Wednesday, January 23, 2008

Using Rainbow Crack Tables for XP Password Discovery

How does Windows NT/2k/XP/Vista store your local passwords?

Windows doesn't actually store your password in plaintext anywhere on your computer; that is to say, you can't just go poking around and find some magic file with everything listed. What Windows does instead is store a HASH of your password in what is called the SAM (Security Accounts Manager). Simply put, Windows stores an alphanumeric string that is the result of a one-way function: what you see doesn't help you get the password, it only works one way. In this manner, Windows can verify your password not by storing your password, but by comparing the hashed result of whatever you type in to the hashed result it has stored.

What is Rainbow Crack? Why not just reset the Administrator password?

There are many utilities out there available to the consultant to reset your XP administrator password, but only one that will discover your password for you, and that is a Rainbow Crack Table. A rainbow crack table is a large (very large: 610 MB to 64 GB) table of pre-computed hashes to be compared with the hashes pulled from your computer. In this manner, instead of brute forcing your way through and spending all kinds of time looking for the password, you are looking through a database, comparing hashes, then printing out the corresponding password. Much faster. If you do much consulting, it might be to your benefit to pre-compute a set of tables just to have on hand, or you could try an online password recovery service like (free and fee based). Although in many instances it doesn't matter whether you reset the password or discover it, if you use EFS on your system and reset the password, you won't have access to your encrypted files anymore.
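The time-memory trade-off behind these tables, as an added toy illustration (not code from this post or from the RainbowCrack project): it uses MD5 as a stand-in for the unsalted LM/NT hash, a constructed 256-password space and 32 chains of 8 steps, so precompute and lookup both finish in about a second. The `coverage()` function shows why a "tricky" password can be missed, and `salted_lookup()` shows the caveat that a per-user salt, which LM/NT hashes lack, makes a precomputed table useless.

```python
import hashlib
import itertools

# Toy parameters (constructed): 4-char passwords over "abcd" (256 candidates), 32 chains of 8 steps.
CHARSET, PW_LEN, CHAIN_LEN, NUM_CHAINS = "abcd", 4, 8, 32

def toy_hash(pw):
    # Stand-in for the unsalted LM/NT hash: a one-way function of the password alone.
    return hashlib.md5(pw.encode()).digest()

def reduce_(step, h):
    # Map a hash back into the password space (base-|CHARSET| digits); mixing in the
    # step index gives each column its own reduction function, which is what makes it "rainbow".
    n = int.from_bytes(h, "big") + step
    return "".join(CHARSET[(n // len(CHARSET) ** i) % len(CHARSET)] for i in range(PW_LEN))

def build_table(start_points):
    # The precompute step: only chain endpoints are stored (endpoint -> start points).
    table = {}
    for sp in start_points:
        p = sp
        for step in range(CHAIN_LEN):
            p = reduce_(step, toy_hash(p))
        table.setdefault(p, []).append(sp)
    return table

def lookup(table, target):
    # Guess that target sits in column j, walk the chain to its end, and if that end is
    # stored, regenerate the chain from its start point to recover the password.
    for j in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_(j, target)
        for step in range(j + 1, CHAIN_LEN):
            p = reduce_(step, toy_hash(p))
        for sp in table.get(p, ()):  # may be a false alarm; then nothing below matches
            cand = sp
            for step in range(CHAIN_LEN):
                if toy_hash(cand) == target:
                    return cand
                cand = reduce_(step, toy_hash(cand))
    return None  # the table simply does not cover this password

ALL_PASSWORDS = ["".join(t) for t in itertools.product(CHARSET, repeat=PW_LEN)]
START_POINTS = ALL_PASSWORDS[::len(ALL_PASSWORDS) // NUM_CHAINS]
TABLE = build_table(START_POINTS)

def coverage():
    # Fraction of the space the table recovers; below 1.0 is why a "tricky" password can be missed.
    hits = sum(1 for pw in ALL_PASSWORDS if lookup(TABLE, toy_hash(pw)) == pw)
    return hits / len(ALL_PASSWORDS)

def salted_lookup(pw, salt="user1:"):
    # A per-user salt (constructed here; LM/NT hashes have none) keeps any precomputed table from matching.
    return lookup(TABLE, toy_hash(salt + pw))
```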

Running Rainbow Crack

Running rainbow crack should really be done on multiple machines to speed things up. I ran mine on 5 Compaq Presario 1.6 GHz machines and I spent the better part of a month computing the 36 GB database (I also stopped them multiple times to move the computer room), so you can see the advantage of splitting the task up among many CPUs. I'm going to give you an overview of the process on XP, but it is similar in Linux.

Generate and sort your tables as per Tutorial

  1. Download and unzip it, it is all command line driven, so put it somewhere easy to type to.
  2. Figure out how accurate you want to be (and how much time and disk space you will use) by picking a charset from this list
  3. If you have multiple machines, just give each machine a few of the jobs from the list and have them save to the same place on a network share.
  4. When you have computed the tables, use rtsort.exe on them so that rcrack.exe can search them faster.
  5. Crack the hash with rcrack.exe and the sorted rainbow tables.

Isn't there an easier way?

Why, thanks for asking; yes, in fact there may be a couple! I say may because the bootable CD Ophcrack has the 650 MB set of Rainbow Tables, so it might not work if the password is tricky. The second option has always worked for me, but you wait a week for results unless you pay a fee.

Useful Resources:

1 comment:

Linky1124 said...

Great information for me!
I also wrote an article about resetting Windows passwords.