Q1: Why does Hybrid mode appear to be super slow? The status bar only shows a new word being cracked against every few seconds.
Hybrid mode can "appear" to be slow in environments where there are no LANMAN hashes. In reality, the number of crypts/sec remains relatively constant in hybrid mode. The options in Hybrid mode very quickly and drastically increase the number of word variants that LC is comparing against.
Assuming the default of two (2) letters appended in hybrid mode, this immediately increases the tests per word by 1225 permutations (35^2).
Now let's assume a very low-ball estimate on the number of substitutable letters (if you had that box checked in the session options) and assume there were 4 substitutable characters. This produces 16 more variants.
Without LANMAN hashes, L0phtCrack also needs to perform case sensitivity checks. Assuming a 7-character word is being tested, this is another 128 variants (2^7).
As you can see in this trivial example, 1225 * 16 * 128 = 2,508,800 message digest attempts, and this would be for a "single" word in our progress display.
By comparison, if a LANMAN hash were present, this would only require 1225 * 16 = 19,600 attempts to determine the case-insensitive password, and then an additional 2^strlen checks (strlen may be only up to 7, as LANMAN breaks the password into two 7-character chunks) to derive the case-sensitive variant. Assuming a 7-character word, this would be 19,600 + 128 = 19,728. If a LANMAN hash is not present, we're back to having to run through more than 2 million.
Certain words have more substitutable characters than others, and the length of the word also directly affects the case sensitivity checks (2^strlen checks).
The numbers in this example aren't "precisely" accurate and there are some subtle variations that are performed for optimizations, but in general this is how things work and why the hybrid mode may appear to be very slow if there are no LANMAN hashes available.
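The two search strategies described above, as an added example that is not L0phtCrack code: it counts hash attempts for one dictionary word with and without a case-insensitive hash available. The 35-symbol suffix alphabet, the substitution map, the function names and the SHA-256 stand-ins for the LANMAN and NT hashes are all assumptions made for illustration.

```python
import hashlib
from itertools import product

# Assumptions, not L0phtCrack internals: a 35-symbol suffix alphabet, a small
# substitution map, and SHA-256 stand-ins for the real LANMAN and NT hashes.
SUFFIX_CHARS = "abcdefghijklmnopqrstuvwxyz123456789"
SUBS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

def nt_like(pw):   # case-sensitive stand-in for the NT hash
    return hashlib.sha256(pw.encode()).hexdigest()

def lm_like(pw):   # case-insensitive stand-in: upper-cases first, like LANMAN
    return hashlib.sha256(pw.upper().encode()).hexdigest()

def base_variants(word, n_suffix=2):
    """Lower-case word x every substitution choice x every appended suffix."""
    pools = [(c, SUBS[c]) if c in SUBS else (c,) for c in word.lower()]
    for stem in product(*pools):
        for suffix in product(SUFFIX_CHARS, repeat=n_suffix):
            yield "".join(stem + suffix)

def case_variants(cand, stem_len):
    """Upper/lower combinations of the letters in the dictionary-word part."""
    pools = [(c, c.upper()) if i < stem_len and c.isalpha() else (c,)
             for i, c in enumerate(cand)]
    return ("".join(p) for p in product(*pools))

def audit_nt_only(word, nt_target, n_suffix=2):
    """No LANMAN hash: every base variant needs every case variant hashed."""
    tries = 0
    for base in base_variants(word, n_suffix):
        for cand in case_variants(base, len(word)):
            tries += 1
            if nt_like(cand) == nt_target:
                return cand, tries
    return None, tries

def audit_with_lm(word, lm_target, nt_target, n_suffix=2):
    """LANMAN present: find the case-insensitive match, then fix case once."""
    tries = 0
    for base in base_variants(word, n_suffix):
        tries += 1
        if lm_like(base) == lm_target:
            for cand in case_variants(base, len(word)):
                tries += 1
                if nt_like(cand) == nt_target:
                    return cand, tries
    return None, tries
```

For the constructed word "pass", exhausting the space costs 9,800 attempts when the case-insensitive hash is available and 66,150 when it is not, because the case variants multiply the work instead of being added once at the end.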
Q2: When doing a pentest, you might end up with several thousand accounts. Is there any way to weed out the accounts you do not want audited?
At the moment, the best way is to select all accounts (Ctrl-A, or click the first and shift-click the last), then hold Ctrl and deselect the ones you do want to audit. Hit the Delete key, and the accounts that you don't want to audit will disappear, leaving you with the ones you want to crack. There's no way to 'deactivate cracking' on particular users at the moment other than this removal method.
Q3: What do the risk levels (ratings) of High, Medium, and Low mean?
The risk ratings signify the type of attack that was able to determine the password. Attacks requiring more time and compute effort to successfully accomplish result in lower risk levels.
Attacks that are easier to accomplish result in a higher risk rating.
For L0phtCrack 6 this results in the following types of ratings:
High Risk - password was found through dictionary attacks
Medium Risk - password was found through Hybrid attacks
Low Risk - password was found through exhaustive attacks (brute force etc.)
Q4: Can I run Scheduled Audits and/or Scheduled Tasks in the Consultant version?
No. Schedule functions (Schedule Audit and Schedule Tasks) are available only in the Administrator licensed version. The different license capabilities are listed on the purchase page.
They are listed here as well although the web page should be considered the more definitive source.
All versions of L0phtCrack include:
Brute force support
International character support
Password quality scoring
Windows & Unix support
Remote system scans
500 User Accounts (Professional Version)
Administrator version adds:
Pre-computed hash (rainbow) table support
Consultant version adds:
Multi-client installation with one license
Q5: I launch LC6 and the splash screen appears but the program does not run.
There are two things that seem to address this issue. First, reboot the system. If that does not fix the problem, you may also try disabling UAC (User Account Control) in Vista / Windows 7.