Windows account password cracks
ophcrack.sourceforge.net — Ophcrack is the fastest Windows NT, 2000, XP and 2003 password cracker. Download and burn!! Ophcrack 2.1 comes with a GTK+ Graphical User Interface and runs on Windows as well as on Linux.
- 3352 diggs
- GlassCasket, on 10/12/2007, -29/+6 Neato!
- johnvm, on 10/12/2007, -1/+27 Rainbowcrack is actually far faster - but requires the rainbow tables (which are very large and take a long time to produce) to actually crack the pw's. OPHCrack (this program) has support for rainbow tables, which is nice, and I'd imagine that it uses them moderately efficiently - perhaps even faster than rainbowcrack itself.
Nonetheless, I just wanted to point out that brute forcing PW's on the fly is not the fastest way to crack pw's. Employment of Philippe Oechslin's faster time-memory trade-off technique is currently the state of the art.
More information can be found here, at the RainbowCrack page: http://www.antsight.com/zsl/rainbowcrack/
- LoneWlf, on 10/12/2007, -0/+1 @johnvm
It's been a while since I used ophcrack but I think when I read the site it says it does use time-memory trade-off. That's why the larger tables actually break the passes faster and more efficiently than the smaller tables. Something like that.
- HappyScrappy, on 10/12/2007, -0/+7 ophcrack uses rainbow tables too. It's just a different program.
- skyshock21, on 10/12/2007, -1/+6 I've used Rainbow crack to crack an entire dump of LM hashes from a domain controller with 120+ user accounts. It took about 45 minutes, and pegged them all. I think I only had to use about 10 gigs worth of rainbow tables. You do have to have admin account access to the domain controller to do the LM hash dump though.
Disclosure: I'm a sysadmin who was doing a user account password audit to recommend new password-strength requirements.
- skyshock21, on 10/12/2007, -0/+8 I should also add there's a registry tweak to disable LM hashes so windows will use the NT hash which is MUCH MUCH MUCH stronger and harder to crack.
Microsoft has a knowledge base article on what key to change (or change it through group policy in Active Directory) - http://support.microsoft.com/?kbid=299656
- johnvm, on 10/12/2007, -0/+1 Even NTLM-only (disabling LM) isn't that hard to crack w/ rainbow crack. See www.plain-text.info for how easy it is.
- Sidnak, on 10/12/2007, -18/+0 Downloading it now. Thanks
- absoluteczech, on 10/12/2007, -15/+4 is this 2.1 a new version? if not it's been around for quite some time
- FCon4, on 10/12/2007, -3/+10 Per TFA, it's 2.2.
- rushfan, on 10/12/2007, -5/+7 This is actually useful because people have messed with my windows passwords in the past. Fortunately I'm on linux right now anyhow, but I do require windows access from time to time.
- oslointhesummer, on 10/12/2007, -18/+0 And it comes on a LiveCD too? Damn, son...
[Slax rules.]
- MyScreenname, on 10/12/2007, -2/+11 I've been using this product for a while; i think it's been on digg a few times but always cool if it catches a new eye each time....
- TheG2, on 10/12/2007, -2/+7 SysAdmins everywhere now have a new problem. Good to have though in case you forget your password one time though.
- ditoa, on 10/12/2007, -0/+5 Providing your password is over 14 characters (a good passphrase will be) Ophcrack will take a long time to crack it, in most cases longer than someone can get access to a system without the owner knowing about it (e.g. a few days). It is great for
- VashTSPD, on 10/12/2007, -0/+7 Responding to the comment below,
actually no, I've used this program for a long time, and if your password is fifteen characters or longer OPHcrack will not be able to recognize the password at all, this is because XP doesn't store a LAN-Manager hash for passwords over 14 characters, thanks to The Broken episode 3 for pointing that out :P
- MateyO, on 10/12/2007, -0/+2 @ditoa. Not necessarily. If your domain is in LANMAN compatibility mode, that 14 character password is UPPERCASE converted and split into two 7 character passwords...and anything between 8 and 14 characters is space padded.
We cracked a third of our passwords in less time than would register on the app with a good dictionary and a copy of the SAM.
- tehgooch, on 10/12/2007, -0/+1 Just had a sudden spasm of dyslexia with ditoa's name. Came out as idiota for a second ;) Perhaps it's just the pain drugs I'm on right now.
- john608, on 10/12/2007, -0/+4 Yep. I have used the bootable commandline on a floppy version of this for a while - a total life saver. I have been in a jam so many times where a customer forgot the password, and was able to reset without a hitch.
- CrazyZ, on 10/12/2007, -3/+1 A nice free alternative to ERD Commander (which by the way works wonders too.)
Me like!
- ditoa, on 10/12/2007, -0/+6 ERD Cmdr does not crack the password, it resets it. The problem with doing this is that for EFS you are screwed if you reset the password whereas with Ophcrack you can crack the password rather than reset it.
- Phaedruss, on 10/12/2007, -1/+6 Ophcrack uses rainbow tables - http://en.wikipedia.org/wiki/Rainbow_tables
There's a general purpose project for generating rainbow tables with support for lm (windows), md5, and sha1 - http://www.antsight.com/zsl/rainbowcrack/
Now, generating effective tables for md5 and sha1 would take a single computer several months, so it's not for your casual password cracker. (Windows passwords are much easier though)
- 2L84ME, on 10/12/2007, -2/+16 "Good to have though in case you forget your password one time though."
That ol' excuse.
- cybercat, on 10/12/2007, -0/+5 I've used the boot cd of this several times, and it works quite well.
It was able to decrypt a simple password in about 2 minutes and complex 14 char password in about 10 minutes. It was unable to decrypt a 17 char complex password. It takes about 25 minutes to go through the whole rainbow table off cd on a 1Ghz machine.
Another solution I've used a lot is www.loginrecovery.net. They have a nice little program you put on a floppy, boot on the machine you want to recover passwords for, then upload the txt file from the floppy to their website. It takes about 1 minute for them to recover the password, but they make you wait 48 hours if you just use the free version.
In my experience, the best way to defeat programs like this is to use at least 18 char passwords, containing upper and lowercase letters, symbols and numbers.
- VashTSPD, on 10/12/2007, -1/+3 you only need a 15 character password for a windows login, after 14 characters it only stores the password as an NT-Hash and not the lm hash which is much, MUCH stronger.
- benjaminrayburn, on 10/12/2007, -0/+1 Does anyone know whether enabling "Network security: Do not store LAN Manager hash value on next password change" under Local Security Settings will relax the 15+ character password recommendation?
If that fixes the problem what happens to the hash for the old password? Is it left in place or erased?
(I do understand longer passwords would still be more robust)
- skyshock21, on 10/12/2007, -0/+1 @benjaminrayburn
I used MS's registry tweak to disable storage of the LM hash on my laptop, and I think the password hash was re-generated using NT hash. I didn't have to change anything, it just worked.
- habys, on 10/12/2007, -1/+1 Anyone have a torrent or know how to generate the WS-20k tables?
- bflfab, on 10/12/2007, -0/+2 From Phaedruss' link above you can go create your own charset: http://www.antsight.com/zsl/rainbowcrack/
- habys, on 10/12/2007, -0/+0 The WS-20k tables seem more compressed than rainbow tables, since they claim to support alpha-numeric and special characters while being only 7.5GB, and there doesn't seem to be anything that corresponds on the rainbow tables site.
- pcronin, on 10/12/2007, -0/+3 At work when someone uses a non-standard admin pass, or it was one of the old ones that no one remembers, we use that other boot cd (link escapes me now) to just blank the admin pass, then log in and set it to our standard.
From an admin/security POV, if it's your machine, why 'recover' when a reset takes about a minute? The only reason you 'need' to recover without resetting is if you don't want the owner of the box to know you were there.
- VashTSPD, on 10/12/2007, -0/+4 or if you encrypt some data with the Windows Encryption File System (EFS), if you reset the password, you can't access any of the EFS files.
- pcronin, on 10/12/2007, -0/+2 encryption? bah.. if that gets turned on, it's by accident around here :P
besides, I wasn't referring to users (whose data is on the server in our case) but to the admin passwords...
- dapperdrake, on 10/12/2007, -0/+13 I like the NSAcrack approach: get Microsoft to build a backdoor in for you.
- feanor512, on 10/12/2007, -0/+2 Just make your password longer than 14 characters.
http://geeksaresexy.blogspot.com/2006/05/preventing-xp-from-storing-lm-hash-of.html
- VashTSPD, on 10/12/2007, -0/+1 check out my reply on that site too, it's a good article to read.
- julielacombe, on 10/12/2007, -0/+1 Yeah, passwords stored in the LM hash representation are pretty weak. This site provides a good way to force your computer to store your passwords in NT Hash.
- ChiKoo, on 10/12/2007, -1/+2 Old news, but still a great program to use.
- tetfsu, on 10/12/2007, -1/+1 yeah this is WAY OLD NEWS, but I agree still a good tool. I'm not sure about the new version, but the old version had a setting to stealth the program so it wouldn't show up in the task manager, in a window, or the task bar. You could create a "secret" key combo to show and hide the window.
- roostishaw, on 10/12/2007, -10/+2 wtf, how many times will this make the front page?
how many times will all the bandwagon digg users put this old news up there?
- sezzme, on 10/12/2007, -7/+1 Great... now all we need is an easy way to crack the supervisor password on an old Thinkpad without having to crack open the case and soldering some pins on the motherboard. (doesn't seem possible)
- connectjunkie, on 10/12/2007, -0/+1 Since L0phtcrack is no longer commercially available (since Symantec end of lifed it), this tool is not a bad one to use instead. You can also use LCP from http://www.lcpsoft.com/english/index.htm which supports most of the non-rainbowcrack stuff that LC5 did...
- Invizion, on 10/12/2007, -1/+2 Does anybody know where I can get a .torrent for the Ophcrack Live CD ISO?
- clickwir, on 10/12/2007, -1/+4 ***** the torrent. They have a dozen different sites to download it from
- julielacombe, on 10/12/2007, -0/+4 While browsing the link that feanor512 provided, I stumbled upon this nice OphCrack howto.
Cracking your Windows SAM Database in Seconds with Ophcrack 2
http://geeksaresexy.blogspot.com/2006/04/cracking-your-windows-sam-database-in.html
- SuperNick, on 10/12/2007, -0/+1 This is good to have. I found a site (loginrecovery) that'll give the password to you for free (after 2 days) or you can get it immediately by paying money and I've been using that. This seems neat though.
- porsche922, on 10/12/2007, -0/+3 does any one know which "alt num" characters are valid in passwords in windows ?
- DS513, on 10/12/2007, -0/+2 The previous version of Ophcrack was featured on Digg before, but I dugg it again because it's such an awesome utility that really works well. If you haven't seen it before, be sure to check it out.
- farksucks, on 10/12/2007, -1/+3 For anyone who is interested, "windows password recovery" and "ntfs password recovery" are two of the most expensive search keywords with Google's Adwords program *and* Yahoo's Overture sales.
Do a search for this topic and you'll see dozens of for-sale applications as well as horrendously expensive services to find a windows password. Most of the time something goes wrong and people panic is at a business on a machine with important documents, and they'll pay absurd amounts of money, RIGHT NOW, with a credit card, to get it fixed.
Windows passwords and NTFS recovery are also one of the highest targets for the SEO crowd who attempt to game google to get high ranking on the organic search results.
Here's a hint- now that you guys have this free program, why don't you start selling your services to people who aren't bright enough to figure it out on their own? It's basically printing money.
BTW- mesothelioma (asbestos lung cancer), divorce lawyer and malpractice round up the priciest keywords.
- HappyScrappy, on 10/12/2007, -0/+4 Note that if you turn off the LMHASH passwords in your Windows (as I have), then this program can't crack your passwords (as I just found out). When I first read the link, it didn't mention LMHASH, so I figured it was cracking NTHASH passwords, which it isn't.
http://support.microsoft.com/?kbid=299656
- ramsinks.com, on 10/12/2007, -0/+2 Yap, Slax based.
Love it, I use it sometimes instead of calling clients.
;)
It's standard rainbow, BF.
- SuperFarStucker, on 10/12/2007, -0/+2 All this rainbow table nonsense is easily circumvented by adding a system-wide 10 character unicode salt to password hashes. Even the shortest passwords (6 - 7 chars) will take an eternity to crack then.
- SuperFarStucker, on 10/12/2007, -0/+1 Of course this doesn't make the passwords any more secure except against time-memory tradeoff attacks.
- ramsinks.com, on 10/12/2007, -0/+2 Well sure, but nobody does.
Even if they did, it's time for "NTpassword".
;)
- ASoggyWaffle, on 10/12/2007, -0/+2 this is a nice program cause the live CD leaves no evidence hehehe
however it would be nice if it would do a dictionary and hybrid attack first, they take so little time and often find the passwords, another thing that would be cool is an ISO with a better rainbow table that you could burn to a bootable dvd
- rockdave, on 10/12/2007, -0/+3 Yeah... this is pretty old, but still very cool. For password cracking on-the-fly, install OphCrack on the target computer without downloading the rainbow tables. Run the utility and save the .oph file. It will be full of password hashes (not cracked), which you could just crack using their website http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
This eliminates the need to boot up Ubuntu, and is extremely useful if you have only a few minutes to get a password or two. I love to keep the OphCrack installer on my pen drive. Hehe... I got my school's admin in less than two minutes :)
Great tool.
- dhughes, on 10/12/2007, -0/+3 I've used Ophcrack and it worked except on a 64-bit system I tried, it would just hang, I didn't try it again I didn't have time and it wasn't my system.
- ASoggyWaffle, on 10/12/2007, -1/+3 does anyone know of a program that will just dump the hashes into a textfile without an installer or anything?
- muffinmanpoo, on 10/12/2007, -0/+2 I use pwdump. ( http://www.foofus.net/fizzgig/pwdump/ )
- CoolWind, on 10/12/2007, -0/+3 I've learned a few things about passwords from this discussion.
But if somebody boots into a different operating system from a CD, or if they put your hard drive in another computer, your Windows password is useless.
So you'd better encrypt any sensitive data.
- darshil, on 10/12/2007, -4/+0 just asking. will this work in a school network without knowing admin username and password?
- julielacombe, on 10/12/2007, -0/+0 Hmm, probably not.. but if the user database is hosted locally, it might. If the sam Database is local, you would be better off just resetting the admin password using something like this: http://geeksaresexy.blogspot.com/2006/01/forgot-your-windows-password-no.html
- rockdave, on 10/12/2007, -0/+1 In theory, yes... you'll get a list of all the user names, so you'll need to guess which one is the admin username.
- Flex, on 10/12/2007, -0/+3 Ha! Yeah, "just asking."
- wolf202, on 10/12/2007, -3/+2 very old news
- xfTwitch, on 10/12/2007, -2/+1 wow, I admin a small network of windows machines and this wouldn't work because we have group policy set to lock out after 3 attempts in 10 minutes. Admin required to unlock.
- Ithaycu, on 10/12/2007, -0/+2 You have misunderstood what this process does. It does not use a brute force login technique, it copies the sam database and then cracks the hash created and stored there when the admin set the password.
Cheers,
Ithaycu
- rmccs0x, on 10/12/2007, -0/+3 i still have no idea what a rainbow table is, but i've used this program many times and love it.
- PhiL666, on 10/12/2007, -0/+2 i already have slax iso ... is there anyway to get just the module ?
- peterw99, on 10/12/2007, -0/+3 hmm. I tried this. seemed to load ok, got an ophcrack boot prompt, then it continued to load. lots of device loading messages. lots of CD activity. then my monitor just shuts off because there is no input. wth? even while CD is still active. I have a pretty common vid card (geforce4). anyone have a clue what is wrong? list of boot options somewhere to tell it to do something specific (like crack the hashes it finds) on load?
- ve39, on 10/12/2007, -0/+1 How do i make this work:
I boot from Ophcrack Live CD and all I get is black "Launch.sh;bash" window open
- ve39, on 10/12/2007, -0/+1 How do i make this work:
I boot off Ophcrack Live CD and all I get is blank window of "Launch.sh;bash" and a toolbar
(sorry was in a rush when posted above)
- DonPMitchell, on 10/12/2007, -0/+1 The problem is the old-fashioned LM hashing scheme. The modern scheme is not vulnerable, but the old LM hash is still stored for backward compatibility reasons. Dumb.
If you are sure your administrator will never need to crack lost passwords, you can close this hole on the domain controller and local machines thus
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Set the nolmhash value to 0x1
- mavsman78, on 10/12/2007, -0/+1 My laptop this week didn't have the option to log into a domain, which was my main account, and I couldn't figure out what the administrator password was. I used the Offline NT Password & Registry Editor and I was able to reset and blank the Administrator password. It uses a linux boot disk that fits on a floppy. Check out an old digg here: http://digg.com/security/Offline_NT_Password_Registry_Editor
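As an added example (not from this thread or from Ophcrack), the NoLMHash registry setting under the Lsa key referenced in KB 299656 and in the "Do not store LAN Manager hash value on next password change" policy can be audited and enforced from PowerShell. It assumes an elevated session on the machine being checked; as the policy name says, the change applies when each account next changes its password, so LM hashes already in the SAM stay until then.

```powershell
# Added example: audit and enforce NoLMHash (HKLM\SYSTEM\CurrentControlSet\Control\Lsa).
# Assumes an elevated (administrator) PowerShell session on the machine being checked.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NoLMHashState {
    # Returns $true only when NoLMHash is present and set to 1 (LM hash storage disabled).
    $prop = Get-ItemProperty -Path $lsaKey -Name 'NoLMHash' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return $false   # value absent: LM hashes are still stored for new passwords
    }
    return ([int]$prop.NoLMHash -eq 1)
}

function Disable-LMHashStorage {
    # Creates or updates the DWORD value; fails without administrative rights.
    if (-not (Test-Path $lsaKey)) {
        throw "Lsa key not found at $lsaKey"
    }
    Set-ItemProperty -Path $lsaKey -Name 'NoLMHash' -Value 1 -Type DWord
}

if (Get-NoLMHashState) {
    Write-Output 'NoLMHash is already 1: new passwords are stored as NT hash only.'
} else {
    Write-Output 'NoLMHash is not set: LM hashes are still being stored for new passwords.'
    Disable-LMHashStorage
    Write-Output 'NoLMHash set to 1. LM hashes already in the SAM remain until each account next changes its password.'
}
```

In a domain, the same value is pushed to every machine through the Group Policy setting named above rather than edited host by host.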
- tonyd22, on 10/12/2007, -0/+0 From the ophcrack website (http://ophcrack.sourceforge.net/) :
"The main difference between rainbowcrack and ophcrack is that the tables are stored in a more compact way. Storing one chain in ophcrack takes about 7 bytes whereas rainbowcrack uses 16.
Another difference is that we generate "perfect tables", that is tables where we remove chains that merge and that are largely identical.
As a result, ophcrack makes a much better use of the memory and since you can trade memory for time, it is much faster."
I've just seen that Ophcrack 2.3 is able to crack NTLM (NThash tables) passwords as well.
- jameshacksu, on 10/12/2007, -1/+0 check out my site http://jamespinto.awardspace.com for learning to hack, tutorials tools and lots of other stuff on hacking
- Tripacer, on 11/19/2007, -0/+1 =O
- board2, on 03/10/2008, -0/+1 That's great find