
Completing an assignment for my Ethical Hacking unit at University at the moment and the first task I have is to crack some passwords.

Decided to use backtrack to crack some passwords from a Windows XP box I set up.

I'm using bkhive and samdump2 to get the encryption key to decrypt the SAM file and dump it into a text file.

I'm then using John the Ripper to crack the password hashes. This is working fine with "short passwords", but when I try it with long passwords of, say, 20 characters, it just says that there is no password for that account.

Anyone got any idea what's going on?

EDIT: Just to make it clear, it doesn't even attempt to crack the password; it just says that the user has no password after about 10 seconds of the program running. I'm aware that it would take an awful long time to crack the password.

It thinks that it has cracked the password: have a look at this: http://aporcupine.com/john.png

A_Porcupine

  • What mode are you using? Wordlist? Single? Incremental? – music2myear Dec 16 '11 at 17:11
  • Do you have to actually crack it, or just get past it? – Dec 16 '11 at 19:32
  • > Anyone got any idea what's going on? The long password is doing its job, making it hard to crack. It depends on what method you are using to crack the password, but for rainbow tables and dictionary attacks, if the user's password is not in the database it will not be able to be cracked. I think this is what is happening to you, as it is reporting that it cannot find the password. If you switched to a brute force method of cracking you would eventually get the password; however, for a 20-character password using lowercase only and testing passwords at 1,000,000,000/sec it would take up to [631 Billion – Scott Chamberlain Dec 16 '11 at 18:49

6 Answers


For a password of that length, your only real options are to subvert it entirely, or try a different approach.

  • Rainbow tables aren't yet big enough to cope with that length, but because the majority of passwords in use are badly chosen:
  • A dictionary attack may give you better odds of breaking it. You'd need to make some assumptions on words, alternate characters etc. and will have no guarantee that your assumptions are correct. Have a look at this question over on the Security Stack Exchange for some in-depth discussion on passwords sparked by the famous xkcd cartoon.
  • Social engineering might be your best bet; however, that probably doesn't come under the remit of an Ethical Hacking course at University.

You should definitely come on over to Security SE anyway, as it is likely to give you useful input which could help you on your course.

Rory Alsop


I found my answer so thought I'd share.

John the Ripper was automatically using the LM hashes to try and crack the passwords and there are no LM hashes for the two passwords that did not crack.

I could resolve this issue by telling JTR to use the NT hashes using "-format=NT" but this would take an awful long time.

A_Porcupine

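The behaviour described in this answer can be checked from the dump before John is run at all. The following script is an added example, not code from the thread or from John the Ripper: it parses samdump2/pwdump-style lines (user:RID:LM-hash:NT-hash:::) and flags accounts whose LM field holds the well-known LM hash of the empty string, which is what Windows stores when no LM hash exists for an account (password longer than 14 characters, or LM hash storage disabled). Those are exactly the accounts John's default LM mode reports as having no password. The sample dump lines, and every hash value in them other than the two empty-string constants, are constructed placeholders rather than hashes of real passwords.

```python
"""Classify the hashes in a pwdump/samdump2-style dump before running John.

Added example (not from the original thread). It assumes the usual
user:RID:LM-hash:NT-hash::: line layout that samdump2 and pwdump tools emit.
"""
import re
from typing import Dict, List

# LM hash of the empty string. Windows writes this value into the LM field when
# it has no LM hash for the account: the password is longer than 14 characters
# or LM hash storage is disabled. Well-known public constant, not a page value.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account genuinely has a blank password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)

# Constructed sample dump. The 32-hex-digit values other than the two
# empty-string constants are placeholders, not hashes of any real password.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
longpass:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
shortpass:1004:ffeeddccbbaa99887766554433221100:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
garbage line that is not a dump entry
"""


def classify_hashes(lm: str, nt: str) -> str:
    """Return one of 'no_password', 'nt_only', 'lm_present'."""
    if nt.lower() == EMPTY_NT_HASH:
        return "no_password"   # blank password; nothing to crack
    if lm.lower() == EMPTY_LM_HASH:
        return "nt_only"       # LM mode reports NO PASSWORD here; use --format=NT
    return "lm_present"        # LM hash exists: password <= 14 chars, weak storage


def parse_dump(text: str) -> List[Dict[str, str]]:
    """Parse every well-formed dump line; lines that do not match are skipped."""
    accounts = []
    for raw in text.splitlines():
        m = PWDUMP_LINE.match(raw)
        if not m:
            continue
        entry = m.groupdict()
        entry["class"] = classify_hashes(entry["lm"], entry["nt"])
        accounts.append(entry)
    return accounts


RECOMMENDATION = {
    "no_password": "blank password: nothing to crack, but the account needs fixing",
    "nt_only": "no LM hash: run John with --format=NT (LM mode reports NO PASSWORD)",
    "lm_present": "LM hash present: LM mode can crack it; disable LM storage on this host",
}


def report(text: str) -> List[str]:
    """One human-readable line per account, with what to do about it."""
    return [f"{a['user']} (RID {a['rid']}): {RECOMMENDATION[a['class']]}"
            for a in parse_dump(text)]


def summarize(text: str) -> Dict[str, int]:
    """Count accounts per class, e.g. to decide which John format to run first."""
    counts = {"no_password": 0, "nt_only": 0, "lm_present": 0}
    for a in parse_dump(text):
        counts[a["class"]] += 1
    return counts


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
    print(summarize(SAMPLE_DUMP))
```

Running it on the constructed dump lists two accounts with LM hashes (the ones John's default mode would actually work on), one with only an NT hash (the "no password" case from the question), and one genuinely blank account. From a defensive angle the "lm_present" count is the interesting number: every such account is storing a hash of a 14-character-or-shorter password in the weak LM form, which is the setting to turn off on the host.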

TRK can simply wipe the password. It's not best (i.e., the user would know their password's been reset) but it certainly works and works quickly:

music2myear


Just download the Windows Password Key and burn it to a CD or USB drive, then insert the disk into your locked computer, reboot, and press the button it says on the screen. Then it will automatically reset the Windows password in minutes. Or you can see this tutorial: Forgot xp password, how to find windows xp password

See this guy use that tool to crack a Windows password successfully in a short time.

http://www.youtube.com/watch?v=VRpw9ygSEys

dianiysom


Have you ever tried Ophcrack? The password hash is hard to crack, but you can replace the existing LM/NT hashes with the hashes of a known password; this is what most Windows password reset programs do, such as PCUnlocker.


If you have the password hash, you could download a rainbow table lookup program and check it against that. The larger ones go up to around 14 characters. Of course, the tables themselves are enormous. The largest one I've seen was almost two terabytes, and that was in a custom format that cut the size nearly in half.