4. Origins of L0phtCrack
Jeremy Allison released pwdump on 3/24/1997
Inspired to reverse engineer the hash storage for Linux-to-NT interoperability in SAMBA
Can dump password hashes from the Windows NT registry but not crack them
Jonathan Wilkins released NTCrack on 3/28/1997
Can crack LANMAN hashes only
Mudge released L0phtCrack on 4/11/1997
Cracks both LANMAN and NTLM hashes
5. Windows NT Password Hash Refresher
For each user, LANMAN hashes are stored alongside NTLM hashes for backwards compatibility.
LANMAN passwords are uppercased and split into two 7-character passwords for hashing.
This scheme persisted until Windows Vista shipped in Jan 2007!
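The LANMAN scheme on this slide worked through in Go, as an added example that is not from the talk or from L0phtCrack itself: uppercase, NUL-pad or truncate to 14 bytes, use each 7-byte half as an independent DES key over the fixed public plaintext KGS!@#$%, and flag the constant second half that gives away any password of 7 characters or fewer. The magic plaintext and the all-NUL half value are the well-known public ones; ASCII-only uppercasing is an assumption of this example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	lmMagic     = "KGS!@#$%"         // fixed plaintext each DES half-key encrypts
	lmEmptyHalf = "AAD3B435B51404EE" // DES(lmMagic) under an all-NUL 7-byte half
)

// expandKey spreads 7 password bytes over 8 DES key bytes (7 bits each, low bit parity).
func expandKey(k []byte) []byte {
	return []byte{
		k[0] & 0xFE, (k[0]<<7 | k[1]>>1) & 0xFE,
		(k[1]<<6 | k[2]>>2) & 0xFE, (k[2]<<5 | k[3]>>3) & 0xFE,
		(k[3]<<4 | k[4]>>4) & 0xFE, (k[4]<<3 | k[5]>>5) & 0xFE,
		(k[5]<<2 | k[6]>>6) & 0xFE, (k[6] << 1) & 0xFE,
	}
}

// LMHash: uppercase, pad with NULs or truncate to 14 bytes, split into two independent
// 7-byte halves, DES-encrypt lmMagic under each. ASCII only (assumption); 32 hex chars.
func LMHash(password string) string {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	out := make([]byte, 16)
	for i, half := range [][]byte{p[:7], p[7:]} {
		c, _ := des.NewCipher(expandKey(half)) // key is always exactly 8 bytes
		c.Encrypt(out[i*8:i*8+8], []byte(lmMagic))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// IsShortPassword reports whether an LM hash betrays a password of at most 7 characters.
func IsShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.ToUpper(lmHex[16:]) == lmEmptyHalf
}

func main() {
	for _, pw := range []string{"", "secret", "PassWord"} {
		fmt.Printf("%-10q %s short=%v\n", pw, LMHash(pw), IsShortPassword(LMHash(pw)))
	}
}
```

Because the halves are hashed independently and case is discarded, an auditor can treat each half as a separate 7-character, uppercase-only problem, which is exactly why the slide calls the scheme weak.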
6. L0PHTCRACK 1.0 4/11/1997
• Core engine written by Mudge
• GUI version written by Weld Pond
• Imports hashes from Jeremy Allison's PWDUMP
• Microsoft responds with SYSKEY on 5/15/1997 in NT4 SP3
7. L0phtCrack 1.5 Pivots from POC to Administrator/Pen Tester Tool
• Windows administrators need a GUI
• Put the tools for password cracking in one program
8. L0PHTCRACK 1.5 7/12/1997
• GUI update to fix brute forcing bugs
• Challenge/response hash cracking added
• Built-in hash dumping
• Shareware license
• U.S. Government Accounting Office becomes first paying customer
9. L0PHTCRACK 2.0 2/16/1998
• Built-in sniffing for challenge/response
• Ability to import SAM registry hive added
• First commercial version with 14-day trial license
10. L0PHTCRACK 2.5 1/13/1999
• DilDog joins L0pht to work on L0phtCrack full-time.
• DES core rewritten with optimized assembly algorithm.
• Hybrid dictionary/brute attack added
12. L0PHTCRACK 3.0 (PRE) 1/24/2000
• Never released
• Last version with L0pht branding
• Added session-based interface
• Added L0phtCrack Wizard
• Added import from remote registry
13. LC3 (SST) 4/6/2001
• Released by "Security Software Technologies"
• Added 'distributed' cracking
• SST not allowed to use L0pht name on L0phtCrack, 'LC' used instead.
15. LC4 (@stake) 5/14/2002
• Rob Cheyne added to team
• GUI improvements: sorting, exporting, SCBS code pages
• Hybrid mode improved to use more combinations
• Multiple dictionary support
16. LC5 (@stake) 9/2/2004
• Ian Melven added to team, uncredited
• Windows 2003 update, better packet sniffer
• Rainbow tables added
• Audit scheduling
• Windows domain remediation
• Support options
20. L0phtCrack 6 3/11/2009
• Original development team (DilDog, Weld Pond, Mudge) purchases LC back from Symantec.
• UI modernization
• 21 service releases and updates through to 2015
• Support for 64-bit, Windows Vista, Windows 7, and Windows Server up to 2012 R2
• Basic Unix hash support
21. Goals Of L0phtCrack Today
• Put all the tools for password auditing in one program
• Make it easy for the enterprise to adopt with remediation and reports
• Support modern hardware, operating systems, and hash formats
• Support more than just Windows
• Include more of the security community!
22. Challenges
• Better ways to extract hashes.
• Remote extraction is more difficult these days: remote UAC, firewalls
• Sniffer out of date
• GPU challenges: keeping the GPU fully busy. Not all GPUs are that fast; the CPU can be faster!
24. L0phtCrack 7 Early 2016
• Complete code overhaul by DilDog. 100% new codebase.
• Converted from MFC to Qt for eventual portability
• New cracking engine based on John the Ripper
• Multi-GPU OpenCL, CUDA and CPU multi-core
• SSSE3, SSE4.1, AVX, XOP, AVX2 optimizations
25. L0phtCrack 7 Early 2016
• JtR complex wordlist rules
• Full Unicode and character set support
• Queue-based operation
• Completely overhauled scheduler
• Full Unix support for Linux, Solaris, BSD and AIX hashes with SSH remote extraction.
• Automatic update notification
26. L0phtCrack 7 Early 2016
Calibration selects which hardware and algorithms are fastest
27. Completely Pluggable API
• Open Source API allows third-party plugins to work with L0phtCrack.
Beginning of a software ecosystem
• All features in L0phtCrack are implemented as plugins using the API.
• API is beta, will be released shortly after launch, available on GitHub.
• Non-core features to be moved to plugins
Pluggable units of the IBM 604 calculator from 1948. Ran at 50 kHz.
28. Future Directions
• Mac OS X support.
• Port GUI to OS X and Linux
• Support for other cracking engines.
• Hint: hashcat and oclHashcat now open source
• Enterprise reporting/analytics
• More import modules, such as creddump, mimikatz, volume shadow copy, etc.
• Wireshark plugin for sniffing
• Database hashes
• More than just password cracking!
• Add support for Nmap
• Network inventory
Personal intro
It's been a bit of a cat and mouse game with Microsoft over many years. Surprisingly, L0phtCrack has been owned by 5 organizations over the years.
I saw this sign on my way home from the pub last night in Cambridge so of course I had to use it.
Many think Windows password crackers started with Jeremy Allison, but Hobbit's research was a precursor. Dan Farmer's pwc, which was part of COPS in 1990, and Alec Muffett's Crack (1993) were the first password crackers for Unix.
NTLM is easy once you have the LANMAN password, as you can just cycle through all the casing possibilities.
Microsoft had originally claimed it would take years to crack, even though they used no salt. Reverse engineering and attack tools are a requirement for assessing security: making the theoretical practical.
SYSKEY, of course, was just security theater. It took 10 years for Microsoft to remove the LANMAN hash by default.
Creating a GUI enabled another class of users. Windows administrators.
Samdump functionality. Of course the licensing was cracked right away.
Revenue from selling L0phtCrack now allows some of the L0pht members to become full time employees.
Didn’t sell any tools or technology. Just the people and brand.
Not allowed to use the l0pht brand.
You can see from the look and feel that it is losing its underground edge. And frankly it was falling a bit behind the state of the art. John the Ripper had better wordlist rules.
This almost doomed L0phtCrack. A funny thing happened along the way. McAfee started flagging lc5 as a malicious tool!
Symantec end-of-lifes LC5. We approach Symantec and purchase the technology and name.
L0phtCrack gets its name back! In the transaction we also got the l0pht name back.
So I am happy to say L0phtCrack is alive and well today and we are still developing it.
So you can tell from the investment we are making in L0phtCrack 7 that we think passwords in Windows and Unix will be around for a long time. It was 10 years before Microsoft felt safe removing LM hash.