Team Theta Video Project Document

April 13th, 2011

OphCrack Tutorial

Zachary Quinn, Stephen Roma, Michael Sakoian, Aaron Schiff, Kyle Simmers, and Derek Soderstrom


Contents

Background
Purpose
Script
Walkthrough
References


Background: There are many reasons to try to break into Windows through a password exploit: you forgot your password for some reason, you want to play a prank on a friend, or you want access to another person’s files. Ophcrack is a program that allows you to crack the Windows logon password. Ophcrack is able to break the password by using rainbow tables. Windows passwords are “in a weak hash form, the first kind of which is called the LM (Lan Manager) Hash” (Back). Secondly, when a password is more than seven characters long, it is split into seven-character chunks, converted to uppercase, and hashed with DES encryption. “This means there are only about 2^37 8-bit hashes instead of 2^83 16-bit hashes; a good thing for an attacker looking to break a password” (Back). This makes cracking the password a lot easier with the Ophcrack Live CD.
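The seven-character split described above is visible in any stored LM hash, which gives a defender a quick way to audit for it. The following is an added example, not part of the original document: it assumes a pwdump-style user:rid:lm:nt::: export, and the sample lines and account names are constructed; the empty-half constant is the well-known LM hash of an empty seven-character chunk.

```python
import re

# LM hash of an empty 7-character half; a doubled value means no LM hash is stored.
EMPTY_HALF = "aad3b435b51404ee"
HEX32 = re.compile(r"[0-9a-f]{32}")

NO_LM = "no LM hash stored"
ONE_HALF = "LM hash stored: password is 7 characters or fewer"
TWO_HALVES = "LM hash stored: two 7-character halves, each attackable alone"

# Constructed sample in the assumed user:rid:lm:nt::: layout. The non-empty
# hash values are filler hex, not hashes of any real password.
SAMPLE_DUMP = "\n".join([
    "Administrator:500:1111111111111111" + EMPTY_HALF + ":" + "a" * 32 + ":::",
    "svc_backup:1001:22222222222222223333333333333333:" + "b" * 32 + ":::",
    "Guest:501:" + EMPTY_HALF * 2 + ":" + "c" * 32 + ":::",
    "truncated line",
])


def classify_lm(lm_field):
    """Classify one LM hash field by looking at its two 8-byte halves."""
    lm = lm_field.strip().lower()
    if not HEX32.fullmatch(lm):
        raise ValueError("LM field is not 32 hex characters")
    first, second = lm[:16], lm[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return NO_LM
    return ONE_HALF if second == EMPTY_HALF else TWO_HALVES


def audit(dump):
    """Return ({user: finding}, [line numbers that could not be parsed])."""
    findings, rejected = {}, []
    for lineno, line in enumerate(dump.splitlines(), 1):
        fields = line.split(":")
        try:
            findings[fields[0]] = classify_lm(fields[2])
        except (IndexError, ValueError):
            rejected.append(lineno)
    return findings, rejected


def accounts_at_risk(findings):
    """Accounts whose LM hash is present and should be rotated out."""
    return sorted(u for u, f in findings.items() if f != NO_LM)


if __name__ == "__main__":
    results, bad = audit(SAMPLE_DUMP)
    for user, finding in results.items():
        print(f"{user}: {finding}")
    print("unparsed lines:", bad)
```

Accounts flagged here keep an LM hash until the "Network security: Do not store LAN Manager hash value on next password change" policy is enabled and the password is changed.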

Purpose: The purpose of this lab is to explore the program Ophcrack. This program is primarily used by forensic analysts in order to crack/retrieve passwords within the Windows system. The scenario for this lab is that we have recently obtained a computer from a crime scene that is suspected to have incriminating evidence within the administrator account. In order to access this information quickly and easily, we need to crack the password for this account. At first glance at the computer, we realize that we have access to guest accounts on the machine. With this information, we know that by using the Ophcrack program we will be able to successfully crack and log onto the administrator account, giving us access to the necessary information. For this lab it is also understood that all the necessary forensic steps were taken in order to ensure the integrity and validity of the data.

Script:

Narrator: Hi, we are Team Theta. Our members include (team names).

Narrator: For this video, we will be exploring the program OphCrack. OphCrack is a commonly used, cross-platform password cracker that uses rainbow tables that will be described later in this video. In order to demonstrate this program, we are going to retrieve the password from the administrator account while logged into the guest account of the same computer.


Narrator: Now we are going to open up OphCrack. OphCrack is fairly intuitive software that has a user-friendly interface. The first step in attempting to crack the administrator password is to install the rainbow tables.

Narrator: (Read rainbow table slide)

Narrator: Now click the tables icon. Select XP free small. This option selects the pre-determined list of hashes. You may choose other options, but this is the smallest and most appropriate for this demo. Once the option is selected, hit install and find the directory where the table was downloaded. We have skipped this step because we have already installed the table.

Narrator: The next step is to load the local SAM file. In order to do this, click the load menu, highlight and select the local SAM option.

Narrator: (Read local SAM slide). This is where our password is currently stored in our system and where we can retrieve it from.

Narrator: The next step will be to begin the cracking process. Highlight the account of your choice, but in our case choose the administrator account. Select the crack button. The program will begin to automatically brute force the administrator account. It is using the rainbow tables, which contain pre-calculated hash values. These hash values will be compared to the hash values in the local SAM to determine a match through using a brute force attack. This process could take a long time and is dependent on the complexity of the password. For this demo, the password is fairly basic and will be cracked in under a minute.

Narrator: A nice feature of this program is that it is able to display data during the brute force attack. Examples of this data include the number of hashes, number of f-seeks, and number of false alarms on the left, while on the right it will display the number of prefixes and postfixes found and the number of starts found. This shows when a matched hash value is found.

Narrator: When we return to the main screen, you can see that the administrator account has been hacked. For this demo, we have stopped the attack early because our password was fully recovered. Here you can see the password for the administrator account, which is pennstate. With the attack done, we are able to view more statistics in a graph format. These graphs show details on the brute force attack and passwords recovered. For this demo, this graph is very basic because of the simplicity of the password.

Narrator: Now, with the password found, log out of the guest account and attempt to log into the administrator account using the recovered password, which is pennstate.

Narrator: SUCCESS!


Walkthrough:

Step 1: Open OphCrack.

Step 2: Install the rainbow tables by clicking the tables icon.

Step 3: Select XP free small. This option selects the pre-determined list of hashes. You may choose other options, but this is the smallest and most appropriate for this demo.

Step 4: Once the option is selected, hit install and find the directory where the table was downloaded.


Step 5: Load the local SAM file. In order to do this, click the load menu, highlight and select the local SAM option.


This is where our password is currently stored in our system and where we can retrieve it from.

Step 6: Highlight the account of your choice but in our case choose the administrator account.


Step 7: Select the crack button.

A nice feature of this program is that it is able to display data during the brute force attack. Examples of this data include the number of hashes, number of f-seeks, and number of false alarms on the left, while on the right it will display the number of prefixes and postfixes found and the number of starts found. This shows when a matched hash value is found.


When we return to the main screen, you can see that the administrator account has been hacked. For this demo, we have stopped the attack early because our password was fully recovered. Here you can see the password for the administrator account which is pennstate. With the attack done, we are able to view more statistics in a graph format. These graphs show details on the brute force attack and passwords recovered. For this demo this graph is very basic because of the simplicity of the password.


Step 8: Now, with the password found, log out of the guest account and attempt to log into the administrator account using the recovered password, which is pennstate.

References

Back, Elliott. "Cracking Windows Passwords with Ophcrack and Rainbow Tables." Elliott C. Back: Internet & Technology. N.p., 26 Apr. 2006. Web. 4 Apr. 2011. <elliottback.com/wp/cracking-windows-passwords-with-ophcrack-and-rainbow-tables/>.

Fisher, Tim. "Ophcrack Password Recovery - How To Recover Passwords Using Ophcrack LiveCD - Password Crack." PC Support - Computer Support - Fix Computer Problems - PC Help - Free Computer Help. Web. 02 Feb. 2011. <http://pcsupport.about.com/od/toolsofthetrade/ss/ophcracksbs.htm>.

Kuliukas, Kestas. "How Rainbow Tables work." kestas.kuliukas.com; Kestas' home page. N.p., n.d. Web. 4 Apr. 2011. <http://kestas.kuliukas.com/RainbowTables/>.

Nikerider. "How to Oph-crack Windows Login Passwords." HubPages. Web. 02 Feb. 2011. <http://hubpages.com/hub/ophcrack>.

Ophcrack. Web. 02 Feb. 2011. <http://ophcrack.sourceforge.net/>.