SAM ‘lm’ Hash Types

TL;DR

The SAM stores up to two hashes per local account: the LM hash (two DES encryptions of the constant KGS!@#$% keyed by the two 7-character halves of the upper-cased password) and the NT hash (MD4 of the UTF-16LE password, the value usually meant by ‘NTLM’). Both are 16 bytes, i.e. 32 hexadecimal characters, so they cannot be told apart by length or appearance. The value a dump tool prints in the ‘lm’ slot is not always a crackable LM hash of the current password: since Windows Vista and Server 2008 LM hashes are not stored by default, so the slot holds the well-known empty constant aad3b435b51404eeaad3b435b51404ee (mimikatz simply omits the line), a blank password produces fixed constants in both fields, and mimikatz’s indented lm/ntlm lines are password-history slots. Reading these correctly is what separates a fast LM crack from a wasted hashcat run.

Identifying What the ‘lm’ Field Holds

  1. Understand the SAM Database: The Security Account Manager (SAM) hive stores, for each local account, an LM hash and an NT hash, both encrypted under a key derived from the boot key (SysKey). mimikatz (lsadump::sam) decrypts them on the live system; impacket’s secretsdump.py does the same from copies of the SAM and SYSTEM hives and prints one pwdump-style line per account, user:rid:lmhash:nthash:::.
  2. Recognise Hash Labels: ‘ntlm’ (mimikatz: Hash NTLM) is the NT hash, MD4 of the UTF-16LE password; ‘lm’ (mimikatz: Hash LM) is the LAN Manager hash, two DES encryptions of the constant KGS!@#$% keyed by the two 7-character halves of the upper-cased password. The label tells you the algorithm; it does not tell you whether the value is a hash of the current password or a placeholder (see step 3). In mimikatz output the indented lm - N and ntlm- N lines are password-history slots (index 0 is the current hash), not alternative hash types.
  3. Check Hash Lengths: Both algorithms produce 16 bytes (32 hexadecimal characters), so length alone cannot tell them apart. What can be read off the value are two well-known sentinels:
    • NT hash: 32 hex characters. 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string, i.e. a blank password.
    • LM hash: 32 hex characters, but really two independent 16-character halves. aad3b435b51404ee is the hash of an empty half, so a value ending in it means a password of at most 7 characters, and aad3b435b51404eeaad3b435b51404ee means no LM hash is stored at all (NoLMHash policy, a password longer than 14 characters, or a blank password). secretsdump and pwdump always print this constant in the lm field; mimikatz prints a Hash LM line only when an LM hash is actually stored.
    • There is no separate ‘MD4’ hash type in the SAM: the NT hash is MD4. It is MD4 of the UTF-16LE encoding, so it does not match the raw MD4 of an ASCII wordlist entry.
  4. Use Hash Analysis Tools: Identifier tools classify only by length and character set; for a bare 32-hex string they will list MD5, MD4, NTLM and LM as candidates, so rely on the dump’s field positions and the sentinels above instead. The crackers are where the label matters:
    • hashcat selects the algorithm with -m (there is no --format option): 3000 for LM, 1000 for NTLM. For example, a dictionary attack on the NT hashes and a mask attack over the LM character set (split a 32-character LM hash into its two halves if hashcat rejects the full value):
      hashcat -m 1000 -a 0 nt.txt wordlist.txt
      hashcat -m 3000 -a 3 -1 ?u?d?s lm.txt ?1?1?1?1?1?1?1
    • John the Ripper parses pwdump lines directly and defaults to the LM field when one is present (it prints a warning suggesting --format=nt), so choose the field explicitly:
      john --format=lm hashes.txt
      john --format=nt hashes.txt
      john --show --format=nt hashes.txt
    • CyberChef’s ‘Analyse hash’ operation reports the length and candidate algorithms for one hash; for a 32-hex value it cannot distinguish LM from NT.
  5. Examine the Hash Value: A hex editor adds nothing; the hash is already hex, and DES and MD4 output are both indistinguishable from random bytes, so there is no ‘structure’ to read. What to look for instead:
    • A second LM half of aad3b435b51404ee: the password is 1–7 characters and only the first half needs cracking.
    • Identical LM first halves across accounts: the first 7 characters of those passwords are the same (LM ignores case and hashes each half separately), so one crack covers all of them.
    • An LM hash present on a modern system: either NoLMHash is off, or the password predates the policy and has not been changed since.

Dealing with What You Find in the ‘lm’ Field

  1. LM Hashes: When a real LM hash is present, crack it first. The password is at most 14 characters, case-folded to upper case, and each 7-character half is attacked independently, so a mask attack exhausts the keyspace on commodity GPUs.
    • Use hashcat -m 3000. (‘--format 0’ is not a hashcat option, and mode 0 is MD5.)
    • The result is case-insensitive; feed it as a wordlist with case-toggling rules (hashcat -m 1000 -r) against the NT hash to recover the exact password.
  2. NT Hashes: MD4 of the UTF-16LE password, unsalted, so hashcat -m 1000 with a wordlist and rules is fast. (‘--format 3200’ is wrong on both counts: hashcat has no --format, and mode 3200 is bcrypt.) An NT hash is also usable as-is for pass-the-hash, so every NT hash in a dump is already a working credential whether or not it cracks.
  3. Sentinel Values: aad3b435b51404eeaad3b435b51404ee in the lm field means no LM hash is stored, not a passwordless account; move on to the NT hash. 31d6cfe0d16ae931b73c59d7e0c089c0 in the nt field is a blank password, which is the real finding and should be addressed immediately.
  4. History Entries: mimikatz (and secretsdump.py with -history) prints previous hashes as additional lm/ntlm lines indexed from 0. Keep them labelled by index rather than treating them as a second hash type; an old LM hash that cracks often reveals the pattern of the current password.

Important Considerations

  • System Age: LM hashes were stored by default through Windows XP and Server 2003 and have been off by default since Vista and Server 2008. The policy only takes effect at the next password change, so long-lived accounts on upgraded systems can still carry an LM hash.
  • Group Policy Settings: Two settings decide what is stored and what is accepted: “Network security: Do not store LAN Manager hash value on next password change” (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, NoLMHash = 1) and “Network security: LAN Manager authentication level” (LmCompatibilityLevel; 4 refuses LM responses, 5 refuses LM and NTLM). Password complexity does not change the hash type, but a minimum length above 14 characters prevents an LM hash from being created at all.
  • Cyber Security Implications: Any stored LM hash is a finding: enable NoLMHash, force a password change on the affected accounts, and raise LmCompatibilityLevel so LM responses are never accepted on the network. A blank NT hash is an immediate incident, and every NT hash in the dump should be treated as a live credential because of pass-the-hash.