Ophcrack Cheat Sheet
Windows NTLM/LM rainbow-table cracker with GUI and live CD heritage.
Overview
Ophcrack recovers Windows passwords using rainbow tables for LM/NTLM hashes—fast for weak passwords when tables match the charset/length. Use on SAM/NTDS dumps you are authorized to analyze (forensics, lab AD, owned machines).
Install
    sudo apt install ophcrack ophcrack-cli

Essential commands

GUI

    ophcrack

CLI: single hash

    ophcrack-cli -g

Crack pwdump/SAM file with tables

    ophcrack-cli -d /path/to/tables -f sam.txt
    ophcrack-cli -d /usr/share/ophcrack/tables_vista_free -f hashes.txt -w

Common workflows

On Linux after acquiring SAM+SYSTEM:

    bkhive SYSTEM SYSTEM.hive
    samdump2 SYSTEM SAM > sam.txt
    ophcrack-cli -d tables_xp_free -f sam.txt

Pwdump line format: user:id:lm:ntlm:::

    ophcrack-cli -d tables_vista_free -f pwdump.txt -o result.txt

If ophcrack fails, pass NTLM to hashcat

    hashcat -m 1000 ntlm_only.txt rockyou.txt

Flags reference
| Flag | Description |
|---|---|
| -d | Tables directory |
| -f | Hash file |
| -g | Show hash format help |
| -o | Output file |
| -w | Hide usernames (wide tables) |
| -t | Table set number (CLI) |
Tips
- LM hashes crack quickly; modern Windows disables LM—focus on NTLM tables.
- Free tables cover short passwords; purchase or generate larger tables for engagements.
- Empty LM field aad3b435b51404eeaad3b435b51404ee is normal—crack the NTLM half.
- For domain hashes at scale, hashcat/secretsdump + rules usually replace ophcrack.
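
The pwdump line format and the empty-LM tip above, worked through as an added example (not part of the original cheat sheet or of ophcrack): a Python audit of a dump you are authorized to analyze that lists accounts still storing an LM hash, accounts with a blank password, and accounts sharing an NTLM hash, and collects the unique NTLM hashes for the `ntlm_only.txt` file used in the hashcat step. The sample dump and its hash values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"    # empty LM field quoted in the tips
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM hash of the empty password
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample in user:id:lm:ntlm::: form (hash values are placeholders).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:22222222222222222222222222222222:33333333333333333333333333333333:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
# junk line that is not a pwdump record
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, ntlm) per valid line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, ntlm = parts[2].lower(), parts[3].lower()
        if not HEX32.fullmatch(ntlm):
            continue
        if not HEX32.fullmatch(lm):  # blank or placeholder LM field: treat as empty
            lm = EMPTY_LM
        yield parts[0], int(parts[1]), lm, ntlm

def audit(text):
    """Report stored LM hashes, blank passwords and NTLM hashes shared by accounts."""
    by_ntlm = defaultdict(list)
    report = {"lm_stored": [], "blank": [], "shared": [], "ntlm_only": []}
    for user, _rid, lm, ntlm in parse_pwdump(text):
        if lm != EMPTY_LM:
            report["lm_stored"].append(user)   # LM storage still enabled for this account
        if ntlm == EMPTY_NTLM:
            report["blank"].append(user)       # nothing to crack: password is empty
        else:
            by_ntlm[ntlm].append(user)
    report["shared"] = sorted(sorted(u) for u in by_ntlm.values() if len(u) > 1)
    report["ntlm_only"] = sorted(by_ntlm)      # unique hashes, one per line for -m 1000
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

NTLM hashes are unsalted, so identical hashes in `shared` mean identical passwords; any entry in `lm_stored` is an account whose password should be reset after LM storage is disabled.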