CSE 466 Project 3
(Group project of 2)
Due Date: October 7, 2009, Start of Class
Method of Submission: Print out, Font: Times New Roman 12 (or comparable)
Cracking Windows XP passwords (You must do both methods)
Warning: These instructions are meant to provide you with training in security issues. You are advised to implement this project on your personal virtual machines. Exploiting remote machines is not a good idea – it is a criminal offense. These instructions are intended to train computer security professionals, not to help criminals.
Note: It is best you do not share the information you learnt in this project with people who have not taken this class. You can easily figure out why such information may be damaging.
Part 1: Cracking Windows XP Password With Ophcrack
Download a copy of the ophcrack live CD for Win XP from SourceForge: http://ophcrack.sourceforge.net/
Some of you may have already received ophcrack on the DVD that you copied (I forgot to place it on some of the DVDs that I kept in the lab area), in which case you can use that instead of downloading a fresh copy. (Once you get it, please share it with friends if possible so we don’t have multiple downloads of ophcrack.)
Before you begin the project, create 3 or 4 dummy accounts on the XP virtual machine such that the password strength varies from weak to really strong.
It is important that the virtual machine is in the powered-off state for this part. Open VMware Workstation and make sure the machine is powered off. If it is, Workstation will allow you to ‘Edit Virtual Machine Settings’ and add a CD-ROM drive. Under its settings, make it use the ISO image that you stored on your host computer.
If the virtual machine is not in the powered-off state, it is likely that a VMware suspended-state file is stored in the virtual machine directory (the file Windows XP Professional.vmss). Simply delete it; this should take care of the suspended-state problem.
When you boot the machine, make sure you quickly enter the boot menu by pressing F2 (or F8, or whatever the key is for your VM) in the VMware guest OS window. (You will need to click in that window quickly to transfer keyboard control to the virtual machine.)
This should boot the ophcrack live Linux CD. Let the program run for at least 5 – 10 minutes, take a snapshot of the results and highlight the passwords which were not recovered. In your report, alongside the snapshot, briefly describe what you learnt from this method, disclose what passwords you used, why this hack was possible, and what causes password strength to increase.
Part 2: Cracking Win XP passwords with Cain and Abel
As before, we need dummy accounts with varying passwords on the XP virtual machine. Go to http://www.oxid.it/cain.html
Download Cain & Abel v4.9.31 for Windows NT/2000/XP. Save it on the VM desktop and hit the install button. The wizard may ask you to install additional items; simply click through and install everything it asks for. Open the directory where you installed Cain and copy abel.exe and abel.dll to the c:\windows directory. Then double-click abel.exe inside c:\windows; a box should pop up saying something to the effect of “Abel installed”. Next, run services.msc, select the Abel service and start it. Once it is started, double-click the Cain icon created on your desktop. Select the Network tab, right-click on Quick List, select Add to Quick List, and enter the IP address of your virtual machine when prompted. Then expand Abel -> Hashes. A box should pop up asking whether to include password history hashes – click No.
This shows the password hashes. Select the accounts you want to crack and send them to the cracker. Open the Cracker tab, right-click on an account and select Brute-Force Attack -> LM Hashes. You can also choose to attack the NTLM hashes (NTLM hashes are much slower to brute-force, so choose only short passwords (<7 characters; the TA managed it with 6 letters) for the NTLM attack). In the brute-force attack box, click Start and this should eventually find the passwords. Do this for all the accounts. If the cracker cannot find a match after 10 minutes, simply take a snapshot of the box and hit Stop.
In the Cracker tab the passwords you cracked should be visible. Take a snapshot of it and include it in the report. Your report should include a brief description of how the NTLM hash differs from the LM hash (you can use Wikipedia or Microsoft’s documentation for this).
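The two report questions above (why the Ophcrack attack in Part 1 works, and how the NTLM hash differs from the LM hash in Part 2) come down to how XP stores the two hashes. The following is an added example written for this handout; it is not code from the course, from Ophcrack or from Cain & Abel. It implements MD4 in pure Python (so it runs even where OpenSSL no longer exposes MD4), computes the NT hash as MD4 over the UTF-16LE password with no salt, and shows the LM preprocessing step (uppercase, pad to 14, split into two 7-byte blocks) without the final DES step. The function names md4, nt_hash, lm_halves and password_report are my own; the latin-1 encoding used for LM is a simplification of the OEM code page that real LM hashing uses.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320, written out here so the example needs no OpenSSL legacy provider."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)   # pad so length % 64 == 56
    data += struct.pack("<Q", bit_len)                # little-endian 64-bit length
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                           # round 1: F = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2: majority function G
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4                  # word order 0,4,8,12,1,5,...
            a = _rotl((a + g + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3: H = b ^ c ^ d
            h = b ^ c ^ d
            k = int(f"{i:04b}"[::-1], 2)              # word order 0,8,4,12,2,10,...
            a = _rotl((a + h + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = [(s + v) & MASK for s, v in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. Case-sensitive, any length, but unsalted,
    which is exactly why a precomputed rainbow table (Ophcrack) can look it up."""
    return md4(password.encode("utf-16-le")).hex()


def lm_halves(password: str):
    """The two 7-byte blocks that LM DES-encrypts independently, or None when XP
    stores no LM hash at all (password longer than 14 characters)."""
    if len(password) > 14:
        return None
    # Case is thrown away and the password is padded with NULs to 14 bytes.
    padded = password.upper().encode("latin-1", "replace").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def password_report(password: str) -> dict:
    """What an XP SAM entry for this password gives away before any cracking starts."""
    halves = lm_halves(password)
    return {
        "nt_hash": nt_hash(password),
        "lm_stored": halves is not None,
        # With 7 or fewer characters the second LM block is all zeros, so its DES
        # output is a fixed value: the hash alone reveals the password is short.
        "lm_second_half_empty": halves is not None and halves[1] == b"\x00" * 7,
        # Each LM half is at most 7 uppercase characters and is attacked on its own,
        # so a 14-character password costs two 7-character searches, not one 14-character one.
        "lm_independent_blocks": halves is not None and halves[1] != b"\x00" * 7,
    }


if __name__ == "__main__":
    # Constructed sample passwords spanning the weak-to-strong range the project asks for.
    for pw in ["secret", "Password1", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, password_report(pw))
```

Running it shows the three things the report asks about: "secret" and "SECRET" give the same LM halves but different NT hashes (case matters only for NTLM), any password of 7 or fewer characters has an empty second LM block, and a password over 14 characters has no LM hash to attack at all, which is the single biggest jump in strength against Part 1 and the LM attack in Part 2.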