I noticed that the LM hash of the same password on WinXP is different than the one on Win 7. Using Metasploit (run hashdump) for example with the password "pass-w0rd", we got the following hashes:
WinXP:
a824903ef6ab871802657a8d8ef025e2:fac374e2461f3e432cd4c560dd183671
On Win 7 systems, they are all different:
ae6b29b9f354a26d6e29f53173b0c7a1:d4dd8cd6f14c445e0a16b3c08a2bf341
or
be7248be0caf22327a7798efba346fb7:1a9d81b177c19a2065eaee8cbe9689ce
Anyone?
A quick Google will answer this question. Also this topic has nothing to do with Backtrack.
Computer security is a temporary condition.
Did you ever find out the answer? This one sparked my curiosity and I sure couldn't find anything out by googling it. I don't have any Windows 7 systems, but it was my understanding that they still don't salt the hash, although LM is disabled by default. On my XP and Vista box the NT hashes match for the same password.
Do you get the same result using pwdump?
Last edited by Kx499; 01-27-2011 at 04:43 PM.
Windows Vista and up uses NTLM for hashing, which is much more secure.
Windows XP and below uses LM hashing, which is very insecure.
Actually, most versions of Windows since Windows NT have supported both hashing protocols, with passwords being stored in both formats. LM hashes have been disabled by default in Vista and above, so unless specifically enabled, passwords will not be stored in LM formats on these systems. There are also settings an admin can use to disable LM storage of passwords in a number of these older Windows systems.
See here.
Last edited by lupin; 01-28-2011 at 03:03 PM.
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
I didn't realize both hash types were used as far back as Windows NT... learn something new every day!
Here's my .02 cents on it: Although the NT hash is a step in the right direction I'd be hard pressed to call it secure until M$ decides to implement a salt. Until then I guess a long password is our best defence in the windows world. I believe anything less than a length of 8 can be cracked pretty easily using rainbow tables right now.
Anyways, I still wonder why the OP is getting different results with hashdump on the two boxes. I noticed a similar question on the Metasploit mailing list, makes me want to go grab a copy of 7 and try it out myself....
Last edited by Kx499; 01-29-2011 at 04:10 AM.
I suggest that someone actually get two Win 7 systems - one 32-bit and one 64-bit - to test out our findings. Notice that both Win 7 and the Win XP were part of the AD domain in our tests, where no specific Group Policy was set to disable LM authentication. We used the Metasploit psexec exploit with the "Domain Admin" account and password to "compromise" all 3 systems. When in the meterpreter sessions, run the "run hashdump" script. Now you will see none of the three hashes (LM:NTLM hashes) are the same.
Let's assume for a moment that the Win 7 systems only allow NTLM authentication; then why is even the NTLM part of the hashes from the Win 7 systems different? Check it out.
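Two things in this thread can be checked locally rather than argued about: Kx499's point that the NT hash is unsalted (the same password always gives the same NT hash, on any box), and lupin's point that Vista and later no longer store an LM hash by default. The script below is an added example, not code from the thread or from Metasploit/pwdump. It implements MD4 in pure Python (hashlib's md4 is often missing on OpenSSL 3 builds), computes the NT hash as MD4 over the UTF-16LE password, and audits dump lines for a stored LM hash by comparing the LM field against the well-known empty-password LM value. The dump lines, usernames and RIDs in SAMPLE_DUMP are constructed for the example; the page's own hashes are not claimed to be the output of any particular password.

```python
import struct

MASK32 = 0xFFFFFFFF

# LM hash of the empty string: this is what pwdump/hashdump shows in the LM
# field when the host does not store LM hashes (the Vista+ default).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(v, s):
    v &= MASK32
    return ((v << s) | (v >> (32 - s))) & MASK32


def _md4_block(state, block):
    """Run the three RFC 1320 rounds over one 64-byte block."""
    x = struct.unpack("<16I", block)
    a, b, c, d = state
    f = lambda p, q, r: (p & q) | (~p & r)
    g = lambda p, q, r: (p & q) | (p & r) | (q & r)
    h = lambda p, q, r: p ^ q ^ r
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for fn, const, shifts, order in rounds:
        for i, k in enumerate(order):
            a = _rotl(a + fn(b, c, d) + x[k] + const, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate the working variables
    return [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): pad to 56 mod 64, append 64-bit LE bit length."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, bytes(msg[off:off + 64]))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); there is no salt, so it is deterministic."""
    return md4(password.encode("utf-16-le")).hex()


def audit_dump_line(line: str) -> dict:
    """Classify one dump line, either 'user:rid:LM:NT:::' or a bare 'LM:NT' pair."""
    fields = [f.strip().lower() for f in line.strip().split(":")]
    hexes = [f for f in fields if len(f) == 32 and all(ch in "0123456789abcdef" for ch in f)]
    if len(hexes) < 2:
        return {"line": line.strip(), "valid": False}
    lm, nt = hexes[0], hexes[1]
    return {
        "line": line.strip(),
        "valid": True,
        "lm": lm,
        "nt": nt,
        # A real LM hash in the field means LM storage is still enabled on that host.
        "lm_stored": lm != EMPTY_LM_HASH,
    }


def users_with_lm_stored(lines):
    """Return the first field (username, or LM hash on bare lines) of every line carrying a real LM hash."""
    return [r["line"].split(":")[0] for r in map(audit_dump_line, lines) if r.get("lm_stored")]


# Constructed sample dump lines (hypothetical users and RIDs).
SAMPLE_DUMP = [
    # LM storage disabled: LM field is the empty-password marker.
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    # LM storage enabled: a real LM hash is present alongside the NT hash.
    "bob:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
]


if __name__ == "__main__":
    print("NT hash of 'pass-w0rd':", nt_hash("pass-w0rd"))
    print("users with LM hashes stored:", users_with_lm_stored(SAMPLE_DUMP))
```

Running nt_hash("pass-w0rd") on any machine gives one fixed value, which is the "no salt" property: if two hosts really hold the same password for the account, their NT fields must match this output, and a mismatch points at the input (a different password, or a stale/cached credential) rather than at hashing. The LM audit is the defender's side of lupin's remark: any line that is not flagged as the empty-LM marker belongs to a host where LM storage has not been disabled by policy.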