Cracking Windows Passwords

Creating passwords to crack

You’ll need a Windows machine (real or virtual) with administrator access. It can run any version of Windows, XP or later, except Windows 10. If you want to use Windows Server 20xx, you’ll need to disable the "Password must meet complexity requirements" policy.

Click Start, type in CMD and press Shift+Ctrl+Enter.

If a "User Account Control" box appears, click Yes.

In the Administrator Command Prompt window, execute these commands:

net user test1 abc /add
net user test2 abcde /add
net user test3 password /add
net user test4 entrincheirado /add
net user test5 Pa$$w0rd /add

Those commands create five new system users.



Downloading and installing Cain & Abel

Open a browser and go to http://www.oxid.it/cain.html

Scroll down and click "Download Cain & Abel v4.9.56 for Windows NT/2000/XP".

Save the installer on your PC.


Double-click the installer. Install the software with the default options.

NOTE: Cain & Abel will be detected as malware by your virus scanner. You will need to allow it to install, which is pretty easy if you use Microsoft Security Essentials or Defender. If you don't want to install it on your real machine, use a VM.

The installer will also ask to install WinPCap. In order to guarantee full functionality and stability, install it too.

Displaying the password hashes

Run CAIN from the Desktop shortcut, as an Administrator.

If a "User Account Control" box appears, click Yes.

In the Cain window, at the top, click the Cracker tab. Move the mouse to the center right, where a blank white pane appears with a gray grid.

Right-click and select "Add to list".


In the "Add NT Hashes from" box, click Next.


The password hashes appear, as shown in the figure below. On Windows Vista or later, LM hashing is disabled by default, so the LM column shows the same placeholder value for every account; only the NT hash carries the password information.



Cracking passwords

Right-click test1, point to "Brute-Force Attack", and click "NTLM Hashes".

Note: we are cracking the NTLM hashes, not the old, weak LM hashes. The NTLM hashes are much more difficult to crack, so this attack will only be feasible for short passwords.


In the "Brute-Force Attack" box, click the Start button. It should find the three-letter password immediately. Close the "Brute-Force Attack" box.

NOTE: You can select different settings for the Brute-Force Attack.


Repeat the procedure for test2. The attack should find the five-letter password within a few seconds. Close the "Brute-Force Attack" box.

Repeat the procedure for test3 but, before starting the attack, choose a smaller charset containing only letters, and tell CAIN to disregard all passwords shorter than 8 characters.


Notice that even without any complexity, a long password is hard to guess, because trying every possible combination takes time.

After a few minutes, you should give up and be happy to have the two passwords you found, in the NT Password column of the Cain window.


As you saw, the Brute-Force Attack is only effective against very short and simple passwords, unless you have lots of time and very powerful computing resources to try every possible combination of every possible character.
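The following added example (not code from the page or from Cain & Abel) puts numbers on that statement. It models what the Brute-Force Attack has to do, namely try every string over a charset between a minimum and a maximum length, and estimates the worst-case time for the lab's passwords. The guess rate of ten million NT hashes per second is an assumed figure for a single CPU core, not something measured on the page; GPU crackers are several orders of magnitude faster, which is why the length and charset rows matter more than the absolute times.

```python
"""Keyspace size and exhaustive-search time for a brute-force attack.

Added example, not from the page. Rate figures are assumptions.
"""


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate strings of length min_len..max_len over the charset."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("invalid charset size or length range")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


# Assumed single-core rate; not a figure from the page.
ASSUMED_RATE = 10_000_000

# Constructed scenarios: the lab's passwords plus two stronger policies.
LAB_CASES = [
    ("test1 (abc)",          26, 1, 3),    # lowercase letters, lengths 1..3
    ("test2 (abcde)",        26, 1, 5),    # lowercase letters, lengths 1..5
    ("test3 (password)",     26, 8, 8),    # lowercase letters, exactly 8
    ("printable ASCII, 8",   95, 8, 8),    # all printable characters, 8 long
    ("lowercase, 12",        26, 12, 12),  # length alone, no complexity
]


def brute_force_table(rate: float = ASSUMED_RATE) -> list:
    """Return (label, candidate count, worst-case duration) for each scenario."""
    rows = []
    for label, charset, lo, hi in LAB_CASES:
        n = keyspace(charset, lo, hi)
        rows.append((label, n, describe(seconds_to_exhaust(n, rate))))
    return rows


if __name__ == "__main__":
    for label, n, duration in brute_force_table():
        print(f"{label:22} {n:>24,} candidates   worst case {duration}")
```

The last two rows are the point for a defender: twelve lowercase letters already outnumber eight characters drawn from the full printable set, so a minimum length buys more than a complexity rule does.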

It’s time to try a different approach: a Dictionary Attack.

Right-click test3, point to "Dictionary Attack", and click "NTLM Hashes".


Before starting the attack, you need to add a dictionary file, i.e. a wordlist containing all the words you want CAIN to test.

Right-click the dictionary area and add a file.


CAIN has a small wordlist. Use it!

Notice all the variations CAIN can try for each word in the list.


Start the attack! A few seconds later…


Try the same thing for user test4!


Maybe you need a better, bigger wordlist. Go to http://bit.do/Word_Lists and download the file “wordlistPT_Small.zip”. Unpack it to any folder of your choice and add it to CAIN.


Launch the attack again! A few seconds later…


Try the same thing for user test5!


Maybe you need an even bigger wordlist... Or a totally different kind of attack!
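The dictionary attack succeeds on test3, test4 and test5 because the candidate is a known word with trivial decoration: capitalisation, leet substitutions ($ for s, 0 for o), appended digits or symbols. The defender's counterpart is a password filter that applies the same normalisation before a password is accepted. The example below is added here and is not code from the page or from Cain & Abel; the wordlist, the twelve-character minimum and the substitution table are constructed assumptions, and a real policy would load a leaked-password list such as rockyou.txt instead of the handful of words used here.

```python
"""Dictionary-style checks for a password policy.

Added example, not from the page. Wordlist and minimum length are assumed.
"""
import re

MIN_LENGTH = 12  # assumed policy value; the page sets no minimum

# Constructed mini wordlist standing in for a real leaked-password list.
WORDLIST = {"password", "qwerty", "abc", "entrincheirado", "letmein", "welcome"}

# Undo the substitutions an attacker's rules apply ("Pa$$w0rd" -> "password").
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                        "3": "e", "4": "a", "5": "s", "7": "t"})


def base_word(password: str) -> str:
    """Strip leading/trailing digits and symbols, undo leet, lowercase."""
    core = re.sub(r"[^A-Za-z]+$", "", password)  # drop trailing 123, !@#, 7890 ...
    core = re.sub(r"^[^A-Za-z]+", "", core)       # and leading decoration
    return core.translate(UNLEET).lower()


def weaknesses(password: str, wordlist=WORDLIST, min_length=MIN_LENGTH) -> list:
    """Return the reasons a password would be rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    base = base_word(password)
    if base in wordlist:
        reasons.append(f"dictionary word '{base}' with trivial decoration")
    else:
        # Longer words are also rejected when embedded, e.g. "omgqwerty".
        for word in sorted(wordlist):
            if len(word) >= 5 and word in base:
                reasons.append(f"contains dictionary word '{word}'")
                break
    return reasons


# The lab's ten passwords, as constructed sample input.
LAB_PASSWORDS = ["abc", "abcde", "password", "entrincheirado", "Pa$$w0rd",
                 "P@ssw0rd", "abc123!@#", "pazzword123", "omgqwerty", "qwerty7890"]


def audit(passwords=LAB_PASSWORDS) -> dict:
    """Map each candidate password to its list of policy failures."""
    return {p: weaknesses(p) for p in passwords}


if __name__ == "__main__":
    for pw, reasons in audit().items():
        print(f"{pw:16} {'OK' if not reasons else '; '.join(reasons)}")
```

Note what the rule-based part misses: "pazzword123" only fails the length check, because no substitution table turns it back into a wordlist entry. A filter built on real leaked passwords catches such strings directly, which is the same reason a large wordlist outperforms clever mangling rules for the attacker.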


Downloading Ophcrack

Visit the website http://ophcrack.sourceforge.net/ and download the LiveCD.


The LiveCD is a completely self-contained, bootable version of Ophcrack 3.6.0 with rainbow tables (just a sample).

Choose the Vista/7 LiveCD.


On the next webpage, the Ophcrack LiveCD ISO file should begin downloading automatically.

This file can be used to create a bootable CD or USB key from which you can boot your machine, physical or virtual.

Insert the Ophcrack LiveCD disc into your optical drive (or USB port) and restart your computer. After the usual POST screen, wait for the Ophcrack menu to appear.


At this stage you don't need to do anything because the boot process will continue automatically after the timer at the bottom of the screen expires.


Watch for Hard Drive Partition information to display.


The next screen is the Ophcrack LiveCD software itself. It will automatically attempt to recover, by brute force, the passwords of all Windows user accounts it can find on your computer.


Surprisingly, the initial attack could not crack even one of the easy passwords. Keep in mind that the attack finished very quickly, so only short passwords were tested, probably no longer than 3 characters.

Now you’ll need to load the SAM (Security Account Manager) database. This is where Windows stores the local account password hashes; it is usually found in c:\windows\system32\config.

Press the Load button, Choose SAM, and navigate to the appropriate folder.


Add the rainbow tables available on the LiveCD. Press Tables and navigate to the proper folder as shown in the picture. Keep in mind that, depending on your partition configuration, the /media/sr0 path can be different.


This will add the Vista tables, created for the most probable passwords.



Press Crack.

After 20 minutes…


After 43 minutes…


We need something else, right? But before that, why don’t we enhance the difficulty a bit more?

Exit Ophcrack and restart your Windows OS. Let’s create some more users, shall we?

net user test6 P@ssw0rd /add
net user test7 abc123!@# /add
net user test8 pazzword123 /add
net user test9 omgqwerty /add
net user test10 qwerty7890 /add

Visit the website http://ophcrack.sourceforge.net/tables.php and download an additional set of rainbow tables, the free Vista tables, which are dictionary-based. It’s a file named tables_vista_free.zip. Unpack it to a directory of your choice inside your Windows environment.


Restart your machine again and boot from the Ophcrack Live CD.

Reload the SAM, install all the rainbow tables and start a new cracking procedure.


More passwords, a longer wait… for a very disappointing result!


What can we conclude from this result?

Are the previously created passwords really safe?

Don’t give up. Not just yet… Restart your machine to Windows.

Let’s try CAIN again with an even bigger wordlist. Go to http://bit.do/Word_Lists and download the file “rockyou.zip”. Unpack it to any folder and notice the size of the text file.

Let’s attack all accounts at once!


Add the new text file to CAIN’s list of dictionary files and don’t forget to reset all dictionary files to their initial positions.

You can even keep only the basic option enabled to speed things up.

Wait one minute…




The free and small rainbow tables are useless for any real application.

But with a proper dictionary file, cracking silly passwords is a walk in the park!
