How to Crack Passwords | by federation

How to crack passwords !

Cracking Passwords Version 1.1

This document is for people who want to learn to the how and why of password cracking. There is
a lot of information being presented and you should READ IT ALL BEFORE you attempted
doing anything documented here. I do my best to provide step by step instructions along with the
reasons for doing it this way. Other times I will point to a particular website where you find the
information. In those cases someone else has done what I attempting and did a good or great job
and I did not want to steal their hard work. These instructions have several excerpts from a
combination of posts from pureh@te, granger53, irongeek, PrairieFire, RaginRob, stasik, and
Solar Designer. I would also like to thank each of them and others for the help they have provided
me on the BackTrack forum.
I will cover both getting the SAM from inside windows and from the BackTrack CD, DVD, or
USB flash drive. The SAM is the Security Accounts Manager database where local usernames and
passwords are stored. For legal purposes I am using my own system for this article. The first step
is to get a copy of pwdump. You can choose one from http://en.wikipedia.org/wiki/Pwdump.
Update: I used to use pwdump7 to dump my passwords, however I have come across a new utility
called fgdump from http://www.foofus.net/fizzgig/fgdump/ This new utility will dump passwords
from clients and Active Directory (Windows 2000 and 2003 for sure, not sure about Windows
2008) where pwdump7 only dumps client passwords. I have included a sample hash.txt that has
simple passwords and should be cracked very easily. NOTE: Some anti-virus software packages
flag pwdump* and fgdump as trojan horse programs or some other unwanted program. If
necessary, you can add an exclusion for fgdump and/or pwdump to your anti-virus package so it
won't flag them. However it is better for the community if you contact your anti-virus vendor and
ask them to not flag the tool as a virus/malware/trojan horse.
You can find the latest version of this document at http://www.backtrack-linux.org/
Contents
1 LM vs. NTLM
2 Syskey
3 Cracking Windows Passwords
 3.1 Extracting the hashes from the Windows SAM
 3.1.1 Using BackTrack Tools
 3.1.1.1 Using bkhive and samdump v1.1.1 (BT2 and BT3)
 3.1.1.2 Using samdump2 v2.0.1 (BT4)
 3.1.1.3 Cached Credentials
 3.1.2 Using Windows Tools
 3.1.2.1 Using fgdump
 3.1.2.2 Using gsecdump
Cracking Passwords Version 1.1 file:///D:/password10.html
1 of 45 2/15/2010 3:48 PM
 3.1.2.3 Using pwdump7
 3.1.2.4 Cached Credentials
 3.2 Extracting the hashes from the Windows SAM remotely
 3.2.1 Using BackTrack Tools
 3.2.1.1 ettercap
 3.2.2 Using Windows Tools
 3.2.2.1 Using fgdump
 3.3 Cracking Windows Passwords
 3.3.1 Using BackTrack Tools
 3.3.1.1 John the Ripper BT3 and BT4
 3.3.1.1.1 Cracking the LM hash
 3.3.1.1.2 Cracking the NTLM hash
 3.3.1.1.3 Cracking the NTLM using the cracked LM hash
 3.3.1.1.4 Cracking cached credentials
 3.3.1.2 John the Ripper - current
 3.3.1.2.1 Get and Compile
 3.3.1.2.2 Cracking the LM hash
 3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
 3.3.1.2.4 Cracking the NTLM hash
 3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
 3.3.1.2.6 Cracking cached credentials
 3.3.1.3 Using MDCrack
 3.3.1.3.1 Cracking the LM hash
 3.3.1.3.2 Cracking the NTLM hash
 3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
 3.3.1.4 Using Ophcrack
 3.3.1.4.1 Cracking the LM hash
 3.3.1.4.2 Cracking the NTLM hash
 3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
 3.3.2 Using Windows Tools
 3.3.2.1 John the Ripper
 3.3.2.1.1 Cracking the LM hash
 3.3.2.1.2 Cracking the NTLM hash
 3.3.2.1.3 Cracking the NTLM hash using the cracked LM hash
 3.3.2.1.4 Cracking cached credentials
 3.3.2.2 Using MDCrack
 3.3.2.2.1 Cracking the LM hash
 3.3.2.2.2 Cracking the NTLM hash
 3.3.2.2.3 Cracking the NTLM hash using the cracked LM hash
