What is aad3b435b51404eeaad3b435b51404ee?

Posted on 2013/07/26 by Felix

The short answer is that it is a cryptographically hashed representation of a password.

The blank LM hash

The string “aad3b435b51404eeaad3b435b51404ee” is the LM hash for ‘no password’.  In other words, its empty.  Typically it could be seen at the top of a hash dump from windows and would look something like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8118cb8789b3a147c790db402b016a08:::

(before anyone asks – no, that’s not a real administrator hash)

What format is a pwdump in?

That excerpt is from a pwdump file generated by a tool commonly used in penetration tests and other cyber security assessments. It is just text-based output and so is just about human readable. The pwdump file has the following format:

<Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:

More details about the LM hash

The hash above indicates that there is no LM hash for that user, but that there is an NTLM hash.  Typically if you see lots of  “404ee” at the end of the LM part you are up against a Windows 2008 (or later) domain which never required backwards compatibility.  This is because LM hashes are very easy to crack and are now considered obsolete. For this reason they are disabled by default in newer installations.  The file format still has them for backwards compatibility.

You might have also noticed that these is some repitition in the LM hash:

aad3b435b51404eeaad3b435b51404ee

In the LM hash above there are two sets of “aad3b435b51404ee”. This repetition is present because in Microsoft systems, this hash is actually two different hashes concatenated together. The result of this repetition from a user’s perspective is that their password is split into two chunks at a maximum length of 7 characters each and only contains uppercase characters. Both of these qualities make LM hashes very easy to crack.

The blank NTLM hash

The following text is the same thing, but for the newer NTLM hash:

31d6cfe0d16ae931b73c59d7e0c089c0

The blank hash in a Linux shadow file

Similarly, on Linux the following shows a user account with a blank password in the shadow file:

guest:U6aMy0wojraho

Linux is much more capable that Microsoft Windows in this area and so the ways to represent a user with a blank password can vary.

More reading…

If you are still interested in this topic, you can find lots of detail in this Wikipedia article.

This entry was posted in How do I test for ..., Lessons Learnt. Bookmark the permalink.