HOWTO

This howto assumes you have already installed ophcrack 3 and downloaded the ophcrack rainbow tables you want to use. It also assumes that you understand how to use third-party tools to dump the SAM of a Windows system.

Ophcrack and the ophcrack LiveCD are available for free. Ophcrack rainbow tables are available for download: the XP free small, XP free fast and Vista free rainbow tables are free. The other ophcrack rainbow tables are sold by Objectif Securite.

First step

This step is optional but will speed up the cracking process.

Run ophcrack and set the number of threads under the Preferences tab to the number of cores of the computer running ophcrack plus one. For example, for an old single-core processor set the number of threads to 2, for a Core 2 Duo to 3 and for a Core 2 Quad to 5. If you change this value, you have to exit ophcrack and restart it in order to save the change.
Cracking four Linux hashes took about 20 seconds using a dictionary of 500 words when I did it, but as you will see, you can crack four.
If you don't exit and restart, the new number of threads will not be taken into account by the program.

Second step

This step is mandatory.

Load hashes using the Load button. You can either enter a hash manually (Single hash option), import a text file containing hashes you created with pwdump, fgdump or similar third-party tools (PWDUMP file option), extract the hashes from the SYSTEM and SAM files (Encrypted SAM option), dump the SAM from the computer ophcrack is running on (Local SAM option) or dump the SAM from a remote computer (Remote SAM option).

For the Encrypted SAM option, the SAM is located under the Windows system32/config directory and can only be accessed on a Windows partition that is NOT running.

For the Local SAM and Remote SAM options, you MUST be logged in with administrator rights on the computer whose SAM you want to dump.

Third step

This step is optional but will speed up the cracking process.

Delete with the Delete button every user account you are not interested in (for example the Guest account). You can use the Ctrl key to make a multiple selection; Ctrl-A selects every loaded hash.

Keep in mind that the time needed to crack password hashes with rainbow tables is proportional to the number of hashes loaded. With a brute-force attack the cracking time is NOT dependent on the number of unsalted hashes loaded. That is why it is advisable to remove any unnecessary user account with the Delete button.

Fourth step

This step is mandatory.

Install (Tables button), enable (green and yellow buttons) and sort wisely (up and down arrows) the rainbow tables you are going to use. Keep in mind that storing the rainbow tables on a fast medium like a hard disk will significantly speed up the cracking process.

Here are a few guidelines:

- If you want to crack LM hashes as found on Windows XP by default (the LM Hash column is never empty in the ophcrack main window), first install and enable either the XP free small (if you have less than 512MB of free RAM) or the XP free fast (if you have more than 512MB of free RAM). Do NOT enable both of them since this is generally useless and will slow down the cracking process. Then install and enable the Vista free tables set. Finally install and enable the other XP rainbow tables you may have (XP special, XP german) and the Vista one (Vista special). Sort the rainbow tables with the up and down arrows in the following order: first the XP free, then the Vista free, then the XP special, after that the Vista special and finally the XP german.

- If you want to crack NT hashes as found on Windows Vista by default (the LM Hash column is always empty in the ophcrack main window), first install and enable the Vista free tables set. Then install and enable the Vista special tables set. Disable every other XP tables set since they are useless and slow down the cracking process. Sort the enabled rainbow tables with the up and down arrows in the following order: first the Vista free, then the Vista special.

- If you want to crack a mix of LM and NT hashes (some accounts have their LM column empty, others have both the LM and NT columns filled with hashes), proceed the same way as for LM hashes above.

Fifth step

This step is mandatory.

Click on the Crack button to start the cracking process. You'll see the progress of the cracking process in the bottom boxes of the ophcrack window. When a password is found, it will be displayed in the NT Pwd field. You can then save the results of a cracking session at any time with the Save button.
When using pwdump on SAM and SYSTEM files from Windows 10 from the Anniversary update, the local password hash is always 31d6cfe0d16ae931b73c59d7e0c089c0, which john cracks to '' (empty string).

This has started happening recently and I suspect it's only applicable to passwords that were changed AFTER the Anniversary update, because it's not happening on all, but only on some of the Anniversary machines. It also happened on a clean Win 10 Anniversary install: despite setting a password when creating an account, it showed the hash of an empty string.

The relevant commit is 823d376d8044e112acd1e03225a5eba0e97d0397 (the previous one is abaa6ca9b1c4bd76d75a5bdfef8b35cbe82603ce if you want to diff). This tweet seems to indicate that the main changes are getSamKey and getHash:

What he calls the sam key from the F binary in SAM is called hbootkey (and what he calls the sys key is called boot key) in creddump7. The format of that F binary field changed and it's visible in the diff; there is a switch there for the revision in function kuhl_m_lsadump_getSamKey in modules/kuhl_m_lsadump.c. The code then goes to kull_m_crypto_genericAES128Decrypt in modules/kull_m_crypto.c to decrypt the new sam key, but then I get stuck since there are many calls to Crypt functions in the Win API. I didn't try to work out exactly how that would all map to AES in Python. In getHash there is also a new switch for decoding the hash via kull_m_crypto_genericAES128Decrypt again instead of the old method.

Another resource describing this stuff that I used a little but not too extensively was this; it of course doesn't describe the new format. In case someone wants to work with the new SAM and SYSTEM hives on Linux.

I tested mimikatz and it works, extracts the hashes, even on wine (on Fedora 24).

No problem, my question: does Mimikatz work or not? If Mimikatz doesn't work (disable your AV), then there is something wrong with your deductions and not with this program.
Because Mimikatz just uses the Windows APIs that Windows itself uses. Try this: open cmd (as administrator) and type 'net user test test /add'; this will add a user 'test' with password 'test'. Then run mimikatz/creddump/whatever and get the hash.

To be sure: go to e.g. Crackstation.net and crack the hash, or to tobtu.com/lmntlm.php to generate them there, and verify that the hash is indeed for 'test' (0CB6948805F797BF2A8287).