 3.3.2.3 Using Ophcrack
 3.3.2.3.1 Cracking the LM hash
 3.3.2.3.2 Cracking the NTLM hash
 3.3.2.3.3 Cracking the NTLM hash using the cracked LM hash
 3.3.2.4 Using Cain and Abel
 3.3.3 Using a Live CD
 3.3.3.1 Ophcrack
4. Changing Windows Passwords
 4.1 Changing Local User Passwords
 4.1.1 Using BackTrack Tools
 4.1.1.1 chntpw
 4.1.2 Using a Live CD
Cracking Passwords Version 1.1 file:///D:/password10.html
2 of 45 2/15/2010 3:48 PM
 4.1.2.1 chntpw
 4.1.2.2 System Rescue CD
 4.2 Changing Active Directory Passwords
5 plain-text.info
6 Cracking Novell NetWare Passwords
7 Cracking Linux/Unix Passwords
8 Cracking networking equipment passwords
 8.1 Using BackTrack tools
 8.1.1 Using Hydra
 8.1.2 Using Xhydra
 8.1.3 Using Medusa
 8.1.4 Using John the Ripper to crack a Cisco hash
 8.2 Using Windows tools
 8.2.1 Using Brutus
9 Cracking Applications
 9.1 Cracking Oracle 11g (sha1)
 9.2 Cracking Oracle passwords over the wire
 9.3 Cracking Office passwords
 9.4 Cracking tar passwords
 9.5 Cracking zip passwords
 9.6 Cracking pdf passwords
10 Wordlists aka Dictionary attack
 10.1 Using John the Ripper to generate a wordlist
 10.2 Configuring John the Ripper to use a wordlist
 10.3 Using crunch to generate a wordlist
 10.4 Generate a wordlist from a textfile or website
 10.5 Using premade wordlists
 10.6 Other wordlist generators
 10.7 Manipulating your wordlist
11 Rainbow Tables
 11.1 What are they?
 11.2 Generating your own
 11.2.1 rcrack - obsolete but works
 11.2.2 rcracki
 11.2.3 rcracki - boinc client
 11.2.4 Generating a rainbow table
 11.3 WEP cracking
 11.4 WPA-PSK
 11.4.1 airolib
 11.4.2 pyrit
12 Distributed Password cracking
 12.1 john
 12.2 medussa (not a typo this is not medusa)
13 using a GPU
 13.1 cuda - nvidia
 13.2 stream - ati
14 example hash.txt
1 LM vs. NTLM
The LM hash is the old style hash used in MS operating systems before NT 3.1. It converts the password to
Cracking Passwords Version 1.1 file:///D:/password10.html
3 of 45 2/15/2010 3:48 PM
uppercase, null-pads or truncates the password to 14 characters. The password is split into two 7 character
halves and uses the DES algorithm. NT 3.1 to XP SP2 supports LM hashes for backward compatibility and is
enabled by default. Vista supports LM hashes but is disabled by default. Given the weaknesses in the LM
hash it is recommended to disable using LM hashes for all MS operating systems using the steps in
http://support.microsoft.com/kb/299656
NTLM was introduced in NT 3.1 and does not covert the password to uppercase, does not break the password
apart, and supports password lengths greater than 14. There are two versions of NTLM v1 and v2. Do to a
weakness in NTLM v1 is should not be used. Microsoft has included support for NTLM v2 for all of its
operating systems either via service pack or the Directory Services client (for windows 9X). You enable
NTLM v2 by following the instructions at http://support.microsoft.com/kb/239869. For maximum security
you should set the LMCompatibility to 3 for Windows 9X and LMCompatibilityLevel to 5 for NT, 2000, XP,
and 2003. Of course you should test these changes BEFORE you put them into a production environment.
If LM hashes are disabled on your system the output of pwdump and/or the 127.0.0.1.pwdump text file will
look like:
Administrator:500:NO PASSWORD*********************:00AB1D1285F410C30A83B435F2CA798D:::
Guest:501:NO PASSWORD*********************:31A6CAE0D36AD931B76C59D7E1C039C0:::
HelpAssistant:1000:NO PASSWORD*********************:BF23C2595478A6279F7CB53EF76E601F:::
SUPPORT_3845a0:1002:NO
PASSWORD*********************:0C8D62E10A6240BACD910C8AB295BB79:::
ASPNET:1005:9F07AE96CA4310752BDC083AAC960496:A99C1C3DB39E3C732EF5C2F63579AF96:::
The first field is the username. The second field is the last four numbers of the SID for that username. The
SID is a security identifier that is unique to each username. The third field is the LM hash. The forth field is
the NTLM hash.
