These days it's all too easy for people to crack LM hashes, which Windows stores (alongside the NTLM hash) for user account passwords.
sarcaprj.wayreth.eu.org, JTR, proactive password explorer, cain, lc5, sam inside, etc. have demonstrated this with fast cracking routines for LM, exploiting the other flaws in this weak hashing scheme (it isn't really encryption, just DES used as a one-way function on a fixed string).
So most people can turn off LM hashes: you don't need them, they are only there for backwards compatibility with older Windows versions like Windows 98. You only need the "more" secure NTLM hash.
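To see exactly why LM is so easy to crack, here is an added example (my own PowerShell, not code from the original post and not from any of the tools named above) that computes an LM hash the same way Windows does. The function names Get-LMHash and ConvertTo-DesKey are just what this example calls them; it assumes an ASCII password, since real Windows upper-cases using the OEM code page.

```powershell
# Added example (not from the original post): build an LM hash the way Windows does.
#   1. upper-case the password (case is thrown away)
#   2. NUL-pad / truncate it to 14 bytes
#   3. split into two independent 7-byte halves
#   4. use each half as a DES key to encrypt the constant "KGS!@#$%"
# So a cracker attacks two 7-character, case-insensitive pieces instead of one
# 14-character password, and any password of 7 characters or fewer has a second
# half that is always the well-known value AAD3B435B51404EE.

function ConvertTo-DesKey {
    # Spread 7 bytes (56 bits) over 8 key bytes, 7 bits each plus a parity bit.
    param([byte[]]$Half)
    $bits = ($Half | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
    $key = New-Object byte[] 8
    for ($i = 0; $i -lt 8; $i++) {
        # DES ignores the low (parity) bit of each key byte, so just append a 0
        $key[$i] = [Convert]::ToByte($bits.Substring($i * 7, 7) + '0', 2)
    }
    return $key
}

function Get-LMHash {
    param([string]$Password)
    # assumption: ASCII only; Windows upper-cases in the OEM code page
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($Password.ToUpperInvariant())
    $padded = New-Object byte[] 14
    [Array]::Copy($bytes, $padded, [Math]::Min($bytes.Length, 14))
    $magic  = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')

    $out = foreach ($offset in 0, 7) {
        $half = $padded[$offset..($offset + 6)]
        if (($half | Measure-Object -Sum).Sum -eq 0) {
            # .NET refuses the all-zero DES key as "weak", so use the well-known
            # result of encrypting the magic constant with it. This constant is
            # exactly what an empty or short password half produces.
            'AAD3B435B51404EE'
        } else {
            # (.NET also rejects DES semi-weak keys; no realistic password half hits one)
            $des = [System.Security.Cryptography.DES]::Create()
            $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
            $des.Padding = [System.Security.Cryptography.PaddingMode]::None
            $des.Key     = [byte[]](ConvertTo-DesKey $half)
            $block = $des.CreateEncryptor().TransformFinalBlock($magic, 0, 8)
            ($block | ForEach-Object { $_.ToString('X2') }) -join ''
        }
    }
    return ($out -join '')
}

Get-LMHash 'Password'
Get-LMHash 'PASSWORD'   # identical to the line above: case was thrown away
Get-LMHash 'pass'       # ends in AAD3B435B51404EE: the hash itself says "7 chars or fewer"
```

Run it with a mixed-case password and its all-caps version to see the same hash come out, and with a short password to see the tell-tale AAD3B435B51404EE second half. That constant is why cracking tools can instantly tell a short password from a long one, and why each 7-character half can be brute-forced or looked up on its own.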
run "%SystemRoot%\system32\secpol.msc /s" (Local Security Policy - also found in Administrative Tools in the control panel)
then go to Local Policies -> Security Options
there is a setting called
"Network Security: Do not store LAN Manager hash value on next password change"
enable it, then change your password. Windows will now store a dummy LM hash (one that doesn't correspond to your password) and the real NTLM hash. Until you change the password the old LM hash is still in the SAM.
next change
"Network Security: LAN Manager authentication level"
to "Send NTLM response only"
because by default Windows answers a remote host's challenge with both the LM and the NTLM response (derived from the logged-in user's hashes) when you access it over the network, so if that remote host is sniffing (with Cain & Abel for example) it only gets your NTLM challenge/response, not your easy-to-crack LM challenge/response
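The same two settings, applied from an elevated PowerShell prompt instead of clicking through secpol.msc (an added example, not part of the original post). The two policy entries above are just a GUI over the registry values NoLMHash and LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the script sets them and reads them back so you can confirm they took.

```powershell
# Added example (not from the original post): set the two LSA values that the
# "Network Security" policy entries in secpol.msc write. Run as Administrator.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# "Do not store LAN Manager hash value on next password change" = Enabled
# Takes effect only when the password is next changed; the old LM hash stays until then.
New-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -PropertyType DWord -Force | Out-Null

# "LAN Manager authentication level" = "Send NTLM response only"
#   0 = Send LM & NTLM responses
#   1 = Send LM & NTLM, use NTLMv2 session security if negotiated
#   2 = Send NTLM response only
#   3 = Send NTLMv2 response only
#   4 = Send NTLMv2 response only, refuse LM
#   5 = Send NTLMv2 response only, refuse LM & NTLM
New-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 2 -PropertyType DWord -Force | Out-Null

# Read both values back; NoLMHash should be 1 and LmCompatibilityLevel 2
Get-ItemProperty -Path $lsa -Name NoLMHash, LmCompatibilityLevel |
    Select-Object NoLMHash, LmCompatibilityLevel
```

After running it, change the account password so the stored LM hash is actually dropped. Level 2 keeps the Win2k/XP box accepting LM responses from older clients (only levels 4 and 5 refuse them at the server side), it just stops your own machine from sending one.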
As far as compatibility with Windows 98 goes, the host running Win2k/XP etc. can still access the Win98 box; it's the Win98 box that is left in the dark when trying to access the other machine, because the Win2k/XP box no longer has an LM hash to check the Win98 client's LM response against. There may be a patch/reg fix from MS to add NTLM support to Win98, but I never really looked - google it maybe. Also NTLMv2 is good but not really important for the average user.
There's some info in these MS articles:
http://support.microsoft.com/default.aspx?...;EN-US;q299656&
http://support.microsoft.com/default.aspx?...b;en-us;Q239869
I didn't set out to fully explain the LSA, as there are other things such as RestrictAnonymous etc. that have been mentioned here before.
If there are any flaws in this or you have something to add, just post it.