18 Apr 2010

How to Crack Windows passwords

What is Rainbow Crack and how to do it: The Time-Memory Tradeoff Hash Cracker
This article has been posted by our fellow members Mr. Amey Anekar, Mr. Rahul and Mr. Sachin.

Before going ahead with the discussion, let us first explain why it is so difficult to crack Windows passwords.

Windows uses the NTLM, LM or MD5 algorithm to encrypt plain-text passwords and saves the result in the system32/config folder. The encrypted passwords saved in the SAM file under system32/config are called hashes. Now don't just browse to the SAM file and try to open it: doing this under Windows is useless. Even if you manage to open the file from another OS, e.g. a live Linux distro, you still need the key hive, because the SAM file is further encrypted with a key kept in the 'system' file in the same directory as SAM.

The NTLM, LM and MD5 algorithms are not proprietary. So the first thing you might think is: WOW!! Then just get the hashes, apply the reverse algorithm to them and recover the password. But it's not so easy, smart ass. Read further.

Common features of the NTLM, LM and MD5 algorithms:
  1. Once a hash is formed, it is computationally infeasible to recover the original string from it. In layman's language, the algorithm is irreversible.
  2. No two strings can ever have the same hash.
  3. A minor change in the string causes a considerable change in the hash. This is known as the avalanche effect.

So when you log in to your box and enter the password, the password you typed is hashed with one of the algorithms above, the resulting hash is compared with the saved hash, and if they match you are allowed into the system. From this you can see that even your own computer does not know your real password.

The passwords of your email accounts are stored in a similar fashion. That's the reason why, when you say you forgot your password, the website resets it and cannot show you your original password: even they don't know it.
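The verification model described above (the system keeps only hashes and checks a login by recomputing the hash of what was typed), as an added Python illustration that is not part of the original post. MD5 stands in for the Windows hash functions named in the post, purely to show the properties; the account names and passwords are constructed for the example.

```python
import hashlib
import hmac

# Constructed example of the login model in the post: only hashes are stored,
# and a login attempt is checked by hashing the attempt and comparing.
# MD5 is used here as a stand-in to illustrate the properties, nothing more.

def password_hash(password: str) -> str:
    """One-way transform: the hash is kept, the plaintext is not."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_store(accounts: dict) -> dict:
    """Build username -> hash from a dict of plaintexts (constructed input)."""
    return {user: password_hash(pw) for user, pw in accounts.items()}


def login(store: dict, username: str, attempt: str) -> bool:
    """Recompute the hash of the attempt and compare it with the stored one."""
    stored = store.get(username)
    if stored is None:
        return False
    # constant-time comparison, so the time taken does not leak how many
    # leading characters of the hash matched
    return hmac.compare_digest(stored, password_hash(attempt))


def hamming_distance_bits(a: str, b: str) -> int:
    """Count how many of the 128 MD5 bits differ between two inputs (avalanche)."""
    ha = hashlib.md5(a.encode("utf-8")).digest()
    hb = hashlib.md5(b.encode("utf-8")).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(ha, hb))


if __name__ == "__main__":
    store = make_store({"alice": "password"})          # constructed account
    print(store)                                       # only the hash is kept
    print(login(store, "alice", "password"))           # True
    print(login(store, "alice", "Password"))           # False: different hash
    print(hamming_distance_bits("password", "Password"))
```

Flipping one letter's case changes roughly half of the hash bits, which is the avalanche effect from point 3 above. A production password store would use a salted, deliberately slow password hash rather than bare MD5, but the store-hash-and-recompute flow is the same.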

So the only way to crack the hashes is brute force. This is where rainbow tables come into the scene. Rainbow tables sound fancy but are very simple to understand: they are a collection of strings and their corresponding pre-computed hashes. Each hash in the rainbow table is compared with the original hash, and the one that matches has its corresponding string as the password. Sounds complicated?? Don't worry, script kiddies: Hacktivism has already bundled all that you need to crack these hashes.
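A toy rainbow table in Python, added here as an illustration and not taken from the original post or from the RainbowCrack project. It goes a step beyond the description above: a real rainbow table does not store every string and hash pair but chains of hash and "reduce" steps, keeping only each chain's start and end, which is the time-memory tradeoff the post's title refers to. The keyspace (three lowercase letters), the hash (MD5), the reduce function, and the chain parameters are all constructed for this example. The final function shows why a per-user salt defeats such a precomputed table.

```python
import hashlib
import string

# Constructed toy keyspace: all 3-letter lowercase strings (26**3 = 17576).
ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN


def H(password: str) -> bytes:
    """The hash being attacked; MD5 stands in for a real password hash."""
    return hashlib.md5(password.encode("utf-8")).digest()


def index_to_password(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a candidate password."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(reversed(chars))


def reduce_fn(h: bytes, column: int) -> str:
    """Map a hash back into the keyspace. Using a different function per
    column is what makes it a rainbow table rather than a plain hash chain."""
    n = (int.from_bytes(h[:8], "big") + column) % KEYSPACE
    return index_to_password(n)


def chain_passwords(start: str, t: int) -> list:
    """The t passwords p_0..p_{t-1} whose hashes this chain covers."""
    pws = [start]
    p = start
    for col in range(t - 1):
        p = reduce_fn(H(p), col)
        pws.append(p)
    return pws


def chain_end(start: str, t: int) -> str:
    """Only this endpoint (and the start) is stored; the rest is recomputed."""
    return reduce_fn(H(chain_passwords(start, t)[-1]), t - 1)


def build_table(starts: list, t: int) -> dict:
    """end -> [starts]; chains that merge into the same endpoint are all kept."""
    table = {}
    for s in starts:
        table.setdefault(chain_end(s, t), []).append(s)
    return table


def lookup(table: dict, target: bytes, t: int):
    """Find the password behind `target` if some stored chain covers it."""
    for i in range(t - 1, -1, -1):
        # assume the target hash sits at column i, walk the chain to its end
        p = reduce_fn(target, i)
        for col in range(i + 1, t):
            p = reduce_fn(H(p), col)
        # on an endpoint hit, regenerate that chain and check each position
        for start in table.get(p, []):
            for pw in chain_passwords(start, t):
                if H(pw) == target:
                    return pw
    return None


def make_starts(m: int) -> list:
    """Deterministic, spread-out chain start points (constructed)."""
    return [index_to_password((k * 997) % KEYSPACE) for k in range(m)]


def salted_hash(salt: str, password: str) -> bytes:
    """A per-user salt changes the hashed input, so no table built for the
    unsalted keyspace contains it."""
    return H(salt + password)


if __name__ == "__main__":
    T, M = 50, 200                       # chain length, number of chains
    table = build_table(make_starts(M), T)
    secret = chain_passwords(make_starts(M)[3], T)[4]   # a covered password
    print("unsalted:", lookup(table, H(secret), T))     # recovers `secret`
    print("salted:  ", lookup(table, salted_hash("s4lt", secret), T))  # None
```

With M chains of length T the table stores 2*M strings but covers up to M*T hashes, traded for extra hashing work at lookup time; the salted lookup fails because the stored chains were built over bare passwords, so the defence against this whole class of precomputation is a unique salt per stored hash.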

One of the most widely used tools for hash cracking is Rainbow Crack. You can download it from http://project-rainbowcrack.com, or, if you are using BackTrack, it is already installed.

Well, Rainbow Crack takes hashes as input, so first you have to extract those hashes from the SAM file. We assume that you are using BackTrack 4. If you are not, download it and then come back.

In BackTrack, to make things easy, go to the media where Windows is installed, browse to the WINDOWS/System32/config folder, then copy the SAM and system files and place them on the desktop.

Open the terminal and type the following command:

samdump2 SAM system

This will give the following output.
Now copy the part which lists all the accounts and their respective hashes and save it in a file, say, hashes.txt.

Now you can use Rainbow Crack, John the Ripper or ophcrack.

To use Rainbow Crack you need the appropriate rainbow tables. These rainbow tables are very large, sometimes several GB, so they are bulky to download. Alternatively, you can make your own rainbow tables using rtgen (more on this in the next post), but until then you can consider downloading some lightweight tables.

Download RT from

To start cracking, place the downloaded rainbow tables in /pentest/passwords/rcrack.

Syntax for cracking hashes using rcrack: go to the BackTrack Menu > Privilege Escalation > Password Attacks > Offline Attacks > Rainbow Crack.

Now type

./rcrack rainbow-table-name -f hashes.txt

It may take a long time before the correct hash and its corresponding password are found. So take a nap and come back...

If you want an easier but less effective way of cracking Windows passwords, refer to this post.

This post may not be up to the mark, but this is how things are. The methodology can get better; you have to figure out ways to streamline the steps. If you want to be a hacker, there is no spoon-feeding, so research is the only way to successful hacking.

Happy Hacking!!!

Too lazy to say thanks or comment here? Then why weren't you too lazy to read my post?? If you like this post and want us to post similar articles, please give us feedback and leave a comment here.