If you do not have a ASPNET user account do not worry about it. If you do have a ASPNET user account do
NOT change the password as I am told that will break something. What I did was delete the account and then
recreate it using: systemroot%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe /i
2 Syskey
To make it more difficult to crack your passwords, use syskey. For more information on syskey see
http://support.microsoft.com/kb/310105. The short version is syskey encrypts the SAM. The weakest option
but most convenient is to store a system generated password locally; locally means the registry. The up side is
the SAM gets encrypted and you can reboot the server remotely without extra equipment. The next option is
password startup. This is slightly more difficult to get around, but if you remotely reboot the server, it will
stop and wait for someone to enter the password. You will need a KVM over IP or a serial port concentrator
so you can enter the password remotely. The most secure option is the system generated password stored on a
floppy disk. The downside to this option is floppy disks fail, you misplace the floppy disk, newer equipment
does not have a floppy disk drive, no remote reboots, and you will probably leave the floppy in the drive so
you can remote reboot and that defeats security. I use a system generated password stored locally, weak but
better than not doing it. To disable syskey use chntpw and follow its instructions.
3 Cracking Windows Passwords
3.1 Extracting the hashes from the Windows SAM
3.1.1 Using BackTrack Tools
Cracking Passwords Version 1.1 file:///D:/password10.html
4 of 45 2/15/2010 3:48 PM
3.1.1.1 Using bkhive and samdump2 v1.1.1 (BT2 and BT3)
# mount /dev/hda1 /mnt/XXX
mount your windows partition substituting hda1 for whatever your windows partition is
1.
if the syskey password is stored locally you need to extract it from the registry so you can decrypt the
SAM. If syskey is setup to prompt for a password or the password is on a floppy, stop now and read the
syskey documentation in this document for more information about syskey. If you installed windows to
something other C:\WINDOWS please substitute the correct path. WARNING the path is case
sensitive. The filenames of sam, security, and system are case sensitive. On my system these files are
lowercase. I have come across other XP systems where they are uppercase. On the Vista system I have
used the filenames are uppercase.
BackTrack 2 users use the following:
# bkhive-linux /mnt/XXX/WINDOWS/system32/config/system syskey.txt
BackTrack 3 users use the following:
# bkhive /mnt/XXX/WINDOWS/system32/config/system syskey.txt
2.
# samdump2 /mnt/XXX/WINDOWS/system32/config/sam syskey.txt >hash.txt
samdump2 will dump the SAM to the screen and the > character redirects the output to a file called
hash.txt
you can also run samdump2 with the -o parameter to write the output to a file
# samdump2 -o hash.txt /mnt/XXX/WINDOWS/system32/config/sam syskey.txt
3.
3.1.1.2 Using new samdump2 v2.0 (BT4)
The current version is 2.0.1 and has the benefit of being able to extract the syskey on its own. This means
dumping the hashes in now a 1 step process instead of two. To upgrade and run sampdump2 v2.0.1:
1. download the current sampdump2 from http://sourceforge.net/project/showfiles.php?group_id=133599
2. # tar -xjvf samdump2-2.0.1.tar.bz2
3. # cd samdump2-2.0.1
4. # make
# cp samdump2 /usr/local/bin/samdump20
this will keep the existing version. If you want to overwrite the existing version do:
# cp samdump2 /usr/local/bin/
5.
mount your windows partition substituting hda1 for whatever your windows partition is
# mount /dev/hda1 /mnt/XXX
6.
if the syskey password is stored locally samdump2 v2.0 will extract it from the registry so it can decrypt
the SAM. If syskey is setup to prompt for a password or the password is on a floppy, stop now and read
the syskey documentation in this document for more information about syskey. If you installed
windows to something other C:\WINDOWS please substitute the correct path. WARNING the path is
case sensitive. The filenames of sam, security, and system are case sensitive. On my system these files
are lowercase. I have come across other XP systems where they are uppercase. On the Vista system I
have used the filenames are uppercase.
7.
# samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32
/config/sam >hash.txt
samdump2 will dump the SAM to the screen and the > character redirects the output to a file called
hash.txt
you can also run samdump2 with the -o parameter to write the output to a file
# samdump2 -o hash.txt /mnt/XXX/WINDOWS/system32/config/sam syskey.txt
8.
Cracking Passwords Version 1.1 file:///D:/password10.html
5 of 45 2/15/2010 3:48 PM
3.1.1.3 Cached Credentials
The only Linux based application to dump cached credentials I found is creddump which can be found at
http://code.google.com/p/creddump/. samdump v2.0.1 couldn't do this so I wrote the code to dump cached
credentials. I have submitted it upstream so I hope to see this feature in the next version.
3.1.2 Using Windows Tools
3.1.2.1 Using fgdump
To dump local passwords:
Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this my
system I know administrator password. You could also try to use metasploit to attack your system to
get to a command prompt.
1.
Download one of the fgdump files from http://swamp.foofus.net/fizzgig/fgdump/downloads.htm and
unzip it.
