This article shows one method of using freely available tools to crack and audit Windows XP passwords.
On a standard Windows XP machine the users' hashed credentials are stored in \windows\system32\config\SAM. If you fire up the Cain program, it will look there for the hashes for you:
That is, navigate to the Cracker tab and the NTLM hash screen, then click the + button, which dumps the local users' hashes into the program.
The next thing to do is to select a user whose password you'd like to crack. You'll have a few options, including a dictionary attack, a brute force attack, and a cryptanalysis attack. If you're going to try the dictionary attack, you'll need to provide a good dictionary file. With a brute force attack the program simply goes sequentially through every possible combination of the chosen characters, for every length between a specified minimum and maximum.
Let's give the brute force method a shot first:
You can see here that I chose a minimum of one character and a maximum of 16 characters, and a pretty varied character set to try from. You can't see it here, but when I click on start, the program tells me which password it's currently trying as it cycles through all of them. However, what you can see is the time left until it finds the right one, shown here:
The program says it's going to take 1.68 × 10^17 years. That is a very long time to say the least: much more than a billion years, in fact about 168 million billion years, so clearly it's time I upgraded my CPU or tried a different method.
The other method we'll use is the cryptanalysis attack. You can see how to select that option here:
Specifically we're going to make use of a rainbow table. A rainbow table is basically a database of hashes that are precomputed ahead of time, so you don't have to try every possible password, wait for the system to hash it, and compare the result, as we saw above.
You can find all the technical details in the paper "Making a Faster Cryptanalytic Time-Memory Trade-Off" by Philippe Oechslin. An excellent and perhaps easier to follow article on rainbow tables can also be found here.
So now that you know what they are, it's time to use them. You have a few options when using the rainbow tables: create them on your own or purchase them.
If you'd like to purchase them I'd suggest stopping by the Project Rainbow Crack website, and also reading the following article by John Strand on his experiences.
It turns out it's really easy to create the rainbow tables yourself, and here's an excellent article on how to do so using the rtgen tool from the Project Rainbow Crack site.
Since I was using an older PC, it took me about five days to create the rainbow tables described in the tutorial, namely:
rtgen ntlm loweralpha-numeric 1 7 0 3800 33554432 0
rtgen ntlm loweralpha-numeric 1 7 1 3800 33554432 0
rtgen ntlm loweralpha-numeric 1 7 2 3800 33554432 0
rtgen ntlm loweralpha-numeric 1 7 3 3800 33554432 0
rtgen ntlm loweralpha-numeric 1 7 4 3800 33554432 0
rtgen ntlm loweralpha-numeric 1 7 5 3800 33554432 0
That is, six tables to crack an NTLM hash using just the loweralpha-numeric character set, with a minimum of one and a maximum of seven characters per password.
So by now you're probably wondering: well, did it work? As a test I created two new local XP users and gave the first one a password of john123, just within our character-length limit.
Sure enough, in just about 40 seconds Cain was able to recover the password with ease. I wasn't really convinced; I mean, I could have guessed 'john123' as easily as anyone, so I tried a slightly more difficult password, still under the length limit.
As it turns out the password I chose, l0v33l, was even easier to crack in terms of overall time, mainly because it had one fewer character, but Cain still recovered what would seem to be a password that is not easily guessable.
So, as you can see, there is a decision to make between buying and creating your own rainbow tables, and the answer depends on what you're looking for. If you want to crack a password that definitely uses a very varied character set and is known to be of a good length, you might do better simply to purchase the tables, since the tables themselves can get quite large. As you've seen, even rainbow tables for a very small character set and short password lengths can take a long time to create, and also to download (should you find some online).
Finally, a helpful tool for determining table size is Winrtgen. What I like about it is that it shows you the success probability and the overall amount of space you'll need to create the tables.
As you adjust the chain length, chain count, and number of tables, winrtgen shows the resulting probability of success and the size of each table, both of which should factor into your decision:
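To make the numbers behind the brute-force estimate, the six rtgen tables and the rainbow-table idea concrete, here is an added Python example (it is not code from the article, from Cain or from Project Rainbow Crack). It computes the candidate keyspace for a character set and length range, converts it to a worst-case brute-force time, and counts the chain positions the six tables above were generated from (6 tables × 33,554,432 chains × 3,800 steps). The 95-character printable ASCII set and the 10 million hashes per second used for the brute-force estimate are assumptions, not figures from the article, though they give a result of the same order as the 1.68 × 10^17 years reported. The second half shows why precomputation works against NTLM and not against a salted, iterated scheme: SHA-256 stands in for NTLM's unsalted hash (NTLM itself is MD4 over UTF-16LE, not reproduced here), PBKDF2-HMAC-SHA256 stands in for the salted alternative, and the candidate passwords are a constructed list containing the two from the article.

```python
"""Keyspace arithmetic and a salting demonstration for the password-cracking
discussion above. Added example; not part of the original article."""
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_size(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords of length min_len..max_len over a charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def brute_force_years(charset_size: int, min_len: int, max_len: int,
                      hashes_per_second: float) -> float:
    """Worst-case wall-clock years to try every candidate at a given hash rate."""
    return keyspace_size(charset_size, min_len, max_len) / hashes_per_second / SECONDS_PER_YEAR


def rainbow_table_positions(num_tables: int, chains_per_table: int, chain_len: int) -> int:
    """Total chain positions the tables were generated from. This is an upper bound
    on the distinct passwords they cover; chain merges mean real coverage is lower,
    which is why tables are generated with far more positions than the keyspace."""
    return num_tables * chains_per_table * chain_len


def unsalted_digest(password: str) -> str:
    """Stand-in for an unsalted scheme such as NTLM (SHA-256 here, not MD4): the
    same password always yields the same digest, so digests can be precomputed
    once and reused against every account and every machine."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_digest(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A per-user salt means any
    precomputed table would have to be rebuilt per salt, and the iteration count
    makes each individual guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_lookup(candidates) -> dict:
    """Precompute unsalted digests for a candidate list (a plain lookup table; a
    rainbow table stores equivalent information more compactly as chains)."""
    return {unsalted_digest(pw): pw for pw in candidates}


def lookup(table: dict, digest: str):
    """Return the password for a digest if it was precomputed, else None."""
    return table.get(digest)


if __name__ == "__main__":
    # Brute force from the article: lengths 1..16; charset size and rate assumed.
    print("brute force, 95 chars, 1..16 at 1e7 H/s: %.2e years"
          % brute_force_years(95, 1, 16, 1e7))
    # The six rtgen tables: loweralpha-numeric (36 chars), lengths 1..7.
    space = keyspace_size(36, 1, 7)
    positions = rainbow_table_positions(6, 33554432, 3800)
    print("loweralpha-numeric 1..7 keyspace: %d" % space)
    print("chain positions in 6 tables: %d (%.1fx the keyspace)" % (positions, positions / space))
    # Precomputation works on unsalted digests and fails on salted ones.
    table = build_lookup(["john123", "l0v33l", "password"])  # constructed candidates
    print("unsalted lookup:", lookup(table, unsalted_digest("l0v33l")))
    print("salted lookup:", lookup(table, salted_digest("l0v33l", b"\x01" * 16)))
```

The ratio printed for the six tables (roughly 9.5 chain positions per candidate password) is the oversampling that lets a rainbow table reach a high success probability despite chain merges; the salted lookup returning None is the property a defender wants from a credential store, which NTLM lacks.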
Good Luck!