
I have recently dumped some hashes from my local machine because I'm trying to understand the process by which Windows 7 hashes its passwords.

I have discovered my local password hash that looks (similar) to this: Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3:::

Now what I would like to know is what the different sections mean, so:

We have this hash: Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3::: that looks to be separated by `:`. If we separate this by the `:` we end up with this:

[Jason, :, 502, :, aad3c435b514a4eeaad3b935b51304fe, :, c46b9e588fa0d112de6f59fd6d58eae3, :, :, :]
  • I'm assuming the first part Jason is the username, that's the most logical to me.
  • The third part aad3c435b514a4eeaad3b935b51304fe is the NTLM hash, would be my best guess.

If my assumption is correct then that leaves c46b9e588fa0d112de6f59fd6d58eae3 and 502 left.

  • I'd guess that the other hash (c46b9e588fa0d112de6f59fd6d58eae3) is the derived key, that is created from the password itself.
  • The 502 would be the binary data of the user.
  • And the : is just a separator or a padding.

Now for my question: am I correct in my assumptions on what each part of the hash represents? If not, can someone please explain to me what each part represents?

13aal

1 Answer


Using

[Jason, :, 502, :, aad3c435b514a4eeaad3b935b51304fe, :, c46b9e588fa0d112de6f59fd6d58eae3, :, :, :] 

as the example

  • Jason is the user name

  • 502 is the relative identifier (500 is an administrator; 502 here is a Kerberos account.) (adsecurity.org/?p=483)

  • aad3c435b514a4eeaad3b935b51304fe is the LM hash

  • c46b9e588fa0d112de6f59fd6d58eae3 is the NT hash

Details on difference between the hashes can be found here: LM / NT Hashes

iainpb
  • So that would make this entire hash the NTLM hash, correct? – 13aal Jun 13 '17 at 15:45
  • What do you mean by "this entire hash"? The NTLM hash is only the string `c46b9e588fa0d112de6f59fd6d58eae3` as @iain explained. – PwdRsch Jun 13 '17 at 15:51
  • Why is there an NTLM & LM hash? I thought the NTLM hash superseded the LM hash as it was not secure? – rusty009 Apr 02 '18 at 18:38
  • You can prevent it with a NoLM Hash Policy https://support.microsoft.com/en-gb/help/299656/how-to-prevent-windows-from-storing-a-lan-manager-hash-of-your-passwor – iainpb Apr 04 '18 at 14:16
  • I can see @13aal's confusion. If there's a more secure hashing algorithm to LM being utilised on a system (NTLM), then why still implement LM hashes instead of completely replacing it with the newer, more secure one? Why maim the security benefits of a stronger hash algorithm by including it alongside a weaker one that can be used to easily compromise the system anyway? – Hashim Aziz Oct 12 '18 at 23:49
  • Adding to this, even though it's a long time since it was opened. The link that @iainpb posted explains it all. [link](http://www.adshotgyan.com/2012/02/lm-hash-and-nt-hash.html) `The LM hash is stored for backward compatibility reasons. Many environments no longer need it and can disable storage of that value.` In my experience, the LM hash is always disabled on newer versions of Windows. – Chris S Aug 21 '19 at 04:20