Ophcrack Vista Free Tables, Useless?


13 replies to this topic

#1 H@L0_F00

    HAL0_F00

  • Active Members
  • 835 posts
  • Gender:Male
  • Location:Sin city!

Posted 06 October 2009 - 01:33 AM

With more and more people using Vista and Win7, I decided it was time to get my NT hash cracking on. So, I installed Windows 7 in a VM, set up some lame test accounts:

Username:Password

Test:seven
lame:lame
lamepass:lamepass
yourmom:yourmom
18j4:18j4

I then ran it through Ophcrack. What came up? Nothing but "lame" and "18j4", and they were only found because Ophcrack brute-forces from 1-4 characters. I was quite surprised that the other passwords couldn't be found... I know Ophcrack exploits the weak LM hash used in XP and preceding, while the Vista Free tables are based on a dictionary and mutations, but I still figured that it would find all of those lame passwords... Yet, it didn't.

I was just wondering, if any of you have cracked some NT hashes, be it from Vista or Windows 7, did you use Ophcrack? What was the password? What tables did you use? And, how long did it take?

If you use something other than Ophcrack (JTR, Cain, etc.), what do you use? What tables do you use and how large are they? On average, how long does it take you to crack an NT hash?
QUOTE (Pablo Picasso)
Computers are useless. They can only give you answers.
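Added example (editor's code, not from the thread and not Ophcrack's): the NT hash is MD4 over the UTF-16LE password, with no salt and none of the LM-style splitting into uppercased 7-character halves, so a table's hit rate depends entirely on its dictionary, its mutation rules and its brute-force range. Vista and Windows 7 also stop storing the LM hash by default, which is why LM tables return nothing on those systems. The script computes NT hashes for the five test accounts above and models a dictionary-with-mutations lookup followed by a 1-4 character brute-force pass. The wordlist, the mutation rules and the brute-force alphabet are constructed stand-ins, not the contents of the Vista Free tables; MD4 is implemented inline because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
"""Added example: NT hashes and what a dictionary+mutation table can recover.
Illustrative code only; the wordlist and rules are constructed, not Ophcrack's."""
import itertools
import string
import struct

_MASK = 0xFFFFFFFF
# Per-round shift amounts and message-word orders from RFC 1320.
_S1, _S2, _S3 = (3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)
_K2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Inlined because hashlib's 'md4' is often
    unavailable under OpenSSL 3; speed does not matter for this demonstration."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1: F(b,c,d)
            t = (a + ((b & c) | (~b & d)) + x[i]) & _MASK
            s = _S1[i & 3]
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _MASK, b, c
        for i in range(16):                                   # round 2: G(b,c,d)
            t = (a + ((b & c) | (b & d) | (c & d)) + x[_K2[i]] + 0x5A827999) & _MASK
            s = _S2[i & 3]
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _MASK, b, c
        for i in range(16):                                   # round 3: H(b,c,d)
            t = (a + (b ^ c ^ d) + x[_K3[i]] + 0x6ED9EBA1) & _MASK
            s = _S3[i & 3]
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _MASK, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt, no case folding, no 7-char split:
    unlike LM there is no structural weakness, so only the guess space matters."""
    return md4(password.encode("utf-16-le"))


def mutations(word: str):
    """Constructed stand-in for a table's mutation rules (not Ophcrack's real rule set)."""
    for base in (word, word.capitalize(), word.upper(), word[::-1]):
        for suffix in ("", "1", "123", "!"):
            yield base + suffix


def crack_with_tables(targets, wordlist, brute_max=4, alphabet=string.digits + string.ascii_lowercase):
    """Model of a dictionary+mutation lookup followed by a short brute-force pass.
    targets: {account: nt_hash_hex}. Returns {account: recovered_password}."""
    lookup = {}
    for word in wordlist:
        for cand in mutations(word):
            lookup.setdefault(nt_hash(cand).hex(), cand)
    found = {acct: lookup[h.lower()] for acct, h in targets.items() if h.lower() in lookup}
    want = {h.lower(): acct for acct, h in targets.items() if acct not in found}
    for n in range(1, brute_max + 1):          # 1..brute_max chars, like Ophcrack's short brute-force
        for tup in itertools.product(alphabet, repeat=n):
            if not want:
                return found
            cand = "".join(tup)
            h = nt_hash(cand).hex()
            if h in want:
                found[want.pop(h)] = cand
    return found


if __name__ == "__main__":
    # The five test accounts from the first post; the wordlist is a constructed stand-in.
    accounts = {"Test": "seven", "lame": "lame", "lamepass": "lamepass", "yourmom": "yourmom", "18j4": "18j4"}
    targets = {acct: nt_hash(pw).hex() for acct, pw in accounts.items()}
    wordlist = ["lame", "seven", "password", "letmein"]
    found = crack_with_tables(targets, wordlist)
    for acct in accounts:
        print(f"{acct:10s} {targets[acct]}  {found.get(acct, '<not recovered>')}")
```

With the constructed wordlist, "lame" and "seven" fall to the dictionary, "18j4" to the short brute force, and "lamepass" and "yourmom" are never recovered despite being trivially weak. Drop "seven" from the list and it joins them: what a dictionary table recovers is a property of the wordlist and rules, not of how lame the password is.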



#2 moonlit

    Hak5 Junkie

  • Active Members
  • 4,207 posts
  • Gender:Male
  • Location:irc://England:6667

Posted 06 October 2009 - 01:43 AM

Rainbow tables are a waste of time and space when it comes to getting into a Windows box, unless you're trying to access encrypted files. If you have access to the machine, it's yours in less than 5 minutes.

#3 Netshroud

    Hak5 Enthusiast

  • Active Members
  • 1,321 posts
  • Gender:Male
  • Location:meterpreter>

Posted 06 October 2009 - 01:45 AM

I cracked school LM hashes using Ophcrack. Haven't gotten anything with NTLM.
"Why is it 'marketing' when a company helps itself to my information against my will and 'piracy' or 'industrial espionage' if I helped myself to THEIR information against their will ?"

#4 Lord Necron

    Hak5 Fan ++

  • Members
  • 66 posts

Posted 06 October 2009 - 07:55 AM

QUOTE (H@L0_F00 @ Tue, 06 Oct 2009 01:33:27 +0000)
With more and more people using Vista and Win7, I decided it was time to get my NT hash cracking on. So, I installed Windows 7 in a VM, set up some lame test accounts:

Username:Password

Test:seven
lame:lame
lamepass:lamepass
yourmom:yourmom
18j4:18j4

I then ran it through Ophcrack. What came up? Nothing but "lame" and "18j4", and they were only found because Ophcrack brute-forces from 1-4 characters. I was quite surprised that the other passwords couldn't be found... I know Ophcrack exploits the weak LM hash used in XP and preceding, while the Vista Free tables are based on a dictionary and mutations, but I still figured that it would find all of those lame passwords... Yet, it didn't.

I was just wondering, if any of you have cracked some NT hashes, be it from Vista or Windows 7, did you use Ophcrack? What was the password? What tables did you use? And, how long did it take?

If you use something other than Ophcrack (JTR, Cain, etc.), what do you use? What tables do you use and how large are they? On average, how long does it take you to crack an NT hash?

I haven't had any luck with the Vista one, either.

QUOTE (moonlit @ Tue, 06 Oct 2009 01:43:40 +0000)
Rainbow tables are a waste of time and space when it comes to getting into a Windows box, unless you're trying to access encrypted files. If you have access to the machine, it's yours in less than 5 minutes.

So how would one go about this? Keep in mind that in my case these are customer machines. All too often during the intake process the non-technical office manager forgets to ask for the password. We try calling the customer first, but sometimes you get one that doesn't call back for days (vacation, whatever). It would be nice if I could get the PW as easily as removing it.



#5 H@L0_F00

    HAL0_F00

  • Active Members
  • 835 posts
  • Gender:Male
  • Location:Sin city!

Posted 06 October 2009 - 10:19 AM

I agree, getting into a Windows box is easy, but you can't always remove/reset the password or use Kon-Boot, and sometimes you'd just like to know the password. When trying to access a machine more passively, you cannot remove the password or change it.



#6 moonlit

    Hak5 Junkie

  • Active Members
  • 4,207 posts
  • Gender:Male
  • Location:irc://England:6667

Posted 06 October 2009 - 11:12 AM

No-one really said why they were cracking Windows boxes, I was just thinking about removing the password, which is easy as pie. Gotta do what you gotta do, right? Besides, if you back up the SAM, you can set the password to nothing, do what you need to do, then put the old SAM back and the original password will be reinstated.

#7 H@L0_F00

    HAL0_F00

  • Active Members
  • 835 posts
  • Gender:Male
  • Location:Sin city!

Posted 06 October 2009 - 05:40 PM

Wow... I'm kind of disappointed in myself for not realizing such a thing was possible... I mean, that's what I do with DeepFreeze... Anyways, thanks for that Moonlit.

I'm still interested in hearing a bit about what everybody else uses for cracking passes though, as I think I'm going to try to learn more about such things.



#8 555

    Hak5 forum junky

  • Active Members
  • 418 posts
  • Gender:Male

Posted 06 October 2009 - 07:21 PM

I have used Ophcrack, not too much with Vista, but with the 120GB of full data Hak5 rainbow tables on torrent I should be able to crack any of them, right? Will LM also crack MD5 and SHA1 as well? Does Hak5 offer rainbow tables for MD5 and SHA-1? I did not know Ophcrack only bruted up to 4 chars, that is good to know. Do LM tables even work with Vista and 7?

#9 Lord Necron

    Hak5 Fan ++

  • Members
  • 66 posts

Posted 06 October 2009 - 07:38 PM

QUOTE (moonlit @ Tue, 06 Oct 2009 11:12:10 +0000)
No-one really said why they were cracking Windows boxes, I was just thinking about removing the password, which is easy as pie. Gotta do what you gotta do, right? Besides, if you back up the SAM, you can set the password to nothing, do what you need to do, then put the old SAM back and the original password will be reinstated.

*blink blink* Oooohhhhh! Put it back! What a novel idea...
Never thought of that. In my case I didn't need to, though. Just let 'em know we removed it to do our work.
Every once in a while I get the "you can do that?!"



#10 555

    Hak5 forum junky

  • Active Members
  • 418 posts
  • Gender:Male

Posted 07 October 2009 - 12:23 PM

I have heard of and know what SAM files are but never really knew its location on the drive, so I googled it and here is what I got, just in case some other people don't know where it is...

c:\windows\system32\config\sam (windows dir may vary)
c:\windows\repair\sam (possible backups in subfolders)

I am guessing for Windows 7 and Ultimate it is different... does anyone know?
And is the file name just SAM, with no extension?

#11 Netshroud

    Hak5 Enthusiast

  • Active Members
  • 1,321 posts
  • Gender:Male
  • Location:meterpreter>

Posted 07 October 2009 - 05:07 PM

Yep, no extension, just 'SAM'. For those who don't know, the SAM is encrypted with a key, which is stored in 'SYSTEM'.

#12 H@L0_F00

    HAL0_F00

  • Active Members
  • 835 posts
  • Gender:Male
  • Location:Sin city!

Posted 07 October 2009 - 06:46 PM

C:\Windows\System32\config is where the SAM and SYSTEM files can be found on Windows 7 so I'm pretty sure it's the same for Vista.



#13 Netshroud

    Hak5 Enthusiast

  • Active Members
  • 1,321 posts
  • Gender:Male
  • Location:meterpreter>

Posted 07 October 2009 - 07:57 PM

Same for Vista and XP. 2K I think it's C:\Winnt\System32\Config

#14 The Sorrow

    Sad...so sad....

  • Active Members
  • 289 posts
  • Gender:Male
  • Location:Las Vegas, NV

Posted 14 October 2009 - 03:49 PM

I've had issues with Ophcrack as well, simple seven alphanumerical characters. I don't know why but Ophcrack has become not so useful.



