I ran metasploit's smart_hashdump module against my (2008r2) domain controllers
Question
I ran metasploit's smart_hashdump module against my (2008r2) domain controllers, trying to find any accounts that may still have lanman hashes in place. These should have been disabled long ago. I'm just doing some cleanup before this year's penetration testing and I wanted to find anything that had been missed.
I'm a bit confused by the output I'm seeing. All of my accounts have the exact same hash in that column - aad3bb43....404ee.
I've seen a couple of references to hashes beginning with aad3b43 being blank, but nothing about all these hashes being identical.
I take it that this value corresponds to some kind of internal 'disabled' state? I just want to be sure I'm understanding what I'm viewing.
Explanation / Answer
The LM hash does not use a salt, and therefore any identical passwords will have identical hash values.
Another thing to bear in mind is that the LM hash doesn't process the password as a whole. Instead, it null-pads it to 14 characters (if needed), then splits that value into 7-character chunks and hashes each before sticking them back together. Thus, if the first 7 characters are identical to the last 7, the first 8 bytes of the LM hash will match the last 8.
The LM hash value for 7 null characters is AAD3B435B51404EE. Therefore a password less than 8 characters long will end with AAD3B435B51404EE, and an empty password will always (since LM hashing doesn't use salt) be exactly AAD3B435B51404EEAAD3B435B51404EE.
There is one more caveat, however. LM hashing does not at all support passwords of 15 characters or greater. When this is encountered, the user may receive a prompt asking them to confirm they want to use a password that will be incompatible with older (LM hash dependent) software. Then, the system will store a null LM hash for that user. I personally recommend that people use 15+ characters in their passwords for precisely this reason.
So, it is possible that those accounts you're looking at have completely empty passwords. In that case, those users probably deserve a stern talking to. It's also possible (and perhaps more likely) that those accounts are actually using longer passwords than most others, which should be applauded!
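As an added illustration (not part of the original answer), here is a small Python checker that applies the answer's rules to pwdump-style hashdump lines: it flags the blank LM hash the questioner saw, hashes whose second half is the null constant (passwords shorter than 8 characters), hashes whose two halves repeat, and LM hashes shared by several accounts. The sample lines are constructed; only the AAD3B435B51404EE constant comes from the answer, and the `user:rid:lm:nt:::` layout is the common pwdump format.

```python
import re
from collections import Counter

# LM hash of seven null bytes, as quoted in the answer above.
NULL_HALF = "AAD3B435B51404EE"
BLANK_LM = NULL_HALF * 2
VERDICT_BLANK = "blank LM hash (empty password, LM storage disabled, or 15+ char password)"
VERDICT_SHORT = "LM hash present: password shorter than 8 chars"
VERDICT_REPEAT = "LM hash present: both 7-char halves identical"
VERDICT_FULL = "LM hash present: 8-14 char password"
VERDICT_BAD = "malformed LM field"
# pwdump-style layout emitted by hashdump tools: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[0-9a-fA-F]{32}):::$")


def classify_lm(lm_hex):
    """Classify one LM hash using only the structure described in the answer."""
    lm = lm_hex.strip().upper()
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        return VERDICT_BAD
    if lm == BLANK_LM:
        return VERDICT_BLANK   # the three causes cannot be told apart from the hash alone
    first, second = lm[:16], lm[16:]
    if second == NULL_HALF:
        return VERDICT_SHORT   # null-padded second half: fewer than 8 characters
    if first == second:
        return VERDICT_REPEAT  # e.g. a 14-char password whose two halves are the same
    return VERDICT_FULL


def audit_hashdump(text):
    """Return (user, verdict) pairs plus LM hashes shared by more than one account."""
    verdicts, seen = [], Counter()
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue               # skip banners, blank lines and anything not in pwdump layout
        verdicts.append((m["user"], classify_lm(m["lm"])))
        seen[m["lm"].upper()] += 1
    return verdicts, {h: n for h, n in seen.items() if n > 1}


# Constructed sample dump (made-up hex apart from the null-half constant; NT hashes are filler).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
jsmith:1104:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
legacy_svc:1105:1111111111111111aad3b435b51404ee:00000000000000000000000000000003:::
twin_halves:1106:33333333333333333333333333333333:00000000000000000000000000000004:::
long_lm:1107:11111111111111112222222222222222:00000000000000000000000000000005:::
"""
```

Running `audit_hashdump(SAMPLE)` reports both blank accounts sharing the same LM value, which is exactly the pattern the questioner observed, and singles out `legacy_svc` as the one account still carrying a real (short-password) LM hash worth cleaning up.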