Sensible computer users will always advise you that protecting your user account on your Windows installation with a password is a very important thing to do. And of course, that is correct to help protect and secure private and important data from other users that have access to the same machine. It isn’t the case anymore though that simply putting a password on your account will protect you and your files if someone is desperate enough to want to get in.
There are of course legitimate reasons for wanting to get around a user account password. I’ve lost count the number of times someone has left me with a PC to work on and gone off not telling me what the password is. Some users are so forgetful, they can’t even remember what their own password is, and you’d be surprised how many people actually do that. It’s not a major surprise really when there are possibly 10+ different passwords to remember while using your PC and online etc. We’ve posted quite a few articles on how to get into Windows without knowing any user’s account password. There’s the wonderful password bypass tool Kon-Boot, and a number of password resetting tools like PCLoginNow or Offline Windows Password Editor. Then there’s the hack to get into XP without changing the password. Here’s another method which allows you to crack the Windows user account password and get into Windows which means leaving the current password intact and not resetting it.
Ophcrack is a Windows password cracker that works on the principle of using an advanced text based table of words (rainbow table) to try and discover the password. Although Ophcrack actually has several different tables which can increase the effectiveness of discovering the password, all but the free basic ones are commercial tables that cost at least $99 each. Therefore there are a few limitations on the free version in regards to what type of passwords it can recover.
The Ophcrack program is available in either a Windows (or Linux) installer or a downloadable Linux based LiveCD ISO which you can simply burn to CD and boot from it. There are separate Windows XP and Vista/7 ISO’s and they are not interchangeable because of the way the different versions of Windows store their login passwords. XP uses LM hashes for its passwords, Vista and 7 use NT Hashes which are much more secure and as a consequence much harder to crack. The 2 o/s specific ISO images on the website already contain the free rainbow tables and are ready to go.
We’ll simply concentrate on the LiveCD version here as it’s the most useful and doesn’t need access to the system through another account. Using Ophcrack is actually really very simple and the majority of users have to press a maximum of 1 or 2 keys to get a result. All you need to know is how to burn an ISO to a CD and then boot from it.
When you boot the CD there will be a selection screen where you can choose the graphics mode. If automatic doesn’t work then try text mode, or the low RAM option for older machines. Once the Linux system has booted the ophcrack program will automatically start trying to crack the passwords. After some time, depending on the speed of the system, the account will either show the password or a “not found” in red if ophcrack failed to discover the password.
For multi boot systems or where the program has failed to detect your accounts, a SAM registry file containing the passwords can be loaded manually by clicking on Load -> Encrypted SAM, go to Computer/Media and the hard drives will be listed as hda1, hda2 etc. Go into the required hard drive and navigate to the Windows/System32/Config folder and click Choose. The accounts should now appear and you can press Crack to begin the process.
This type of password cracking is heavily dependent on what sort of password the program is trying to crack with the free version of the rainbow tables and also which o/s the account is in. For example, in XP you can crack 14 alphanumeric characters with a mixture of numbers, upper and lower case letters. The Vista/7 limit is 16 characters and the tables are dictionary based meaning the words from the password have to be in the dictionary. None of the free tables are able to recognize special characters such as spaces, full stops, commas etc.
As a simple test, raymondcc as a password is found in both versions, but raYmondcc is not found in the Vista/7 table because of the upper case “Y” in the middle. raymondccblog is also not found in vista/7, but that and something like raYmondCCbloG is found in the XP version. In short, the Vista and 7 cracking will only get out common names and words which don’t have numbers or case differences inserted at random, whereas the XP cracking can handle far more combinations.