Ophcrack is a rainbow-table-based password cracker that can crack Windows LM and NTLM password hashes. It is available as both a command-line program and a graphical user interface (GUI) program. Like the RainbowCrack tool, Ophcrack is based on the time-memory trade-off method.
To start the ophcrack command line, use the console to execute the following command:
# ophcrack-cli
This will display the Ophcrack usage instructions and an example on your screen.
To start Ophcrack GUI, use the console to execute the following command:
# ophcrack
This will display the Ophcrack GUI window.
Before you can use Ophcrack, you need to grab the rainbow tables from the Ophcrack site (http://ophcrack.sourceforge.net/tables.php). Currently, there are three tables that can be downloaded for free:
- Small XP table: This comes as a 308 MB compressed file. It has a 99.9 percent success rate and covers a character set of digits plus lowercase and uppercase letters. You can download it from http://downloads.sourceforge.net/ophcrack/tables_xp_free_small.zip.
- Fast XP table: This has the same success rate and character set as the small XP table, but it is faster. You can get it from http://downloads.sourceforge.net/ophcrack/tables_xp_free_fast.zip.
- Vista table: This has a 99.9 percent success rate and is currently based on dictionary words with variations. It is a 461 MB compressed file. You can get it from http://downloads.sourceforge.net/ophcrack/tables_vista_free.zip.
As an example, we use the xp_free_fast tables, which I have extracted into the xp_free_small directory. The Windows XP password hashes are stored in the test-sam file in pwdump format.
We used the following command to crack the Windows password hashes obtained earlier:
# ophcrack-cli -d fast -t fast -f test-sam
The following output shows the cracking process:
Four hashes have been found in test-sam:
Opened 4 table(s) from fast.
0h 0m 0s; Found empty password for user tedi (NT hash #1)
0h 0m 1s; Found password D01 for 2nd LM hash #0
0h 0m 13s; Found password PASSWOR for 1st LM hash #0 in table XP free fast #1 at column 4489.
0h 0m 13s; Found password password01 for user Administrator (NT hash #0)
0h 0m 13s; search (100%); tables: total 4, done 0, using 4; pwd found 2/2.
The following are the results reported by Ophcrack:
Results:
username / hash    LM password      NT password
Administrator      PASSWORD01       password01
tedi               *** empty ***    *** empty ***
You can see that Ophcrack is able to obtain all of the passwords for the corresponding users. Note that the LM hash is cracked as two separate 7-character halves (PASSWOR and D01), which is why the LM result is reported in uppercase as PASSWORD01, while the NT hash yields the case-preserved password01.
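As an added example (not from the book or from the Ophcrack project), the following Python script audits a pwdump-format file such as test-sam from the defender's side: it reports which accounts still have an LM hash stored, and are therefore exposed to the XP tables above, and which accounts have an empty password. The sample lines and their non-empty hash values are constructed for the example.

```python
from typing import Dict, List

# Well-known hash values that Windows stores for an empty or absent LM/NT
# password (standard constants, not values taken from the page).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format (user:RID:LM hash:NT hash:::).
# The non-empty hex values are made up for this example, not real hashes.
SAMPLE_PWDUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
tedi:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

def parse_pwdump(text: str) -> List[Dict[str, str]]:
    """Parse pwdump lines; malformed lines are skipped rather than trusted."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        records.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return records

def audit(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify accounts by how exposed they are to rainbow-table cracking."""
    findings: Dict[str, List[str]] = {"lm_stored": [], "empty_password": [], "nt_only": []}
    for r in records:
        if r["lm"] == EMPTY_LM and r["nt"] == EMPTY_NT:
            findings["empty_password"].append(r["user"])
        elif r["lm"] != EMPTY_LM:
            # An LM hash is present: its two 7-char halves are what the XP tables target.
            findings["lm_stored"].append(r["user"])
        else:
            findings["nt_only"].append(r["user"])
    return findings

if __name__ == "__main__":
    result = audit(parse_pwdump(SAMPLE_PWDUMP))
    for category, users in result.items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Accounts listed under lm_stored indicate that LM hash storage has not been disabled on the source machine, which is the mitigation that removes the exposure to the XP tables.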
Another tool to look at is RainbowCrack. In Kali, RainbowCrack comes with three tools: rtgen, rtsort, and rcrack.
To use the RainbowCrack or Ophcrack tools, you will need rainbow tables. You can get some free tables at the following: