WinXP Password Crack
Content
NETWORK COMMUNICATION, SECURITY AND AUTHENTICATION WinXPassword Cracking Using O!"Crack # C$%
How do&s O!"Crack # C% work' Passwords are encrypted using a special algorithm when stored on the domain controller or your computer. This encrypted format is called the “hash”. Password hashes are “oneway” hashes, so they cannot be decrypted simply by applying the encryption algorithm to the hash. Instead, each “guessed” password must be encrypted with the hashing algorithm, and the resulting hash is compared to the hash of the real password. When the hashes match, you have identified the real password. ! first allows users to download password hash files from their computer or domain controller "(o) *)s" +a,& ad*inis"ra"i,& -ri,i.&g&s "o acc&ss "+& +as+ !i.&s#. ! then uses special techni$ues to chec% passwords very $uic%ly. Typically, all dictionary words are chec%ed first, since these are the most commonly used "and wea%est# passwords. &e't, ! tests “hybrid” passwords. These are dictionary words with e'tra characters at the beginning or end of the dictionary word "e.g.( “)ohn*+” or “popcorn,”#. -ou can also have ! substitute characters that are commonly used to replace letters "“.” instead of “s”, or “+” instead of “I”#. This is also a very fast inspection of wea%er passwords. /inally, ! can use either “brute force” or the precomputed hash tables to chec% all possible combinations of %eyboard characters to identify all passwords, even very strong ones. " ! 0 1dministrator, 2ite, and !onsultant 3ditions all include the !4 set of precomputed hash tables for 556 of the 3nglish alphanumeric password combinations. This provides the same functionality of the brute force audit, but in minutes instead of hours.#
!0 can obtain encrypted passwords from stand-alone Windows &T and 7*** wor%stations, networ%ed servers, primary domain controllers, or 1ctive 4irectory, with or without 2-283installed. !0 can even sniff encrypted passwords from the challenge9response e'changed when one machine authenticates to another over the networ%. This version of !0 installs initially in a +0 day Trial mode in which the /r)"& !orc& crack is no" a,ai.a/.&0
+
a/ora"or( O,&r,i&w • The student will crac% a Win:P password file on the local host. The laboratory is divided into two ma)or phases. • 4uring the !irs" -+as& the students will enter new users with easy to remember passwords on the local machine then e'tract and crac% their password. • 4uring the s&cond -+as& the student will install L0ftCrack v5 Win:P password audit tool. • The laboratory is primarily in outline format with notes to the student on functions to be performed. C.ass Pr&-ara"ion • The student is e'pected to; +. 3'amine *ftcrac% documentation 7. 3'amine Win:P password control functions. a/ora"or( O/1&c"i,& <. The student will understand how to utili=e the *ft!rac% 1udit tool to crac% or recover passwords on the Win:P machine.
P+as& 2 3 T+is .a/ is "o /& co*-.&"&d in "+& Windows XP &n,iron*&n"0
• 4uring this phase of the laboratory the students will add users to the local machine and then e'tract and crac% the passwords utili=ing *ft!rac%. +. 2tart Windows and login as 1dministrator. Right click My Computer > Manage >. The following screen should appear.
7
"7# 2elect Local Users and Groups > Users. The following screen should appear.
"<#
>ighlight Us&rs, right clic% and select N&w )s&r. The following screen should appear.
<
• •
Add a" .&as" "+r&& n&w )s&rs "o "+& .oca. *ac+in& wi"+ &as( "o r&*&*/&r -asswords . ?ore difficult ones can be tried later on. These are dummy users that will subse$uently be deleted. !lose the &ew @ser window.
P+as& 4 A 4uring the s&cond -+as& the student will install the *ft!rac% password audit tool. • The insructor will provide the *ft!rac% utility "or download it from the internet#. • 4ouble clic% the LC5setup file and follow the installation instructions.
• • 1fter installation, load the program +. 2elect tart > programs > LC5 > LC5. 7. !lic% the !B program and follow the Wi=ard. <. 2elect Tria.. The screen shown below should appear.
B
•
/ollow the Wi=ard instructions and select the following; +. 1t Cet 3ncrypted Password screen select ; Retrieve from Local Machine. 7. 1t !hoose 1uditing ?ethod screen select; Common !ass"ord #udit. <. 1t Pic% Deporting 2tyle screen select; #ll $o%es. B. 1t Eegin 1uditing screen clic% &inish to begin password auditing. 0. The following screen shows the completed password auditing.
0
NOTE5 Were the correct passwords recoveredG If time permits try more difficult passwords. Hust remember that it could ta%e hours to crac% a password that is one reason it is done off-line.
• /inal 3'ercise +. Please remove all newly entered users from the machine. 7. 1s a final e'ercise remove *pht!rac% utili=ing the following; tart > > Control panel > #dd'Remove !rograms. 2elect and remove *phtcrac%.
