Slashdot Mirror


Ophcrack Says Your Password Is Insecure

javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available for Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."

7 of 249 comments

  1. Test ophcrack live. by realdodgeman · Score: 3, Informative

    Ophcrack live (CD) does not crack all Windows passwords, only about 99%. Still, it takes only 20 minutes and can crack passwords up to 14 characters, while running from a bootable CD. And it is horrifying how few Windows sysadmins know about this...

  2. Re:There's no way they're getting my password! by Anonymous Coward · Score: 3, Informative

    echo -n "" | md5
    d41d8cd98f00b204e9800998ecf8427e

    His password is nothing, not a newline.

  3. Re:Windows is insecure by design by eln · Score: 4, Informative

    "if I have physical access to the machine and have a bootable CD I have no need to crack any passwords, I can just reset the password and carry on"

    You can do this with a Linux box as well, as well as practically any other system, so I'm not sure what your point is here.

    Physical access to a box pretty much means you have root access to that box. This is why physical security is such an important part of overall system security.

  4. This is why two factor authentication is necessary by colinmcnamara · Score: 3, Informative

    This is a prime example of the need for a multi-layered security model for authentication and authorization of your systems. There are many vendors that supply two factor authentication methods (RSA being the most well known) that provide for one time passwords. Techniques like this effectively mitigate the risk of a user account compromised by use of a hash table like this. BTW, this is nothing new. Rainbow tables have been out for ages. --Colin

    --
    Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"

  5. Re:There's no way they're getting my password! by pegr · Score: 5, Informative

    Got it.

    norad:~# echo "" | md5sum
    68b329da9893e34099c7d8ad5cb9c940 -
    Actually, it's:
    Password:
    LM Hash: AAD3B435B51404EEAAD3B435B51404EE
    NT Hash: 31D6CFE0D16AE931B73C59D7E0C089C0

    Windows password hashes are not MD5...

    Brought to you by the "genhash" utility of the PassTheHash toolkit for Windows. (Google it, it's awesome.)

  6. Windows passwords Secure? by nick13245 · Score: 5, Informative

    First of all, ophcrack only comes with alpha-numeric tables for LM hashes. If you have special characters in your password, you'll have to generate your own table, which takes a very long time, and a lot of hard drive space. Ophcrack does not have the ability to generate Rainbow tables as the article suggests... Second of all, Ophcrack only works well against LM hashes, because with LM hashes, passwords are split into 7 byte halves, then hashed. So you only have to have tables that go up to 7 characters with LM hashes. If you disable LM hashes on your Windows box, and use NTLM hashes, the entire password is hashed, and is not split up. So if you pick a good password, with special characters, that's fairly long, it will be pretty much impossible to crack if you're using NTLM only. Even with rainbow tables... The problem is Windows XP (by default) stores passwords as LM and NTLM hashes. So if an attacker can get the LM hashes, they can crack your password easily. You can hack the registry and keep Windows from storing LM hashes. See http://support.microsoft.com/kb/299656

  7. Re:secure password? by zlogic · Score: 3, Informative

    LM hashes split passwords in 8-letter chunks, and for each of them:
    1) the last symbol is removed, so the chunk becomes a 7-character password
    2) the password is uppercased (yeah, that's dumb)
    and then hashes are calculated for these chunks.
    BOTH the LM and NTLM (a much more secure hash) hashes are stored in the registry.
    So to get a typical 8-character password, you only need to guess the first 7 characters in uppercase.
    After that the more secure NTLM hash is used to guess the case of each character and the eighth character which is missing from LM.
    This means that guessing a 16-character password takes at most twice the time of an 8-char one, and not something like 40^8 times as much.

    More info here: http://en.wikipedia.org/wiki/LM_hash
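The LM construction that comments 6 and 7 describe (uppercase, pad to 14 bytes, hash each 7-byte half separately), written out as an added example that is not code from the thread or from Ophcrack; it uses Go's standard crypto/des, assumes ASCII passwords, and reproduces the empty-password LM hash quoted in comment 5 so you can see why each half is only ever a 7-character problem:

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmKey spreads 7 bytes over an 8-byte DES key (the low parity bits are ignored by DES).
func lmKey(half []byte) []byte {
	k := make([]byte, 8)
	k[0] = half[0] >> 1
	k[1] = (half[0]&0x01)<<6 | half[1]>>2
	k[2] = (half[1]&0x03)<<5 | half[2]>>3
	k[3] = (half[2]&0x07)<<4 | half[3]>>4
	k[4] = (half[3]&0x0F)<<3 | half[4]>>5
	k[5] = (half[4]&0x1F)<<2 | half[5]>>6
	k[6] = (half[5]&0x3F)<<1 | half[6]>>7
	k[7] = half[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf DES-encrypts the fixed LM constant "KGS!@#$%" under one 7-byte half.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(lmKey(half))
	if err != nil {
		panic(err) // key is always 8 bytes, so NewCipher cannot fail
	}
	out := make([]byte, 8)
	block.Encrypt(out, []byte("KGS!@#$%"))
	return out
}

// LMHash: uppercase (ASCII assumed), NUL-pad or truncate to 14 bytes, hash each
// 7-byte half on its own, return the 32 uppercase hex digits Windows stores.
func LMHash(password string) string {
	padded := make([]byte, 14)
	copy(padded, []byte(strings.ToUpper(password))) // copy truncates past 14
	h := append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
	return strings.ToUpper(hex.EncodeToString(h))
}

func main() {
	fmt.Println("LM(\"\") =", LMHash("")) // matches the empty-password hash in comment 5
	fmt.Println("LM(\"Password1\") tail == LM(\"d1\") head:", LMHash("Password1")[16:] == LMHash("d1")[:16])
}
```

The second half of a 9-character password is just the hash of its uppercased 8th and 9th characters, which is the observation that makes Ophcrack's 7-character tables sufficient.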