Recovering Windows Passwords with the Ophcrack Live-CD
I occasionally need to audit the passwords on Windows domains or individual systems, and I use a few different methods to accomplish this. With the advent of “time/memory trade-off cracking”, standard Windows passwords on systems using LAN Manager (LM) or NTLM hashes (the Windows default) can typically be cracked in less than an hour, often in just a few minutes. I’ve discussed these vulnerabilities in the past, but this post will deal with a few more specific tools instead of “cracking theory”.
Time/memory trade-off cracking uses precomputed tables of candidate passwords and their LM or NTLM hashes. For example, a Windows password of “password”, when encoded with the LM hash, looks like this: “E52CAC67419A9A22”. One of my favorite tools for cracking Windows hashes is called “Ophcrack”, and it can be installed on Linux or Windows. Ophcrack has a simple GUI and uses a set of optimized precomputed rainbow tables for cracking. If you enter the password hash mentioned above (E52CAC67419A9A22) into Ophcrack, the program searches its precomputed tables for a match; when it finds the hash, it knows which plaintext password generated that table entry and returns it to you as “password”.
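As an added audit check (my own example, not Ophcrack project code), the script below reads hash lines in the pwdump format that Ophcrack accepts (user:RID:LM:NT:::) and flags what a defender should fix: accounts that still store an LM hash, LM second halves equal to the empty-block constant (the password is 7 characters or fewer), accounts sharing an LM first half (same first 7 characters, case-insensitive), and empty NT hashes. The sample lines are constructed; alice’s LM first half is the page’s E52CAC67419A9A22 (the first 8-byte half of the LM hash of “password”), and the NT values marked as placeholders are made up.

```python
"""Audit a pwdump-style dump for LM-hash weaknesses (standard library only)."""
from collections import defaultdict

# Well-known constants: the LM half produced by an empty 7-byte block,
# and the NT hash of the empty password.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample dump (NT hashes for alice/bob/carol are placeholders).
SAMPLE_DUMP = """\
alice:1001:E52CAC67419A9A22AAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
bob:1002:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
carol:1003:E52CAC67419A9A220123456789ABCDEF:FFEEDDCCBBAA99887766554433221100:::
"""

def is_hex(s, n):
    return len(s) == n and all(c in "0123456789ABCDEF" for c in s)

def assess_dump(text):
    """Return {user: [finding, ...]} for every parsable user:rid:LM:NT line."""
    findings = {}
    first_halves = defaultdict(list)          # LM first half -> users sharing it
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue                          # not a pwdump line, skip it
        user, lm, nt = parts[0], parts[2].upper(), parts[3].upper()
        notes = []
        if is_hex(nt, 32) and nt == EMPTY_NT:
            notes.append("empty password")
        if is_hex(lm, 32) and lm != EMPTY_LM_HALF * 2:
            # LM is case-folded and split into two independent 7-char DES blocks,
            # which is why precomputed tables recover it so quickly.
            notes.append("LM hash stored (set NoLMHash or use 15+ char passwords)")
            first, second = lm[:16], lm[16:]
            if second == EMPTY_LM_HALF:
                notes.append("password is 7 characters or fewer")
            first_halves[first].append(user)
        findings[user] = notes
    for users in first_halves.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append("first 7 chars shared with: " + others)
    return findings

if __name__ == "__main__":
    for user, notes in assess_dump(SAMPLE_DUMP).items():
        print(f"{user}: {'; '.join(notes) or 'no LM findings'}")
```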
The Ophcrack Project has recently released a Linux Live-CD based on SLAX that can be used to retrieve and crack passwords from Windows machines with little or no effort. As an example, just yesterday I had someone ask me if I could get them access to their laptop as they had changed the password and promptly forgotten it. I said, sure, bring it over and broke out my Ophcrack Live-CD.
The routine is simple: place the Live-CD in the CD-ROM drive and boot the Windows machine. The Live-CD boots from the CD-ROM, loads SLAX Linux into RAM and brings you to a text-based “boot prompt”. The prompt says “press enter to continue booting”; if you simply press Enter, the SLAX OS boots up and loads the Fluxbox desktop. As soon as Fluxbox begins to load, a Linux terminal window appears and gives you updates as Ophcrack locates and retrieves the password hashes. If the hashes are found, Ophcrack launches its application GUI, with no user interaction, and begins to crack the password hashes it located.
I booted the CD in the laptop provided to me, recovered the administrator password in 287 seconds (Ophcrack has a timer) and returned the laptop to its owner shortly thereafter.
Another very useful tool for this sort of work is called “Cain & Abel”, which consists of a robust network sniffer, password cracker and hash generator (among other things). I use it in conjunction with Ophcrack to test password complexity strength. Be aware that most anti-virus clients will mark these tools as “Hack-Tools” (duh!) and try to remove them, so you will want to white-list these applications if you want them to work properly.