
Recovering Windows logon passwords with Ophcrack

There are few tasks users fail at more reliably than remembering their logon password. Unfortunately Windows does a reasonable job of keeping that password safe. Fortunately you can still crack it. :)

Ophcrack is the perfect tool for this.

How passwords are stored

Windows does not store the password itself. It stores hashes of it in the SAM registry hive (Windows\System32\config\SAM): the old LM hash and the NT hash, which is plain unsalted MD4 over the UTF-16 form of the password. The LM hash is the weak one: it upper-cases the password and splits it into two 7-character halves, which is why tables for it stay small. Vista and later store only the NT hash by default. The hive is additionally encrypted with a key kept in the SYSTEM hive next to it, so a password cracker needs both files.

The SAM is not supposed to be accessed while Windows is running - the kernel holds it open exclusively, so even an administrator cannot simply copy the file.

Editing or recovering

There are two ways to handle a lost password. Both require access to the SAM, which can be done either with hacking tools under a running Windows (troublesome) or by accessing the disk offline (booting from other media such as a CD or another HDD).

  1. Editing the SAM to replace the hash, and so the password, with a known one. This method is destructive. It works (mostly) but can backfire and render the OS unbootable. Also, if Windows encryption (EFS) was used, all encrypted files of the edited account are lost, because the keys that protect them are derived from the old password.
  2. Reading the hash and working out the corresponding password. This makes no changes to the SAM and is perfectly safe.

Ophcrack uses the second.

So what is Ophcrack?

Ophcrack is software that recovers a password from a known hash (LM or NT). It uses the rainbow tables method: a huge number of hash chains is computed once and stored, and a lookup then only has to recompute a small piece of one chain. The math (lots of it) needed to really understand it is skipped here.

Basically rainbow tables trade memory and disk space for time.

  • Bruteforcing (trying every possible password) requires few resources but may take years.
  • Rainbow tables require lots of disk space (and a lot of one-off computing to build) but take minutes.
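As an added example (not part of the original post and not Ophcrack's own code), the Python below shows both halves of the story from the two sections above: how Windows derives the NT hash that sits in the SAM (MD4 over the UTF-16LE password, with a pure-Python MD4 so it runs even where OpenSSL has dropped MD4), and a toy rainbow table built over a deliberately tiny keyspace (4-digit PINs) so that building and looking up finish in seconds. The keyspace, chain length, chain count and reduction function are illustrative assumptions; Ophcrack's real tables cover far larger character sets and use their own reduction functions. The hash test vectors are the public RFC 1320 and well-known NT-hash values; the PINs are constructed samples.

```python
"""NT hash + toy rainbow table: an added illustration, not Ophcrack's own code."""
import hashlib
import string
import struct

MASK = 0xFFFFFFFF

# ---- MD4 (RFC 1320), the primitive behind the NT hash ------------------------
F = lambda x, y, z: (x & y) | (~x & z)
G = lambda x, y, z: (x & y) | (x & z) | (y & z)
H = lambda x, y, z: x ^ y ^ z
ROUNDS = (  # (mix function, additive constant, message-word order, shift cycle)
    (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def md4_pure(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        saved = (a, b, c, d)
        for fn, k, order, shifts in ROUNDS:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + x[j] + k) & MASK
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c
        a, b, c, d = [(v + w) & MASK for v, w in zip((a, b, c, d), saved)]
    return struct.pack("<4I", a, b, c, d)

def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()  # fast path if OpenSSL still ships MD4
    except ValueError:                              # OpenSSL 3 without the legacy provider
        return md4_pure(data)

def nt_hash(password: str) -> bytes:
    """The NT hash as stored in the SAM: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))

# ---- toy rainbow table (assumed parameters; real tables are vastly larger) ---
CHARSET = string.digits
LENGTH = 4
KEYSPACE = len(CHARSET) ** LENGTH   # 10 000 four-digit PINs
CHAIN_LEN = 80                       # hashes per chain (t)
CHAINS = 200                         # chains stored (m); at most m*t passwords covered

def pw_from_int(n: int) -> str:
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)

def reduce_to_pw(h: bytes, column: int) -> str:
    """Map a hash back into the candidate space. Mixing in the column index is
    what makes the table 'rainbow': chains that collide in different columns
    do not merge, the main loss of coverage in classic Hellman tables."""
    return pw_from_int((int.from_bytes(h[:8], "little") + column) % KEYSPACE)

def build_table() -> dict:
    """Precompute m chains of t hashes each; keep only (end point -> start point)."""
    table = {}
    for i in range(CHAINS):
        start = pw_from_int(i * 37)          # any distinct start points will do
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_to_pw(nt_hash(pw), col)
        table.setdefault(pw, start)          # on a merge keep the first chain
    return table

def lookup(table: dict, target: bytes):
    """Return the password behind `target`, or None if the table does not cover it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # guess the target sits in column `col` and walk the rest of the chain
        pw = reduce_to_pw(target, col)
        for k in range(col + 1, CHAIN_LEN):
            pw = reduce_to_pw(nt_hash(pw), k)
        start = table.get(pw)
        if start is None:
            continue
        # candidate chain found: rebuild it from its start and check column `col`
        pw = start
        for k in range(col):
            pw = reduce_to_pw(nt_hash(pw), k)
        if nt_hash(pw) == target:
            return pw
        # otherwise a false alarm (a chain that merged into this end point); keep going
    return None

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    table = build_table()
    for pin in ("0000", "4711"):            # constructed samples
        print(pin, "->", lookup(table, nt_hash(pin)))  # None: not covered by the table
```

The table stores only chain end points, which is where the disk-versus-time trade-off comes from: with CHAIN_LEN hashes per chain the table is about CHAIN_LEN times smaller than a plain lookup table of every hash, at the price of recomputing part of a chain on every guess of the column. A miss (None) is normal: a single small table never covers the whole keyspace, which is exactly why Ophcrack ships several and why the free ones do not catch every password.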

How to use Ophcrack

  1. Download the LiveCD version of Ophcrack.
  2. Burn it to a blank CD (CDBurnerXP is a nice app for that).
  3. Boot from that disc.


Ophcrack will:

  1. automatically boot (the LiveCD version is based on Linux)
  2. launch
  3. locate the SAM (and the SYSTEM hive needed to decrypt it) on the available HDDs
  4. extract the hashes from it
  5. and try to calculate passwords for them

Zero-click solution. Cool, isn't it?

Alternatively you can play with the installable Windows version, which needs the hashes handed to it (dumped from the running system or read from a SAM copy) since it cannot simply open the live SAM.

Downsides

Ophcrack itself is free and open source, but not all of the tables for it are. The simple tables that fit on a CD and crack most alphanumeric passwords are free (included in the LiveCD version). Bigger and more complex tables (extended character sets, longer passwords) must be purchased, found (not easy) or made yourself (if you have a few extra years of computing time). Keep in mind which hash the tables target: the free XP tables work on the weak LM hash, while Vista and later store only the NT hash by default, which needs far larger tables to cover the same passwords.

Overall

One of the best applications to recover Windows passwords. The free tables won't crack a really paranoid password (long, with symbols, or on a system that keeps only the NT hash) but handle the usual ones easily.

Home & download page: http://ophcrack.sourceforge.net/


7 Comments

  • TechZoomIn #

    Good one yar..I desperately need this one. I need to give a try over it on my laptop :)
  • Rarst #

    @Lax (right? :) ) Yeah, it's really good to have this one close. Especially if you have to mess with users a lot. Good luck with your field-laptop test. :)
  • Ben Tremblay #

    That linux distribution is really awesome. I had to use it a while ago and it really works like a charm...and it's a bit worrying ;)
  • Rarst #

    @Ben Well, I'll have to do "Windows passwords paranoid way" follow-up post later then. :)
  • Ben Tremblay #

    haha you might have to! ;)
  • Jim Sefton #

    Good review there. That solution is great if you are really trying to "crack" a password, that is to find the password of another user without them knowing. If you just want access and have forgotten your password then I believe there is another linux based live cd that resets the admin password. I used it 2 years ago but for the life of me I can't remember what it was called. It basically reset the password to nothing.
  • Rarst #

    @Jim Well, see post. :) Resetting the password works, but in my opinion editing the SAM is looking for trouble. It's always better to try the safer way first.