lm2ntcrack : NT Hash cracker from LM Password

October 19th, 2008 by admin in News, Password Info, windows

lm2ntcrack provides a simple way to crack instantly Microsoft Windows NT Hash (MD4) when the LM Password is known. lm2ntcrack is Free and Open Source software.
This software is entirely written in Perl, so its easily ported and installed.

Pen-testers often encounter a problem during Windows penetration testing and password assessment.
Dumping Windows passwords hashes, permits to crack many LM passwords but cracked password cannot be used as is (uppercase version of the Windows password).
On the other hand, password cracking on NT hash is long and after few days it cracks only some password.

So you’ve got the LM password but it is only in UpperCase because LM Hashes are not case sensitive. So, these passwords cannot be reuse in this form.

Example : Password cracker output for “Administrator” account

* LM password is ADMINISTRAT0R.
* NT password is ?????????????.

I’m not so lucky because the case-sensitive password isn’t “administrat0r” or “Administrat0r”. So I cannot use this to connect on the audited Windows system.

This password contains 13 characters but launching my password cracker on the NT hash is a waste of time and there is a poor chance of success.

Note :

* Password length : 13 characters.
* Details : 1 number + 12 case-sensitives letters.
* Possibilities : 2^12 = 4096 choices. (Cannot test them all manually)

In this example, lm2ntcrack will generate the 4096 possibilities for the password ADMINISTRAT0R and, for each one, the associated NT MD4 hash. Then, search for matching with the dumped hash.

Execution time : < 2 seconds to crack more than 1200 NT Hashes To read more about this and download the script visit

Leave a reply