Ophcrack No Go. Worth Trying Usb?

[NegativeSpace]

So I have a friends Vista (Basic!!!WTF?) laptop. She gave it to me because she forgot her password. It's a perfectly fine, working condition machine, and even has a working guest account. I want to crack her admin level account password, rather than resetting it, mostly because i've not done it before. ophcrack live gives blinking _, even after using several different iso writers. It's possible that the op drive doesn't work. I haven't tried a bootable USB for ophcrack.

Should I try a bootable USB (something which I will have to learn to do)? Should I use something else to crack the password? Should I forget it and just reset the damn thing?

Congrats for coming this far, considering all of the other threads and google results already in existence. Ten dollars to the paypal account of the first person to give me exact specific instructions that result in me knowing the password without spending any more than the ten dollars ill give you, or more than about an hour.

By the way, I am a grown man with self respect, and so I have no desire to steal anything, much less a Vista password that I would just as soon smash with my TIBAR (if only it physically existed!). When I said that I have a friends computer to crack her password, it's because she gave it to me and asked me to crack her password.

I think this is gonna be fun!

Update: Optical drive does not work.

Another update: Just realized I should have titled this thread "Ophcrack LIVE no go".....

Edited December 6, 2011 by NegativeSpace

[nemo_nihil]

my suggestion is to just reset that password. while you could crack it it will probably take a long time. you could burn i to a live usb (http://unetbootin.sourceforge.net/) but i would suggest stealing the password hash and then running it on a more powerful machine maybe amazon cloud?

[NegativeSpace]

my suggestion is to just reset that password. while you could crack it it will probably take a long time. you could burn i to a live usb (http://unetbootin.sourceforge.net/) but i would suggest stealing the password hash and then running it on a more powerful machine maybe amazon cloud?

The password is very likely to be a very short, all under case, common word. Besides, I don't mind if it takes a week to crack, as long as I can get it going soon.

I considered copying the hash file to a better computer, but I don't know how to retrieve the password hash from a Vista machine, and without administrator privileges. If I did know how, I would not know (though I'm pretty sure I could learn pretty easily) how to apply the has file to a password cracker.

Explain the technique/procedure and, if I decide to use it and it works, I will give you ten dollars.

[digip]

Boot backtrack off USB or even ophcrack, dump the hashes, crack them on another machine or while in the live environment. Other though, pull the HDD, mount in another system, dump hashes and then crack them that way, bypassing USB and dvd drive.

[nemo_nihil]

ok option one:

turn off anti virus

boot into backtrack on a separate machine on the network

start Social Engineering Tool kit

set up browser based attack (numbers 1, 1, 2, 1, 1, 2, 2, 16, then just follow the instructions)

login into guest account and navigate to the ip of your browser attack

wait for exploit to run

getsystem

hashdump

then take the hash to an online hashcracker OR check out this http://project-rainbowcrack.com/tutorial.htm

option two

download from http://unetbootin.sourceforge.net/

select disk image

select USB drive

select drive letter

click "ok"

then boot into USB and from there i assume you know what you are doing

if you need help on a specific step i hang out in the IRC just pm me and i will do my best

[NegativeSpace]

I don't want your money, I just would like you to do your own research. If you want to boot USB drives I would recommend unetbootin for windows... Download the program, run it, set the operating system to download ophcrack, it will then download and install the ISO onto the USB drive and set up a syslinux file. Once it's done it will ask for a reboot and then you will go into ophcrack and recover the passwd. Next time go on google, if your a grown man you should be able to do this for yourself.

I sense an "I'm better than you" attitude. When is the last time you offered to pay someone on a forum for helping you? You have only stated obvious instructions that I have been familiarized with thousands of times.

If you assume that I haven't been on google, you must be an idiot. As far as your comment on me being a grown man; if you were standing in front of me I would smack the shit out of you. I'm asking you to leave this discussion.

[NegativeSpace]

my suggestion is to just reset that password. while you could crack it it will probably take a long time. you could burn i to a live usb (http://unetbootin.sourceforge.net/) but i would suggest stealing the password hash and then running it on a more powerful machine maybe amazon cloud?

Do you think it could take more than a week, considering the probability that the password is short and a common word?

What would be the best way to extract the password hash and run it on a better machine?