2.
run the fgdump utility you downloaded
C:\> fgdump -v
3.
copy the 127.0.0.1.pwdump file to a floppy or USB thumb drive if you are going to use BackTrack to
crack the hashes
4.
You can dump passwords from remote systems but only if you know the remote local administrator password
or have domain administrator privledges.
Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this my
system I know administrator password. You could also try to use metasploit to attack your system to
get to a command prompt.
1.
Download one of the fgdump files from http://swamp.foofus.net/fizzgig/fgdump/downloads.htm and
unzip it.
2.
run the fgdump utility you downloaded
C:\> fgdump -v -h hostname -u Username -p Password
where hostname is the name or ip of the remote system you want to retreive the passwords from
Username is the username of the account to connect to the remote system with; usually Administrator
or Domain\Administrator or an account with Domain Administrator privledges.
Password is the password of the above account
NOTE: If you have a firewall installed on the remote system this will not work.
3.
copy the 127.0.0.1.pwdump file to a floppy or USB thumb drive if you are going to use BackTrack to
crack the hashes
4.
3.1.2.2 Using gsecdump
Thanks to williamc for pointing out another password dumping tool. These instructions are based on the
Exploitation part of his Intranet Exploitation tutorial.
Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this my
system I know administrator password. You could also try to use metasploit to attack your system to
get to a command prompt.
1.
Download the gsecdump file from http://www.truesec.com/PublicStore/catalog
/categoryinfo.aspx?cid=223. You have to click on the Hamta filen link to download it. Once
downloaded, unzip it.
2.
Cracking Passwords Version 1.1 file:///D:/password10.html
6 of 45 2/15/2010 3:48 PM
Download the psexec tool from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and
unzip it
3.
run as follows:
C:\> psexec \\hostname -u username -p password -s -f -c gsecdump.exe -s > hash.txt
hostname is the name of the PC where you want psexec to run. AKA the target.
username is the username to login to the remote PC.
password is the password of the above username. If you don't put in it here you be prompted to enter it.
If you are prompted the password won't be displayed.
-s tells the process to runas the system account
-f copies the program to the target pc even if it exists
-c copies the program to the target pc
gsecdump.exe is the utility you want to run
-s tells gsecdump to dump the SAM/AD hashes
the > character redirects the output to a file called hash.txt
NOTE: If you have a firewall installed on the remote system this will not work.
4.
copy the hash.txt file to a floppy or USB thumb drive if you are going to use BackTrack to crack the
hashes
5.
3.1.2.3 Using pwdump
1. Download one of the pwdump files from http://en.wikipedia.org/wiki/Pwdump and unzip it.
Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this my
system I know administrator password. You could also try to use metasploit to attack your system to
get to a command prompt.
2.
run the pwdump utility you downloaded
C:\> pwdump7 >c:\hash.txt
pwdump7 will dump the SAM to the screen and the > character redirects the output to a file called
hash.txt
3.
copy the hash.txt file to a floppy or USB thumb drive if you are going to use BackTrack to crack the
hashes
4.
3.1.2.4 Cached Credentials
When a user logs into a domain their password is cached in the registry so that in the event that the Domain
Controller or network goes down the user can still login to their PC. To export these registry keys you need a
tool call cachedump. It can be downloaded from ftp://ftp.openwall.com/john/contrib/cachedump/
The readme.txt in the zip contains everything you want to know about where the cached credentials are
stored, how cached credentials work, how they are hashed, and how the tool works. Cachedump does not
work on Windows Vista. Vista changed the way that cached creditionals work.
You can also download the fgdump with source file from http://www.foofus.net/fizzgig/fgdump/ and get
cachedump and its source code.
To use:
1. Extract the cachedump.exe from the zip
2. Login to the PC as an administrator
3. Goto a cmd prompt (Start, Run, cmd)
4. C:\> cd \path to cachedump.exe
5. C:\> cachedump.exe -v
Cracking Passwords Version 1.1 file:///D:/password10.html
7 of 45 2/15/2010 3:48 PM
This runs cachedump.exe in verbose mode. I suggest running cachedump in verbose the first time you
use it so you know what is going on and can identify any problems. Once you have good information
displayed on the screen you can use:
C:\> cachedump.exe >cache.txt
and this will redirect the output from the screen to a file called cache.txt
Now you can use John The Ripper or Cain and Abel to crack the hashes. Please note that Cached Credentials
use a different hash than LM or NTLM. The lowercase username is salted with the password.
The best way to protect yourself from this is to disable cached credentials. Change the value of the following
registry key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS
NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT to 0. You can do this manually or with
Group Policy.
