Recovering Windows logon passwords with Ophcrack
Few things come more easily to users than forgetting their logon password. Unfortunately, Windows is fairly good at keeping that password safe. Fortunately, you can still crack it. :)
Ophcrack is the perfect tool for this.
How passwords are stored
- Passwords themselves are not stored. What is stored is their
- hash (LM and/or NTLM), which is saved in the
- Security Account Manager (SAM), which is part of the
- Windows registry.
Two things matter here. First, the SAM is not meant to be read while Windows is running: the system keeps the hive file open exclusively, so nothing else can open it. Second, the hashes inside the SAM are themselves encrypted with a key derived from the SYSTEM hive (the boot key), so an offline tool needs both the SAM and the SYSTEM hive from the same machine, not the SAM alone. It also matters which hash is present: the LM hash (stored by default up to Windows XP) is case-insensitive and is computed over two independent 7-character halves, which is why it falls so quickly; the NTLM hash (the only one stored by default from Vista on) has neither weakness.
Editing or recovering
There are two ways to handle a lost password. Both require access to the SAM, which you can get either under the running Windows with some hacking tools (troublesome) or by reading the disk offline (booting from other media such as a CD or another HDD).
- Editing the SAM to replace the hash, and with it the password, with a known one. This method is destructive. It works (mostly), but it can backfire and render the OS unbootable. Also, if Windows file encryption (EFS) was used, every file the edited account had encrypted is lost unless a recovery agent or an exported certificate exists: the EFS keys are protected by the user's password, and a reset (unlike a change made from inside the account) does not re-protect them.
- Reading the hash and discovering the corresponding password. This one makes no changes to the SAM and is perfectly safe.
Ophcrack uses the second.
So what is Ophcrack?
Ophcrack is software that finds the password behind a known hash. It uses the rainbow table method, which takes a lot of math to really understand. Skipping that.
Basically, rainbow tables trade memory and disk space for time: the expensive work (hashing enormous numbers of candidate passwords) is done once, in advance, and only a compact summary of it is kept on disk, so each later lookup is cheap.
- Brute-forcing (trying every possible password) requires little storage but may take years per hash.
- Rainbow tables require lots of storage and a one-off precomputation, but then turn a hash into a password in minutes.
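To make that trade-off concrete, here is an added example written for this post (it is illustrative code, not Ophcrack's implementation): a miniature rainbow table over 4-letter lowercase passwords. MD5 stands in for the LM/NTLM hash so that the script needs only the standard library; the construction is identical for any hash function. The start points are constructed at random.

```python
import hashlib
import random
import string

# Toy keyspace: every 4-character lowercase password (26**4 = 456,976 candidates).
CHARSET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(CHARSET) ** PW_LEN


def H(password: str) -> bytes:
    """Hash a candidate. MD5 stands in for LM/NTLM here (an assumption
    made for portability); the table construction does not depend on it."""
    return hashlib.md5(password.encode("ascii")).digest()


def R(digest: bytes, column: int) -> str:
    """Reduction function: map a hash back into the password keyspace.
    Mixing the column index in gives each column its own reduction, which
    is what makes this a rainbow table rather than a plain hash chain and
    stops chains that collide in different columns from merging."""
    n = (int.from_bytes(digest[:8], "little") + column) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(start_points, chain_len):
    """Precomputation, the expensive one-off part. Each chain visits
    chain_len hashes, but only its (endpoint -> start) pair is stored:
    that is the memory saving, chain_len hashes covered per entry kept."""
    table = {}
    for start in start_points:
        pw = start
        for column in range(chain_len):
            pw = R(H(pw), column)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes, chain_len):
    """Return the password for target, or None if the table does not cover it.
    The target could sit in any column, so try each: reduce it as that
    column would, walk to the end of the chain, and check whether the
    endpoint is one we stored. A hit is only a candidate (chains can merge),
    so the chain is regenerated from its start to confirm the hash appears."""
    for column in range(chain_len - 1, -1, -1):
        pw = R(target, column)
        for later in range(column + 1, chain_len):
            pw = R(H(pw), later)
        for start in table.get(pw, ()):
            cand = start
            for col in range(chain_len):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), col)
    return None


def random_starts(n, seed=1):
    """Constructed start points: n random passwords from the keyspace."""
    rng = random.Random(seed)
    return ["".join(rng.choice(CHARSET) for _ in range(PW_LEN)) for _ in range(n)]


if __name__ == "__main__":
    CHAIN_LEN = 100
    starts = random_starts(3000)
    table = build_table(starts, CHAIN_LEN)
    print(f"stored {sum(len(v) for v in table.values())} chains, "
          f"covering at most {len(starts) * CHAIN_LEN} of {KEYSPACE} passwords")
    # How many of a random sample of passwords does the table actually recover?
    sample = random_starts(200, seed=2)
    hits = sum(1 for pw in sample if lookup(table, H(pw), CHAIN_LEN) == pw)
    print(f"recovered {hits}/{len(sample)} sampled passwords")
```

Running it shows the trade in miniature: a few thousand stored endpoint pairs stand in for hundreds of thousands of hash computations, each lookup costs a few hundred hash operations instead of a search of the whole keyspace, and the recovery rate on the sample stays well below 100% because chains collide and merge. Real tables compensate with far more and far longer chains, which is exactly where the gigabytes go. Two properties carry over to the real thing: `lookup` never returns a wrong password, since every candidate is confirmed by rehashing, and a password outside the keyspace the table was built for (here, anything that is not four lowercase letters) is never found at all.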
How to use Ophcrack
- Download the LiveCD version of Ophcrack.
- Burn it to a blank CD (CDBurnerXP is a nice app for that).
- Boot from that disc.

Ophcrack will:
- boot automatically (the LiveCD version is based on Linux)
- launch
- locate the SAM (and the SYSTEM hive it needs alongside it) on the available HDD
- recover the hashes from it
- and try to calculate passwords for them
A zero-click solution. Cool, isn't it?
Alternatively, you can play with the installable Windows version.
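As an added example (not part of the original post and not Ophcrack's own code), here is what the LiveCD's "locate the SAM and recover hashes" step amounts to when done by hand from any Linux live system: mount the Windows volume read-only, find both hives, and copy them somewhere writable. The device name, mount point and output directory are assumptions, GNU find/coreutils are assumed, and the ophcrack command at the end is given from memory of its command-line help, so confirm the flags with `ophcrack -h` before relying on them.

```bash
# Collect the registry hives an offline cracker needs from a Windows volume.
# Assumes GNU find, cp and sha256sum, and that the volume is already mounted read-only.

# Locate one hive (SAM or SYSTEM) under <mount>/Windows/System32/config.
# Case-insensitive matching covers both "WINDOWS/system32" (XP) and "Windows/System32" (Vista+).
find_hive() {
    find "$1" -maxdepth 4 -type f -ipath "*/system32/config/$2" -print -quit
}

# Copy SAM and SYSTEM into $2 and print a sha256 for each copy so the evidence can be verified later.
# Both hives are required: the hashes in SAM are encrypted with a key derived from SYSTEM.
collect_hives() {
    mnt=$1
    out=$2
    mkdir -p "$out" || return 1
    for hive in SAM SYSTEM; do
        src=$(find_hive "$mnt" "$hive")
        if [ -z "$src" ]; then
            echo "missing hive: $hive (is this a Windows volume, and is it mounted?)" >&2
            return 1
        fi
        cp "$src" "$out/$hive" || return 1
        sha256sum "$out/$hive"
    done
}

# Typical use from a Linux live system (device and paths are assumed):
#   mkdir -p /mnt/win && mount -t ntfs-3g -o ro /dev/sda1 /mnt/win
#   collect_hives /mnt/win /tmp/hives
#   ophcrack -g -d /tables -t xp_free_small -w /tmp/hives   # flags from memory; check ophcrack -h
```

Mounting read-only is the whole point of the "safe" route: nothing on the Windows volume is modified, and the hashes of the copied hives let you show that what was cracked is what was on the disk.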
Downsides
Ophcrack itself is free and open source, but not all of its tables are. The simple tables that fit on a CD and crack most alphanumeric passwords are free (and included in the LiveCD version). Bigger and more complex tables must be purchased, found (not easy) or generated yourself (if you have a few spare years of computing time). Keep in mind that a table only ever covers the character set and password length it was generated for; a password outside that space is simply never found, no matter how long you wait.
Overall
One of the best applications for recovering Windows passwords. The free tables won't crack really paranoid passwords, but they handle the usual ones with ease.
Home&download page http://ophcrack.sourceforge.net/



Good one, yar. I desperately need this one.
I need to give a try over it on my laptop :)
@Lax (right? :) )
Yeah, it’s really good to have this one close. Especially if you have to mess with users a lot.
Good luck with your field-laptop test. :)
That Linux distribution is really awesome. I had to use it a while ago and it really works like a charm… and it's a bit worrying ;)
@Ben
Well, I'll have to do a "Windows passwords paranoid way" follow-up post later, then. :)
haha you might have to! ;)
Good review there. That solution is great if you are really trying to "crack" a password, that is, to find the password of another user without them knowing. If you just want access and have forgotten your password, then I believe there is another Linux-based live CD that resets the admin password. I used it 2 years ago, but for the life of me I can't remember what it was called. It basically reset the password to nothing.
@Jim
Well, see the post. :) Resetting the password works, but in my opinion editing the SAM is looking for trouble. It's always better to try the safer way first.