Tuesday 27 December 2011

Using SIFT and ophcrack to Crack a Windows (XP) Password

First, A Note on Windows Passwords ...


Thought I should include some relevant theory rather than dive striaght in as I have been doing ...

Jesper M. Johansson has written an excellent PowerPoint presentation on "Windows Passwords: Everything You Need To Know" here.
I'm not sure when it was written, but he also wrote a similar MS Technet article in 2005 here.

In both, he describes how Windows stores/uses passwords. There are 2 types of password hashes stored in Windows - the LanManager (LM) password hash and the more recent NT password hash.
The LM password is a holdover from the past and is still included for backward compatibility. It relies on padding, capitalising and splitting a password into 2 seperate 7 character parts. These parts are then used as  (DES) encryption keys to encrypt a known constant. The two resultant encrypted outputs are then joined together to form the LM "hash". There are only 142 possible useable characters that can be entered by the user (of which only 68 appear on English keyboards) and the maximum number of password combinations is 6.8 x 10^12.

In contrast, the NT password hash uses the MD4 hash function on a Unicode (65 535 symbols) based password. If we limit ourselves to use the same character set/password length as LM, there are 4.6 x 10^25 combinations. Which is a LOT more combinations than LM! And once we allow ourselves to use anything from the full symbol list, the number of 14 character length password combinations increases to 2.7 x 10^67. Clearly, NT hashes are a lot more secure than LM hashes.

By using a password longer than 14 characters, Windows will not store the LM password hash (only the NT hash). You can also create/set a NoLMHash Registry value to stop LM hash storage.

I suspect if you want to login to an XP system on your desk, you will need the NT password. But if all you have is the LM password, you could start capitalising various combinations until you get a valid login. eg given a LM password of "NEON96" try Neon96, nEon96 etc.

Using SIFT ophcrack

So as promised, here's how to crack a Windows password using ophcrack on the SIFT Workstation.

1. Go here and download the XP Free Fast (703 Mb) zip file to SIFT (eg save to "/home/sansforensics").

2. Launch a new command terminal window and type "mkdir ~/ophcrack_tables" followed by "mkdir ~/ophcrack_tables/tables_xp_free_fast". Note: The "~/" is shorthand for your home directory ie "/home/sansforensics/". In this step, we are creating a directory structure to store our rainbow tables.

3. Type "mv ~/tables_xp_free_fast.zip ~/ophcrack_tables/tables_xp_free_fast/" to move the downloaded zip file to our new directory structure. This step assumes that you downloaded the zip file to "/home/sansforensics/".

4. Type "cd ~/ophcrack_tables/tables_xp_free_fast" followed by "unzip tables_xp_free_fast.zip" to extract the zip file to the "~/ophcrack_tables/tables_xp_free_fast/" directory.

5. Assuming you've already done step 6 from the previous Volatility post and have obtained the XP hash password file (in "~/xp-passwd"), type "ophcrack -d ~/ophcrack_tables/ -t tables_xp_free_fast,0,1,2,3 -n 4 -f ~/xp-passwd -l ophcrack-vol-op.txt" to load/use all 4 tables to crack the "xp-passwd" hash file and then store the results in the "ophcrack-vol-op.txt" file in the current directory.

The output at the command line will eventually look like:

0h  4m 11s; search (98%); tables: total 4, done 3, using 1; pwd found 4/7.

6. By typing "more ophcrack-vol-op.txt" we can see the actual results:

15 hashes have been found in /home/sansforensics/xp-passwd.
Opened 4 table(s) from /home/sansforensics/ophcrack_tables//tables_xp_free_fast,0,1,2,3.
0h  0m  0s; Found empty password for user Guest (NT hash #1)
0h  0m  0s; Found empty password for 2nd LM hash #4
0h  0m  0s; Found empty password for user Sarah (NT hash #6)
0h  0m  1s; Found password 6 for 2nd LM hash #0
0h  0m 53s; Found password NEON199 for 1st LM hash #0in table XP free fast #2 at column 4645.
0h  0m 53s; Found password Neon1996 for user Administrator (NT hash #0)
0h  0m 59s; Found password NEON96 for 1st LM hash #4in table XP free fast #1 at column 4368.
0h  0m 59s; Found password Neon96 for user phoenix (NT hash #4)
0h  1m  6s; Found password JVYMGP1 for 2nd LM hash #2in table XP free fast #0 at column 4037.


Results:

username / hash                  LM password    NT password
Administrator                    NEON1996       Neon1996
Guest                            *** empty ***  *** empty ***
HelpAssistant                    .......JVYMGP1 .......
SUPPORT_388945a0                 *** empty ***  .......
phoenix                          NEON96         Neon96
ASPNET                           .............. .......
Sarah                            *** empty ***  *** empty ***


It looks like the NIST "HelpAssistant" password cracking attempt has failed - it might have special characters in it. You can also see it took A LOT less time than using John The Ripper (minutes vs hours) and that ophcrack provides the case-sensitive version of the passwords under "NT password" rather than the "LanManager" all caps version.
Just FYI, ophcrack also has a nice Windows GUI available for download from sourceforge but it will only be as good as the rainbow tables you give it.

So I think that about covers Windows Password cracking for now. Please feel free to suggest a new forensicatory area to investigate next.