3.2 Extracting Windows Password hashes remotely
3.2.1 Using BackTrack Tools
3.2.1.1 Using ettercap
You can use ettercap and the man in the middle attacks to sniff the username and password of a user over the
network. DO NOT ATTEMPT THIS WITHOUT PERMISSION OF THE USER WHOSE ACCOUNT YOU
WANT TO SNIFF.
You can read an ettercap tutorial at http://openmaniak.com/ettercap.php which covers the basics on how to
use ettercap. There so much that ettercap can do and there are many tutorials covering how to use it I am not
going to duplicate the effort. Just do a quick search using your favorite internet search engine for ettercap
tutorials and read.
3.2.1.2 Using hashdump (metasploit)
I am not going to cover this in great detail. To use hashdump you first have to use metasploit to compromise
the PC from which you want the password hashes. There are already a number of tutorials that explain how
to use metaspolit. The best documentation is at http://www.metasploit.com/framework/support/. Once you
have compromised the PC using metasploit you can extract the hashes doing:
use priv
hashdump
3.2.2 Using Windows Tools
3.2.2.1 Using fgdump
Download one of the fgdump files from http://swamp.foofus.net/fizzgig/fgdump/downloads.htm and
unzip it.
1.
Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this my
system I know administrator password. You will need the administrator password or the username and
password of a an account that is in the local Administrators group on the PC from which you want the
hashes.
2.
3. run the fgdump utility you downloaded
Cracking Passwords Version 1.1 file:///D:/password10.html
8 of 45 2/15/2010 3:48 PM
C:\> fgdump -v -h hostname or IP_Address_of_Target -u username -p password
where username and password are an account with administrator privileges.
copy the 127.0.0.1.pwdump file to a floppy or USB thumb drive if you are going to use BackTrack to crack
the hashes
3.2.2.2 Using pwdump6
1. Download pwdump6 from http://en.wikipedia.org/wiki/Pwdump and unzip it.
Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this my
system I know administrator password. You will need the administrator password or the username and
password of a an account that is in the local Administrators group on the PC from which you want the
hashes.
2.
run the utility you downloaded
C:\> pwdump6 -u username -p password hostname or IP_Address_of_Target>c:\hash.txt
where username and password are an account with administrator privileges.
pwdump6 will dump the SAM to the screen and the > character redirects the output to a file called
hash.txt
3.
copy the hash.txt file to a floppy or USB thumb drive if you are going to use BackTrack to crack the
hashes
4.
3.3 Cracking Windows Passwords
3.3.1 Using BackTrack Tools
My strategy for cracking windows passwords is like this:
1. Get/Develop a really good wordlist/dictionary
2. Find the password policy that is enforced for the account you are trying crack
3. Crack the LM hash using John the Ripper
Crack the NTLM hash with the results of the cracked LM hash and the password policy information
using mdcrack
4.
If there is no LM hash to crack I proceed to cracking with John the Ripper using the password policy
information and my wordlist. Then I use rainbowtables if the tables match the password policy. http://plaintext.info
is back up and running so I check if they have the cracked password already. To successfully use a
rainbow table you need to know the password policy. No sense downloading a rainbow table that contains
letters and numbers when the password policy requires a symbol (!@#$%^&* etc).
3.3.1.1 John the Ripper BT3 and BT4
Version 1.7.2 shipped with BackTrack 3. Version 1.7.3.1 with jumbo patch 5 shipped with BT4. The john the
ripper that ships with BT4 requires at least a P4 with SSE2 instructions. If you don't have a processor that
supports SSE2 then you have download and compile john yourself. See the next section for instructions on
how to do this.
3.3.1.1.1 Cracking the LM hash
john only needs to know the path to the hash.txt to begin bruteforcing and return the uppercase password
# /usr/local/john/john hash.txt
Cracking Passwords Version 1.1 file:///D:/password10.html
9 of 45 2/15/2010 3:48 PM
3.3.1.1.2 Cracking the NTLM hash
john only needs to know the path to the hash.txt to begin bruteforcing and return the password
# /usr/local/john/john --format:NT hash.txt
will begin to bruteforce the NTLM hashes
3.3.1.1.3 Cracking the NTLM hash using the cracked LM hash
Stasik told me it is much easier to crack the NTLM hash if you know the character set. This way you do not
need to bruteforce all possible characters combinations. Once you have TESTTEST, feed a custom character
set of tesTES to john and it will return the proper case password much faster than if you did not limit the
character set. The issue is john has no easy way to limit the character set. You will have to modify the
john.conf file and include the following code that Solar Designer has kindly published to the john-users mail
list:
[List.External:customcharset]
int running; // Are we already running?
int last; // Last character position, zero-based
int c0, c[0x100]; // Cyclic charset
void init()
{
 int length, cm, i;
 length = 10; // password length
 c[c0 = 't'] = 'e'; // change the t and the e to the first and second letters of the custom character set
 c['e'] = 's'; // change the e and the s to the second and third letters of the character set
 c['s'] = 'T'; // change the s and T to the third and fourth letters
 c['T'] = 'E'; // etc
 c['E'] = 'S'; // etc
 c[cm = 'S'] = c0; // change the S to the last letter of the character set
 // If you cannot see the pattern then do not bother with this trick.
 // If you can make the necessary changes to suit you environment.
 running = 0;
 last = length - 1;
 i = 0;
 while (i < length) word[i++] = cm; word[i] = 0;
}
void generate()
{
 int i;
 i = last;
 while ((word[i] = c[word[i]]) == c0)
 if (!i--) {
 if (running++) word = 0;
 return;
 }
}
Once you make the necessary changes begin cracking using:
# /usr/local/john/john -external=customcharset --format:NT hash.txt
Cracking Passwords Version 1.1 file:///D:/password10.html
10 of 45 2/15/2010 3:48 PM
Some notes from Solar Designer:
Being an external mode, this is not the fastest way to generate candidate passwords, although its
performance is acceptable. Some further optimizations are possible (e.g., cache the last character
outside of the word[] array). Also, be careful when you edit it (such as for a different charset) - errors
in the way the cyclic charset is defined may result in the "while" loop in generate() becoming endless.
1.
In order to actually crack an NTLM hash with this, you need a build of JtR with support for NTLM
hashes. You may do a custom build with the latest jumbo patch (john-1.7.2-all-9.diff.gz), which means
that you will need to install Cygwin on your Windows system, or you can download such a build made
by someone else (one is linked from the JtR homepage - it is for an older version of the patch, though,
so it is many times slower at NTLM hashes).
2.
On a modern system, with a recent jumbo patch, and with the proper "make" target for your system,
this should complete its work against an NTLM hash (or against many such hashes) in just a few
minutes.
3.
3.3.1.1.4 Cracking cached credentials
john only needs to know the path to the hash.txt to begin bruteforcing and return the password
# /usr/local/john/john --format:mscash hash.txt
3.3.1.2 John the Ripper - current
The current version of John the Ripper doesn't ship with BT4. It adds some new features (dumbforce and
knownforce) and speeds up several algorithms. However given the way BT4 handles updates I don't
recommend updating the package yourself unless your processor doesn't support SSE2 instructions (i.e.
something less than a P4). I recommend going to http://www.backtrack-linux.org/forums/tool-requests/ and
requesting they update the package to the latest version. Do NOT ask them to drop the SSE2 requirement.
The SSE2 instructions provide real benefits to the cracking process. If you need to compile your own version
here is how.
3.3.1.2.1 Get and Compile
We first have to remove the existing package and then we can download and compile the program.
1. open a terminal window
2. # dpkg -r john
3. # wget http://www.openwall.com/john/g/john-1.7.4.2.tar.bz2
goto ftp://ftp.openwall.com/john/contrib/
and look for something like john-1.7.4.2-jumbo-1.diff.gz
This is version 1 of the jumbo patch for john 1.7.4.2. Download the latest version that is there.
4.
5. # tar -xvf john-1.7.4.2.tar.bz2
6. # cd john-1.7.4.2
# zcat ../john-1.7.4.2-jumbo-1.diff.gz | patch -p1 -Z
You should see a long list of patching file XXX. If you see X out of Y hunk ignored it means that the
patch did not apply correctly. You either downloaded the wrong version of john or the jumbo patch.
Start over and make sure the jumbo patch matches the version of john you download.
7.
8. # cd src
# make
This will display the various systems you can compile john for. I have a P3 that supports MMX so I will
use the command: make linux-x86-mmx. To see which options your CPU supports do a: cat
9.
Cracking Passwords Version 1.1 file:///D:/password10.html
11 of 45 2/15/2010 3:48 PM
/proc/cpuinfo and look at the flags. If you have a P4 you probably have SEE2 (check the cpuinfo flags)
then you would use: make linux-x86-see2.
