How to Recover a Windows Password with Ophcrack
When Windows stores a password, it hashes it into an LM hash and keeps that hash in the Windows SAM file. In the scary moment that you lose your password, but don't want to pay some geek to have full root access to your computer, you can recover it using Ophcrack. Ophcrack doesn't remove the password or bypass it; it cracks the password hash using rainbow tables.
Ophcrack is best run from a live CD. Windows has a security measure in place that blocks all access to the SAM file while the system is running. To get around this, the partition and Windows file system must be mounted from an operating system that can load and run itself from memory. This keeps the Windows system from loading and allows the SAM file to be read.
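To make the "rainbow tables" mentioned above concrete, here is an added toy implementation in Python. It is not Ophcrack's code and not part of the original article: it uses SHA-256 as a stand-in for the LM hash and a constructed keyspace of three lowercase letters so it runs in seconds with only the standard library. The structure is the real thing, though: precompute chains of hash/reduce steps, store only each chain's endpoint and start, and at lookup time regenerate the chain to find the password.

```python
import hashlib
import string

# Constructed toy parameters: the keyspace is every lowercase string of
# exactly LENGTH characters, small enough to build the table in seconds.
ALPHABET = string.ascii_lowercase
LENGTH = 3
KEYSPACE = len(ALPHABET) ** LENGTH   # 17,576 candidate passwords
CHAIN_LEN = 20                       # hash/reduce steps per chain
NUM_CHAINS = 2000                    # (endpoint -> start) pairs stored


def toy_hash(password: str) -> bytes:
    """Stand-in for the LM hash (assumption for this example). Any
    deterministic, unsalted hash works the same way; SHA-256 is used so
    the example needs only the standard library."""
    return hashlib.sha256(password.encode("ascii")).digest()


def word(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a candidate password."""
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_fn(digest: bytes, column: int) -> str:
    """Reduction function: fold a digest back into the keyspace. Mixing in
    the column index gives every column its own reduction, which is what
    makes this a rainbow table rather than a plain Hellman table and
    keeps chains from merging as often."""
    n = int.from_bytes(digest[:8], "big") + column
    return word(n % KEYSPACE)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains. Only the endpoint and start of each chain are
    stored; intermediate passwords are recomputed at lookup time. That
    trade of CPU for disk space is the whole point of a rainbow table."""
    table = {}
    for i in range(num_chains):
        start = word(i * KEYSPACE // num_chains)   # spread starts over the keyspace
        p = start
        for col in range(chain_len):
            p = reduce_fn(toy_hash(p), col)
        table.setdefault(p, start)                 # keep the first chain on an endpoint clash
    return table


def crack(table: dict, digest: bytes, chain_len: int = CHAIN_LEN):
    """Recover the password behind `digest`, or None if no chain covers it."""
    # Guess which column the password sat in, latest column first.
    for col in range(chain_len - 1, -1, -1):
        p = reduce_fn(digest, col)
        for c in range(col + 1, chain_len):
            p = reduce_fn(toy_hash(p), c)
        start = table.get(p)
        if start is None:
            continue
        # Replay the chain from its start up to the guessed column and verify.
        q = start
        for c in range(col):
            q = reduce_fn(toy_hash(q), c)
        if toy_hash(q) == digest:
            return q
    return None


def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the keyspace the table can actually invert. Chain merges
    keep it below NUM_CHAINS * CHAIN_LEN / KEYSPACE, which is why real
    tables advertise a success rate rather than a guarantee."""
    seen = set()
    for start in table.values():
        p = start
        for col in range(chain_len):
            seen.add(p)
            p = reduce_fn(toy_hash(p), col)
    return len(seen) / KEYSPACE


if __name__ == "__main__":
    t = build_table()
    print(f"{len(t)} chains stored, covering {coverage(t):.0%} of {KEYSPACE} passwords")
    print("cracked:", crack(t, toy_hash("cat")))          # constructed sample inside the keyspace
    print("outside keyspace:", crack(t, toy_hash("Cat1")))  # mixed case/digit: no chain covers it
```

The coverage figure is the number to watch: a table never covers its whole keyspace, so the "greater than 90%" claims below are statements about table size, not certainty. The reason LM hashes in particular are so table-friendly is that the LM scheme uppercases the password, pads or truncates it to 14 characters and hashes each 7-character half separately with no salt, so an attacker's table only ever has to cover seven uppercase characters at a time; this is why Windows Vista and later no longer store LM hashes by default and why longer, mixed-case passwords on older systems push the hash out of the tables' reach.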
In today's Null Byte, we are going to burn the Ophcrack medium to a disc and run its tables against our Windows password to assess how strong it is.
- A Windows installation on your hard drive
- A blank CD
Step 1 Burn Ophcrack to a Disc
We need to burn our tool to a CD so we can boot from it and crack our SAM file.
- First, let's install some easy-to-use, free software to burn our ISO.
Download Free ISO Burner.
- Download the Ophcrack ISO that corresponds to your OS.
- Open up Free ISO Burner and select the Ophcrack ISO file. Here is an example image from the website:
- Check off Finalize Disc.
- Set the burn speed as low as you can. The slower the burn, the higher the quality. It also helps avoid turning CDs into coffee coasters by burning the image incorrectly.
- Click "Brun" (program typo).
Step 2 Boot from Ophcrack
- Throw the disc in your disc tray.
- Reboot your computer.
- Hit the key to get into the setup menu during boot time (usually one of the F keys; it varies by machine).
- Boot from the CD first.
- The software should open a window that runs the rainbow tables against your SAM file.
I'm not sure how large Ophcrack tables are, but some people swear it has a greater than 90% success rate. I doubt it would on mine, with my ridiculous passwords.