Thursday, November 17, 2011

Cracking Windows Passwords

To crack Windows XP and Windows Vista passwords, we will use a program called ophcrack. Ophcrack is a Windows-only password cracker, and it uses rainbow tables to get the job done quickly. It cracks passwords for both Windows XP and Vista, but it is more powerful on XP because Vista fixed the security hole that made XP passwords easy to crack. Windows uses a couple of types of hashes. One of them is the LM (LAN Manager) hash. If a password is longer than seven characters, it is split into seven-character chunks, converted to all uppercase, and then hashed with DES. Because it is split into parts and made all uppercase, the total number of possible password combinations goes down significantly, which makes it easier for hackers to crack the password. The Windows password hashes are stored in a couple of places:
•  In the C:\WINDOWS\system32\config directory, where the file is locked to all accounts except the SYSTEM account, which you don't have access to.
•  In the registry, under HKEY_LOCAL_MACHINE\SAM, where it is also locked for all users.
So you might be wondering, how can I get a copy of those hashes? There are a couple of ways.
•  Boot from a Linux live CD and copy the SAM file onto a USB drive or floppy disk.
•  Use the PWDUMP program that comes with ophcrack to trick the registry into giving up the hashes.



1.  First download and install ophcrack; it's a free program. As you can see, there are two versions. In this example we will be using the program itself in Windows, so download the first option. Once you have it downloaded, install it.
2.  When the option comes up to download rainbow tables, uncheck them all and just install the program. It is better to download the rainbow tables separately.
3.  Once it is installed, go to the ophcrack website and click on Tables in the navigation. This will display all the tables you can download. As you can see, the more characters covered, the bigger the table gets. Choose the correct table for your operating system.
4.  In the example, I chose the largest possible free table. Next run ophcrack and click on Tables. Select the table you downloaded and click Install to locate the file on your computer. Hit OK to continue.
5.  Next we will be running PWDUMP to obtain the password hashes. Make sure all of your anti-virus and anti-spyware programs are disabled, because most anti-virus programs mistake PWDUMP for a malicious program since it accesses the system files. If you don't disable the anti-virus program, PWDUMP will fail to retrieve the hashes.
6.  Click Load and select Local SAM. This will load all the password hashes for all the users on your computer and display them.
7.  Next click Crack and the program will begin to crack the password hashes.
8.  Once the program finishes cracking, you should see a screen similar to the following:
9.  As you can see, two out of three of my account passwords were cracked in a matter of a couple of minutes.
•  Bob : lolcats
•  David M: not found
•  Pushkin: Christmas02

Ophcrack LiveCD
The next method I will show you to crack the Windows hashes is through an ophcrack LiveCD.
1.  Go to the ophcrack website and choose the LiveCD for the correct operating system to download.
2.  With the downloaded .ISO, create a LiveCD the same way you did with the Ubuntu LiveCD in the Linux chapter.
3.  Put the CD in your CD drive and restart to boot from the CD.
4.  You will see the following screen:

5.  Hit <ENTER> or wait six seconds to boot into Ophcrack Graphic mode. If something goes wrong and the screen won't show the graphics, restart and go into Ophcrack Graphic VESA mode. If this also fails, go into Ophcrack Text mode.
6.  Once ophcrack loads completely, it will automatically get your Windows password hashes and begin the cracking process.
