Vista Password Reset - Vista NTLM Security

Page 5 of 6

Let's consider one final scenario. What if we have an account we need to recover that is using EFS, but we don't have any proactive password recovery measures we can utilize, such as a Microsoft password reset file or an EFS certificate key backup? At this point, we pretty much need to "crack" the password somehow. On Windows NT, 2000 and XP systems, this actually isn't such a difficult task. Passwords stored on these systems use a fairly weak cryptographic hashing scheme named LM, the LanManager hashing algorithm. LM hashes are quite insecure due to a number of algorithm details which greatly reduce the keyspace: converting all characters to upper-case, null-padding or truncating passwords to 14 bytes in length, and splitting each fixed-length password into two 7-byte halves. Modern computers are quite capable of mounting a brute-force attack on an LM keyspace and succeeding within several hours. Cryptographic optimization techniques such as Rainbow Tables allow extremely efficient cracking of LM hashed passwords. User-friendly implementations of Rainbow Tables, such as Ophcrack, allow a user to simply insert a boot CD into a system and automatically crack all the LM hashed accounts, usually within a few minutes!

One thing Microsoft was being honest about was the fact that Vista is more secure... at least when it comes to passwords, anyway. Windows Vista has disabled the weaker LM password hashing scheme and enabled NTLM password hashing as the default. NTLM passwords are much, much more difficult to crack than LM hashed passwords. This is ultimately due to the keyspace, which is many orders of magnitude larger for NTLM hashes. Brute-force cracking attempts on NTLM hashed passwords are possible, especially on short, weak passwords, but become much more difficult if the password is long and/or strong.
For instance, there are publicly available Rainbow Tables for NTLM which will crack passwords of up to 6 alphanumeric characters with symbols. However, if you have a stronger password, say of 10 or more characters with symbols mixed in, then good luck! You might think that you can generate your own NTLM Rainbow Tables with a tool such as Winrtgen, available in the Cain and Abel security package, and you can! However, take a look at Figure 20. On my modern computer, generating the Rainbow Tables for an 8-character password with mixed alphanumerics and symbols would take approximately 24 Terabytes of hard drive space and 96 years of computation time. Definitely not worth it!
You might be able to try a distributed computing attack, but in the end you'd probably have to resort to some very expensive third-party services specializing in cryptography if you want to have any hope at all. If there is an easier solution to cracking strong NTLM password hashes that I haven't mentioned, then please tell me about it!
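To make the LM-versus-NTLM keyspace argument above concrete, here is an added Python example (not code from the article or from any of the tools it names). It applies the three LM weaknesses the article lists to a password, shows the null second half that any password of 7 characters or fewer produces, and compares the number of guesses an exhaustive search would need under LM and under NTLM. The alphabet sizes and the use of Latin-1 in place of the OEM code page are assumptions; the DES step of LM is omitted because only the pre-processing matters for the keyspace.

```python
import math
from typing import Dict, Tuple

# Alphabet sizes for the estimates below. Assumed values, not figures from the article:
# 26 upper-case, 26 lower-case, 10 digits, 33 printable ASCII symbols.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 33

def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """LM pre-processing as the article describes it: upper-case, null-pad or
    truncate to 14 bytes, split into two 7-byte halves. (The DES step that turns
    each half into a hash is omitted; Latin-1 stands in for the OEM code page.)"""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]

def lm_work(pw_len: int) -> int:
    """Guesses needed to exhaust an LM hash. Case folding leaves UPPER+DIGITS+SYMBOLS,
    and the two halves are attacked independently, so their costs add, not multiply."""
    alpha = UPPER + DIGITS + SYMBOLS
    first, second = min(pw_len, 7), max(0, min(pw_len, 14) - 7)
    return alpha ** first + (alpha ** second if second else 0)

def ntlm_work(pw_len: int) -> int:
    """Guesses needed to exhaust an NTLM hash: the full mixed-case alphabet over the
    whole password length, since NTLM neither folds case nor splits the password."""
    return (UPPER + LOWER + DIGITS + SYMBOLS) ** pw_len

def assess(password: str) -> Dict[str, object]:
    """Defender's view of one password against the attacks the article discusses."""
    first, second = lm_halves(password)
    n = len(password)
    return {
        "lm_halves": (first, second),
        # A password of 7 chars or fewer leaves the second LM half all nulls, i.e. a
        # constant hash that reveals the short length before any cracking starts.
        "lm_second_half_null": second == b"\x00" * 7,
        "lm_guesses": lm_work(n),
        "ntlm_guesses": ntlm_work(n),
        # The public NTLM tables mentioned in the article cover up to 6 characters.
        "within_public_ntlm_tables": n <= 6,
        # Orders of magnitude by which NTLM exhaustive search exceeds LM for this length.
        "ntlm_vs_lm_log10": round(math.log10(ntlm_work(n) / lm_work(n)), 1),
    }

if __name__ == "__main__":
    for pw in ("secret", "Password1", "Tr0ub4dor&3-extra!"):   # constructed samples
        print(pw, assess(pw))
```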
Last Updated (Wednesday, 07 May 2008 14:10)