Cracking windows passwords with ophcrack and rainbow tables

Our company specializes in both system administration and also computer forensics. One skill that I find useful in both areas is the ability to reverse passwords residing in a windows domain.

As you may know, NT passwords are created using a one way hash algorithm, which means, they can not be decrypted to obtain the plaintext password. But, what if you had a listing of the hashes of every password? Then you would just be able to compare the hashes until you found one that matched, right?

Well, this is certainly possible. To crack windows XP and server 2003 passwords that are less that 14 characters and contain letters, numbers and symbols, you’ll need about 7.5GB of “rainbow tables.” These tables are the listings of plaintext passwords and their corresponding hash. The entire process will require a few tools:

  • pwdump or the newer fgdump: This will export the password files from a local computer or a windows domain to a .pwdump file.
  • Ophcrack: This is a utility that is used to compare the .pwdump file to the rainbow tables.
  • Rainbow Tables: these were explained earlier. They can be purchased or you can download a utility to create them yourself.

Once you have all the tools, the process is pretty simple. The recovery rate is pretty high for Windows XP and Server 2003. Password hashes have change for Vista, Windows 7 and Server 2003 so you’ll need a different set of rainbow tables that can be acquired similarly to the XP tables.