To get rid of LM hashes in local SAM databases, one can rely on the famous NoLMHash domain GPO, which instructs clients not to store password hashes with the LM algorithm locally ("Do not store LAN Manager hash value on next password change").

However, as the policy's label clearly mentions, it has no immediate effect on hashes already stored in various clients' SAM databases. Of course, each user will have to change his password in the next few weeks, and the NoLMHash policy will be enforced such that their new password's LM hash won't be stored anymore, but this isn't true for any other user who logged in on that same station in the past (think of IT staff, help-desk support, the user who previously owned that same computer, etc.). These passwords will never be changed on that same workstation again, and thus are still vulnerable to LM hash reversal (or did I miss something?). Even if these reversed passwords are not valid anymore because of the rotation policy, an attacker could probably easily find a pattern among all users (if a given LM hash is reversed to, say, "Colorado$04-2014" and this password has expired, there's still a chance that this user's subsequent password has been set to something like "Colorado$07-2014").

My question is: is there a way (a command, a script, whatever) to find out whether there are still LM hashes stored on a given computer? Said another way, I would like to make sure that, on a given computer, only NTLMv2 hashes are stored.

Thanks for your help!

Romain

1 Answer

The reliable way to check this, I think, is to put yourself in the attacker's position, dump the hashes, and see if LM hashes show up in those dumps. You can do this with a variety of pwdump-like tools.

I haven't done this in a while, but if memory serves, the output file contains the user name and ID, along with the LM and NTLM hashes. If the LM hash isn't present, it will be clearly visible in the file.

Andrey
  • [See my answer here for more info on dumping hashes](http://security.stackexchange.com/a/63909/8340) – SilverlightFox Aug 22 '14 at 12:48
  • And another [answer](http://security.stackexchange.com/a/63896/11250) in that thread even shows how a "no LM" hash will look. – Andrey Aug 22 '14 at 12:52
  • Thanks for your answers! I feared there would not be any other way than using hacking tools. I was hoping for something more like "scripting for IT guys", maybe a command line tool that would not necessarily give out the actual LM hashes, but just issue a "yes/no" answer, plus maybe the names of vulnerable accounts for example... – Romain Aug 22 '14 at 14:33
  • Can you clarify whether users and IT staff are logging into client computers using domain credentials or local computer credentials? – PwdRsch Aug 22 '14 at 15:29
  • @pwdrsch: users usually log on to client computers using domain credentials. – Romain Aug 26 '14 at 11:54
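The check Andrey describes, turned into the "yes/no plus the names of vulnerable accounts" script Romain asks for in the comments, as an added Python example that is not code from the original thread. It parses pwdump-style output (`user:RID:LM hash:NT hash:::`) and flags every account whose LM field holds anything other than the well-known empty-LM value; the sample dump and its hex values are constructed placeholders, and the "NO PASSWORD" marker is assumed to be the form some dumpers use for an absent hash.

```python
import re

# LM hash of the empty string (a well-known constant): pwdump-style tools emit it
# when no LM hash is stored for the account, i.e. NoLMHash was in effect at the
# account's last password change.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# pwdump line format: user:RID:LM hash:NT hash:::
PWDUMP_LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):::$")


def has_lm_hash(lm_field):
    """True only if the LM field carries a real stored LM hash."""
    lm = lm_field.strip().lower()
    if lm == EMPTY_LM_HASH or lm.startswith("no password"):
        return False  # empty-LM sentinel, or a dumper's "no LM hash" marker (assumed form)
    return re.fullmatch(r"[0-9a-f]{32}", lm) is not None


def audit_pwdump(text):
    """Split accounts in pwdump-style output into (with LM hash, without LM hash)."""
    with_lm, without_lm = [], []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if not m:
            continue  # blank lines, headers and unrelated tool output
        (with_lm if has_lm_hash(m["lm"]) else without_lm).append(m["user"])
    return with_lm, without_lm


def lm_hashes_present(text):
    """The yes/no answer: does this dump contain any stored LM hash at all?"""
    return len(audit_pwdump(text)[0]) > 0


# Constructed sample dump: the hex values are placeholders, not hashes of any
# real password. Two accounts still carry an LM hash, two do not.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
helpdesk:1001:ffffffffffffffffffffffffffffffff:fedcba9876543210fedcba9876543210:::
olduser:1002:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
"""

if __name__ == "__main__":
    with_lm, without_lm = audit_pwdump(SAMPLE_DUMP)
    print("LM hashes present:", "yes" if with_lm else "no")
    print("accounts still carrying an LM hash:", ", ".join(with_lm) or "none")
    print("accounts without an LM hash:", ", ".join(without_lm) or "none")
```

Accounts listed as still carrying an LM hash are the ones whose owners must change their password once (with NoLMHash in effect) or be removed from that machine's SAM.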