While it is not common, some older environments still use the LM hashing algorithm for some of their credentials. This is typically the case in environments that require backwards compatibility with very old machines.
The LM hashing algorithm is fundamentally flawed in its design for the following reasons:
· Passwords have a maximum length of 14 characters
· Passwords are converted to upper case
· Passwords are broken into two 7 character passwords
These design flaws mean that even if a user has applied good password practice, the hashing algorithm itself reduces the protection it gives them.
When cracking LM hashes, tools such as John the Ripper can be used as we have seen before, following the standard format shown below (the hash is supplied in a file):
john <hashfile> --wordlist=<wordlist> --format=LM
It is important to be aware that the output of cracking an LM password will usually be displayed on two lines, because the hash is split into two 7-character halves.
For example, if Oscar’s password is password, the output of cracking attempts may look like the below:
PASSWOR (Oscar:1)
D (Oscar:2)
This is because Oscar technically has two different passwords of up to 7 characters each. We can see that the second hash contained only 1 character (because password is 8 characters in length). Once an LM hash has been cracked, as a tester we need to use our understanding of the hashing algorithm to recognise that passwor and d are not valid passwords on their own, and that the two halves must be put together. Because LM upper-cases the password before hashing, the combined result only tells us the letters, not the case the user actually typed.
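As an added example (not code from the original page or from John the Ripper), the following Python reproduces the three pre-hash steps listed above and reassembles cracked halves from output in the two-line format shown. The sample output, the user names and the ASCII-only handling of the password are constructed assumptions, and the DES step that follows the split is left out.

```python
import re
from collections import defaultdict
from typing import Optional

LM_MAX_LEN = 14   # anything beyond the 14th character is discarded
LM_HALF_LEN = 7   # each half is hashed on its own

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Apply the LM pre-processing described above: upper-case the password,
    truncate or null-pad it to 14 bytes, and split it into the two 7-byte
    halves that are hashed independently (the DES step itself is omitted).
    Non-ASCII characters are simply replaced here (assumption for this example)."""
    raw = password.upper().encode("ascii", "replace")[:LM_MAX_LEN]
    raw = raw.ljust(LM_MAX_LEN, b"\x00")
    return raw[:LM_HALF_LEN], raw[LM_HALF_LEN:]

# One cracked half per line, in the shape shown above: "PASSWOR (Oscar:1)".
CRACK_LINE = re.compile(r"^(?P<half>.*?)\s*\((?P<user>[^:()]+):(?P<idx>[12])\)$")

def parse_cracked(output: str) -> dict[str, list[Optional[str]]]:
    """Collect each user's cracked halves: index 0 is half 1, index 1 is half 2.
    A half that has not been reported stays None."""
    halves: dict[str, list[Optional[str]]] = defaultdict(lambda: [None, None])
    for line in output.splitlines():
        m = CRACK_LINE.match(line.strip())
        if m:   # anything else is treated as a status line or blank
            halves[m["user"]][int(m["idx"]) - 1] = m["half"]
    return dict(halves)

def full_passwords(halves: dict[str, list[Optional[str]]]) -> dict[str, str]:
    """Join the halves; a user is only listed once both halves are known,
    so a partial crack is never mistaken for a complete (upper-cased) password."""
    return {u: h[0] + h[1] for u, h in halves.items() if None not in h}

# Constructed cracker output for this example (not real results).
SAMPLE_OUTPUT = """\
PASSWOR          (Oscar:1)
D                (Oscar:2)
SUMMER2          (Alice:1)
"""

if __name__ == "__main__":
    print(lm_halves("password"))   # (b'PASSWOR', b'D\x00\x00\x00\x00\x00\x00')
    print(lm_halves("Password") == lm_halves("PASSWORD"))   # True: case is lost
    print(full_passwords(parse_cracked(SAMPLE_OUTPUT)))     # {'Oscar': 'PASSWORD'}
```

Alice's entry is deliberately left with only the first half cracked, so full_passwords reports nothing for her until the second half is known.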