1
00:00:00,520 --> 00:00:03,550
Now, this is a typical Windows local hash.

2
00:00:04,330 --> 00:00:06,240
The columns are separated by colons.

3
00:00:07,120 --> 00:00:09,130
The first column is the username.

4
00:00:09,910 --> 00:00:15,460
The second field is the user ID. It can be thought of as a user group.

5
00:00:16,000 --> 00:00:22,930
500 is for the administrators, 502 is for the current accounts, et cetera.

6
00:00:24,050 --> 00:00:29,450
The third field is the LM hash, and the fourth is the NT hash.

7
00:00:30,880 --> 00:00:36,580
As you saw on the previous slide, two different hashing methods exist in a local Windows password hash

8
00:00:36,580 --> 00:00:36,950
table.

9
00:00:37,450 --> 00:00:45,640
LM hashes and NTLM hashes. The LM hash is a very weak one-way function used for storing passwords.

10
00:00:46,030 --> 00:00:52,900
Originally invented for the LAN Manager operating system, but the LM hash was included in Windows

11
00:00:52,900 --> 00:00:58,120
NT for backward compatibility, and it is still included for backward compatibility.

12
00:00:58,150 --> 00:01:03,550
However, it is disabled by default since Windows Vista and Windows Server 2008.

13
00:01:06,150 --> 00:01:10,020
So let's see the properties of these methods, comparatively.

14
00:01:11,480 --> 00:01:19,460
Both types of hashes generate a 128-bit stored value. The LM hash has a limited character set of

15
00:01:19,460 --> 00:01:21,150
only 142 characters.

16
00:01:21,770 --> 00:01:27,980
While the NT hash supports almost the entire Unicode character set of 65,536

17
00:01:27,980 --> 00:01:29,240
characters.

18
00:01:30,190 --> 00:01:39,220
While LM allows passwords up to 14 characters in length, NTLM allows passwords up to 256 characters

19
00:01:39,220 --> 00:01:39,640
in length.

20
00:01:40,790 --> 00:01:47,600
Well, you can specify a password consisting of more than 14 characters, but the LM algorithm takes

21
00:01:47,600 --> 00:01:51,140
only the first 14 characters of the password into account.

22
00:01:52,440 --> 00:01:59,190
And moreover, while the NTLM hash calculates the hash based on the entire password the user entered,

23
00:01:59,640 --> 00:02:05,760
the LM hash splits the password into two seven-character chunks, padding as necessary.

24
00:02:06,360 --> 00:02:12,660
That means you will crack two seven-character passwords instead of one 14-character password.

25
00:02:13,170 --> 00:02:16,890
It makes it dramatically easier to crack LM hashes.

26
00:02:18,390 --> 00:02:22,650
Now, furthermore, LM hashes are case insensitive.

27
00:02:23,550 --> 00:02:30,180
The password you specified is converted to all uppercase and then the hash is calculated.

28
00:02:31,140 --> 00:02:33,810
Let's give an example for the LM algorithm.

29
00:02:34,530 --> 00:02:41,280
Suppose that you specified a password as "mysecretpassword" with some uppercase and lowercase characters,

30
00:02:41,670 --> 00:02:44,490
and LM hashes are active in that system.

31
00:02:45,540 --> 00:02:49,260
The system first converts all characters to uppercase.

32
00:02:50,430 --> 00:02:57,270
Then it splits the password into two seven-character chunks and ignores the 15th and the following characters.

33
00:02:58,200 --> 00:03:10,380
So here we have the MYSECRE and TPASSWO strings, and the RD part is ignored.

34
00:03:11,350 --> 00:03:14,590
Then the hash values of these parts are calculated.

35
00:03:15,900 --> 00:03:19,230
You can crack a seven-character length password in seconds.

36
00:03:19,620 --> 00:03:24,630
That means you can crack any hash in minutes as a result.

37
00:03:24,870 --> 00:03:28,980
Never, ever enable the LM hash algorithm on Windows systems.
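As an added example, not part of the video or its slides, the following Python reproduces the LM pre-processing steps described above (uppercase, truncate to 14, pad, split into two 7-character halves) and parses lines in the colon-separated dump format from the start of the video so a defender can flag accounts that still store an LM hash. The sample dump lines and their hash values are constructed placeholders; the empty-password LM constant used as the "LM disabled" marker is a known Windows value, not something taken from the transcript.

```python
"""Audit helpers for the colon-separated Windows local hash format described
in the video: username:RID:LM hash:NT hash:::  (added example; the sample
dump lines and their hash values are constructed placeholders)."""
from dataclasses import dataclass

# LM hash of the empty password.  Windows stores this value when LM hashing is
# disabled, so each 16-hex-character half of it marks an "empty" 7-char chunk.
LM_EMPTY_HALF = "aad3b435b51404ee"
LM_EMPTY = LM_EMPTY_HALF * 2


def lm_chunks(password: str) -> tuple:
    """The LM pre-processing the video walks through: uppercase, keep only the
    first 14 characters, NUL-pad, split into two 7-byte halves.  The DES step
    that turns each half into 8 hash bytes is deliberately left out.  Assumes an
    ASCII password (non-ASCII characters are replaced with '?')."""
    prepared = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return prepared[:7], prepared[7:]


@dataclass
class LmFinding:
    user: str
    rid: int
    lm_enabled: bool      # LM hash present: crackable as two 7-char halves
    short_password: bool  # second half empty: password is at most 7 characters


def audit_dump_line(line: str) -> LmFinding:
    """Parse one dump line (user:RID:LM:NT:::) and classify its LM hash."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"expected at least 4 colon-separated fields: {line!r}")
    user, rid, lm_hash = fields[0], int(fields[1]), fields[2].lower()
    if len(lm_hash) != 32:
        raise ValueError(f"LM hash field must be 32 hex characters: {lm_hash!r}")
    enabled = lm_hash != LM_EMPTY
    return LmFinding(user, rid, enabled, enabled and lm_hash[16:] == LM_EMPTY_HALF)


# Constructed sample dump: placeholder hash values, not real credentials.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
    "kiosk:1002:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
]


def lm_enabled_accounts(lines=SAMPLE_DUMP) -> list:
    """Names of accounts that still have an LM hash stored (the ones to fix)."""
    return [f.user for f in map(audit_dump_line, lines) if f.lm_enabled]
```

Running `lm_chunks("mysecretpassword")` gives the MYSECRE / TPASSWO split from the video; `lm_enabled_accounts()` lists the accounts whose LM field is not the empty-password marker.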