I have already discussed what a rainbow table is. If you do not know what a rainbow table is, read that first. Next, we will show through an example how to crack Windows hashes with a rainbow table. Before that, Windows hashes need to be explained in some detail. Windows has two hash types: the LM (LAN Manager) hash and the NTLM (NT LAN Manager) hash:
1. LM Hash: the password is split into n (n is 1 or 2) seven-byte segments, the missing bytes are padded with 0, each segment is extended by one byte to form a DES key, and DES is used for encrypted storage.
2. NTLM Hash: MD4 + RSA encrypted storage.
Among them, the 9x operating systems use LM; 2K, XP and 2K3 use both LM and NTLM to maintain compatibility; Vista, 2008 and Win7 use NTLM.
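As an added example (not code from the original article), the following Python script audits a hash dump for accounts that still store an LM hash, since those are the ones the rainbow table below targets. It assumes the user:RID:LM_hash:NT_hash::: line layout that pwdump6 writes, and the sample dump inside it is constructed.

```python
# Added example, not code from the original article: audit a pwdump-style
# dump (user:RID:LM_hash:NT_hash:::) for accounts that still store LM hashes.
# The constants are the well-known hashes of the empty password.
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of ""
EMPTY_LM_HALF = EMPTY_LM[16:]                  # one zero-padded empty half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) for one dump line, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_account(lm, nt):
    """Describe what the stored hashes reveal about one account's password."""
    if nt == EMPTY_NT:
        return ["empty password"]
    if not HEX32.match(lm) or lm == EMPTY_LM:
        return ["no LM hash stored"]     # placeholder text, or LM storage disabled
    # A real LM hash: the password was uppercased and split into two 7-byte
    # DES blocks, so each half was hashed independently of the other.
    findings = ["LM hash stored"]
    if lm[16:] == EMPTY_LM_HALF:         # second block was all padding
        findings.append("password is at most 7 characters")
    return findings

def audit_dump(text):
    """Audit every line of a dump; returns {user: [findings]}."""
    report = {}
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec:
            user, _, lm, nt = rec
            report[user] = audit_account(lm, nt)
    return report

# Constructed sample dump: the non-empty hash values are made-up hex.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:0123456789abcdefaad3b435b51404ee:0011223344556677889900aabbccddee:::
carol:1002:NO PASSWORD*********************:0011223344556677889900aabbccddee:::
"""

if __name__ == "__main__":
    print(audit_dump(SAMPLE_DUMP))
```

Accounts reported as "LM hash stored" are the ones a defender should fix by enabling the NoLMHash policy and having the password changed, since the LM hash is only rewritten at the next password change.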
Let's start with the idea: use pwdump6 to export the Windows hash file, then use ophcrack to crack it. Three tools are used in this article: pwdump6, the XP free fast rainbow table, and ophcrack. Click these links to go to the download page.
Step 1: Export the Windows hash file
In this step, you must have a user account with administrative permissions on the remote host, and the IPC$ and Admin$ shares must be enabled (they are by default), for pwdump to obtain the Windows hashes. Here, you may ask: what is the point of cracking if we already have a user account with administrative permissions on the remote host? In fact, it makes a lot of sense. For example, if you obtained the remote host shell through an overflow or a Web intrusion, then in order to access the host easily next time without the administrator noticing, you have to crack the password of an existing user. At the same time, by cracking the passwords on this host and analysing them together with the other information collected, you can easily access other hosts in the network. Now I am starting my work. Download the pwdump package, decompress it, switch to the pwdump directory, and run the following command:
PwDump.exe -u username -p password -o win.hash host
# username is a user name with administrator permissions
# password is that user's password
# host is the name or IP address of the computer with IPC$ and Admin$ enabled
After the command runs, the Windows hash file win.hash is generated in the pwdump directory. OK, Step 1 is complete!
Step 2: Start cracking
Install the downloaded ophcrack and run it. The ophcrack interface is as follows:
A. Install the rainbow table:
Click "Tables" to bring up the "Table Selection" interface. On the "Table Selection" interface, select the corresponding rainbow table. We downloaded XP free fast (703 MB), so here we select "XP free fast", click "Install", select the path of the decompressed rainbow table (the path cannot contain Chinese characters), and click "OK". When the dots in front of the rainbow table name change from red to green, the rainbow table has been installed correctly.
B. Load Windows Hash:
Click the "Load" button, select "PWDUMP file" from the drop-down menu, and select the win.hash file we just exported to load the Windows hashes. As shown below:
C. Start cracking
After configuration, click the "Crack" button to start cracking. The following is the result of my attack. It took more than four minutes, so it will take a while!