Tuesday, July 15, 2014

LM Hashing Policy - Changes to the same password

No password set for account:
  blah1(current):1019:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Password of 'Password1' when LM is allowed:
  blah2(current):1021:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::

Password of 'Password1' when LM is disabled:
  blah3(current):1020:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::

Basically, if LM is disabled, the machine substitutes a "blank" value for the LM field (aad3b435b51404eeaad3b435b51404ee) and then continues normally with the NTLM portion.

If the password is longer than 14 characters, the LM portion will have the blank value (aad3b435b51404eeaad3b435b51404ee). This happens regardless of whether LM is disabled.

LM hashing is controlled by a DWORD registry value 'NoLMHash' under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa; it is disabled when that value exists and is set to '1'.
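To audit a dump for accounts that still carry a real LM hash, the three cases above can be told apart mechanically. The following is an added example, not part of the original post; the function names and finding labels are assumptions, and the sample input is the three dump lines shown above.

```python
# Added example: classify pwdump-style lines (user:rid:LM:NT:::) by LM/NT state.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # "blank" LM value described in the post
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT field of the post's no-password account

# Sample input: the three dump lines from the post.
SAMPLE = """\
blah1(current):1019:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
blah2(current):1021:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::
blah3(current):1020:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
"""

def _is_hash(field):
    """True if the field is exactly 32 hex characters."""
    return len(field) == 32 and all(c in "0123456789abcdef" for c in field)

def classify(line):
    """Return (user, rid, finding) for one dump line, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or not _is_hash(lm) or not _is_hash(nt):
        return None
    if lm != BLANK_LM:
        finding = "LM_STORED"    # a real LM hash is present: LM hashing was allowed
    elif nt == BLANK_NT:
        finding = "NO_PASSWORD"  # both fields blank: no password set
    else:
        # Blank LM with a real NT hash: LM disabled, or password over 14 characters.
        finding = "NT_ONLY"
    return user, int(rid), finding

def audit(dump):
    """Classify every well-formed line; malformed lines are skipped."""
    return [r for r in map(classify, dump.splitlines()) if r is not None]

if __name__ == "__main__":
    for user, rid, finding in audit(SAMPLE):
        print(f"{rid:>5} {user:<16} {finding}")
```

Any account reported as LM_STORED had its password set while LM hashing was allowed.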
