Kali Linux: ophcrack

From OnnoWiki

Insert the USB live media and boot the PC. Make sure that booting from USB is the first option in the BIOS boot menu.

Boot the Windows machine from the live CD. On the Kali Linux boot menu, select Live (forensic mode). Once Kali Linux has loaded, open a terminal window and navigate to the Windows password database file. Note that forensic mode does not mount internal disks automatically, so the Windows partition has to be mounted by hand before the paths used below exist.

Crack the Windows password with ophcrack:

Once the Kali live system has loaded, open the system menu, select ophcrack and click OK.

Ophcrack uses rainbow tables to recover the plain text of NTLM and LM hashes. It is a free Windows password cracker based on rainbow tables and a very efficient implementation of the method, written by its inventors. A complex password takes much longer than a simple one, and with the free tables your password may never be cracked.

Once the crack is done you will see the password in plain text, write it down and reboot the machine to login. If your password isn’t cracked, you can also log in as one of the other users with admin rights and then change your password from within Windows.

With the free tables available you will not be able to crack every password; the paid tables range from $100 to $1000.

Windows stores its password hashes (NTLM hashes) in the SAM file. We simply need to target this file to retrieve the password.

The ophcrack application window is now open. Click Load > Encrypted SAM.

Next we need to give the path to the SAM directory, which by default is /mnt/hda1/WINDOWS/System32, and click Choose.

The stored hashes are now listed together with the user name and user ID.

Now click the Crack button and wait for the password. It is quick and easy.

That's it: it will show the password if it is found in the tables you have loaded. The tables have to be downloaded first; I downloaded the XP free small and the Vista free tables. Once you have downloaded the tables you will need to unzip them into separate folders. I made a folder called “hash-tables” and then made two more folders within it, one for each table to unzip to.

Run the program and click the “Tables” button. Select the table you downloaded and click “Install”, navigate to the folder where you unzipped the table, select it and then click “OK”. You should see green lights next to the tables you installed.

Reset Windows password with chntpw:

Navigate to the Windows password database file. In almost all versions of Windows the passwords are saved in the SAM file. This file is usually located under /Windows/System32/config; on your system the full path may look something like this: /media/hda1/Windows/System32/config.

The SAM database is usually in the /media/name_of_hard_drive/Windows/System32/config directory.

From that directory, type the command chntpw -l SAM and it will list all the user names contained on the Windows system.

#chntpw -l SAM

The command gives us a list of user names on the system. Once we know the user name we want to modify, we simply run the command chntpw -u “username” SAM.

In the example below we typed chntpw -u “Sanjai sathish” SAM and got the following menu:

#chntpw -u "Sanjai sathish" SAM

We now have the option of clearing the password, changing the password, or promoting the user to administrator. Changing the password does not always work on Windows 7 and 8 systems; it may work on XP, so it is recommended to clear the password instead. You will then be able to log in with a blank password. You can also promote the user to a local administrator.
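The two weak states described above, LM hashes still stored on disk (the cheap target for the free XP tables) and accounts left with a blank password (what a chntpw clear produces), are exactly what an administrator should audit for afterwards. The following is an added example, not code from the wiki page or from ophcrack: it reads account hashes in the pwdump text format that ophcrack can also load (user:RID:LM_hash:NT_hash:::) and reports the accounts to fix. The two constants are the well-known hashes of the empty password; the user names and the other hash values are constructed sample data.

```python
# Added audit example (not part of the original wiki page): flags accounts in a
# pwdump-style hash list that are cheap to crack or need no cracking at all.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": blank password

# Constructed sample dump; hash bodies other than the two constants are placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
backup:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

def parse_pwdump(text):
    """Yield (user, rid, lm_hash, nt_hash) per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_pwdump(text):
    """Return findings keyed by category, each a sorted list of user names."""
    findings = {"lm_hash_stored": [], "blank_password": [], "shared_password": []}
    users_by_nt = defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        if lm != EMPTY_LM:
            # LM: at most 14 chars, upper-cased, split into two 7-byte halves,
            # so a stored LM hash is what the free rainbow tables recover quickly.
            findings["lm_hash_stored"].append(user)
        if nt == EMPTY_NT:
            # Blank password, e.g. the state left behind by a chntpw "clear".
            findings["blank_password"].append(user)
        users_by_nt[nt].append(user)
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            # Identical NT hash means identical password on several accounts.
            findings["shared_password"].extend(users)
    return {category: sorted(users) for category, users in findings.items()}

if __name__ == "__main__":
    for category, users in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

An account reported under lm_hash_stored keeps its LM hash until the password is changed after LM storage has been disabled, so the fix is a policy change followed by a password reset.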

Crack the password in Linux using John the Ripper:

John the Ripper is a fast password cracker. Its primary purpose is to detect weak Unix passwords. Besides the several crypt(3) password hash types most commonly found on various Unix systems, Windows LM hashes are supported out of the box, plus lots of other hashes and ciphers in the community-enhanced version.

John the Ripper is a popular dictionary-based password cracking tool. It uses a wordlist full of passwords and tries to crack a given password hash using each password from the wordlist in turn. In other words, this is called brute-force password cracking and is the most basic form of password cracking. It is also the most time- and CPU-consuming technique: the more passwords there are to try, the more time is required.

Still, if you want to crack a password locally on your system, john is one of the good tools to try. John is among the top 10 security tools in Kali Linux.

In this topic I am going to show you how to use the unshadow command along with john to crack the passwords of users on a Linux system. On Linux the username/password details are stored in the following two files:

/etc/passwd (user names and account details)
/etc/shadow (the password hashes)

The actual password hash is stored in /etc/shadow, and this file is only accessible with root access to the machine. So try to get this file from your own Linux system, or first create a new user with a simple password. I will create a new user on my Linux system named happy, with password chess.

Now that the new user has been created, it is time to crack its password.


The unshadow command combines the data of /etc/passwd and /etc/shadow into one file with both the user name and the password details. Usage is quite simple.

#unshadow /etc/passwd /etc/shadow > ~/crack

We redirected the output of the unshadow command to a new file called crack.

This new file is what john will crack. For the wordlist we use the password list that comes with john on Kali Linux, located at /usr/share/john/password.lst, or you can use your own password lists.

#john --wordlist=/usr/share/john/password.lst ~/crack

Use the “--show” option to display all of the cracked passwords reliably.

With the above command john was able to crack the hash and give us the password “chess” for the user “happy”. John succeeded only because the password “chess” was present in the password list; if it were not there, john would have failed.

Use the --show option to list all the cracked passwords.

#john --show ~/crack
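To make the unshadow step concrete, here is an added example (not code from the wiki page or from John the Ripper) that reproduces what unshadow does, joining /etc/passwd and /etc/shadow by user name, and then classifies each resulting hash field the way an administrator would before running john over it: blank fields and legacy hash schemes are the entries john finishes in seconds. The passwd and shadow contents are constructed sample data; the hash bodies are placeholders and only their $id$ prefixes matter.

```python
# Added example (not part of the original page): a minimal unshadow plus an audit
# of the password fields. PASSWD and SHADOW are constructed sample files.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
happy:x:1001:1001::/home/happy:/bin/bash
oldsvc:x:1002:1002::/var/lib/oldsvc:/usr/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/bash
"""
SHADOW = """\
root:!:19580:0:99999:7:::
happy:$6$saltsalt$placeholderhashbody:19580:0:99999:7:::
oldsvc:$1$abcdefgh$placeholderhashbody:19580:0:99999:7:::
guest::19580:0:99999:7:::
"""

def unshadow(passwd_text, shadow_text):
    """Replace the 'x' password field of each passwd entry with the shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    combined = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # not a valid passwd record
            continue
        fields[1] = hashes.get(fields[0], fields[1])
        combined.append(":".join(fields))
    return combined

def classify_hash(field):
    """Map a shadow password field to a risk class an administrator can act on."""
    if field == "":
        return "blank"               # account logs in with no password at all
    if field.startswith(("!", "*")):
        return "locked"              # no hash to crack
    scheme = field.split("$")[1] if field.count("$") >= 2 else ""
    if scheme in ("5", "6", "7", "y", "2a", "2b", "2y"):
        return "strong"              # sha256/sha512-crypt, scrypt, yescrypt, bcrypt
    return "weak"                    # md5-crypt ($1$) or 13-char DES crypt: fast to crack

def audit_unshadow(combined):
    """Return {user: risk class} for every line of unshadow output."""
    return {line.split(":")[0]: classify_hash(line.split(":")[1]) for line in combined}

if __name__ == "__main__":
    for user, risk in audit_unshadow(unshadow(PASSWD, SHADOW)).items():
        print(f"{user}: {risk}")
```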