties of these methods comparatively.

15
00:01:11,450 --> 00:01:19,670
Both types of hashes generate a 128-bit stored value. The LM hash has a limited character set of only

16
00:01:19,670 --> 00:01:29,270
140 characters, while the NTLM hash supports almost the entire Unicode character set of 65,536 characters.

17
00:01:30,220 --> 00:01:39,250
While LM allows cyphers up to 14 characters in length, NTLM allows cyphers up to 256 characters

18
00:01:39,250 --> 00:01:39,670
in length.

19
00:01:40,790 --> 00:01:47,630
Well, you can specify a password consisting of more than 14 characters, but the LM algorithm takes

20
00:01:47,630 --> 00:01:51,170
only the first 14 characters of the password into account.

21
00:01:52,410 --> 00:01:59,220
And moreover, while the NTLM hash calculates the hash based on the entire password the user entered,

22
00:01:59,640 --> 00:02:04,350
the LM hash splits the password into two seven-character chunks.

23
00:02:04,620 --> 00:02:05,790
Padding is necessary.

24
00:02:06,360 --> 00:02:12,670
That means you will crack two seven-character passwords instead of one 14-character password.

25
00:02:13,140 --> 00:02:16,920
It makes it dramatically easier to crack LM hashes.

26
00:02:18,390 --> 00:02:22,680
Now, furthermore, LM hashes are case insensitive.

27
00:02:23,550 --> 00:02:30,180
The password you specified is converted to all uppercase and then the hash is calculated.

28
00:02:31,080 --> 00:02:38,430
Let's give an example for the algorithm. Suppose that you specified a password as MySecretPassword

29
00:02:38,730 --> 00:02:44,490
with some uppercase and lowercase characters, and the LM hashes are active in that system.

30
00:02:45,510 --> 00:02:49,290
The system first converts all characters to uppercase.

31
00:02:50,400 --> 00:02:57,300
Then it splits the password into two seven-character chunks and ignores the 15th and the following characters.

32
00:02:58,170 --> 00:03:10,410
So here we have the MYSECRE and TPASSWO strings, and the RD part is ignored.

33
00:03:11,320 --> 00:03:14,590
At last, the hash values of these parts are calculated.

34
00:03:15,900 --> 00:03:22,470
You can crack a seven-character-length password in seconds. That means you can crack any LM hash

35
00:03:22,470 --> 00:03:29,010
in minutes. As a result, never, ever enable the LM hash algorithm in Windows systems.

