Atelier Web

Trust our experience in High-Power network tools and communication tools.

From NTLM Hashes to Windows Passwords

To this day (i.e. up to Windows 10), NTLM (NT LAN Manager) has been used for Windows logon authentication on stand-alone systems. This protocol has been around since Windows NT 4 SP 4.

Until Windows XP times, another protocol was used for authentication as well: LM (LAN Manager).

One characteristic of both protocols is that Windows does not store the user passwords inside the system; it stores a hash of each password.

The hash is not salted and, in theory, it is always possible to recover the password from the hash (given adequate means, of course).

LM hashes made life relatively easy for password-cracking software, so from Windows Vista onwards the operating system no longer computes or stores LM hashes; only NTLM hashes are used.

In general, NTLM hashes are almost impossible to crack within a reasonable time frame if the corresponding passwords:

  • Are at least eight characters long.
  • Do not contain your user name, real name, or company name.
  • Do not contain a complete word.
  • Contain characters from at least three (preferably 4 or even all) of the following five categories:


    Category                      Example
    Lowercase letters             a, b, c, ...
    Uppercase letters             A, B, C, ...
    Numerals                      0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    Non-alphanumeric (symbols)    ( ) ` ~ ! @ # $ % ^ & * - + = | \ { } [ ] : ; " ' < > , . ? /
    Unicode characters            €, Γ, ƒ, and λ

It is a fact of life that most users choose weak passwords and are not aware that this constitutes a security risk for their systems and, eventually, for the companies they work for.

So it is important, particularly for System Administrators and Forensics Analysts, to have the means to audit the strength of passwords.

At this point there are two questions that need an answer:

  • How to obtain the NTLM hashes from the computers we want to audit.
  • How to work over such NTLM hashes in order to obtain the passwords.

NTLM hashes can be obtained without any effort, across the network, with our tool AWRC Pro from running systems (32-bit or 64-bit).

To crack the passwords from the NTLM hashes there are roughly 3 techniques:

  • Brute-force cracking using a dictionary of common words and a small number of characters. This usually does not work.
  • Rainbow Table cracking. This is an ingenious process but does not work within a reasonable time frame for strong passwords, particularly if they contain Unicode characters.
  • The third technique is to use a database, and this is the approach we use here. Our giant 205 GB Online Database contains over 5 billion passwords from published lists of easy passwords, common passwords, English and foreign-language dictionary words, foreign-language common passwords, and also compilations of short passwords built according to various strategies. If a given NTLM hash has a corresponding password in the database, it will be retrieved in a matter of milliseconds. Moreover, our database grows dynamically with user input, so every day it becomes larger and larger.

How to proceed?

In the box below, NTLM hashes can be entered either as a 32-character hexadecimal string like: 86119259E6CCA5C93D53D2F7F7F44D00 or in PWDump format like: Steve:D478C5B5AB58795A69BCF9B0C065DEBA:86119259E6CCA5C93D53D2F7F7F44D00:::

When you press the Search Passwords button the database will be queried and the results shown almost instantly. Hashes entered in an invalid format will be discarded.
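For an audit of your own systems, the two input formats above and the lack of a salt already show several weaknesses before any lookup is attempted. The following is an added example, not AtelierWeb's code: it validates entries the way the page describes (invalid ones are discarded), accepts PWDump lines with or without the numeric RID field, and flags empty passwords, stored LM hashes and accounts sharing a password. Function names and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of an empty password
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of an empty password, shown when no LM hash is stored

def parse_entry(line):
    """Return (user, lm, nt) for a valid entry, or None if it must be discarded."""
    line = line.strip()
    if HEX32.fullmatch(line):                 # bare 32-character hash
        return (None, None, line.upper())
    parts = line.split(":")
    # PWDump: user name, optional RID, then exactly two 32-hex fields (LM, NT)
    hashes = [p.upper() for p in parts[1:] if HEX32.fullmatch(p)]
    if parts[0] and len(hashes) == 2:
        return (parts[0], hashes[0], hashes[1])
    return None

def audit(lines):
    """Summarise weaknesses visible in the hashes alone, without cracking them."""
    report = {"discarded": [], "empty_password": [], "lm_stored": []}
    by_nt = defaultdict(list)
    for n, line in enumerate(lines, 1):
        entry = parse_entry(line)
        if entry is None:
            report["discarded"].append(n)     # record the line number only
            continue
        user, lm, nt = entry
        label = user or f"line {n}"
        by_nt[nt].append(label)
        if nt == EMPTY_NT:
            report["empty_password"].append(label)
        if lm and lm != EMPTY_LM:
            report["lm_stored"].append(label)
    # No salt: identical passwords always produce identical hashes
    report["shared"] = {h: u for h, u in by_nt.items() if len(u) > 1}
    return report

# First line is the page's own example; the rest are constructed sample data
SAMPLE = [
    "Steve:D478C5B5AB58795A69BCF9B0C065DEBA:86119259E6CCA5C93D53D2F7F7F44D00:::",
    "alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "bob:1002:AAD3B435B51404EEAAD3B435B51404EE:0123456789abcdef0123456789abcdef:::",
    "guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::",
    "86119259E6CCA5C93D53D2F7F7F44D0",        # 31 characters: invalid, discarded
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Accounts listed under `lm_stored` still carry the weaker LM hash, and those under `shared` use the same password as each other, which is visible only because the hash is unsalted.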


Query up to 100 NTLM hashes per day.



© 1999 - 2020 AtelierWeb Software. All Rights Reserved.