I’ve been wanting to do this for a while, but never got around to it. This is a list of common operating systems and the password hashing algorithms they use. This list is by no means comprehensive.

LM HASH (Lan Manager)
Windows NT through Windows 2003 systems store both the LM hash and the NT hash; starting in Windows Vista, one is disabled. The LM hash is not really a hash: “A hash is a mathematical function used to summarize or probabilistically identify data. LM instead uses a cryptographic one-way function (OWF). Instead of encrypting the password with some other key, the password itself is the key.” The hash is generated as follows:

  1. Convert all lowercase characters in the password to uppercase, which makes it case insensitive
  2. Pad the password with NULL characters until it is exactly 14 characters long; anything beyond 14 characters is trimmed
  3. Split the password into two 7 character chunks
  4. Use each chunk separately as a DES key to encrypt a specific string (KGS!@#$%).
  5. Concatenate the two cipher texts into a 128-bit string and store the result

LM hash passwords are limited in the characters that can be used: the common alphanumeric set only. This hash is stored in the SAM file.

NTLM
This hash is also pretty basic: it is generated by converting the password to Unicode and then computing an MD4 hash of that text. This password hash is also stored in the SAM file.

MSCACHE
By default, Windows systems on an Active Directory domain cache the credentials of the last 10 users to log in to the system, and store them using the MSCache hash. These hashes are stored in the registry under HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10. To view them you need SYSTEM rights, or you have to change the ACL. These hashes are generated by:

  1. NTLM Algorithm is applied to the password
  2. Convert the username to lowercase and to Unicode
  3. Combine 1 and 2 and generate an MD4 hash

MSCACHE2
Released with Windows Vista, MSCACHE2 is an improvement over MSCACHE. It is generated by:

  1. MSCACHE is applied
  2. Apply PBKDF2 with SHA1 as HMAC, an iteration count of 10240, the old DCC hash as password and the Unicode username as salt in order to generate the DCC2 (MSCash2) hash. Only the first 128 bits of the resulting 160 bits are used.

Active Directory
Good write-up is available here

Linux
It depends on how you have your system configured, but most distributions use MD5 with a salt. If you look at your /etc/shadow file you will see something like the following:
root:$6$yRJDeAzg$YuDyESgHmzhqpuB/siFWaNXWZQ.O7KE8foVdmLRDy23xiQnPSXJ2yY5b1MB7VH4MgHGgraiYEKOc4UletZfye/:15104:0:99999:7:::
We are only concerned with what comes after root:. The value after the first $ identifies the hashing algorithm: 1 is for MD5, 2 is for Blowfish, 5 is SHA-256, and 6 is SHA-512. After the next $ comes the salt, then finally the password hash. You can change the algorithm to whatever you want by editing PAM or using the command authconfig. When changing your password the system uses the crypt library, and if you set it to an algorithm that the system doesn’t support, it will default to MD5. GLIBC2 supports more hashing algorithms.
The salt is generated randomly (I think, couldn’t really find much on this) and is used when creating the hash. Here is an example:
crypt("toor","$6$yRJDeAzg$");
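
The field layout described above, as a small auditing parser for /etc/shadow lines. This is an added example, not code from the original post; it goes beyond the page by also handling the rounds= parameter, locked or empty fields, legacy DES entries and the 2a/2b/2y and y ids, and the function names and every sample line except the root entry are constructed.

```python
from typing import NamedTuple, Optional

# Ids 1, 2, 5 and 6 are the ones the page lists; 2a/2b/2y and y go beyond it.
SCHEMES = {"1": "MD5", "2": "Blowfish", "2a": "Blowfish", "2b": "Blowfish",
           "2y": "Blowfish", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
SALTED_PLAIN = {"MD5", "SHA-256", "SHA-512"}  # layout: $id$[rounds=N$]salt$hash
DEFAULT_ROUNDS = 5000                          # glibc default for $5$ and $6$

class ShadowHash(NamedTuple):
    user: str
    scheme: str
    salt: Optional[str]
    rounds: Optional[int]
    locked: bool
    weak: bool

def parse_shadow_line(line: str) -> ShadowHash:
    user, field = line.rstrip("\n").split(":")[:2]
    locked = field.startswith(("!", "*"))      # "!" or "*": password login disabled
    body = field.lstrip("!*")
    if not body:                               # empty and not locked: no password at all
        return ShadowHash(user, "none", None, None, locked, not locked)
    if not body.startswith("$"):               # no $id$ prefix: traditional DES crypt
        return ShadowHash(user, "DES", body[:2], None, locked, True)
    parts = body.split("$")                    # ['', id, salt or rounds=N, ...]
    scheme = SCHEMES.get(parts[1], "unknown")
    salt = rounds = None
    if scheme in SALTED_PLAIN and len(parts) > 2:
        salt = parts[2]
        if scheme != "MD5":                    # only SHA-crypt has a tunable round count
            rounds = DEFAULT_ROUNDS
            if salt.startswith("rounds="):
                rounds, salt = int(salt[len("rounds="):]), parts[3]
    return ShadowHash(user, scheme, salt, rounds, locked, scheme == "MD5")

def weak_accounts(lines):
    """Users whose entry is MD5, DES, or an empty unlocked password."""
    return [h.user for h in map(parse_shadow_line, lines) if h.weak]

SAMPLE = [  # first line is the page's example; the rest are constructed
    "root:$6$yRJDeAzg$YuDyESgHmzhqpuB/siFWaNXWZQ.O7KE8foVdmLRDy23xiQnPSXJ2yY5b1MB7VH4MgHGgraiYEKOc4UletZfye/:15104:0:99999:7:::",
    "legacy:$1$Xy12Ab34$CONSTRUCTEDmd5hashvalue:15104:0:99999:7:::",
    "tuned:$5$rounds=100000$Qw34Er56$CONSTRUCTEDsha256hashvalue:15104:0:99999:7:::",
    "daemon:*:15104:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in map(parse_shadow_line, SAMPLE):
        print(entry)
```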

Sources:
http://technet.microsoft.com/en-us/library/dd277300.aspx
http://download.microsoft.com/download/f/4/a/f4a67fc8-c499-461d-a025-8155fb4f7a0f/Windows%20Passwords%20Master%201.5%20Handout%20-%20Jesper%20Johansson.ppt
http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
http://www.arsitech.com/cryptography/windows/password/
http://www.skullsecurity.org/blog/2008/lanman-and-ntlm-not-as-complex-as-you-think
http://www.irongeek.com/i.php?page=security/cachecrack
http://openwall.info/wiki/john/MSCash
http://psyphi.net/blog/2010/05/generating-mscache-ntlm-hashes-using-perl/
http://openwall.info/wiki/john/MSCash2
http://hashcrack.blogspot.com/2010/07/cacheebr-ms-cache-cpu-bruteforcer.html
http://www.digitalpeer.com/id/understanding
