Explain ophcrack windows 10 tables.

380    Asked by ankurDwivedi in Cyber Security , Asked on Apr 4, 2022

 I'm putting together a demo of Ophcrack for my team here. It's been a while since I used it, like 7-10 years. Booting up into either the Ophcrack live CD or using it in Kali, I'm seeing samdump2 and pwdump showing the same SID/hash for all users of the machine (running in a VM) and Ophcrack says all accounts have an empty password. Any idea what's going on? Can Ophcrack/JTR be used against Windows 10?

Answered by Anisha Dalal

Regarding the ophcrack windows 10 tables - For some reason the tools detect "no password" but there is in fact the password hash shown. Pwdump7 for instance states NO PASSWORD but the NTLM password hash is in the 3rd last field.

Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
url: http://www.514.es
Administrator:500:NO PASSWORD*********************:878D8014606CDA29677A44EFA1353FC7:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
:503:NO PASSWORD*********************:NO PASSWORD*********************:::
dark_st3alth:1001:NO PASSWORD*********************:878D8014606CDA29677A44EFA1353FC7:::
Likewise, fgdump gives a similar NO PASSWORD output, but it fact the password is there:
fgDump 2.1.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright(C) 2008 fizzgig and foofus.net
fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it
under certain conditions; see the COPYING and README files for
more information.
No parameters specified, doing a local dump. Specify -? if you are looking for help.
--- Session ID: 2017-01-19-21-46-02 ---
Starting dump on
Administrator:500:NO PASSWORD*********************:NO PASSWORD*********************:::
dark_st3alth:1001:NO PASSWORD*********************:878D8014606CDA29677A44EFA1353FC7:::
DefaultAccount:503:NO PASSWORD*********************:NO PASSWORD*********************:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
I've used the password "secret" for demonstrative purposes.

For local accounts nothing has changed, but for logins by Microsoft accounts, pins, and picture passwords, I can't be sure if hashes are in fact generated. This is something I haven't gotten around to testing.

Your Answer


Parent Categories