Tuesday 21 June 2011

Cracking Windows Passwords

To crack Windows XP and Windows Vista passwords, we will use a program called ophcrack. Ophcrack is a Windows-only password cracker, and it uses rainbow tables to get the job done quickly. It cracks passwords for both Windows XP and Vista, but it is more powerful on XP because Vista fixed the security hole that allowed XP passwords to be cracked easily. Windows uses a couple of types of hashes. One of them is the LM (LAN Manager) hash. If a password is longer than seven characters, it is split into seven-character chunks, converted to all uppercase, and then hashed with DES encryption. Because it is split into parts and made all uppercase, the total number of different password combinations goes down significantly, which makes it easier for hackers to crack the password. The Windows password hashes are stored in a couple of places:

• In the C:\WINDOWS\system32\config directory, where it is locked to all accounts but the system account, which you don’t have access to.

• In the registry: HKEY_LOCAL_MACHINE\SAM, where it is also locked for all users.
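
The effect of the LM scheme described above can be checked from the defender's side. The following is an added example, not part of the original post or of ophcrack: it computes how much the uppercase, seven-character-chunk scheme shrinks the search space, and flags accounts in a pwdump-style export that still have an LM hash stored. The 95-character set and every hash value in the sample are constructed for illustration.

```python
import re

# Well-known LM value for an empty seven-character half (null LM = this twice).
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed sample in pwdump format (user:rid:lm:nt:::); hashes are placeholders.
SAMPLE_DUMP = """\
alice:1001:0123456789abcdef1032547698badcfe:00112233445566778899aabbccddeeff:::
bob:1002:fedcba9876543210aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""


def keyspace(length, charset=95, lowercase=26, chunk=7):
    """Return (full, lm) candidate counts for a password of `length` characters.

    Assumes a 95-symbol printable set; LM folds the 26 lowercase letters away
    and each chunk can be attacked on its own, so the chunk counts add up.
    """
    full = charset ** length
    sizes = [min(chunk, length - i) for i in range(0, length, chunk)]
    lm = sum((charset - lowercase) ** n for n in sizes)
    return full, lm


def audit(dump):
    """Classify each account by what its LM field reveals."""
    findings = {}
    for line in dump.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        user, lm = fields[0], fields[2].lower()
        if not re.fullmatch(r"[0-9a-f]{32}", lm) or lm == EMPTY_LM_HALF * 2:
            findings[user] = "no LM hash stored"
        elif lm.endswith(EMPTY_LM_HALF):
            findings[user] = "LM hash stored; password has 7 characters or fewer"
        else:
            findings[user] = "LM hash stored; password has 8 to 14 characters"
    return findings


if __name__ == "__main__":
    full, lm = keyspace(14)
    print(f"14 characters: {full:.2e} candidates, but only {lm:.2e} via LM")
    for user, status in audit(SAMPLE_DUMP).items():
        print(f"{user}: {status}")
```

On systems that still store LM hashes, the "Network security: Do not store LAN Manager hash value on next password change" policy stops new ones from being written.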

So you might be wondering, how can I get a copy of those hashes? There are a couple ways.

• Boot from a Linux live CD and copy the SAM file onto a USB or floppy disk.

• Use the PWDUMP program that comes with ophcrack to trick the registry into giving up the hashes.

1. First download and install ophcrack. As you can see, there are two versions. In this example we will be using the program itself in Windows, so download the first option.









2. Once you have it downloaded, install it. When the option comes up to download rainbow tables, uncheck them all and just install the program. It is better to download the rainbow tables separately.










3. Once it is installed, go to the ophcrack website and click on Tables in the navigation. This will display all the tables you can download. As you can see, the more characters covered, the bigger the table gets. Choose the correct table for your operating system.















4. In the example, I chose the largest possible free table. Next, run ophcrack and click on Tables. Select the table you downloaded and click Install to locate the file on your computer. Hit OK to continue.










5. Next we will be running PWDUMP to obtain the password hashes. Make sure all of your anti-virus and anti-spyware programs are disabled, because most anti-virus programs mistake PWDUMP for a malicious program since it accesses the system files. If you don’t disable the anti-virus program, PWDUMP will fail to retrieve the hashes.



6. Click Load and select Local SAM. This will load all the password hashes for all the users on your computer and display them.











7. Next click Crack and the program will begin to crack the password hashes.



8. Once the program finishes cracking, you should see a screen similar to the following:













9. As you can see, two out of three of my account passwords were cracked in a matter of a couple minutes.

• Bob : lolcats

• David M: not found

• Pushkin: Christmas02






Ophcrack LiveCD





The next method to crack the Windows hashes I will show you is through an ophcrack LiveCD.

1. Go to the ophcrack website and choose the correct operating system LiveCD to download.

2. With the downloaded .ISO, create a LiveCD the same way you did with the Ubuntu LiveCD in the Linux chapter.

3. Put the CD in your CD-Drive and restart to boot from the CD.

4. You will see the following screen:











5. Hit <ENTER> or wait six seconds to boot into the Ophcrack Graphic mode. If something goes wrong and the screen won’t show the Graphics, restart and go into the Ophcrack Graphic VESA mode. If this also fails, go into Ophcrack Text mode.



6. Once ophcrack loads completely, it will automatically get your Windows password hashes and begin the cracking process.

Hack Website: SQL Injection Tutorial in Hindi



Learn the tutorial by reading the text below.
Step 1: First of all you need a site that you want to hack. Download this dork list, copy any dork and paste it into Google;
after that many sites will be shown, and you keep checking which one is SQL vulnerable...
For example: I have this site, www.abhai.org.in
So now we have the site that we are going to hack.
Now there are 2 problems: number 1, finding the admin login, and number 2, hacking the admin login.
Solution to problem no. 1, finding the admin:
Step 1: Download this tool (click here to download).
Extract it to your hard disk, install the Havij tool and run it.
Open Havij and click on Find Admin,
then enter your site's link in the box below and click on Start,
and it will show it to you: www.abhai.org.in





So we have the solution to our first problem, how to find the admin.
Now problem number 2: how to hack the admin panel?
There are 2 ways to hack the admin login with the SQL method: one is Havij and the 2nd is SQL queries.
Download the SQL queries list (click here).
Go to your web browser and open the admin login.
Type admin in place of the name.
Type admin in place of the password as well.
If you do not get access, type 1'or'1'='1 in place of the password.
So user : admin
password : 1'or'1'='1
and login success




That's it, friends; enter this into the admin login of each of your sites and check... :)
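
Why the password value quoted above is accepted by a login that builds its SQL from strings, and how a parameterized query rejects it. This is an added example, not part of the original post; the table, the stored password and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory stand-in for a site's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Plain-text storage keeps the example short; real systems store a salted hash.
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-Passw0rd')")
    return db


def build_query(name, password):
    """Vulnerable pattern: user input is pasted straight into the SQL text."""
    return ("SELECT name FROM users "
            f"WHERE name = '{name}' AND password = '{password}'")


def login_vulnerable(db, name, password):
    """Runs the string-built query; any returned row counts as a login."""
    return db.execute(build_query(name, password)).fetchone() is not None


def login_parameterized(db, name, password):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    tried = "1'or'1'='1"  # the input quoted in the post
    # The quotes in the input close the string literal, so the WHERE clause
    # becomes (name AND password) OR '1'='1', which is true for every row.
    print(build_query("admin", tried))
    print("string-built query :", login_vulnerable(db, "admin", tried))
    print("parameterized query:", login_parameterized(db, "admin", tried))
```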