This is a guide for cracking passwords in Windows under XP, 2000, 98, and 95, all of which use roughly the same architecture. As you know, passwords are stored in windows in a weak hash form, the first kind of which is called the LM (Lan Manager) Hash. Passwords longer than 7 characters are broken up into 7-character chunks, made uppercase, and then hashed with DES. This means there are only about 237 8-bit hashes instead of 283 16-bit hashes; a good thing for an attacker looking to break a password.
The tool we’ll be using is called Ophcrack, an open-source password cracker. The technology it uses to break Windows passwords is called “rainbow tables” and was described by Philippe Oechslin in Making a Faster Cryptanalytic Time-Memory Trade-Off. A rough way to describe this technique is to say that tables of possible hashes are precomputed so that you can iteratively compare the windows hashes to precomputed bits and piece together the hash and its value more quickly than brute-force guessing.
Please note that federal law prohibits the possession of unauthorized access codes to computer systems. If you want to try cracking passwords, please obtain hashes from your own machine, or use the example hashes I provide here.
1) Setting up shop
The first thing you need is the software and rainbow table sets. You can download Ophcrack 2.2 from Sourceforge, and then browse to LASEC to download the SSTIC04-5k rainbow table. You’ll need a significant amount of memory to load this rainbow table. If you have less than 1 GB of RAM, try the smaller table.
The installation of Ophcrack 2.2 should go smoothly. Make sure you choose to download the tables seperately:
You’ll notice a lot of GTK* files being installed–that’s nothing to worry about. GTK is the Graphical Tool Kit, a way for linux programs to create graphical interfaces.
2) Dude, where’s my hash?
Now that you’ve got Ophcrack and rainbow tables installed, you’ll need hashes. There are three places to find them on Windows XP:
- In the folder C:\windows\system32\config. This folder is locked to all accounts (including an Administrator account) while running, except the special System account.
- In a SAM file from C:\windows\repair if rdisk has ever run
- In the registry, under HKEY_LOCAL_MACHINESAM, which is locked to all accounts
This doesn’t look good for retreiving the windows hashes! Well, to work around the built-in windows protections, we can recover hashes by the following techniques:
- Boot to linux and copy the file directly from C:\windows\system32\config. This is probably too troublesome for most users, but with a liveCD it’s trivial.
- Run pwdump2, including in Ophcrack, to trick out the registry values. If you didn’t change any settings, it should be installed in C:\Program Files\ophcrack\win32_tools. Here’s an example session from the command line (start, run, type “cmd” and hit enter):
C:\Documents and Settings\Elliott Back>cd “C:\Program Files\ophcrack\win32_tools”
Naturally, I’ve censored the hashes and the number of users. If you’d like some hashes to play with, here are hashes for users with passwords varying from length from 1 to 7 characters long: test-hashes.txt.
3) Let’s get cracking!
Hashes in hand, start up Ophcrack:
Then click “load, PWDump file,” and select either the hashes you got from pwdump2, my sample hash file, or some other source of SAM hashes:
The last thing we need to do is load our rainbow tables. Click “Tables” and select the location and type of rainbow hash table you’re using, in our case the 5k tables:
Now you can click the big “Launch” button and wait. It will first load the tables (0-3 in my case) into memory, a process that takes several minutes. When this is complete, it will begin trying passwords:
The final screen gives a breakdown on how long it takes to actually find these passwords–some of which are quite hard:
All in all, it took 178 seconds on average to crack a windows password–only 3 minutes per hash! In the process it performed 89,030,630 hash-redux calculations and 199,548 fseek operations. It also couldn’t find the password for one of the hashes, which is to be expected. Rainbow tables are non-deterministic and won’t always work. Still, our success rate of 6/7 or 86% is high.
Now you know how to crack windows passwords. When is this a good idea?
- When you buy a computer on Ebay and the owner forgets to give you an Admin account
- When you forget your password
- When a friend forgets their password
- When the security of the country is in danger
When is this a bad idea?
- When you buy a computer from government surpluss and want to find its secrets
- When you want to hack up your friends
- When your little sister’s account is too tempting
- When you go visit your girlfriend’s dorm room
Another problem with releasing a tool like Ophcrack is that it becomes usable by anyone. In fact, this guide or tutorial to cracking windows passwords even makes it easier. Pretty much anyone can crack any windows password now, which could be a problem if used the wrong way. However, windows passwords are by nature insecure; there are dozens of other tools to crack windows passwords. Ophcrack is just the fastest.