[NegativeSpace]

My apologies to all of the other members for having to be rude.

[NegativeSpace]

Boot backtrack off USB or even ophcrack, dump the hashes, crack them on another machine or while in the live environment. Other though, pull the HDD, mount in another system, dump hashes and then crack them that way, bypassing USB and dvd drive.

I like the idea of mounting the HDD in another machine and dumping then cracking the hashes. I'm not sure how to dump the hashes and crack them, though. Which technique/software would be good to use for extracting and cracking, in this scenario?

[digip]

I like the idea of mounting the HDD in another machine and dumping then cracking the hashes. I'm not sure how to dump the hashes and crack them, though. Which technique/software would be good to use for extracting and cracking, in this scenario?

Backtrack can dump the hashes for you. Basically, you need the sam file, something that is locked when booted into windows, but easily read when booted off live media, or mounted in another system. Booting off a backtrack thumbdrive would be one way, or just off Ophcrack on USB, which someone suggested to use use Unetbootin to make a bootable thumbdrive, I would reccomend that as well. Give you something to try out. Removing the HDD is kind of last resort, but always an option.

[NegativeSpace]

Backtrack can dump the hashes for you. Basically, you need the sam file, something that is locked when booted into windows, but easily read when booted off live media, or mounted in another system. Booting off a backtrack thumbdrive would be one way, or just off Ophcrack on USB, which someone suggested to use use Unetbootin to make a bootable thumbdrive, I would reccomend that as well. Give you something to try out. Removing the HDD is kind of last resort, but always an option.

I am right now making a bootable backtrack USB drive. It's about time anyway. If I don't have the password by the time I leave my computer tonight, I will just reset it.

[NegativeSpace]

ok option one:

turn off anti virus

boot into backtrack on a separate machine on the network

start Social Engineering Tool kit

set up browser based attack (numbers 1, 1, 2, 1, 1, 2, 2, 16, then just follow the instructions)

login into guest account and navigate to the ip of your browser attack

wait for exploit to run

getsystem

hashdump

then take the hash to an online hashcracker OR check out this http://project-rainbowcrack.com/tutorial.htm

option two

download from http://unetbootin.sourceforge.net/

select disk image

select USB drive

select drive letter

click "ok"

then boot into USB and from there i assume you know what you are doing

if you need help on a specific step i hang out in the IRC just pm me and i will do my best

Thanks for the reply. I'm going to try this, provided I'm understanding correctly that I can use a tool within Backtrack to crack the password hash. Is that correct?

[NegativeSpace]

Backtrack can dump the hashes for you. Basically, you need the sam file, something that is locked when booted into windows, but easily read when booted off live media, or mounted in another system. Booting off a backtrack thumbdrive would be one way, or just off Ophcrack on USB, which someone suggested to use use Unetbootin to make a bootable thumbdrive, I would reccomend that as well. Give you something to try out. Removing the HDD is kind of last resort, but always an option.

I am downloading "BT5-GNOME-32.iso". Is that the right file for making a bootable backtrack USB, because it's going to take quite a while to download, and don't want to continue to download the wrong image.

[digip]

I am downloading "BT5-GNOME-32.iso". Is that the right file for making a bootable backtrack USB, because it's going to take quite a while to download, and don't want to continue to download the wrong image.

as long as it isn't the ARM based one. Be sure its x86 based, and not ARM. Otherwise, you won't be able to do anything with it.

[NegativeSpace]

as long as it isn't the ARM based one. Be sure its x86 based, and not ARM. Otherwise, you won't be able to do anything with it.

Roger. Was sure to double check for X86 instead of ARM.

[digip]

Can give this a try too. http://boreditguy.com/blog/?p=364 I think it requires a known admin password though to login to the machine(which is in the nmap cli commands).

edit: just reread the link, needs to be win2000 or 2003 with valid admin user account. Still good link to have handy though.

Edited December 7, 2011 by digip

[Infiltrator]

Can give this a try too. http://boreditguy.com/blog/?p=364 I think it requires a known admin password though to login to the machine(which is in the nmap cli commands).

edit: just reread the link, needs to be win2000 or 2003 with valid admin user account. Still good link to have handy though.

Wouldn't PWdump be picked up by an AV?

