Cracking windows passwords with ophcrack and rainbow tables

Our company specializes in both system administration and also computer forensics. One skill that I find useful in both areas is the ability to reverse passwords residing in a windows domain.

As you may know, NT passwords are created using a one way hash algorithm, which means, they can not be decrypted to obtain the plaintext password. But, what if you had a listing of the hashes of every password? Then you would just be able to compare the hashes until you found one that matched, right?

Well, this is certainly possible. To crack windows XP and server 2003 passwords that are less that 14 characters and contain letters, numbers and symbols, you’ll need about 7.5GB of “rainbow tables.” These tables are the listings of plaintext passwords and their corresponding hash. The entire process will require a few tools:

  • pwdump or the newer fgdump: This will export the password files from a local computer or a windows domain to a .pwdump file.
  • Ophcrack: This is a utility that is used to compare the .pwdump file to the rainbow tables.
  • Rainbow Tables: these were explained earlier. They can be purchased or you can download a utility to create them yourself.

Once you have all the tools, the process is pretty simple. The recovery rate is pretty high for Windows XP and Server 2003. Password hashes have change for Vista, Windows 7 and Server 2003 so you’ll need a different set of rainbow tables that can be acquired similarly to the XP tables.

Sophos Automated Software Rollout

I recently had to install the Sophos Anti-Virus suite at a client office and had issues with a few PCs during the automated rollout of the software. The problem seemed to be that the server with Sophos Control Center was not able to remotely administer several client PCs. The way I was able to test this out was by using Computer Manager to test connecting to each one of the PCs I was having problems installing the software on.

On each PC experiencing the issue, I was not able to remotely connect with Computer Manger. Once I was able to connect with Computer Manager, the Sophos software installed successfully.

There were two reasons this was failing in our environment consisting of Windows XP and Windows 7 workstations.

The problem with Windows XP was that the XP firewall as blocking remote administration. I solved this problem by setting the firewall to allow remote administration through group policy. To do this:

  1. From the server desktop, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. On the Standalone tab, click Add.
  4. In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.
  5. In the Select Group Policy Object dialog box, click Browse.
  6. In the Browse for a Group Policy Object, click the Group Policy object that you want to update with the new Windows Firewall settings. I decided to choose Default Domain Policy since then it would apply to all PCs in the domain.
  7. Click OK.
  8. Click Finish to complete the Group Policy Wizard.
  9. In the Add Standalone Snap-in dialog box, click Close.
  10. In the Add/Remove Snap-in dialog box, click OK.
  11. In the console tree, open Computer ConfigurationAdministrative TemplatesNetworkNetwork Connections, Windows Firewall, and then Domain Profile.
  12. Edit the properties for Windows Firewall: Allow Remote Administration Exception.
  13. Select enable and enter the IP of your server so that you don’t open up remote administration to everyone.

After a restart of the PC, you should be able to deploy Sophos or any other remotely installed software.

For Windows 7 PCs, the problem was that remote administration and installation of software requires the remote registry service to be running. It is set to Automatic startup on Windows XP but set to Manual startup on Windows 7. After changing the startup type to Automatic and starting the service I was able to easily deploy Sophos.