Elliott C. Back: Technology FTW!

Cracking Windows Passwords with Ophcrack and Rainbow Tables

Posted in Computers & Technology, Cracking, Hacking, Hashes, Microsoft, Password Hashes, Passwords, Security, Windows, XP by Elliott Back on April 26th, 2006.

This is a guide to cracking local account passwords on Windows XP and 2000; the hash format involved goes back to LAN Manager and was also used by Windows 95 and 98, so the same weakness applies wherever it is stored. As you know, passwords are stored in Windows in a weak hash form, the older of which is called the LM (LAN Manager) hash. The password is converted to uppercase, truncated or NUL-padded to 14 characters and split into two 7-character halves; each half is used as a DES key to encrypt the fixed string "KGS!@#$%", and the two 8-byte results are concatenated. Because the halves are hashed independently and case is discarded, an attacker has to search roughly 2^37 possible 8-byte half-hashes instead of about 2^83 possible 16-byte hashes of a mixed-case 14-character password, and a password of 7 characters or fewer has a constant second half (AAD3B435B51404EE), which gives its length away at a glance. All of this is good news for an attacker looking to break a password.

The tool we'll be using is Ophcrack, an open-source password cracker. The technique it uses to break Windows passwords is the "rainbow table", a cryptanalytic time-memory trade-off described by Philippe Oechslin in Making a Faster Cryptanalytic Time-Memory Trade-Off. Roughly: ahead of time, the attacker builds long chains that alternate the hash function with a "reduction" function mapping a hash back to some candidate password, using a different reduction in each column of the chain, and keeps only each chain's start and end point. To crack a hash, it is reduced and re-hashed the same way until it reaches a stored end point; the matching chain is then regenerated from its start point, and the password is the candidate that hashed to the target. The precomputation is paid once per table, and each later lookup costs a small fraction of a brute-force search.
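The two ideas above, the LM construction and a rainbow-table lookup, in runnable form. This is an added example for this page, not code from Ophcrack or from the original post. The LM part follows the real algorithm: the "KGS!@#$%" constant and the 7-to-8-byte DES key expansion are the standard ones, and Go's crypto/des supplies the cipher. The rainbow table is deliberately a toy: the keyspace is shrunk to four uppercase letters, and the chain length, chain count, start-point spacing (multiples of 7919) and reduction function are choices made for this example, not Ophcrack's.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

var lmMagic = []byte("KGS!@#$%") // the constant every LM half-key encrypts

// desKey7to8 spreads 56 key bits over 8 bytes; the low (parity) bit of each byte is ignored by DES.
func desKey7to8(k [7]byte) []byte {
	out := make([]byte, 8)
	out[0], out[7] = k[0]&0xFE, k[6]<<1
	for i := 1; i <= 6; i++ {
		out[i] = k[i-1]<<(8-i) | k[i]>>i&0xFE
	}
	return out
}

// HashHalf is the 8-byte LM half-hash: the uppercased, NUL-padded 7-byte half is the DES key, the hash is DES_key(lmMagic).
func HashHalf(half string) [8]byte {
	var key [7]byte
	copy(key[:], strings.ToUpper(half)) // copies at most 7 bytes
	c, err := des.NewCipher(desKey7to8(key))
	if err != nil {
		panic(err) // unreachable: the key is always 8 bytes
	}
	var out [8]byte
	c.Encrypt(out[:], lmMagic)
	return out
}

// LMHash is the hex LAN Manager hash: at most 14 characters, hashed as two independent halves.
func LMHash(password string) string {
	p := (password + strings.Repeat("\x00", 14))[:14] // NUL-pad, or truncate, to 14
	a, b := HashHalf(p[:7]), HashHalf(p[7:])
	return strings.ToUpper(hex.EncodeToString(append(a[:], b[:]...)))
}

// Toy rainbow table over one LM half, shrunk to 4 uppercase letters (26^4 candidates) so it builds in about a second.
const (
	alphabet  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	plainLen  = 4
	keyspace  = 26 * 26 * 26 * 26
	chainLen  = 150  // hash/reduce steps per chain
	numChains = 1000 // chains; only their start and end points are stored
)

// IndexToPlain encodes n mod keyspace as a plainLen-letter candidate.
func IndexToPlain(n uint64) string {
	b := make([]byte, plainLen)
	for i := plainLen - 1; i >= 0; i-- {
		b[i], n = alphabet[n%26], n/26
	}
	return string(b)
}

// Reduce maps a half-hash back into the keyspace; a different reduction per column is what makes the table "rainbow" and limits chain merges.
func Reduce(h [8]byte, col int) string {
	return IndexToPlain((binary.LittleEndian.Uint64(h[:]) + uint64(col)) % keyspace)
}

// BuildTable is the one-time precomputation; the map goes from chain end point to the start points of every chain ending there.
func BuildTable() map[string][]string {
	t := make(map[string][]string, numChains)
	for c := 0; c < numChains; c++ {
		start := IndexToPlain(uint64(c) * 7919) // deterministic, well-spread starts (assumption of this example)
		p := start
		for col := 0; col < chainLen; col++ {
			p = Reduce(HashHalf(p), col)
		}
		t[p] = append(t[p], start)
	}
	return t
}

// Lookup recovers the plaintext behind target, or false when the table does not cover it (coverage is probabilistic).
func Lookup(t map[string][]string, target [8]byte) (string, bool) {
	for col := chainLen - 1; col >= 0; col-- {
		p := Reduce(target, col) // assume target sits in this column ...
		for j := col + 1; j < chainLen; j++ {
			p = Reduce(HashHalf(p), j) // ... and finish the chain from there
		}
		// An end-point hit can be a false alarm from a merged chain, so regenerate and insist on seeing target.
		for _, start := range t[p] {
			for q, j := start, 0; j < chainLen; j++ {
				h := HashHalf(q)
				if h == target {
					return q, true
				}
				q = Reduce(h, j)
			}
		}
	}
	return "", false
}

func main() {
	fmt.Println("LM(\"password\") =", LMHash("password"))
	fmt.Println(Lookup(BuildTable(), HashHalf("AAAA")))
}
```

Two LM vectors worth remembering: LMHash("") is AAD3B435B51404EEAAD3B435B51404EE, and LMHash("password") is E52CAC67419A9A224A3B108F3FA6CB6D, identical to LMHash("PASSWORD") because case is discarded; its first 16 hex digits are the hash of "PASSWOR" alone, which is why each half can be attacked on its own. In Lookup, walking the columns from last to first costs at most about chainLen squared over two hash operations per target, against 26^4 for brute force over the toy keyspace; what the table does not cover it simply misses, which is the kind of failure the 6/7 result later in this post shows.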

Please note that federal law prohibits the possession of unauthorized access codes to computer systems. If you want to try cracking passwords, please obtain hashes from your own machine, or use the example hashes I provide here.

1) Setting up shop

The first thing you need is the software and a rainbow table set. Download Ophcrack 2.2 from SourceForge, then browse to LASEC to download the SSTIC04-5k rainbow table. You'll need a significant amount of memory to load this table; if you have less than 1 GB of RAM, try the smaller table.

The installation of Ophcrack 2.2 should go smoothly. Make sure you choose to download the tables separately:

ophcrack-installer.jpg

You'll notice a lot of GTK* files being installed; that's nothing to worry about. GTK is the GIMP Toolkit, a library for building graphical interfaces that is most familiar from Linux programs; Ophcrack's user interface is written with it.

2) Dude, where’s my hash?

Now that you’ve got Ophcrack and rainbow tables installed, you’ll need hashes. There are three places to find them on Windows XP:

  • In the SAM hive file, C:\windows\system32\config\SAM (with the SYSTEM hive beside it). While Windows is running this file is locked against every account, Administrator included; only the special System account holds it open.
  • In a backup copy, C:\windows\repair\SAM, written at installation or by the rdisk repair tool; it holds whatever the passwords were at the time it was made, so it may be stale.
  • In the registry, under HKEY_LOCAL_MACHINE\SAM, whose keys are by default readable only by the System account.

This doesn't look good for retrieving the Windows hashes! To work around the built-in Windows protections, we can recover hashes by the following techniques:

  • Boot to Linux and copy the SAM and SYSTEM hive files directly from C:\windows\system32\config. Both are needed: since Windows 2000 the hashes inside SAM are additionally encrypted (SYSKEY) with a key derived from the SYSTEM hive, and a loader that takes the whole config folder (the "from encrypted SAM" option mentioned in the comments below) undoes that for you. This is probably too troublesome for most users, but with a live CD it's trivial.
  • Run pwdump2, which is included with Ophcrack, to dump the hashes out of the running system. It works by injecting a DLL into the LSASS process and reading the hashes through it, so it must be run from an Administrator account. If you didn't change any settings, it should be installed in C:\Program Files\ophcrack\win32_tools. Here's an example session from the command line (Start, Run, type "cmd" and hit Enter):

C:\Documents and Settings\Elliott Back>cd "C:\Program Files\ophcrack\win32_tools"
C:\Program Files\ophcrack\win32_tools>pwdump2
Administrator:499:aabbcc:3311dd:::
Elliott Back:234:aabbcc:3311dd:::
C:\Program Files\ophcrack\win32_tools>

pwdump prints one line per account in the form username:RID:LM hash:NT hash:::, and the two hex fields are what Ophcrack consumes. Naturally, I've censored the hashes and the number of users. If you'd like some hashes to play with, here are hashes for users with passwords varying in length from 1 to 7 characters: test-hashes.txt.
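Before loading a dump into Ophcrack it is worth reading what the LM field alone says about each account. The following is an added example, not part of the original post or of Ophcrack: it parses the pwdump line format described above and classifies each account by its LM hash. The sample dump is constructed for this example; Administrator carries the well-known LM and NT hashes of "password", Guest the hashes of an empty password, and the account "short" the LM hash of "passwor" with a placeholder (all-zero) NT field, since only the LM field matters here.

```go
package main

import (
	"fmt"
	"strings"
)

// emptyHalf is the LM half-hash of seven NUL bytes, i.e. of "no characters at all".
const emptyHalf = "AAD3B435B51404EE"

// Account is one line of pwdump output: user:RID:LM hash:NT hash:::
type Account struct {
	User, RID, LM, NT string
}

// ParsePwdump splits a pwdump-format dump into accounts, rejecting malformed lines.
func ParsePwdump(dump string) ([]Account, error) {
	var out []Account
	for n, line := range strings.Split(dump, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) < 4 || len(f[2]) != 32 || len(f[3]) != 32 {
			return nil, fmt.Errorf("line %d: expected user:RID:LM:NT:::, got %q", n+1, line)
		}
		out = append(out, Account{f[0], f[1], strings.ToUpper(f[2]), strings.ToUpper(f[3])})
	}
	return out, nil
}

// Triage says what the LM hash gives away before a single table is loaded.
func Triage(a Account) string {
	switch {
	case len(a.LM) != 32:
		return "malformed LM field"
	case a.LM == emptyHalf+emptyHalf:
		return "no LM hash stored (blank password, LM disabled, or >14 chars): NT hash only"
	case a.LM[16:] == emptyHalf:
		return "password is 1-7 characters: only the first half needs cracking"
	default:
		return "password is 8-14 characters: crack both halves, then join them"
	}
}

// sampleDump is constructed for this example (see the lead-in for what each line is).
const sampleDump = `
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
short:1001:E52CAC67419A9A22AAD3B435B51404EE:00000000000000000000000000000000:::
`

func main() {
	accts, err := ParsePwdump(sampleDump)
	if err != nil {
		panic(err)
	}
	for _, a := range accts {
		fmt.Printf("%-14s RID %-4s %s\n", a.User, a.RID, Triage(a))
	}
}
```

The second case is the one to watch for on newer systems: when the LM field is the empty constant twice, there is nothing for an LM table to find and only the NT hash is left, which a 2006-era Ophcrack table set does not cover.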

3) Let’s get cracking!

Hashes in hand, start up Ophcrack:

ophcrack-run-01.jpg

Then click "Load", "PWDump file", and select either the hashes you got from pwdump2, my sample hash file, or some other source of SAM hashes:

ophcrack-run-02.jpg

The last thing we need to do is load our rainbow tables. Click “Tables” and select the location and type of rainbow hash table you’re using, in our case the 5k tables:

ophcrack-run-03.jpg

Now you can click the big “Launch” button and wait. It will first load the tables (0-3 in my case) into memory, a process that takes several minutes. When this is complete, it will begin trying passwords:

ophcrack-run-04.jpg

The final screen gives a breakdown on how long it takes to actually find these passwords–some of which are quite hard:

ophcrack-run-05.jpg

All in all, it took 178 seconds on average to crack a Windows password, about 3 minutes per hash. In the process it performed 89,030,630 hash-redux calculations (hash-then-reduce steps along table chains) and 199,548 fseek operations. It also couldn't find the password for one of the hashes, which is to be expected: a rainbow table is deterministic, but its coverage of the keyspace is probabilistic and always below 100%, and it is zero for any password containing a character outside the alphabet the table was generated for, so some lookups fail even on short passwords. Still, our success rate of 6/7 or 86% is high.

Conclusion

Now you know how to crack windows passwords. When is this a good idea?

  1. When you buy a computer on Ebay and the owner forgets to give you an Admin account
  2. When you forget your password
  3. When a friend forgets their password
  4. When the security of the country is in danger

When is this a bad idea?

  1. When you buy a computer from government surplus and want to find its secrets
  2. When you want to hack up your friends
  3. When your little sister’s account is too tempting
  4. When you go visit your girlfriend’s dorm room

Another problem with releasing a tool like Ophcrack is that it becomes usable by anyone; in fact, a guide or tutorial like this one makes it easier still. Pretty much anyone can crack any Windows password now, which could be a problem if used the wrong way. However, Windows LM hashes are insecure by design; there are dozens of other tools to crack Windows passwords. Ophcrack is just the fastest.

This entry was posted on Wednesday, April 26th, 2006 at 5:28 pm and is tagged with philippe oechslin, cracking passwords, windows passwords, memory trade, cracking windows, linux programs, time memory, lan manager, graphical tool, graphical interfaces, hashes, access codes, sourceforge, ophcrack, brute force, chunks, attacker, tool kit, unauthorized access, hash. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback.

Viewing 67 Comments

    Or use Winternals ERD Commander (400 bucks, I believe) to change the admin password in no time. So MS does have a backdoor for "trusted" parties to get into Windows. Doesn't matter, I have my stuff on GDrive but will probably move it off somewhere if the Chinese government starts asking Google like they did with Yahoo.
    Lots of (free, even) apps will simply reset an admin password and let you log in. This is relatively trivial. However, EFS-encrypted folders etc. will be lost. This is where you would want to recover the current passwords, or you'd basically lose all hope of ever accessing said folders. Or how about for intrusion: the user would be alerted because the password was changed.
    Sir,

    I saw your cracking tutorial on http://elliottback.com/wp/archives/2006/04/26/c... and I downloaded the live CD and burned it CORRECTLY as an ISO image and wanted to test it on my desktop. I went into the BIOS and set it to start from CD-ROM and it loaded the LIVE CD interface and then it said something like "Uncompressing Linux,... Ok,"

    and it would FREEZE right there and DO NOTHING for half an hour. I tested it (the same CD) on my laptop and it worked PERFECTLY!

    My desktop system is a Compaq Presario, Windows XP Home Edition Version 2002 Service Pack 2, AMD Sempron processor 3200+, 1.79GHz and 960MB RAM.

    Can you please tell me why the Live CD will not boot up and work on my Desktop?

    My laptop is a DELL and it works perfectly on it.

    Thanks,
    Bo
    Blazing fast, works good on Windows server 2003!
    It is also possible to avoid downloading rainbow tables separately, by choosing "Download alphanumeric tables from Internet" while installing ophcrack - works flawlessly too.
    I have a network; I can see some systems in Network Neighborhood.
    How can I get into them?
    To Bo Chen,
    The reason linux won't work on your computer is that it is a Compaq, and everyone knows that they are crap.
    One question: using Ophcrack, can I use other rainbow tables? I've downloaded a set of 6 tables including special chars. How can I use these with Ophcrack, or does it only work with the specified char sets? Basically I've got 6 2GB tables:
    lm_all_1-7_0_J_ATHIAS_all.rt
    lm_all_1-7_1_J_ATHIAS_all.rt
    etc. to
    lm_all_1-7_5_J_ATHIAS_all.rt

    but can I get the buggers loaded?

    Any help gratefully received.

    Thx
    I have one question. Let's say I forget my AOL password; can you find that password file and crack that?
    How good is Ophcrack as against other password cracking software. Probably a comparison would help.
    I don't think you can use other Rainbow tables like lm_all_1-7_5_J_ATHIAS_all.rt with ophcrack because the tables made for ophcrack are perfect rainbow tables which are way faster in the cracking process than regular ones. Starting from version 2.3 Ophcrack also supports NTLM hash.
    I am searching for somebody who can help me to get the password of the following Hotmail account

    didierschi@hotmail.com

    Nobody can help me?
    This is a vital loving reason

    Thank you
    Paolo
    I copied the SAM file from c:\windows\system32\config to a separate dir, using a bootable NTFSDOS floppy (freeware, writes to floppies), but I CAN'T GET my hashes. What software do I use for this? I don't have admin rights and pwdump2 does NOT work. I need help. I can provide the SAM file (262 kb).
    Paolo, you have no idea what you're talking about. You can't get a hash of a Hotmail password, and this page is not about that kind of cracking.
    Ok, I did everything I possibly could; now Tom will not answer my emails at all. I keep having someone hack into my MySpace account and it is truly getting on my nerves, and he will not help me. I tried and tried to create something complex enough that they can't get it but simple enough for me to remember it. I sent (or clicked) the "I forgot my password" thingy and it was supposed to email it to me. Can someone help me get my password without messing with my fan numbers? I know this is like totally way out on the limb of trust, but you guys have no reason to delete my account or mess with my number. Can someone help me? My sign-in is care26t@aol.com and this is on MySpace. Please help before I lose my friggin' mind!!!!! You can email me at sexypink29@yahoo.com
    It is easy to crack the password with Ophcrack, but getting the hashes to crack is the hard bit. An easy way to work around this is to download Linux at this site http://www.slax.org/download.php, then burn the image to a CD using your favourite CD burner, e.g. Nero. Once the CD is ready, make sure you have a USB drive handy. Go find your target computer; if it is on, insert the CD and restart the computer; if not, turn on the computer and very quickly put the CD in. The computer should now start booting with Linux. If it does not, go into the BIOS and tell the computer to boot from CD before the hard disk.

    Once the computer is booting from CD, only type in stuff when it tells you to. It will ask for a login and password; if you look at the top of the screen, it tells you what to type in there. Then type in startx and press Enter. Linux will load into a nice GUI that is similar to what Windows looks like. Now insert your thumb drive, click on the icon that looks like My Computer, then click Storage and go into the hard disk which has Windows installed on it (usually C:\). Now go into windows, then system32. Once you have done this, open another window, go into Storage and select your USB drive. Now go back to the other window, find config and drag it into the other window. A menu will pop up; select "copy here". DO NOT SELECT MOVE OR THE COMPUTER MAY NOT START UP BACK INTO WINDOWS. Safely eject your thumb drive, then put it back in the computer and have a look to see if the config folder copied, by going into the USB drive and opening the config folder. If down the bottom it says something like "total files 20MB", it copied correctly; if it says 0 KB it did not work, so try to copy it again.
    Now press the restart button and get the CD back out.
    Now go to another computer you have access to and start using Ophcrack. When you press Load, select "from encrypted SAM" and select the config folder on your USB drive. Now load tables and press Launch and wait until the password is cracked. If it fails, download this cracking program from http://www.lcpsoft.com/english/index.htm; this will use brute force, so it can take hours or even days, but it will probably crack it.
    So I actually used the live CD for Ophcrack; however, my original password was revealed and not the updated one, which had additional characters added to it. My question is, what do I need to do for the entire phrase to show up? Because it's not showing the additional characters, which I have forgotten. Help?! Thanks!
    If I were you I would use a brute force password cracker. I downloaded one but it is on a DVD and I do not have access to a DVD reader, but when you do get one, remember to look in the options and ensure it is going to test all characters (on the one I got you could enter the characters you wanted it to test for). Also I would look for a program that resets the password; I am not sure if they only reset admin passwords.
    Also, if when you log in you click on a picture and enter the password, then to get logged in as the admin give it the old Ctrl+Alt+Del twice over and a box should come up. For the login type administrator (make sure you spell it correctly; I am not sure if that is correct) and now just press Enter with no password and you should be in. Create a new account and, if you can as the admin, copy all your important files over to the new account and delete your old one (I don't know how to delete an account, and if you can't delete the files from that account you will have to work out for yourself how to get the programs over if you need to). If the admin account does not have rights to your old account, then boot with Linux like I said above and copy the files into another place, i.e. a thumb drive or maybe onto a different part of the HD that your new account has access to.
    Ok, so I really don't know what to do. I tried the NT offline password program and it didn't do anything either. At first it just showed the admin and my account to be locked and disabled. Every time I tried it, it still took me back to the login screen expecting me to remember the password even though I had selected to blank it (which only showed the guest account to be blanked, but not accessible on the login screen).

    I really don't know what to do. I am the administrator. I think my laptop just doesn't like me anymore. Which other programs or suggestions would you advise? Ophcrack sure didn't work. I want to be able to log in in such a way without having to reformat it. Is this possible?
    Update for those who care: I tried the NT program again and it worked. I noticed something funky though. I had changed the password (sort of reverted to the original phrase without the additional characters). This morning, I seemed to have been locked out of it again! So now I'm in and left it without a password. I'm wondering if this is going to happen each time I put in a password, or if it only happened because it was similar to the previous one? Any ideas?
    Download Ultimate Boot CD for Windows (UBCD4Win) build a boot CD,run "Password renew", create new administrator account.
    I installed Ophcrack and downloaded the rainbow tables, and now the only thing I need is the password hash files. The problem is that I don't know how to run pwdump6 on my computer. I did what the instructions above tell me to, but in the cmd window it says it's not recognized and I can't open the pwdump6 exe.