
Links: Ophcrack for Windows Password Extraction

With forensics in mind, there are a great many ways to gain access to a Windows system, from clear-text password exploits that dump the password in plaintext to your screen, to bootable CDs that reset the Windows password outright (just search Google for “Windows Password Recovery” to see what I mean). This post isn’t meant to cover every password recovery approach; it briefly explains why reset tools may not be forensically sound and provides some links that may be of value if you need a good tool (my current favorite method uses a tool known as Ophcrack).

For those who don’t know, Ophcrack is a free but powerful utility that uses rainbow tables to crack LM and NT password hashes. It relies on a method known as the time-memory tradeoff (discussed earlier on the blog): the hashes are computed once ahead of time and stored, so recovering a password becomes a lookup rather than a brute-force search, at the cost of disk space. The better tables, which cover larger character sets (and different OS versions), can be rather large, and cracking can still be time consuming.
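To make the time-memory tradeoff concrete, here is a miniature rainbow table written for this post; it is an added illustration, not code from the post or from the Ophcrack project. SHA-256 stands in for the unsalted LM/NT hashes Ophcrack targets, and the three-letter lowercase password space, chain length and chain count are constructed values chosen so the whole thing runs in well under a second. The mechanics (per-column reduction functions, chains stored by end point, false-alarm checking) are the standard rainbow-table construction; the last comment notes why a per-user salt defeats it.

```python
"""Toy rainbow table: the time-memory tradeoff behind Ophcrack, in miniature.

Added illustration for this post; not code from the post or from Ophcrack.
SHA-256 stands in for the unsalted LM/NT hashes, and the alphabet, chain
length and chain count below are constructed for demonstration only.
"""
import hashlib
from typing import Dict, List, Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                       # 26**3 = 17,576 candidate passwords
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40                   # hash operations per chain (the "time" side)
NUM_CHAINS = 1200                # end points kept on disk (the "memory" side)


def h(password: str) -> bytes:
    """Stand-in for an unsalted password hash (LM/NT in the real tool)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def index_to_password(i: int) -> str:
    """Enumerate the password space: 0 -> 'aaa', 1 -> 'baa', ..."""
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a hash back into the password space.

    Mixing in the column index gives every column its own reduction function;
    that is what makes this a rainbow table rather than a plain Hellman table
    and stops two chains from merging after a single collision."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    return index_to_password(n)


def walk(start: str, steps: int) -> str:
    """Follow a chain `steps` columns from `start`: p0 -> p1 -> ... -> p_steps."""
    pw = start
    for column in range(steps):
        pw = reduce_to_password(h(pw), column)
    return pw


def build_table(num_chains: int = NUM_CHAINS) -> Dict[str, List[str]]:
    """Precompute chains once and keep only end point -> [start points].

    Several starts can share an end point; keeping all of them avoids silently
    losing coverage for a small extra memory cost."""
    table: Dict[str, List[str]] = {}
    for i in range(num_chains):
        start = index_to_password((i * 7919) % SPACE)   # spread the start points
        table.setdefault(walk(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Recover the password whose hash is `target`, if a stored chain covers it.

    For each column j (last column first, since that is cheapest), assume the
    target was produced in column j, finish the chain to its end point and
    look that up. A hit is only a candidate (false alarms are normal), so the
    chain is regenerated from its start to confirm the password."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_to_password(target, j)
        for column in range(j + 1, CHAIN_LEN):
            pw = reduce_to_password(h(pw), column)
        for start in table.get(pw, ()):
            cand = start
            for column in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_to_password(h(cand), column)
    return None


def tradeoff_summary() -> Dict[str, int]:
    """Numbers that make the tradeoff concrete for this toy configuration."""
    return {
        "password_space": SPACE,
        "hashes_precomputed": NUM_CHAINS * CHAIN_LEN,
        "end_points_stored": NUM_CHAINS,
        # chain-walking cost of one full (unsuccessful) lookup, before
        # verifying any candidates: sum of (CHAIN_LEN - 1 - j) over all j
        "chain_hashes_per_full_lookup": CHAIN_LEN * (CHAIN_LEN - 1) // 2,
    }


if __name__ == "__main__":
    table = build_table()
    # Constructed target: the password five columns into the first chain.
    secret = walk("aaa", 5)
    print("recovered:", lookup(table, h(secret)), "expected:", secret)
    print(tradeoff_summary())
    # Mitigation note: a per-user random salt changes the function being
    # inverted for every account, so one precomputed table no longer applies.
    # LM/NT hashes have no salt, which is exactly why tables work against them.
```

The table stores 1,200 end points instead of 17,576 hashes, and a lookup costs at most a few hundred hash operations plus candidate verification; scaling the same construction to real character sets is what produces the multi-gigabyte tables mentioned above.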

Distributions like the now-defunct free version of e-fense’s Helix 3 (no longer supported in favor of a paid Pro version) and DEFT Linux include Ophcrack and provide basic rainbow tables for this purpose. If you don’t have Helix or Ophcrack as part of your forensic tool-set, you should. If you are interested in expanding your tables and have a large enough storage medium, check FreeRainBowTables.com for additional tables generated using distributed computing. The basic tables can also be found on Ophcrack’s SourceForge page and are suitable for basic use; paid tables are available as well.

Ophcrack can be used during the analysis of a target’s SAM and SYSTEM hives. It can be run as an executable from within Windows or from a bootable environment. The recovered password could prove forensically invaluable for accessing EFS-protected files on the system. From what I know, methods like chntpw in BackTrack do reset Windows passwords, but doing so makes accessing EFS-encrypted files impossible.

Check this video created and posted by TechnologyCrazy (completely unaffiliated with this site) to see how to set up Ophcrack.

As I always state, this site does not condone illegal activity. Link posts are links to pre-existing content (I’m actually considering making my own informational videos at some point when I have the time. Maybe even a step-by-step guide).

For links to computer security related tools or resources, feel free to check this Neuralhub post.

If you have access to any related instructional video please post it in the comments! If they are any good (and they are publicly accessible), I’ll share them.

Edit: This post is fairly old and I’ve used some really great programs since then. Here are some further notes to help you decide which encryption auditing tool you should use and when:

Ophcrack Project Homepage

This tool handles LM and NT hashes well: quick and easy SAM hive cracking, which is ideal if you don’t have a license for PRTK but do for FTK and wish to decrypt EFS files. It uses rainbow tables (pre-calculated hashes) for speed; for brute force, see l0phtcrack below.

l0phtcrack Password Auditor

Offers excellent brute force, rainbow table support and dictionary attacks. Some coming from PRTK may note that l0phtcrack seems to lack PRTK’s biographical dictionary attack, one of my favorite tools. That’s not necessarily true: you can accomplish the same thing by loading biographical information into dictionaries of your own. One of the coolest features of l0phtcrack is the network sniffer, which pulls password hashes transmitted across a network. Fair warning: it doesn’t always work; if in doubt, read the documentation.

Note: thanks to my nameless friend for letting me try his l0phtcrack. Much appreciated.

AccessData’s PRTK

One of my all-time favorite tools. Although brute forcing and standard dictionary attacks may take a long time and be resource intensive, PRTK also includes some pretty powerful dictionaries right off the bat. Also, nothing beats the simple and straightforward interface. I’m a huge fan of the biographical dictionary attack, in which you can import string data from FTK and FTKi to accomplish a user-specific attack (that is to say, directory listings, FTK dtIndex’d results, etc. can all be imported to speed up attacks). I used PRTK extensively in my AccessData Certified Examiner studies and found it to be one of the best tools to date.

Interesting side note regarding EFS decryption if you have a license for FTK but not for PRTK:

If you are running FTK 4+, you can first crack the Windows user password in Ophcrack (SAM & SYSTEM hives) and then, after selecting the EFS-encrypted file, let FTK decrypt it with the password you’ve discovered. FTK also allows you to list multiple passwords if you’re unsure which one it may be. If PRTK is installed on the same system, FTK will use PRTK in the background to decrypt the file. Of course, as an ACE, I advocate getting a license for PRTK if you can, but thankfully PRTK can be used for this on the back end with little trouble.

CyberCity Wargames Looks Great

Hacker wargames are nothing new: from the epic Pull The Plug to a number of off-shoot sites still in existence, simulated hacking environments are used to train individuals to develop sound computer security problem-solving skills. A few of these sites, such as hackthissite.org and OverTheWire, teach practical software exploitation and network penetration skills through game-like hands-on challenges, while organizations like Offensive Security and the SANS Institute offer full-fledged certification paths involving penetration challenges (see SANS NetWars).

Now the United States Air Force has established one of its newest cyber ranges, CyberCity. The new simulation trains both military and government personnel in the proper way to safeguard systems from penetration in real-world scenarios. The simulation contains bank-type systems, public Wi-Fi networks of the sort found in coffee houses and internet cafes, social networking site simulations and more. Even more interesting? The man behind SANS NetWars, Ed Skoudis (noteworthy SANS Metasploit teacher), designed CyberCity himself!

Although some (including myself) have been critical of Director Panetta’s use of “Pearl Harbor” as a metaphor for “cyber war” (see “Cyber Terrorism and the Election” @ Neuralhub), I can’t deny the importance of adopting sound IT security solutions to defend against new, emergent threats both domestic and foreign. I’m glad to see my government adopting them. Penetration testing and defense simulations are ideal learning opportunities. If you haven’t had the opportunity to attend a con where CTF was being played, I highly recommend attending one of the conventions in New York or Vegas (my first was HOPE 2K!).

Safeguarding such systems in light of specific exploits, malware and viruses such as Stuxnet and Flame is of great importance to government officials. Whereas some in the news have criticized the U.S. as being behind on cyber defense (especially so after the Chinese attack against the White House computer network), the public and private sectors have been trying to step up their game and continue to work together to train our future front-line defenders.

From all the articles I’m reading about CyberCity, I’m most impressed with the real-world consequences the simulation portrays. If someone botches up, it’ll have “real world” ramifications illustrated in physical models of U.S. cities (sounds a bit like Warhammer + Uplink). The simulations even come complete with statistical information regarding the people affected by in-game events.

A similar but more expensive project is DARPA’s National Cyber Range (Lockheed won the $30m contract to help DARPA design it back in 2010). For more information on the NCR, click here. Although my opinion is strictly that of an enthusiast/lay person, from everything I’m reading, CyberCity looks even more promising!

Lastly, I apologize for my infrequent posts as of late. I’ve been taking a DFIR class that’s been taking up much of my time. Be sure to subscribe to fork() to keep up to date with all the latest blog postings, delivered right to your email!

Sources

O’Harrow, Robert, Jr. “CyberCity allows government hackers to train for attacks.” Washington Post, 11/26/2012. Note: If you’re interested in learning more about the CyberCity simulation, Robert O’Harrow Jr.’s coverage is full of great details and covers CyberCity in much more depth.

For some free computer security training videos be sure to check out Security Tube or the fork() post entitled “Computer Security Resources” for more interesting sites.