[NegativeSpace]

Boot backtrack off USB or even ophcrack, dump the hashes, crack them on another machine or while in the live environment. Other though, pull the HDD, mount in another system, dump hashes and then crack them that way, bypassing USB and dvd drive.

I now have the machine running backtrack LIVE USB. I don't know what to do from here. Could you help me? I understand that I need to dump the hashes, but I don't how. Once I have dumped the hashes, then which tool within backtrack do I use to crack them?

[Infiltrator]

then which tool within backtrack do I use to crack them?

If you have an Nvidia graphics card, you could use this utility to crack it,

http://www.cryptohaze.com/multiforcer.php

[NegativeSpace]

If you have an Nvidia graphics card, you could use this utility to crack it,

http://www.cryptohaze.com/multiforcer.php

I do have an nvidia graphics card, but I am running backtrack live on the machine with the unknown windows admin level user account, and it does not have one. I don't mind waiting on it to take a lot of time to crack the password as long as were talking hours or days and not weeks. The password is probably a short word, as opposed to random characters. At this point I am stuck on how to 'extract?' the SAM hash, and how to then apply/give that hash to which tool that will use the computer to crack the password.

I prefer to use the machine in question, rather than giving the hash to another more powerful machine. I still want to learn to do that, but only after I have learned how to use the machine in question to crack it's windows account's password first.

So then, how do I extract the hash? Which tool do i give the hash file too, and how do I do that?

Edit; I have just seen the instructions below. I will try that and report back. Can't thank you all enough for helping me to learn!

Edited December 7, 2011 by NegativeSpace

[digip]

In backtrack, type "man samdump2" for instructions. You need to mount the windows drive, point to the proper location for the file system/os in use, then the sam file to crack. Ophcrack is also in the latest bt5r1 and will pull it for you, but if the tables used in bt are too small to find it, you would have to copy the hashes off to another system with larger tables to crack against.

[NegativeSpace]

Thanks to everyone who has helped or tried to help so far!! This is good stuff! Feels like the good old days of learning DOS and Windows 3.1, except much more useful and fun!

[NegativeSpace]

Here is an update. I was able to load SAM Directory (/config) into ophcrack. default admin account and guest account passwords were immediately found to be empty. The Created admin account password, after 25 seconds of brute forcing, was not found. Unfortunately, I had to do all of this graphically, but hey, I just started using BT 12 hours ago, and been asleep for 7 of them. So, I assume that the default (rainbow tables?) included with BT/ophcrack are pretty much for example, and that is the reason the password was not found after only 25 seconds of trying?

What next?

Update on the update: Password Cracked.

While I feel I have learned a great deal from this, I also feel like I have opened many more questions to myself (as is always true when I work with new things digital). If anyone would like to explain anything to me, like things I may have missed, things I may have done wrong, etc, I would really appreciate that.

About that ten dollars. I will explain the "process" that I followed, and then I will need everyone who participated to vote on who helped most. I am also going to go back and read all the responses, and compare them with what I did to see who I think helped the most, and then, based on those two outcomes I will decide who deserves to say they helped most. Thanks again to everyone, by the way! I do understand that we are not a group of people who are here to teach/learn and get paid/pay for it. I just felt it was appropriate in this case because I wanted very specific and accurate information based on facts, very quickly, and it was something I very well could have learned on my own, if I wanted to read potentially thousands of google results. If you helped me more than anyone else and you don't want the money, I will double it and give it to a charity of your choice in your name.

Edited December 7, 2011 by NegativeSpace

[nemo_nihil]

Get bigger/better rainbow tables/wordlists the links that have provided already should give you a good starting point

[digip]

Use backtrack to dump the same hashes, save them to the thumbdrive(if not writable, you need to make a partition on the thumbdrive that is writable, or remount the system as RW and save it) or another location, upload to another PC on the network, etc(you should be able to copy and paste the hash into a browser, might already be found via google (hint)). Once you have the dump of the sam file, then you can boot into ophcrack(full version, not from backtrack) from another machine and read the sam file for cracking. If then it doesn't work, you need to go to the ophcrack page and find the links for the other tables to download and crack against. XP uses different tables than Vista/7, so make sure you don't waste time downloading the wrong ones. http://ophcrack.sourceforge.net/tables.php

Edited December 7, 2011 by digip