Cracking Windows passwords in 5 seconds






As opposed to Unix, Windows password hashes can be calculated in advance
because no salt or other random information is involved. This makes
so-called time-memory trade-off attacks possible. This vulnerability is not
new but we think that we have the first tool to exploit this.



At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory
trade-off method. It is based on original work which was done in 1980 but
has never been applied to Windows passwords. It works by calculating all
possible hashes in advance and storing some of them in an organized
table. The more information you keep in the table, the faster the
cracking will be.



We have implemented an online demo of this method which cracks
alphanumerical passwords in 5 seconds on average (see
http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can
find the password after an average of 4 million hash operations. A brute
force cracker would need to calculate an average of 50% of all hashes,
which amounts to about 40 billion hashes for alphanumerical passwords
(lanman hash).



More info about the method can be found in a paper at
http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.



  Philippe Oechslin
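
Added example, not part of the original post or of the LASEC tool: a small Python audit showing why the missing salt matters. A table computed once matches every account that stores an unsalted hash, and matches nothing once a per-account salt is mixed in. Assumptions: SHA-256 stands in for the real LM/NT algorithms, the accounts are constructed sample data, and the keyspace count assumes the LM scheme's 7-character upper-cased halves, which is consistent with the "about 40 billion" figure above.

```python
import hashlib
import itertools
import os
import string

# 36 symbols: LM upper-cases the password, so alphanumeric means A-Z and 0-9.
ALPHABET = string.ascii_uppercase + string.digits

def lm_half_keyspace(max_len=7, symbols=len(ALPHABET)):
    """Count alphanumeric candidates of length 1..max_len (one LM half)."""
    return sum(symbols ** n for n in range(1, max_len + 1))

def unsalted(password):
    # Stand-in for an unsalted hash: the same password always gives the same digest.
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password, salt):
    # A per-account random salt is mixed in, as Unix-style schemes do.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(max_len=3):
    """Precompute digest -> password once, for a deliberately tiny keyspace."""
    table = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(ALPHABET, repeat=n):
            pw = "".join(combo)
            table[unsalted(pw)] = pw
    return table

def audit(accounts, table):
    """Return the users whose stored digest appears in the precomputed table."""
    return sorted(user for user, digest in accounts.items() if digest in table)

def demo():
    table = build_table()
    # Constructed sample accounts: both users chose the password "AB1".
    unsalted_db = {"alice": unsalted("AB1"), "bob": unsalted("AB1")}
    salted_db = {u: salted("AB1", os.urandom(16)) for u in ("alice", "bob")}
    return {
        "half_of_keyspace": lm_half_keyspace() // 2,
        "unsalted_hits": audit(unsalted_db, table),
        "salted_hits": audit(salted_db, table),
        "salted_digests_equal": salted_db["alice"] == salted_db["bob"],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With a salt, a table would have to be rebuilt for every salt value, so the one-time precomputation that the post relies on no longer pays off.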



