H@L0_F00 Posted October 6, 2009

With more and more people using Vista and Win7, I decided it was time to get my NT hash cracking on. So, I installed Windows 7 in a VM and set up some lame test accounts (Username:Password):

Test:seven
lame:lame
lamepass:lamepass
yourmom:yourmom
18j4:18j4

I then ran it through Ophcrack. What came up? Nothing but "lame" and "18j4", and they were only found because Ophcrack brute-forces from 1-4 characters. I was quite surprised that the other passwords couldn't be found... I know Ophcrack exploits the weak LM hash used in XP and preceding, while the Vista Free tables are based on a dictionary and mutations, but I still figured that it would find all of those lame passwords... Yet, it didn't.

I was just wondering, if any of you have cracked some NT hashes, be it from Vista or Windows 7, did you use Ophcrack? What was the password? What tables did you use? And, how long did it take? If you use something other than Ophcrack (JTR, Cain, etc.), what do you use? What tables do you use and how large are they? On average, how long does it take you to crack an NT hash?
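An added example, not from the original thread, that computes NT hashes the way Windows does (MD4 over the UTF-16LE password, no uppercasing and no 7-byte halves like LM) and runs a small dictionary-plus-mutation attack and a short brute force against the poster's own five test passwords. The pwdump-style lines and the mini wordlist are constructed here, not taken from a real machine; MD4 is implemented inline because hashlib's `md4` is missing on many OpenSSL 3 builds.

```python
"""NT hash computation plus dictionary/mutation and brute-force attacks
over the thread's test accounts. Added example; pwdump lines and wordlist
are constructed, not real."""
import itertools
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest in pure Python (little-endian words)."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # the register being updated rotates each step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). Case-sensitive and unsplit, so a
    table must hold every case/mutation variant explicitly (unlike LM)."""
    return md4(password.encode("utf-16-le")).hex()


# The thread's throwaway Windows 7 accounts (username: password).
TEST_ACCOUNTS = {"Test": "seven", "lame": "lame", "lamepass": "lamepass",
                 "yourmom": "yourmom", "18j4": "18j4"}
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored


def make_pwdump(accounts=TEST_ACCOUNTS):
    """Constructed pwdump-style lines 'user:rid:lm:nt:::' for the accounts."""
    return [f"{u}:{1000 + i}:{EMPTY_LM}:{nt_hash(p)}:::"
            for i, (u, p) in enumerate(accounts.items())]


def parse_pwdump(lines):
    out = {}
    for ln in lines:
        user, _rid, _lm, nt = ln.split(":")[:4]
        out[user] = nt.lower()
    return out


def mutations(word):
    """A few of the mutations dictionary-based NT tables tend to include."""
    seen = set()
    for cand in (word, word.lower(), word.capitalize(), word.upper(),
                 word + "1", word + "123", word + "!", word[::-1],
                 word.translate(str.maketrans("aeios", "43105"))):
        if cand not in seen:
            seen.add(cand)
            yield cand


def dictionary_attack(nt_by_user, wordlist):
    """Hash every wordlist mutation once, then look each target hash up."""
    table = {}
    for w in wordlist:
        for cand in mutations(w):
            table.setdefault(nt_hash(cand), cand)
    return {u: table[h] for u, h in nt_by_user.items() if h in table}


def brute_force(nt_by_user, charset, max_len):
    """Exhaust all strings over charset up to max_len (what Ophcrack does for
    1-4 chars). Pure-Python MD4 makes 36^4 take minutes; keep charset small."""
    targets = {h: u for u, h in nt_by_user.items()}
    found = {}
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            cand = "".join(tup)
            h = nt_hash(cand)
            if h in targets:
                found[targets[h]] = cand
                if len(found) == len(targets):
                    return found
    return found


if __name__ == "__main__":
    hashes = parse_pwdump(make_pwdump())
    # Constructed mini wordlist: 'seven'/'lame'/'yourmom' present, 'lamepass' absent.
    wordlist = ["password", "seven", "lame", "yourmom", "letmein"]
    print("dictionary:", dictionary_attack(hashes, wordlist))
    print("brute force:", brute_force(hashes, "0123456789j", 4))
```

Run as written, the dictionary pass recovers exactly the accounts whose password (or a listed mutation of it) is in the wordlist, the 4-character brute force is the only thing that recovers "18j4", and "lamepass" stays uncracked until a wordlist contains it, which matches what the poster saw with the dictionary-derived Vista tables.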
moonlit Posted October 6, 2009

Rainbow tables are a waste of time and space when it comes to getting into a Windows box, unless you're trying to access encrypted files. If you have access to the machine, it's yours in less than 5 minutes.
Netshroud Posted October 6, 2009

I cracked school LM hashes using Ophcrack. Haven't gotten anything with NTLM.
Lord Necron Posted October 6, 2009

> With more and more people using Vista and Win7, I decided it was time to get my NT hash cracking on. So, I installed Windows 7 in a VM and set up some lame test accounts (Username:Password):
>
> Test:seven
> lame:lame
> lamepass:lamepass
> yourmom:yourmom
> 18j4:18j4
>
> I then ran it through Ophcrack. What came up? Nothing but "lame" and "18j4", and they were only found because Ophcrack brute-forces from 1-4 characters. I was quite surprised that the other passwords couldn't be found... I know Ophcrack exploits the weak LM hash used in XP and preceding, while the Vista Free tables are based on a dictionary and mutations, but I still figured that it would find all of those lame passwords... Yet, it didn't.
>
> I was just wondering, if any of you have cracked some NT hashes, be it from Vista or Windows 7, did you use Ophcrack? What was the password? What tables did you use? And, how long did it take? If you use something other than Ophcrack (JTR, Cain, etc.), what do you use? What tables do you use and how large are they? On average, how long does it take you to crack an NT hash?

I haven't had any luck with the Vista one, either.

> Rainbow tables are a waste of time and space when it comes to getting into a Windows box, unless you're trying to access encrypted files. If you have access to the machine, it's yours in less than 5 minutes.

So how would one go about this? Keep in mind that in my case these are customer machines. All too often during the intake process the non-technical office manager forgets to ask for the password. We try calling the customer first, but sometimes you get one that doesn't call back for days (vacation, whatever). It would be nice if I could get the PW as easily as removing it.
H@L0_F00 (author) Posted October 6, 2009

I agree, getting into a Windows box is easy, but you can't always remove/reset the password or use Kon-Boot, and sometimes you'd just like to know the password. When trying to access a machine more passively, you cannot remove the password or change it.
moonlit Posted October 6, 2009

No one really said why they were cracking Windows boxes; I was just thinking about removing the password, which is easy as pie. Gotta do what you gotta do, right? Besides, if you back up the SAM, you can set the password to nothing, do what you need to do, then put the old SAM back and the original password will be reinstated.
H@L0_F00 (author) Posted October 6, 2009

Wow... I'm kind of disappointed in myself for not realizing such a thing was possible... I mean, that's what I do with DeepFreeze... Anyways, thanks for that, Moonlit. I'm still interested in hearing a bit about what everybody else uses for cracking passes though, as I think I'm going to try to learn more about such things.
555 Posted October 7, 2009

I have used Ophcrack, not too much with Vista, but with the 120GB of full data Hak5 rainbow tables on torrent I should be able to crack any of them, right? Will LM also crack MD5 and SHA1 as well? Does Hak5 offer rainbow tables for MD5 and SHA-1? I did not know Ophcrack only bruted up to 4 chars; that is good to know. Do LM tables even work with Vista and 7?
Lord Necron Posted October 7, 2009

> No one really said why they were cracking Windows boxes; I was just thinking about removing the password, which is easy as pie. Gotta do what you gotta do, right? Besides, if you back up the SAM, you can set the password to nothing, do what you need to do, then put the old SAM back and the original password will be reinstated.

*blink blink* Oooohhhhh! Put it back! What a novel idea... Never thought of that. In my case I didn't need to, though. Just let 'em know we removed it to do our work. Every once in a while I get the "you can do that?!"
555 Posted October 7, 2009

I have heard of and know what SAM files are but never really knew their location on the drive, so I googled it and here is what I got, just in case some other people don't know where it is:

c:\windows\system32\config\sam (windows dir may vary)
c:\windows\repair\sam (possible backups in subfolders)

I am guessing for Windows 7 and Ultimate it is different... does anyone know? And is the file name just SAM, with no extension?
Netshroud Posted October 7, 2009

Yep, no extension, just 'SAM'. For those who don't know, the SAM is encrypted with a key, which is stored in 'SYSTEM'.
H@L0_F00 (author) Posted October 7, 2009

C:\Windows\System32\config is where the SAM and SYSTEM files can be found on Windows 7, so I'm pretty sure it's the same for Vista.
Netshroud Posted October 8, 2009

Same for Vista and XP. 2K I think it's C:\Winnt\System32\Config
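An added example, not from the original thread, of the backup-blank-restore trick moonlit describes, done the way a practitioner would want it: the SAM and SYSTEM hives are backed up and restored as a pair, because the SAM is encrypted with a key held in SYSTEM, and the backup is checked against a recorded SHA-256 manifest before anything is written back to the volume. It assumes a rescue environment with the Windows volume mounted read-write and `windir` pointing at its Windows directory (the `System32\config` location from the posts above); the demo tree and hive contents it builds are placeholder bytes, not real registry data.

```python
"""Back up SAM and SYSTEM together, blank the password offline, then restore
the pair byte-for-byte. Added example; the demo tree is constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

HIVES = ("SAM", "SYSTEM")  # both in <windir>\System32\config, no extension


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_hives(windir, dest) -> dict:
    """Copy both hives to dest and record their SHA-256 digests in a manifest."""
    cfg = Path(windir) / "System32" / "config"
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {name: _sha256(cfg / name) for name in HIVES}
    for name in HIVES:
        shutil.copy2(cfg / name, dest / name)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_hives(windir, dest) -> dict:
    """Check every backed-up hive against the manifest, then put both back.
    Refuses to touch the volume if any copy no longer matches."""
    cfg = Path(windir) / "System32" / "config"
    dest = Path(dest)
    manifest = json.loads((dest / "manifest.json").read_text())
    for name in HIVES:
        if _sha256(dest / name) != manifest[name]:
            raise ValueError(f"backup of {name} does not match manifest; not restoring")
    for name in HIVES:
        shutil.copy2(dest / name, cfg / name)
    return {name: _sha256(cfg / name) == manifest[name] for name in HIVES}


def run_demo() -> dict:
    """Round-trip on a constructed fake Windows tree (placeholder bytes stand
    in for the hives). Returns what the round trip and the tamper check did."""
    root = Path(tempfile.mkdtemp())
    windir, backup = root / "Windows", root / "hive-backup"
    cfg = windir / "System32" / "config"
    cfg.mkdir(parents=True)
    original = {"SAM": b"regf fake SAM, original password",
                "SYSTEM": b"regf fake SYSTEM with boot key"}
    for name, blob in original.items():
        (cfg / name).write_bytes(blob)

    backup_hives(windir, backup)
    # Stand-in for an offline tool editing the SAM to blank the password.
    (cfg / "SAM").write_bytes(b"regf fake SAM, password blanked")
    restored = restore_hives(windir, backup)
    round_trip_ok = all(restored.values()) and (cfg / "SAM").read_bytes() == original["SAM"]

    (backup / "SYSTEM").write_bytes(b"corrupted copy")  # simulate a damaged backup
    try:
        restore_hives(windir, backup)
        tamper_refused = False
    except ValueError:
        tamper_refused = True
    shutil.rmtree(root)
    return {"round_trip_ok": round_trip_ok, "tamper_refused": tamper_refused}


if __name__ == "__main__":
    print(run_demo())
```

On a real volume the copy must happen with Windows shut down (the hives are locked while it runs), and the restore puts the original password back only because both files go back together.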
The Sorrow Posted October 14, 2009

I've had issues with Ophcrack as well, with simple seven alphanumeric characters. I don't know why, but Ophcrack has become not so useful.