Thursday, July 10

Windows 2003 & NoLMHash

Windows 2003 NoLMHash

 

 

Testing NoLMHash on Windows 2003 to check the following Microsoft guidance on adding the NoLMHash DWORD value for 2003/XP:

 

To add this DWORD value by using Registry Editor, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type NoLMHash, and then press ENTER.
5. On the Edit menu, click Modify.
6. Type 1, and then click OK.
7. Restart your computer, and then change your password.

 

Notes

This registry change must be made on all Windows Server 2003 domain controllers to disable the storage of LM hashes of users' passwords in a Windows 2003 Active Directory environment. If you are a domain administrator, you can use Active Directory Users and Computers Microsoft Management Console (MMC) to deploy this policy to all domain controllers or all computers on the domain as described in Method 1 (Implement the NoLMHash Policy by Using Group Policy).

This DWORD value prevents new LM hashes from being created on Windows XP-based computers and Windows Server 2003-based computers. The history of all previous LM hashes is cleared when you complete these steps.

 

Pasted from <http://support.microsoft.com/kb/299656>

 

Of interest to me is the second note (and whether it really needs a reboot, since the article also describes using Group Policy, which shouldn't need a reboot).

 

So, again using PWDump v6 and a 2003 R2 SP2 server, I set off.

 

1. First I made sure it is configured to store LM hash values. I also configured the password history for 6 passwords. I created a test user and set an initial password (no secrets here; I used MS' old standby of P@ssw0rd). I'll add a sequential number at the end for each step in the process.

 

LMHash:1016:921988BA001DC8E138F10713B629B565:AE974876D974ABD805A989EBEAD86846:::

 

2. To get some data, I'll increment the password (2) before configuring the data.

 

LMHash:1016:921988BA001DC8E1F96F275E1115B16F:C9AB9D08CC7DA5A55D8A82D869E01EA8:::

LMHash_history_0:1016:921988BA001DC8E138F10713B629B565:AE974876D974ABD805A989EBEAD86846:::

 

3. Configure registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1. No reboot. And, just because I want to know, I haven't changed the password yet.

 

LMHash:1016:921988BA001DC8E1F96F275E1115B16F:C9AB9D08CC7DA5A55D8A82D869E01EA8:::

LMHash_history_0:1016:921988BA001DC8E138F10713B629B565:AE974876D974ABD805A989EBEAD86846:::

 

Cool, same result as expected.  As advertised (and noted in my W2k testing) the hash doesn't get removed until the next password change.

 

4. So, I'll increment the password (3), still no reboot since enabling NoLMHash.

 

LMHash:1016:NO PASSWORD*********************:6BE408F1E80386822F4B2052F1F84B4E:::

LMHash_history_0:1016:7D9641FA8D37296E7D5BDDB1587689AA:C9AB9D08CC7DA5A55D8A82D869E01EA8:::

LMHash_history_1:1016:E051521C5D74C519A270B65CEDEC4F90:AE974876D974ABD805A989EBEAD86846:::

 

Hey, the hash is not being stored, even without a reboot!

 

How about the part that after a reboot all LMHash history is cleared?

 

5. Rebooting my test server and dumping the hash.

 

LMHash:1016:NO PASSWORD*********************:6BE408F1E80386822F4B2052F1F84B4E:::

LMHash_history_0:1016:7D9641FA8D37296E7D5BDDB1587689AA:C9AB9D08CC7DA5A55D8A82D869E01EA8:::

LMHash_history_1:1016:E051521C5D74C519A270B65CEDEC4F90:AE974876D974ABD805A989EBEAD86846:::

 

6. So it looks like the hash is still there? I'll increment my password again (4).

 

LMHash:1016:NO PASSWORD*********************:766B62D3DB023F90443469D86393CA66:::

LMHash_history_0:1016:E70E280FA98E2E78009CAFFCA733E4D7:6BE408F1E80386822F4B2052F1F84B4E:::

LMHash_history_1:1016:399D9D8A8FF1594979E19C1ED80068C4:C9AB9D08CC7DA5A55D8A82D869E01EA8:::

LMHash_history_2:1016:23E25AEA44552753FEC0A9C59960B2C0:AE974876D974ABD805A989EBEAD86846:::

 

Very strange? LMHash_history_0:1016 now has an LM hash history?

 

7. Let's try that again (5).

 

LMHash:1016:NO PASSWORD*********************:5E5C04A4181FCFFA0BF8C1034C5E30A6:::

LMHash_history_0:1016:703308D2B49F8CF59EB8B94EB12FBA04:766B62D3DB023F90443469D86393CA66:::

LMHash_history_1:1016:1A0EE7421E727FF3BE1C0F07B2C68D2B:6BE408F1E80386822F4B2052F1F84B4E:::

LMHash_history_2:1016:BCB0164EC204C101F1FE1BF9C1F1ADA3:C9AB9D08CC7DA5A55D8A82D869E01EA8:::

LMHash_history_3:1016:6DDD93A604AC5E1075ACFDB263333D11:AE974876D974ABD805A989EBEAD86846:::

 

 

Weird… We'll have to crack these to see what they reveal. Could the last two really be valid LM hash values? Since I have more history, I've reset the password again a few times using the original password in step 1.

 

LMHash:1016:NO PASSWORD*********************:AE974876D974ABD805A989EBEAD86846:::

LMHash_history_0:1016:F2F1C88E528B6BDBE7D81BE1954B5F3A:AE974876D974ABD805A989EBEAD86846:::

LMHash_history_1:1016:5F032D3561978BA198A2F00236616269:AE974876D974ABD805A989EBEAD86846:::

LMHash_history_2:1016:B27C478CE8BCC5D182FB6DF05CE5BF8D:5E5C04A4181FCFFA0BF8C1034C5E30A6:::

LMHash_history_3:1016:7C94EFC91201576D73E913B413A1F1DD:766B62D3DB023F90443469D86393CA66:::

LMHash_history_4:1016:BBB47337AE975957F430D86E2D7C5EDE:6BE408F1E80386822F4B2052F1F84B4E:::

 

I'll be back to reveal these shortly.
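As an added example (not part of the original post, and not pwdump's own code), here is a Python checker over pwdump-style output that does two things a practitioner would want after a NoLMHash change. First, it lists the accounts whose current entry still carries an LM hash, treating pwdump6's "NO PASSWORD" placeholder and the well-known LM hash of the empty string (aad3b435b51404eeaad3b435b51404ee, the value other dumpers print when no LM hash is stored) as "not stored". Second, it compares the LM fields that appear next to the same NT hash across several dumps: both LM and NT hashes are unsalted functions of the password, so a genuine LM hash sitting beside an unchanged NT hash would have to be identical in every dump. The sample input is constructed from the dumps quoted in steps 2, 4, 6 and 7 above.

```python
"""Added example: check pwdump-style output for stored LM hashes and test
whether the LM fields on password-history entries behave like real LM
hashes. Not code from the original post or from pwdump."""
import re
from collections import defaultdict

# Line layout produced by pwdump-family tools:  user:rid:lm_hash:nt_hash:::
# pwdump6 prints this placeholder when no LM hash is stored; some other
# dumpers print the LM hash of the empty string instead, so both count as
# "no LM hash stored".
PWDUMP6_NO_LM = "NO PASSWORD*********************"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("not a pwdump line: %r" % line)
        rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def lm_stored(lm_field):
    """True only for a real-looking LM hash: 32 hex digits that are not the
    well-known empty-password value."""
    return bool(HEX32.match(lm_field)) and lm_field.lower() != EMPTY_LM


def accounts_with_lm(text):
    """Current-password entries (history lines excluded) that still carry an
    LM hash: the list a NoLMHash rollout should drive to empty."""
    return [u for (u, _rid, lm, _nt) in parse_pwdump(text)
            if "_history_" not in u and lm_stored(lm)]


def lm_variants_by_nt(snapshots):
    """Across several dumps, the distinct hex LM fields seen beside each NT
    hash. LM and NT are both unsalted functions of the password, so a
    genuine LM hash stored next to a fixed NT hash (same password) must be
    identical in every dump."""
    seen = defaultdict(set)
    for text in snapshots:
        for (_u, _rid, lm, nt) in parse_pwdump(text):
            if lm_stored(lm):
                seen[nt.upper()].add(lm.upper())
    return {nt: sorted(lms) for nt, lms in seen.items()}


def unstable_lm_entries(snapshots):
    """NT hashes whose LM field took more than one value across snapshots;
    such LM fields cannot be LM hashes of the corresponding password."""
    return sorted(nt for nt, lms in lm_variants_by_nt(snapshots).items()
                  if len(lms) > 1)


# Constructed input: the dumps quoted in the post, step 2 (before NoLMHash)
# and steps 4, 6 and 7 (after NoLMHash = 1 and successive password changes).
STEP2 = """\
LMHash:1016:921988BA001DC8E1F96F275E1115B16F:C9AB9D08CC7DA5A55D8A82D869E01EA8:::
LMHash_history_0:1016:921988BA001DC8E138F10713B629B565:AE974876D974ABD805A989EBEAD86846:::
"""
AFTER_NOLMHASH = [
    """\
LMHash:1016:NO PASSWORD*********************:6BE408F1E80386822F4B2052F1F84B4E:::
LMHash_history_0:1016:7D9641FA8D37296E7D5BDDB1587689AA:C9AB9D08CC7DA5A55D8A82D869E01EA8:::
LMHash_history_1:1016:E051521C5D74C519A270B65CEDEC4F90:AE974876D974ABD805A989EBEAD86846:::
""",
    """\
LMHash:1016:NO PASSWORD*********************:766B62D3DB023F90443469D86393CA66:::
LMHash_history_0:1016:E70E280FA98E2E78009CAFFCA733E4D7:6BE408F1E80386822F4B2052F1F84B4E:::
LMHash_history_1:1016:399D9D8A8FF1594979E19C1ED80068C4:C9AB9D08CC7DA5A55D8A82D869E01EA8:::
LMHash_history_2:1016:23E25AEA44552753FEC0A9C59960B2C0:AE974876D974ABD805A989EBEAD86846:::
""",
    """\
LMHash:1016:NO PASSWORD*********************:5E5C04A4181FCFFA0BF8C1034C5E30A6:::
LMHash_history_0:1016:703308D2B49F8CF59EB8B94EB12FBA04:766B62D3DB023F90443469D86393CA66:::
LMHash_history_1:1016:1A0EE7421E727FF3BE1C0F07B2C68D2B:6BE408F1E80386822F4B2052F1F84B4E:::
LMHash_history_2:1016:BCB0164EC204C101F1FE1BF9C1F1ADA3:C9AB9D08CC7DA5A55D8A82D869E01EA8:::
LMHash_history_3:1016:6DDD93A604AC5E1075ACFDB263333D11:AE974876D974ABD805A989EBEAD86846:::
""",
]

if __name__ == "__main__":
    print("LM still stored before NoLMHash:", accounts_with_lm(STEP2))
    print("LM still stored after NoLMHash: ", accounts_with_lm(AFTER_NOLMHASH[-1]))
    variants = lm_variants_by_nt(AFTER_NOLMHASH)
    for nt in unstable_lm_entries(AFTER_NOLMHASH):
        print("NT %s has %d different 'LM' values in history"
              % (nt, len(variants[nt])))
```

Run against the dumps above, the current entry loses its LM hash after the first post-NoLMHash password change, while each of the three NT hashes that appear in more than one post-NoLMHash dump comes back with a different "LM" value every time, which is the check to apply before spending any cracking effort on those history fields.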