# make linux-x86-mmx
You should see the following when john is done compiling:
gcc DES_fmt.o DES_std.o DES_bs.o BSDI_fmt.o MD5_fmt.o MD5_std.o MD5_apache_fmt.o
BFEgg_fmt.o BF_fmt.o BF_std.o AFS_fmt.o LM_fmt.o NT_fmt.o XSHA_fmt.o DOMINOSEC_fmt.o
lotus5_fmt.o oracle_fmt.o MYSQL_fmt.o mysqlSHA1_fmt.o KRB5_fmt.o KRB5_std.o md5_go.o
rawMD5go_fmt.o md5_eq.o PO_fmt.o md5.o hmacmd5.o hmacMD5_fmt.o IPB2_fmt.o
rawSHA1_fmt.o NSLDAP_fmt.o NSLDAPS_fmt.o OPENLDAPS_fmt.o base64.o md4.o smbencrypt.o
mscash_fmt.o NETLM_fmt.o NETNTLM_fmt.o NETLMv2_fmt.o NETHALFLM_fmt.o mssql_fmt.o
mssql05_fmt.o EPI_fmt.o PHPS_fmt.o MYSQL_fast_fmt.o pixMD5_fmt.o sapG_fmt.o sapB_fmt.o
NS_fmt.o HDAA_fmt.o batch.o bench.o charset.o common.o compiler.o config.o cracker.o crc32.o
external.o formats.o getopt.o idle.o inc.o john.o list.o loader.o logger.o math.o memory.o misc.o
options.o params.o path.o recovery.o rpp.o rules.o signals.o single.o status.o tty.o wordlist.o mkv.o
mkvlib.o unshadow.o unafs.o undrop.o unique.o x86.o x86-mmx.o sha1-mmx.o md5-mmx.o -s -L/usr
/local/lib -L/usr/local/ssl/lib -lcrypto -lm -o ../run/john
rm -f ../run/unshadow
ln -s john ../run/unshadow
rm -f ../run/unafs
ln -s john ../run/unafs
rm -f ../run/unique
ln -s john ../run/unique
rm -f ../run/undrop
ln -s john ../run/undrop
gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops genmkvpwd.c
gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops
-D_JOHN_MISC_NO_LOG misc.c -o miscnl.o
gcc genmkvpwd.o mkvlib.o memory.o miscnl.o -s -lm -o ../run/genmkvpwd
gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops
mkvcalcproba.c
gcc mkvcalcproba.o -s -lm -o ../run/mkvcalcproba
gcc -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include -L/usr/local/lib -funroll-loops calc_stat.c
gcc calc_stat.o -s -lm -o ../run/calc_stat
make[1]: Leaving directory `/root/john-1.7.4.2/src'
10.
11. # cd ..
12. # mv run /pentest/passwords/john
You now have the latest version of John the Ripper and it supports more algorithms than the vanilla John the
Ripper thanks to the jumbo patch.
3.3.1.2.2 Cracking the LM hash
john only needs to know the path to the hash.txt to begin bruteforcing and return the uppercase password
# /usr/local/john/john hash.txt
3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
I haven't figured out how to use this feature. John the Ripper is a very powerful tool however it is not very
intuitive to use. I can point you to the John the Ripper wiki which has maillist excerpts cover how to use
dumbforce and knownforce. The url is http://openwall.info/wiki/john/mailing-list-excerpts
Cracking Passwords Version 1.1 file:///D:/password10.html
12 of 45 2/15/2010 3:48 PM
3.3.1.2.4 Cracking the NTLM hash
john only needs to know the path to the hash.txt to begin cracking and return the password
# /usr/local/john/john --format:NT hash.txt
will begin to bruteforce the NTLM hashes
3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
I haven't figured out how to use this feature. John the Ripper is a very powerful tool however it is not very
intuitive to use. I can point you to the John the Ripper wiki which has maillist excerpts cover how to use
dumbforce and knownforce. The url is http://openwall.info/wiki/john/mailing-list-excerpts
3.3.1.2.6 Cracking cached credentials
john only needs to know the path to the hash.txt to begin bruteforcing and return the password
# /usr/local/john/john --format:mscash hash.txt
3.3.1.3 Using MDCrack
For whatever reason I have been unsuccessful in getting mdcrack-183 to work with any version of wine. This
is strange as I know I had it working previously. To use mdcrack with BackTrack you should upgrade wine to
the latest development version of wine and then use mdcrack-182.zip
For BackTrack 3 users:
1. Goto http://www.winehq.org/site/download and click on slackware.
2. download the latest tgz file, which as of this writting is 1.1.29
3. open a xterm window
4. # upgradepkg wine-1.1.29-i486-1kjz.tgz
Now you can download mdcrack-182.zip download mdcrack
# wget http://membres.lycos.fr/mdcrack/download/MDCrack-182.zip
or
# wget http://c3rb3r.openwall.net/mdcrack/download/MDCrack-182.zip
5.
6. # mkdir mdcrack
7. # mv MDCrack-182.zip mdcrack
8. # cd mdcrack
9. # unzip MDCrack-182.zip
For BackTrack 4 users:
1. open a xterm window
2. # wget -q http://wine.budgetdedicated.com/apt/387EE263.gpg -O- | sudo apt-key add -
# sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/jaunty.list -O /etc/apt/sources.list.d
/winehq.list
3.
