How to crack LM Hash online

LM hash is the algorithm used to encrypt passwords in some MS Windows versions. Almost every administrator knows that LM hash is not a safe way to keep passwords, but some people still use it, especially for backwards compatibility. I would call it stupidity, but you can call it whatever you want.
There are tons of tools on the internet to extract those hashes from Windows machines, from LDAP databases and so on.
There are also tons of cracking tools and cracking engines that can crack those extracted hashes. Some of them are brute force, some of them are dictionary based, but my favourite ones are rainbow table based.

Rainbow tables for LM hash covering all alpha, all numeric, all special characters and space take about 50GB of storage. That's quite a big amount of HDD space, and not everybody likes to keep it on their drive.
But I use a rainbow table cracking tool for performance testing and always have those tables around. One day I was a bit bored, so I decided to make a web framework for rcracki_mt to let people know how easy it is to crack a Windows LM hash. I guess some people who got their administrator account locked (unknown password) could use it. But using it for cracking someone else's password is totally unethical.
There are tons of online crackers, but most of them are not fully online, and even more crack hashes only when you pay for it. Some of them store hashes to crack and let other people crack them with their CPUs. All approaches are good in some situations, but I prefer mine :).
I have some spare CPU power, so why not let people check how strong their passwords are.
It took me about 2 hours to get it done (I'm not a programmer); maybe it looks terrible, but it works :).
The big advantage of my little engine is that all cracked hashes are stored in a database, and when someone else tries the same hash, the result is available in less than 1 second.
If a hash is not in the database, it is going to be cracked with rcracki_mt using 2 threads of an Atom D510 CPU, which takes about 300 seconds on average for 2 hashes. The engine uses rainbow tables for all Latin alpha, all numeric, all special characters and space, so only passwords that include special diacritic characters are safe.

You can check it out here.
There are about 4 hashes submitted by me; the rest are submitted by users. It's nice not to crack more than 2 hashes at once, but if you don't mind waiting a bit, even 40 shouldn't take very long. Submitting more than 100 is rather for really patient people :).
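
For administrators who would rather find LM hashes in their own environment, here is an added example (not part of the original post or of the author's engine) that audits a hash export and lists the accounts that still store an LM hash. It assumes a pwdump-style `user:rid:lmhash:nthash:::` layout; the function names and the sample lines are constructed for illustration.

```python
"""Audit a pwdump-style export for accounts that still store an LM hash."""

# Value found in the LM field when no real LM hash is kept
# (it is the LM hash of an empty password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_HALF = EMPTY_LM[:16]  # LM hashes each 7-character half separately


def audit_line(line):
    """Return (user, status) for one 'user:rid:lm:nt:::' line, None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, lm = parts[0], parts[2].lower()
    # Assumption: some export tools write a "NO PASSWORD***..." marker instead.
    if lm in ("", EMPTY_LM) or lm.startswith("no password"):
        return user, "ok"
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return user, "unparsed"
    if lm[16:] == EMPTY_HALF:
        return user, "lm-short"    # LM stored and password is 7 chars or fewer
    return user, "lm-present"      # LM stored: reset password, disable LM storage


def audit(lines):
    """Group user names by status; unparseable lines go under 'malformed'."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        result = audit_line(line)
        if result is None:
            report.setdefault("malformed", []).append(line.strip())
        else:
            report.setdefault(result[1], []).append(result[0])
    return report


# Constructed sample input: hash values are placeholders, not real hashes.
SAMPLE = [
    "alice:1001:" + EMPTY_LM + ":" + "1" * 32 + ":::",
    "bob:1002:0123456789abcdef" + EMPTY_HALF + ":" + "2" * 32 + ":::",
    "carol:1003:0123456789abcdeffedcba9876543210:" + "3" * 32 + ":::",
    "dave:1004:NO PASSWORD*********************:" + "4" * 32 + ":::",
    "garbage line",
]

if __name__ == "__main__":
    for status, users in sorted(audit(SAMPLE).items()):
        print(f"{status:11} {', '.join(users)}")
```

Accounts reported as `lm-short` or `lm-present` are the ones whose passwords should be changed after LM hash storage is turned off, since the old hash stays in place until the next password change.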


It's like you read my thoughts! You appear to understand so much about this, like you wrote the guide in it or something. I think that you can do with some p.c. to drive the message house a bit, however other than that, that is great blog. An excellent read. I will certainly be back.


Article | by Dr. Radut