Thursday, July 28, 2011

Password Auditing (or, How I Learned to Crack Passwords)

Password auditing can be a fun little project for an IT security department.  Windows stores local account password hashes in the SAM database (a registry hive, HKLM\SAM; domain accounts live in NTDS.dit on the domain controllers) as the NT hash, commonly called the NTLM hash: an unsalted MD4 digest of the UTF-16LE password.  As I will show, because there is no salt, NTLM hashes are fairly easily cracked with precomputed tables when good password policy is not followed. 

The methodology I will cover utilizes rainbow tables for cracking passwords.  A rainbow table is a time-memory trade-off: the hashes of a large keyspace are computed once, in advance, and stored compactly as chains (only the start and end point of each chain are kept), so that a captured hash can be looked up far faster than brute-forcing it.  This only works against unsalted hashes, which is exactly why it works so well against NTLM.  This method is great when you have a good set of tables.  When you don't, there is still brute force, which can be fairly lengthy if you don't have access to a nice cloud or local cluster. 
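To make the time-memory trade-off concrete, here is a toy rainbow table over real NT hashes.  It is an added example written for this post, not ophcrack's or RainbowCrack's code.  It assumes a 3-digit numeric keyspace so that it runs in seconds; the chain length and chain count are arbitrary choices, and MD4 is implemented inline because many Python builds no longer expose it in hashlib.  Only the chain end points are stored; a lookup regenerates chain fragments from the captured hash and checks the stored starts, including the false alarms that make real tables probabilistic.  Scaled up, this is the same thing the numeric tables generated with RainbowCrack later in this post do.

```python
"""Miniature rainbow table against NT hashes (added example, not from the post).
The NT hash is MD4 over the UTF-16LE password with no salt, so a table built once
works against every account. Keyspace is kept tiny (3-digit PINs, an assumption)."""
import struct

MASK = 0xFFFFFFFF
KEYSPACE = 1000      # plaintexts "000".."999"
CHAIN_LEN = 20       # hashes per chain (t); lookup cost grows with t^2
NUM_CHAINS = 150     # chains stored (m); table size grows with m

def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320, in pure Python because hashlib often lacks 'md4'."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (boolean function, additive constant, shifts, message-word order)
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # each step updates one register; rotating the tuple keeps the code short
                a, b, c, d = d, _rotl(a + func(b, c, d) + x[idx] + k, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)

def nt_hash(password: str) -> bytes:
    """The Windows NT hash: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))

def reduce_to_pin(h: bytes, column: int) -> str:
    """Reduction function R_column: maps a hash back into the keyspace.
    Mixing in the column index is what makes it a *rainbow* table (fewer chain merges)."""
    n = (int.from_bytes(h[:4], "little") + column) % KEYSPACE
    return f"{n:03d}"

def build_table() -> dict:
    """Return {end point: [start points]}; only chain ends are stored, that is the memory saving."""
    table = {}
    for i in range(NUM_CHAINS):
        start = f"{(i * 613) % KEYSPACE:03d}"   # deterministic, pairwise distinct starts
        p = start
        for col in range(CHAIN_LEN):
            p = reduce_to_pin(nt_hash(p), col)
        table.setdefault(p, []).append(start)  # merged chains share an end point
    return table

def lookup(table: dict, target: bytes):
    """Recover the PIN whose NT hash is `target`, or None if no chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_to_pin(target, i)          # assume target sits at column i ...
        for col in range(i + 1, CHAIN_LEN):   # ... and walk to the chain end
            p = reduce_to_pin(nt_hash(p), col)
        for start in table.get(p, ()):
            q = start                         # regenerate the chain; may be a false alarm
            for col in range(CHAIN_LEN):
                hq = nt_hash(q)
                if hq == target:
                    return q
                q = reduce_to_pin(hq, col)
    return None

def coverage(table: dict, pins) -> float:
    """Fraction of the given PINs the table recovers (each hit is verified by re-hashing)."""
    hits = 0
    for pin in pins:
        got = lookup(table, nt_hash(pin))
        if got is not None and nt_hash(got) == nt_hash(pin):
            hits += 1
    return hits / len(pins)

if __name__ == "__main__":
    table = build_table()
    sample = [f"{n:03d}" for n in range(0, KEYSPACE, 20)]
    print(f"{len(table)} end points stored for a {KEYSPACE}-entry keyspace")
    print(f"NT hash of 'password': {nt_hash('password').hex()}")
    print(f"recovered {coverage(table, sample):.0%} of {len(sample)} sample PINs")
```

Notice what the numbers say: 150 stored end points stand in for a 1000-entry keyspace, and a lookup costs on the order of t^2/2 hashes instead of up to 1000.  Real tables push m and t into the millions, which is why the 7-character NTLM set discussed below runs to over 100 GB, and why a longer, salted scheme would defeat the whole approach.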

I utilized 3 different programs to complete my password auditing testing:  ophcrack, rcracki_mt, and rcrack. 


     Ophcrack is a great little utility.  You can download a LiveCD to boot from (it will automatically load the NTLM hashes from the machine) or install the application on a test machine (what I did).  The methodology is pretty much the same either way.  There are many tables for Ophcrack available from their website. 

This graph shows the various tables available.  Note that there is only one free table.  However, their tables are fairly priced if you have the money.  The Vista free tables are very well put together and will do for basic auditing and for catching really easy passwords.  I was able to get the Vista Special tables for about $100, I believe.  Not a bad deal, considering it got a good majority of the passwords I found in my testing (unfortunately). 

The interface is fairly straightforward.  The “Load” option lets you load the various hash formats (LM or NTLM).  To get the hashes from my machine I used pwdump7 (v7.1).  Simply run  pwdump7 -d <output file>  and the tool will do the work and write a text file similar to this: 

Clark:1000:NO PASSWORD*********************:259745CB123A52AA2E693AAACCA2DB52:::
Barry:1000:NO PASSWORD*********************:2D20D252A479F485CDF5E171D93985BF:::
Bruce:1000:NO PASSWORD*********************:21E6C83723EB7BC2CFED883DA412B804:::
Oliver:1000:NO PASSWORD*********************:8D793BF7E73DAA43A28D04BD4BA1FC05:::
Peter:1000:NO PASSWORD*********************:E803ABFAF249575CAF1529465E243B3E:::
Matt:1000:NO PASSWORD*********************:6B4B376436A5664FEACAC52301155951:::
Logan:1000:NO PASSWORD*********************:71BAD9C6FD984ADD32187A1DDF360F85:::
Scott:1000:NO PASSWORD*********************:67A252C097F568BEC274AF4CC1462DC0:::
Xavier:1000:NO PASSWORD*********************:A086E310475F2B8DFD9E2F7265BD16C8:::
Steve:1000:NO PASSWORD*********************:6EF391B2282F1DA56379EDB11BBB034F:::
Clint:1000:NO PASSWORD*********************:87F65D137998A4CE59EA65B114A0F831:::
Eric:1000:NO PASSWORD*********************:F773C5DB7DDEBEFA4B0DAE7EE8C50AEA:::

This was the text file I used to crack.  Each line follows the pwdump format  username:RID:LM hash:NT hash:::  and the NO PASSWORD********************* placeholder means no LM hash is stored for that account, which is the default since Vista.  (In a real dump every account has a distinct RID; all of them reading 1000 here is an artifact of the hand-built file.)  No, I didn't have all these accounts set up on a Windows machine; I wanted to test the application, so I created this file by copying the format of the pwdump7 output and generating the hashes with the Cain & Abel v4.9.4 hash calculator. 
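Before cracking anything, the dump format itself already yields findings.  The following added example (written for this post; it is not code from pwdump7, ophcrack or the original author) parses lines in the pwdump format above and, because the NT hash is unsalted, flags blank passwords (the NT hash of an empty password is a fixed constant), accounts sharing a password (identical hashes), accounts that still store an LM hash, and duplicated RIDs that reveal a hand-built dump like the one above.  The first two sample lines are copied from the listing; the remaining lines are constructed for the example, using the NT hash of "password" as the shared value.

```python
"""Sanity checks on a pwdump-format dump before any cracking (added example, not from the post).
Because the NT hash is unsalted: identical hashes mean identical passwords, the hash of an empty
password is a constant, and a populated LM field means the much weaker LM hash is still stored."""
from collections import defaultdict

EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of "" (MD4 of zero bytes)
NO_LM_MARKER = "NO PASSWORD*********************"     # pwdump7's rendering of "no LM hash stored"
LM_EMPTY = "AAD3B435B51404EEAAD3B435B51404EE"        # LM hash of "", as other dumpers print it

# First two lines copied from the post's listing; the rest are constructed for this example.
# 8846F7EAEE8FB117AD06BDD830B7586C is the NT hash of "password".
SAMPLE_DUMP = """\
Clark:1000:NO PASSWORD*********************:259745CB123A52AA2E693AAACCA2DB52:::
Barry:1000:NO PASSWORD*********************:2D20D252A479F485CDF5E171D93985BF:::
Diana:1001:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
Hal:1002:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::
Arthur:1003:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:::
Victor:1004:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
"""

def parse_pwdump(text: str) -> list:
    """Parse lines of the form user:RID:LM hash:NT hash::: into dicts, rejecting malformed ones."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = fields[0], fields[1], fields[2].upper(), fields[3].upper()
        if len(nt) != 32 or any(c not in "0123456789ABCDEF" for c in nt):
            raise ValueError(f"bad NT hash for {user}: {nt!r}")
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries

def audit(entries: list) -> dict:
    """Policy findings that need no cracking at all."""
    by_hash = defaultdict(list)
    rid_count = defaultdict(int)
    for e in entries:
        by_hash[e["nt"]].append(e["user"])
        rid_count[e["rid"]] += 1
    return {
        # the empty-password NT hash is a constant, so blank passwords are spotted by equality
        "blank_password": by_hash.get(EMPTY_NT_HASH, []),
        # anything other than the two "no LM hash" markers means LM hashes are still being stored
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] not in (NO_LM_MARKER, LM_EMPTY)],
        # no salt: same hash implies same password across accounts
        "shared_password": {h: u for h, u in by_hash.items() if len(u) > 1 and h != EMPTY_NT_HASH},
        # RIDs are unique on a real system; duplicates mean a hand-built or corrupted dump
        "duplicate_rid": sorted(r for r, n in rid_count.items() if n > 1),
    }

if __name__ == "__main__":
    for finding, value in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```

Run this over a real dump before spending table time: a blank password or a hash shared by a dozen service accounts is a policy finding on its own, and an LM hash in the third field means the far weaker LM tables apply as well.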

            Once you have the hashes loaded, click the Crack button and you will see something like this: 

From here you can simply save the results to a CSV file.  

Voila!  You will have your passwords cracked in roughly 12 minutes (at least on my dual-core i5 laptop with 8 GB of DDR3 in this scenario).  


     rcracki_mt is a decent application, and the website it is available from also offers a plethora of rainbow tables, from MD5 to LM and NTLM hashed passwords.  I personally chose to go with the NTLM rainbow tables covering 7-character passwords with all possible character variations (roughly 140 GB worth of tables).  

     rcracki_mt is a command-line tool with fairly simple usage.  Here is my usage example:

The command breaks down as follows:
     rcracki_mt -h <hash> | -l <file of hashes> [-t <number of threads>] <directory containing your tables>
(The tool also accepts -f <pwdump file>, so output in the pwdump7 format shown above can be fed in directly.)

rcracki_mt was able to find an all-special-character password in about 5 minutes of cracking with 2 threads.  Not bad; however, the rcracki_mt tables are split into a ton of files that each have to load, which to me didn't seem super efficient.  That's my personal opinion, though, and for free this is a GREAT option.  


      rcrack is a similar tool to rcracki_mt, but it uses plain .rt tables rather than the indexed tables rcracki_mt uses.  RainbowCrack provides rcrack as both a GUI and a CLI tool.  I chose the GUI version because I was using this in a demonstration and pictures are easier for meetings.  With rcrack you also get the tools to generate your own rainbow tables (rtgen to build them and rtsort to sort them, which rcrack requires before it can search them).  I opted to create my own tables to be able to crack any numerical password up to 10 digits.  It took roughly 2 days to generate the 4 tables I made, totaling around 200 MB.  I then created a simple text file with various numerical passwords and again got the hashes using Cain & Abel's hash generator.

     This is what the RainbowCrack GUI will look like once you select File | Load Passwords from List...  Once you have your hashes loaded, select "Rainbow Tables" and point it either to a single file or a directory.  Now to begin cracking:

In this instance it took a mere 2 minutes to find all 5 passwords.  

It is also possible to convert the indexed tables distributed for rcracki_mt into the plain format usable by RainbowCrack (rcrack).  However, I have not felt the need to test this, as I find rcracki_mt decent enough to use for now.  

These are the methods I have used to begin auditing passwords in order to assess the need for a stronger password policy.  Hopefully you can use them to implement auditing where you need to.

+++Hopefully it goes without saying, but use this information ethically!  I did this for research and work, not to harm anyone.