Cracking Hashes with Rainbow Tables and Ophcrack

You may have heard of dictionary or brute-force password attacks, but a popular recent way of cracking a Windows password uses a rainbow table. This method was made popular by Philippe Oechslin, one of the creators of Ophcrack, a tool for cracking Windows passwords. You can use Ophcrack in a few different ways. First, you can download the Ophcrack program and run it on your computer. Used this way, you need to download the tables separately, save them to your hard drive, install them into the Ophcrack program, and then run the program, which compares the hashed password to the hashes in the rainbow table looking for a match. Second, you can download an Ophcrack LiveCD .iso file, burn it as a bootable image, boot from the CD, and use it to search for a system's password by comparing hashes in the same manner. In this method the CD loads the password hashes directly from the Windows SAM (Security Accounts Manager) files. This can be helpful for someone who has forgotten their password and needs to recover it. However, you do not want to use this method to attack a user's computer. XP and Vista/Windows 7 versions of Ophcrack are available for download.

Ophcrack website: http://ophcrack.sourceforge.net/ (download)
About Ophcrack: http://en.wikipedia.org/wiki/Ophcrack

Hash functions: http://en.wikipedia.org/wiki/Hash_function

Network Authentication Protocols (one aspect of these protocols is to turn clear-text passwords into a hash)

  • Windows LM hash (LAN Manager): a flawed implementation based on DES that was particularly easy to crack; http://en.wikipedia.org/wiki/LM_hash
  • Windows NTLM (NT LAN Manager): little to no improvement over the LM hash, partly because backwards-compatibility issues allowed the LM hash to be kept alongside the NTLM hash; http://en.wikipedia.org/wiki/NTLM
  • Windows NTLMv2: an improvement that is still used in Windows Vista and Windows 7 in workgroup environments
  • Kerberos (open-source project, MIT): a secure network authentication protocol used in Windows domains and Active Directory; http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
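As an added illustration (example code written for this page, not Ophcrack's own source), here is a toy rainbow table showing the time-memory trade-off behind the tool described above and why it depends on the unsalted, deterministic hashes listed here: the table stores only the first and last password of each chain, and a lookup recomputes the rest. The keyspace (3-character lowercase passwords), the SHA-256 stand-in hash, and the chain length are constructed assumptions, not Ophcrack's parameters.

```python
import hashlib

# Constructed toy keyspace: every 3-character lowercase password (26**3 = 17,576).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 40  # hashes covered by each stored (end, start) pair

def h(password: str) -> bytes:
    """Unsalted, deterministic hash (stand-in for LM/NT); SHA-256 here."""
    return hashlib.sha256(password.encode()).digest()

def reduce_to_pw(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace; mixing in the column index gives each column its own reduction (the 'rainbow' refinement)."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def chain(start: str) -> list:
    """All passwords one chain visits, start first (CHAIN_LEN + 1 items)."""
    points = [start]
    for column in range(CHAIN_LEN):
        points.append(reduce_to_pw(h(points[-1]), column))
    return points

def build_table(starts) -> dict:
    """Store only end -> start; the intermediate passwords are recomputed on lookup."""
    table = {}
    for start in starts:
        table.setdefault(chain(start)[-1], start)  # first start wins if chains merge
    return table

def lookup(table: dict, target: bytes):
    """Return the password whose hash is `target`, or None if no chain covers it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits in this column and walk the rest of the chain to its end.
        pw = reduce_to_pw(target, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_to_pw(h(pw), later)
        start = table.get(pw)
        if start is None:
            continue
        # Regenerate the candidate chain and verify; an unverified hit is a false alarm.
        for cand in chain(start)[:-1]:
            if h(cand) == target:
                return cand
    return None
```

Because the same password always produces the same LM or NT hash, one such table serves every machine; a per-user salt would force a separate table per salt value.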

Ophcrack Step by Step

  1. When I installed the program, I installed it to my Program Files folder, so it was not able to automatically download any rainbow tables. No matter: you can download the tables and install them after installing the program. Go to the ophcrack.sourceforge.net website, click on "Tables", and download the free tables, or go there directly: http://ophcrack.sourceforge.net/tables.php. I downloaded the XP free small and the Vista free tables. Once you have downloaded the tables, you will need to unzip each one into its own folder. I made a folder called "hash-tables" and then made 2 more folders within it, one for each table to unzip into.
  2. Run the program and click the "Tables" button. Select the table you downloaded and click "Install", navigate to the folder where you unzipped the table, select it, and then click "OK". You should see green lights next to the tables you installed.
  3. You need to supply the program with a hash for it to try to crack. For testing purposes you can generate one at the following website. Go to http://objectif-securite.ch/en/products.php?, scroll to the bottom of the page, and submit a password using the web tool. The tool will output a hash that you can copy to a text file or copy to the clipboard by selecting it and pressing Ctrl+C.
  4. On the website I submitted the password "BlockMe" (with the capital letters) and got this hash output: 9d79790fa072b69baad3b435b51404ee:facbe3fa7932e0d024590e0633d28510
    In Ophcrack I clicked "Load" > "Single hash", pasted in the hash, clicked "OK", and then clicked "Crack" to start the process. It took a few minutes, but Ophcrack was able to crack the password from the hash with the "XP Small Free" table installed and loaded. I also installed the "Vista free" table, but that must not have matched the hash type, because it was unable to crack the password. One thing I learned is that you need the right kind of table to crack the right kind of hash.
  5. I want you to play with the program, get it working, and test out 5 different passwords of increasing complexity. Can you find a website that will generate a Vista NTLMv2 hash?
  6. Post your experience and results using Ophcrack in a comment at the bottom of this page.
    Note: You must have a user account in order to log in and post comments. You can create a user account on this site from the home page.

Video Tutorial

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.