Title: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: don on November 06, 2006, 10:58:46 PM

Chris has done what amounts to an academic paper on rainbow tables. This impressive article has to be one of the most definitive works on the subject. I hope the readers appreciate the kind of work it takes to bring you this type of content.
Hats off Chris!

Tutorial: Rainbow Tables and RainbowCrack (http://www.ethicalhacker.net/content/view/94/24/)

Don

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: oleDB on November 07, 2006, 09:54:15 AM

That was a very excellent writeup Chris.
I would also like to mention this tool, which I'm starting to like better than Cain and LC5. It seems to be slightly faster.

http://ophcrack.sourceforge.net/

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: don on November 07, 2006, 10:09:10 AM

I've mentioned this in another post, but it's worth mentioning here. Ophcrack has a live, bootable CD:
Quote
Ophcrack Live CD
The Ophcrack LiveCD is a bootable Linux CD-ROM containing ophcrack 2.3 and a set of tables (SSTIC04-10k). It allows for testing the strength of passwords on a Windows machine without having to install anything on it. Just put it into the CD-ROM drive, reboot and it will try to find a Windows partition, extract its SAM and start auditing the passwords.
Getting it
You can download the ISO image (http://prdownloads.sourceforge.net/ophcrack/ophcrack-livecd-1.1.3.iso?download) from SourceForge mirrors.
Package
You will find ophcrack 2.3 release (source tarball and win32 installer) at the root of the CD-ROM. The tables are located in directory 'ophcrack/10000'. Please feel free to install ophcrack and copy the tables on your harddisk if you want to use ophcrack outside of the LiveCD.

Don

PS - Help get Chris' awesome work noticed by digging this story (http://www.digg.com/security/Tutorial_All_You_Ever_Wanted_to_Know_About_PW_Cracking_and_Rainbow_Tables).

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: ChrisG on November 07, 2006, 11:13:07 AM

cool, i'll have to check that out, especially if it's a bootable ISO

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: ryan on November 07, 2006, 09:59:05 PM

Way to go Chris, this just made frontpage digg.com

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: ChrisG on November 07, 2006, 10:15:59 PM

yea!!!!
now i can expect a few more trojans in my email tomorrow i guess... it's worth it though for EH-net and LSO

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: slimjim100 on November 08, 2006, 01:57:31 PM

Very nice write up! I am one of the founders of www.plain-text.info and I still feel people do not listen to the fact weak passwords are negligence. I do want to add one thing. You explained how NTLM is better than LM (true) and that users should migrate over to NTLM. I agree it's the right way to go but remember too that LM is still around because networks and domains still have Windows 9X & NT PC's on their domains. If you force your domain/LAN to only NTLM you will push out all the older M$ PC's. Anyway nice paper and good luck on keeping the Trojans out. I just opened a new web site (www.anti-hacker.info) and I get all kinds of kiddies hitting it.

Slimjim100
www.anti-hacker.info

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: ChrisG on November 08, 2006, 09:59:25 PM

hey thanks for the nice comments! and the good point about the 98/NT boxes.
and welcome to EH-net.

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: p0et on December 05, 2006, 10:18:12 AM

last night I thought I'd try to create some rainbow tables. I followed Chris' tutorial and the one on http://www.antsight.com/zsl/rainbowcrack/rcracktutorial.htm.
I didn't see that I should have done "rtgen lm alpha 1 7 0 2100 8000000 all" for my first table, so I did "rtgen lm alpha 1 7 1 2100 8000000 all". This finished in a few hours and the description I saw for it was:

rtgen lm alpha 1 7 2 2100 8000000 all
hash routine: lm
hash length: 8
plain charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ
plain charset in hex: 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a
plain length range: 1 - 7
plain charset name: alpha
plain space total: 8353082582
rainbow table index: 1

I then proceeded to "rtgen lm alpha 1 7 2 2100 8000000 all" and the info I saw for this was:

hash routine: lm
hash length: 8
plain charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ
plain charset in hex: 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a
plain length range: 1 - 7
plain charset name: alpha
plain space total: 8353082582
rainbow table index: 2

These both look quite identical to me. I thought they would have different plain charsets or am I missing something? lm alpha 1 7 0 2100 8000000 all is being generated right now...

Thanks.

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: slimjim100 on December 05, 2006, 02:40:47 PM

Try to read this http://www.plain-text.info/Rainbowtables_Basics/. Also look at your rainbow table index number.

Slimjim100

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: p0et on December 07, 2006, 02:09:02 PM

I see that I can either generate my own rainbow tables with the help of the Tutorial on this site or I could download the SSTIC04-10k rainbow table.
What do you guys prefer? Any benefits to doing it either way? I just finished generating and sorting my 5 rainbow tables.

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: ChrisG on December 07, 2006, 04:28:46 PM

i ended up downloading a set from somewhere...don't remember where and i also created my own. depending on computer speeds it can take a while to generate them (a day or more). if you can download them for free i would do that, personally i wouldn't buy anything i can do myself but that's just me.

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: slimjim100 on December 08, 2006, 06:32:05 AM

I made my own back when rainbowcrack was released but I went out and did the team method. If you can find a small group of others that want to help you can just make the scripts and assign them out. My little team was called "Midga.org" (note the domain is now a friend's mudding site) but after getting up and running we merged with another group and made plain-text.info and at last count I think we are up to about 2+ terabytes of tables. I would not recommend buying rainbow tables as half the fun is customizing them to fit your needs. I have 250 gig of tables on an external hard drive I keep with me for offline cracking and when I need more power I then move to web based tables.

Slimjim100

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: p0et on December 20, 2006, 09:19:20 PM

Hey guys,
There was a website I used a little while ago to input a few hashes (individually) and the site's rainbow tables cracked them for me. I've lost the site though. You guys know which one that was? I know the plain-text.info site, but see that you can only input a hash file or something and the results are posted for all to see. It wasn't that one.

Thanks!

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: p0et on December 20, 2006, 09:37:59 PM

Found it! http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
Thanks.

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: bob677890 on February 13, 2007, 03:51:00 PM

I'm still not understanding how to effectively use the table indexing feature. I would like to generate NTLM hashes for 1 to 10 characters, mixedalpha-numeric-symbol14, which will take quite some time on a single machine. However, I have 4 2.0GHz machines that I can split up this processing on... how do I determine the probability success rate when more than an index of zero is used? Could someone provide example rtgen commands to run on each of the four machines I have available?
Much thanks.

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: slimjim100 on February 13, 2007, 08:19:19 PM

I will take a quick stab at this one...
Ok you would build a script to set the index 0 for computer #1, then you would have the same script but the index would now be set to 1 for computer #2, and so on. If you plan on using winrtgen.exe from www.oxid.it you can modify the "Tables.lst" file on each PC so that the different computers only make the tables you want. This will let you edit out the tables you are making on other computers.

Example: Tables.lst
------------------------------------------------------------------------------
ntlm_all#1-10_0_240000x40000000000000_oxid#000.rt;
ntlm_all#1-10_0_240000x40000000000000_oxid#001.rt;
ntlm_all#1-10_0_240000x40000000000000_oxid#002.rt;
ntlm_all#1-10_0_240000x40000000000000_oxid#003.rt;
------------------------------------------------------------------------------

You see 4 tables. If you wanted to use 4 computers to make this set you could just modify the Tables.lst to show one table per list per PC and when you are done you would have the set you wanted to make. Not sure if what I just typed made sense... If you understand it cool, if not post below and I will try to explain it again.

Brian

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: bob677890 on February 21, 2007, 12:53:00 PM

Thanks for the reply.
I understand how to index the tables, what I don't understand is how to determine the probability of success when using indexes. For instance, the Hak5 NTLM tables (http://www.hak5.org/wiki/Community_Rainbow_Tables/Assignment_List) have 25 tables, with 22 chains per table. When using the criteria provided (ntlm mixalpha-numeric-all-space 1 7 0 10000 40000000 0), WinRTGen benchmarks a ~11% probability success rate, yet Hak5 claims ~95% success probability. How is that probability determined?

Thanks.

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: bob677890 on February 21, 2007, 03:42:15 PM

Never mind, I think this might be what I was looking for...
http://www.antsight.com/zsl/rainbowcrack/configurations.htm

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: Manjusri on December 18, 2007, 12:47:11 AM

I am confused, on 2 counts.
1- Safe ALT-XXX passcode entries, ie- no LM hash, are these 3 or 4 digit numbers? The text mentions both, and the table also seems ambiguous.

2- Can't the function which produces the hash be found in the code and unwound to give a new function, such that one could enter the hash and return the original passcode?

thanks, Glenn

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: JJJHS13 on December 20, 2007, 08:13:18 PM

How do i get the software for linux? I'm not a big fan of wine

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: ChrisG on December 20, 2007, 08:17:11 PM

download the source and compile
http://www.antsight.com/zsl/rainbowcrack/rainbowcrack-1.2-src.zip

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: JJJHS13 on December 20, 2007, 08:34:45 PM

Sorry I'm new with linux, i don't know where the compiler is on this weird thing

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: ChrisG on December 20, 2007, 09:25:13 PM

Quote from: JJJHS13
Sorry I'm new with linux, i don't know where the compiler is on this weird thing

then you need to go over to LearnSecurityOnline.com http://www.learnsecurityonline.com register an account, then go to core competencies --> operating systems --> and read all the linux articles.

Title: Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack
Post by: ChrisG on December 20, 2007, 09:31:19 PM

Quote from: Manjusri
I am confused, on 2 counts. 1- Safe ALT-XXX passcode entries, ie- no LM hash, are these 3 or 4 digit numbers? The text mentions both, and the table also seems ambiguous.

yes 3 or four digits can be used try: http://www.castlecops.com/a5842-Passwords_Staying_Safe.html

Quote from: Manjusri
2- Can't the function which produces the hash be found in the code and unwound to give a new function, such that one could enter the hash and return the original passcode?

not really, the idea by hashing is that it's really easy one way and really hard the other. doing some googling on password hashes and hashing might lead you to some reading on why that won't work.
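
The question raised earlier in the thread, how success probability is determined once more than one table index is used, can be worked through numerically. The following is an added example, not part of any post here or of RainbowCrack itself: it applies the per-table estimate from Oechslin's rainbow table paper to the "rtgen lm alpha 1 7 <index> 2100 8000000" parameters and the five tables quoted in the thread, and assumes that tables built with different indexes miss independently of one another.

```python
import math

def keyspace(charset_size, min_len, max_len):
    """Number of candidate plaintexts ("plain space total" in rtgen output)."""
    return sum(charset_size ** k for k in range(min_len, max_len + 1))

def table_success(n, chain_len, chain_count):
    """Oechslin's estimate of the chance that one table contains a plaintext.

    Chains that collide inside a table merge, so the number of distinct
    points per column shrinks: m_1 = m, m_{i+1} = N * (1 - exp(-m_i / N)).
    """
    m = float(chain_count)
    miss = 1.0
    for _ in range(chain_len):
        miss *= 1.0 - m / n            # plaintext not in this column
        m = -n * math.expm1(-m / n)    # distinct points left for the next column
    return 1.0 - miss

def set_success(n, chain_len, chain_count, tables):
    """Each table index selects a different reduction function, so the misses
    of separate tables are modelled as independent (assumption of this sketch)."""
    miss_one = 1.0 - table_success(n, chain_len, chain_count)
    return 1.0 - miss_one ** tables

# Parameters quoted in the thread: rtgen lm alpha 1 7 <index> 2100 8000000
N = keyspace(26, 1, 7)                 # equals the "plain space total" shown
CHAIN_LEN, CHAIN_COUNT = 2100, 8_000_000

if __name__ == "__main__":
    one = table_success(N, CHAIN_LEN, CHAIN_COUNT)
    five = set_success(N, CHAIN_LEN, CHAIN_COUNT, 5)
    merged = table_success(N, CHAIN_LEN, 5 * CHAIN_COUNT)
    print(f"keyspace                      : {N}")
    print(f"one table (one index)         : {one:.4f}")
    print(f"five tables, indexes 0 to 4   : {five:.4f}")
    print(f"same chains under one index   : {merged:.4f}")
```

Five separately indexed tables cover more of the keyspace than a single table holding five times as many chains, because chains that merge inside one table stop contributing new plaintexts. The charset and the plain space total are the same for every index, which is why the rtgen descriptions quoted above differ only in the "rainbow table index" line.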