Analysis of the Security of Windows NT
1 March 1999
Result. This attempt was successful. To produce a password file, we used the SAMDump utility on the expanded copy of the SAM database found under the repair folder.
Comment. The LAN Manager password is padded with NULLs if it is not 14 characters long. This, together with the encryption method used, creates recognizable patterns if the password contains fewer than eight characters.
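The pattern the comment refers to can be checked directly in a password dump. The LM hash is computed over two 7-character halves of the NULL-padded 14-character buffer, so for any password shorter than eight characters the second half is the hash of seven NULL bytes, a fixed value. The following audit script is an added example, not part of the original report or of the SAMDump or L0phtCrack tools; it assumes a pwdump-style line format (user:RID:LM hash:NT hash:::) and uses constructed sample hashes.

```python
"""Audit a pwdump-style dump for LM hashes that reveal short passwords.

Added example, not part of the original report. It relies on the fact
that the LM hash is computed on two 7-character halves of a NULL-padded
14-character buffer: when the password is shorter than eight characters
the second half is the hash of seven NULL bytes, a constant value.
"""
import re

# LM hash of seven NULL bytes. It appears as the second half of every LM
# hash for a password shorter than eight characters, and as both halves
# for an empty password or when no LM hash is stored.
LM_NULL_HALF = "aad3b435b51404ee"

# Constructed sample lines in pwdump format: user:RID:LM hash:NT hash:::
# All hash values here are made up for this example, apart from the
# NULL-half constant above.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
shortpw:1001:89abcdef01234567aad3b435b51404ee:0011223344556677889900aabbccddee:::
nolm:1002:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""

# user, RID, 32 hex chars of LM hash, 32 hex chars of NT hash
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")


def classify_lm_hash(lm_hash):
    """Return a short verdict about what the LM hash alone reveals."""
    lm_hash = lm_hash.lower()
    first, second = lm_hash[:16], lm_hash[16:]
    if first == LM_NULL_HALF and second == LM_NULL_HALF:
        return "empty password or LM hash not stored"
    if second == LM_NULL_HALF:
        return "password shorter than 8 characters"
    return "password 8-14 characters, LM hash stored"


def audit_dump(text):
    """Parse pwdump lines and return {user: verdict}; malformed lines are skipped."""
    verdicts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, _rid, lm_hash, _nt_hash = m.groups()
        verdicts[user] = classify_lm_hash(lm_hash)
    return verdicts


if __name__ == "__main__":
    for user, verdict in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:15s} {verdict}")
```

Run against a real dump, the same check tells an administrator which accounts have LM hashes that leak password length without any cracking effort, which is the strongest argument for enforcing passwords of at least eight characters or disabling LM hash storage altogether.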
7.7.5.3 L0phtCrack 2.x
Description. See appendix D.1.1 for a description of L0phtCrack.
Intent. We will use the program readsmb that comes with L0phtCrack 2.0 to snatch
encrypted passwords from the network. After that we will use L0phtCrack to try and
get the clear-text passwords.
Result. We ran readsmb for 24 hours and got 10 different encrypted passwords, among them the administrator password (readsmb was used on our live network and not on the experimental network, so we believe that the results from this are not biased). After that, L0phtCrack 2.0 was run on the file from the sniffer.