F
CON6RATU ATIONS. -ou have )ust finished the Windows Password !rac%ing aboratory.
I
How do&s O!"Crack # C% work' Passwords are encrypted using a special algorithm when stored on the domain controller or your computer. This encrypted format is called the “hash”. Password hashes are “oneway” hashes, so they cannot be decrypted simply by applying the encryption algorithm to the hash. Instead, each “guessed” password must be encrypted with the hashing algorithm, and the resulting hash is compared to the hash of the real password. When the hashes match, you have identified the real password. ! first allows users to download password hash files from their computer or domain controller "(o) *)s" +a,& ad*inis"ra"i,& -ri,i.&g&s "o acc&ss "+& +as+ !i.&s#. ! then uses special techni$ues to chec% passwords very $uic%ly. Typically, all dictionary words are chec%ed first, since these are the most commonly used "and wea%est# passwords. &e't, ! tests “hybrid” passwords. These are dictionary words with e'tra characters at the beginning or end of the dictionary word "e.g.( “)ohn*+” or “popcorn,”#. -ou can also have ! substitute characters that are commonly used to replace letters "“.” instead of “s”, or “+” instead of “I”#. This is also a very fast inspection of wea%er passwords. /inally, ! can use either “brute force” or the precomputed hash tables to chec% all possible combinations of %eyboard characters to identify all passwords, even very strong ones. " ! 0 1dministrator, 2ite, and !onsultant 3ditions all include the !4 set of precomputed hash tables for 556 of the 3nglish alphanumeric password combinations. This provides the same functionality of the brute force audit, but in minutes instead of hours.#
!0 can obtain encrypted passwords from stand-alone Windows &T and 7*** wor%stations, networ%ed servers, primary domain controllers, or 1ctive 4irectory, with or without 2-283installed. !0 can even sniff encrypted passwords from the challenge9response e'changed when one machine authenticates to another over the networ%. This version of !0 installs initially in a +0 day Trial mode in which the /r)"& !orc& crack is no" a,ai.a/.&0
+
a/ora"or( O,&r,i&w • The student will crac% a Win:P password file on the local host. The laboratory is divided into two ma)or phases. • 4uring the !irs" -+as& the students will enter new users with easy to remember passwords on the local machine then e'tract and crac% their password. • 4uring the s&cond -+as& the student will install L0ftCrack v5 Win:P password audit tool. • The laboratory is primarily in outline format with notes to the student on functions to be performed. C.ass Pr&-ara"ion • The student is e'pected to; +. 3'amine *ftcrac% documentation 7. 3'amine Win:P password control functions. a/ora"or( O/1&c"i,& <. The student will understand how to utili=e the *ft!rac% 1udit tool to crac% or recover passwords on the Win:P machine.
P+as& 2 3 T+is .a/ is "o /& co*-.&"&d in "+& Windows XP &n,iron*&n"0
• 4uring this phase of the laboratory the students will add users to the local machine and then e'tract and crac% the passwords utili=ing *ft!rac%. +. 2tart Windows and login as 1dministrator. Right click My Computer > Manage >. The following screen should appear.
7
"7# 2elect Local Users and Groups > Users. The following screen should appear.
"<#
>ighlight Us&rs, right clic% and select N&w )s&r. The following screen should appear.
<
• •
Add a" .&as" "+r&& n&w )s&rs "o "+& .oca. *ac+in& wi"+ &as( "o r&*&*/&r -asswords . ?ore difficult ones can be tried later on. These are dummy users that will subse$uently be deleted. !lose the &ew @ser window.
P+as& 4 A 4uring the s&cond -+as& the student will install the *ft!rac% password audit tool. • The insructor will provide the *ft!rac% utility "or download it from the internet#. • 4ouble clic% the LC5setup file and follow the installation instructions.
• • 1fter installation, load the program +. 2elect tart > programs > LC5 > LC5. 7. !lic% the !B program and follow the Wi=ard. <. 2elect Tria.. The screen shown below should appear.
B
•
/ollow the Wi=ard instructions and select the following; +. 1t Cet 3ncrypted Password screen select ; Retrieve from Local Machine. 7. 1t !hoose 1uditing ?ethod screen select; Common !ass"ord #udit. <. 1t Pic% Deporting 2tyle screen select; #ll $o%es. B. 1t Eegin 1uditing screen clic% &inish to begin password auditing. 0. The following screen shows the completed password auditing.
0
NOTE5 Were the correct passwords recoveredG If time permits try more difficult passwords. Hust remember that it could ta%e hours to crac% a password that is one reason it is done off-line.
• /inal 3'ercise +. Please remove all newly entered users from the machine. 7. 1s a final e'ercise remove *pht!rac% utili=ing the following; tart > > Control panel > #dd'Remove !rograms. 2elect and remove *phtcrac%.
F
CON6RATU ATIONS. -ou have )ust finished the Windows Password !rac%ing aboratory.
I