4. # sudo apt-get update
5. # sudo apt-get install wine
Now you can download mdcrack-182.zip download mdcrack
# wget http://membres.lycos.fr/mdcrack/download/MDCrack-182.zip
or
# wget http://c3rb3r.openwall.net/mdcrack/download/MDCrack-182.zip
6.
7. # mkdir mdcrack
Cracking Passwords Version 1.1 file:///D:/password10.html
13 of 45 2/15/2010 3:48 PM
8. # mv MDCrack-182.zip mdcrack
9. # cd mdcrack
10. # unzip MDCrack-182.zip
3.3.1.3.1 Cracking the LM hash
MDCrack doesn't crack LM hashes.
3.3.1.3.2 Cracking the NTLM hash
# wine MDCrack-sse.exe --algorithm=NTLM1 NTLMHASH
NTLMHASH would be D280553F0103F2E643406517296E7582 for example
The result should be TestTest
The only way to speed up cracking is to know the minimum length of the password and use --minsize= to
specify it.
3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
Stasik told me it is much easier to crack the NTLM hash if you know the character set. This way you do not
need to bruteforce all possible characters combinations. Once you have TESTTEST, feed a custom character
set of tesTES to mdcrack and it will return the proper case password much faster than if you did not limit the
character set.
# wine MDCrack-sse.exe --charset=tesTES --algorithm=NTLM1 D280553F0103F2E643406517296E7582
If you know the password length you can use:
# wine MDCrack-sse.exe --charset=tesTES --algorithm=NTLM1 --minsize=8 --maxsize=8
D280553F0103F2E643406517296E7582
The password is TestTest however mdcrack 1.8.3 returns sestTest. I filed a bug report with Gregory
Duchemin, the author of mdcrack, and he has fixed the problem with version 1.8.4.
3.3.1.4 Using Ophcrack
3.3.1.4.1 Cracking the LM hash
download ophcrack and the rainbow tables from http://sourceforge.net/project
/showfiles.php?group_id=133599. If you have the hard drive space I would recommend downloading XP free
fast formally known as SSTIC04-5K. If this is a demo or do not have a lot of disk space download XP free
small formally known as SSTIC04-10K. This is not a typo; SSTIC04-5K is a larger download than
SSTIC04-10K. You can also purchase the XP Special table which contain longer passwords and the special
characters. There are special tables for Vista. The small table is Vista free and is free. There is a table you can
purchase called Vista Special which contains hashes for passwords up to 8 characters. See
http://ophcrack.sourceforge.net/tables.php for the details. The rainbow tables that ophcrack uses are NOT
compatible with the rainbow tables generated by rtgen.
1. # tar -xvzf ophcrack-2.4.1.tar.gz
2. # cd ophcrack-2.4.1
3. # ./configure
Cracking Passwords Version 1.1 file:///D:/password10.html
14 of 45 2/15/2010 3:48 PM
4. # make
5. # make install
6. # ophcrack
7. click on the load button and select the appropriate option, I will select local SAM.
8. click on the tables button and select the rainbow table you installed.
click on the launch button. You will see pre-loading table boxes on the screen. You may also see a
message that says "All LM hashes are empty. Please use NThash tables to crack the remaining hashes."
This means that the administrators have disabled windows ability to save LM hashes.
9.
10. wait until ophcrack is done
3.3.1.4.2 Cracking the NTLM hash
You will have to purchase the NTLM rainbow tables from http://www.objectif-securite.ch/en/products.php.
The rainbow table contains 99% of passwords of made of following characters:
length 1 to 6:
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;&<
=>?@[\]^_`{|}~ (space included)
length 7:
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
length 8:
0123456789abcdefghijklmnopqrstuvwxyz
You CANNOT generate your own rainbow tables for ophcrack to use. If you know that the password meets
the above specs you can purchase the table and give it a try.
3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
There is no way to do this. If ophcrack cracks the LM hash you should switch to john or mdcrack to get the
NTLM password.
3.3.2 Using Windows Tools
3.3.2.1 John the Ripper
3.3.2.1.1 Cracking the LM hash
1. download john the ripper from http://www.openwall.com/john/
2. open a command prompt (Start, Run, cmd, enter)
cd to where you extracted john (I extracted john to the root of my C drive) so it would be cd
\john171w\run
C:\> cd \john171w\run
3.
john only needs to know the path to the hash.txt to begin bruteforcing and return the uppercase
password
C:\> john-386 C:\hash.txt
4.
3.3.2.1.2 Cracking the NTLM hash
skype : yamod.gas