[Article]-Tutorial: Rainbow Tables and RainbowCrack

This topic contains 24 replies, has 8 voices, and was last updated by  Anonymous 11 years, 3 months ago.

  • #842
     Don Donzal 
    Keymaster

    Chris has done what amounts to an academic paper on rainbow tables. This impressive article has to be one of the most definitive works on the subject. I hope the readers appreciate the kind of work it takes to bring you this type of content.

    Hats off Chris!

    Tutorial: Rainbow Tables and RainbowCrack

    Don

  • #10596
     oleDB 
    Participant

    That was a very excellent writeup Chris.

    I would also like to mention this tool, which I’m starting to like better than Cain and LC5. It seems to be slightly faster.

    http://ophcrack.sourceforge.net/

  • #10597
     Don Donzal 
    Keymaster

    I’ve mentioned this in another post, but it’s worth mentioning here. Ophcrack has a live, bootable CD:

    Ophcrack Live CD
    The Ophcrack LiveCD is a bootable Linux CD-ROM containing ophcrack 2.3 and a set of tables (SSTIC04-10k). It allows for testing the strength of passwords on a Windows machine without having to install anything on it. Just put it into the CD-ROM drive, reboot and it will try to find a Windows partition, extract its SAM and start auditing the passwords.

    Getting it
    You can download the ISO image from SourceForge mirrors.

    Package
    You will find the ophcrack 2.3 release (source tarball and win32 installer) at the root of the CD-ROM. The tables are located in directory ‘ophcrack/10000’. Please feel free to install ophcrack and copy the tables onto your hard disk if you want to use ophcrack outside of the LiveCD.

    Don

    PS – Help get Chris’ awesome work noticed by digging this story.

  • #10598
     Anonymous 
    Participant

    Cool, I’ll have to check that out, especially if it’s a bootable ISO.

  • #10599
     ryan.cartner 
    Participant

    Way to go Chris, this just made frontpage digg.com

  • #10600
     Anonymous 
    Participant

    Yea!!!!

    Now I can expect a few more trojans in my email tomorrow, I guess…

    It’s worth it, though, for EH-net and LSO.

  • #10601
     slimjim100 
    Participant

    Very nice write-up! I am one of the founders of http://www.plain-text.info and I still feel people do not listen to the fact that weak passwords are negligence. I do want to add one thing. You explained how NTLM is better than LM (true) and that users should migrate over to NTLM. I agree it’s the right way to go, but remember too that LM is still around because networks and domains still have Windows 9X & NT PCs on their domains. If you force your domain/LAN to NTLM only, you will push out all the older M$ PCs. Anyway, nice paper and good luck on keeping the Trojans out. I just opened a new web site (http://www.anti-hacker.info) and I get all kinds of kiddies hitting it.

    Slimjim100

    http://www.anti-hacker.info

  • #10602
     Anonymous 
    Participant

    Hey, thanks for the nice comments! And good point about the 98/NT boxes.

    And welcome to EH-net.

  • #10603
     p0et 
    Participant

    Last night I thought I’d try to create some rainbow tables. I followed Chris’ tutorial and the one on http://www.antsight.com/zsl/rainbowcrack/rcracktutorial.htm.

    I didn’t see that I should have done “rtgen lm alpha 1 7 0 2100 8000000 all” for my first table, so I did “rtgen lm alpha 1 7 1 2100 8000000 all”.  This finished in a few hours and the description I saw for it was:
    rtgen lm alpha 1 7 2 2100 8000000 all
    hash routine: lm
    hash length: 8
    plain charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ
    plain charset in hex: 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a
    plain length range: 1 – 7
    plain charset name: alpha
    plain space total: 8353082582
    rainbow table index: 1

    I then proceeded to “rtgen lm alpha 1 7 2 2100 8000000 all” and the info I saw for this was:
    hash routine: lm
    hash length: 8
    plain charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ
    plain charset in hex: 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a
    plain length range: 1 – 7
    plain charset name: alpha
    plain space total: 8353082582
    rainbow table index: 2

    These both look quite identical to me. I thought they would have different plain charsets, or am I missing something?

    lm alpha 1 7 0 2100 8000000 all is being generated right now…

    Thanks.

  • #10604
     slimjim100 
    Participant

    Try to read this http://www.plain-text.info/Rainbowtables_Basics/. Also look at your rainbow table index number.

    Slimjim100

  • #10605
     p0et 
    Participant

    I see that I can either generate my own rainbow tables with the help of the Tutorial on this site or I could download the SSTIC04-10k rainbow table.

    What do you guys prefer?  Any benefits to doing it either way?  I just finished generating and sorting my 5 rainbow tables.

  • #10606
     Anonymous 
    Participant

    I ended up downloading a set from somewhere… don’t remember where, and I also created my own. Depending on computer speeds it can take a while to generate them (a day or more). If you can download them for free I would do that; personally I wouldn’t buy anything I can do myself, but that’s just me.

  • #10607
     slimjim100 
    Participant

    I made my own back when RainbowCrack was released, but I went out and did the team method. If you can find a small group of others that want to help, you can just make the scripts and assign them out. My little team was called “Midga.org” (note the domain is now a friend’s MUD site), but after getting up and running we merged with another group and made plain-text.info, and at last count I think we are up to about 2+ terabytes of tables. I would not recommend buying rainbow tables, as half the fun is customizing them to fit your needs. I have 250 gig of tables on an external hard drive I keep with me for offline cracking, and when I need more power I then move to web-based tables.

    Slimjim100

  • #10608
     p0et 
    Participant

    Hey guys,
    There was a website I used a little while ago to input a few hashes (individually) and the site’s rainbow tables cracked them for me.  I’ve lost the site though.  You guys know which one that was?

    I know the plain-text.info site, but see that you can only input a hash file or something and the results are posted for all to see.  It wasn’t that one.

    Thanks!

  • #10609
     p0et 
    Participant
  • #10610
     bob677890 
    Participant

    I’m still not understanding how to effectively use the table indexing feature. I would like to generate NTLM hashes for 1 to 10 characters, mixedalpha-numeric-symbol14, which will take quite some time on a single machine. However, I have 4 2.0GHz machines that I can split this processing up on… how do I determine the probability success rate when more than an index of zero is used? Could someone provide example rtgen commands to run on each of the four machines I have available?

    Much thanks.

  • #10611
     slimjim100 
    Participant

    I will take a quick stab at this one…

    OK, you would build a script to set the index to 0 for computer #1, then you would have the same script but with the index now set to 1 for computer #2, and so on. If you plan on using winrtgen.exe from http://www.oxid.it you can modify the “Tables.lst” file on each PC so that the different computers only make the tables you want. This will let you edit out the tables you are making on other computers.

    Example:

    Tables.lst


    ntlm_all#1-10_0_240000x40000000000000_oxid#000.rt;
    ntlm_all#1-10_0_240000x40000000000000_oxid#001.rt;
    ntlm_all#1-10_0_240000x40000000000000_oxid#002.rt;
    ntlm_all#1-10_0_240000x40000000000000_oxid#003.rt;


    You see 4 tables. If you wanted to use 4 computers to make this set, you could just modify the Tables.lst to show one table per list per PC, and when you are done you would have the set you wanted to make.

    Not sure if what I just typed made sense… If you understand it, cool; if not, post below and I will try to explain it again.

    Brian

  • #10612
     bob677890 
    Participant

    Thanks for the reply.

    I understand how to index the tables, what I don’t understand is how to determine the probability of success when using indexes.

    For instance, the Hak5 NTLM tables (http://www.hak5.org/wiki/Community_Rainbow_Tables/Assignment_List) have 25 tables, with 22 chains per table. When using the criteria provided (ntlm mixalpha-numeric-all-space 1 7 0 10000 40000000 0), WinRTGen benchmarks a ~11% probability success rate, yet Hak5 claims ~95% success probability. How is that probability determined?

    Thanks.
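To make p0et’s two “identical-looking” runs and bob677890’s probability question concrete, here is a small added illustration (not code from the article, RainbowCrack, or any poster). It builds toy rainbow tables whose reduction function folds in the table index the way rtgen does (assumed here as a simplified `index * 65536` offset; MD5 stands in for LM, and the plain space is alpha 1-3 instead of alpha 1-7), so two tables with the same charset and lengths but different indices cover different plaintexts, and it computes the combined success rate `1 - (1 - p)^n` that turns ~11% per table into ~95% over 25 tables.

```python
import hashlib
import random
# Toy rainbow table over upper-case plaintexts of length 1..3 (plain space 18278).
# MD5 stands in for LM; the reduction is simplified but, modelled on rtgen, depends
# on the chain step and on the table index (assumption for this example).
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SPACE = 26 + 26 ** 2 + 26 ** 3   # "plain space total" for alpha 1-3
CHAIN_LEN = 50

def plain_from_index(n):
    """Map an integer in [0, SPACE) to one plaintext, shortest lengths first."""
    length = 1
    while n >= 26 ** length:
        n, length = n - 26 ** length, length + 1
    return "".join(CHARSET[(n // 26 ** i) % 26] for i in range(length))

def next_plain(p, step, table_index):
    """Hash plaintext number p, then reduce the digest back into the plain space."""
    digest = hashlib.md5(plain_from_index(p).encode()).digest()
    return (int.from_bytes(digest[:8], "little") + step + table_index * 65536) % SPACE

def generate_table(table_index, chain_count, seed):
    """One table as (index, {end_plaintext: start_number}); merged chains collapse."""
    rng, table = random.Random(seed), {}
    for _ in range(chain_count):
        start = p = rng.randrange(SPACE)
        for step in range(CHAIN_LEN):
            p = next_plain(p, step, table_index)
        table[plain_from_index(p)] = start
    return table_index, table

def coverage(tables):
    """Fraction of the plain space hashed by at least one chain of these tables."""
    seen = set()
    for table_index, table in tables:
        for p in table.values():
            for step in range(CHAIN_LEN):
                seen.add(p)
                p = next_plain(p, step, table_index)
    return len(seen) / SPACE

def combined_success(p_single, n_tables):
    """Success rate of n independent tables each covering fraction p: 1-(1-p)**n."""
    return 1 - (1 - p_single) ** n_tables

def demo():
    """Coverage of one table, two index-0 tables, and an index-0 + index-1 pair."""
    one = generate_table(0, 400, seed=1)
    same_index = [one, generate_table(0, 400, seed=2)]
    new_index = [one, generate_table(1, 400, seed=2)]
    return coverage([one]), coverage(same_index), coverage(new_index)
```

`demo()` shows that a second table with the same index mostly re-walks merged chains, while a second index adds nearly independent coverage; `combined_success(0.11, 25)` gives about 0.946, which is where the ~95% figure comes from.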

  • #10613
     bob677890 
    Participant

    Nevermind, I think this might be what I was looking for…

    http://www.antsight.com/zsl/rainbowcrack/configurations.htm

  • #10614
     Anonymous 
    Participant

    I am confused, on 2 counts.

    1- Safe ALT-XXX passcode entries, i.e. no LM hash: are these 3 or 4 digit numbers? The text mentions both, and the table also seems ambiguous.

    2- Can’t the function which produces the hash be found in the code and unwound to give a new function, such that one could enter the hash and return the original passcode?

    thanks, Glenn

  • #10615
     JJJHS13 
    Participant

    How do I get the software for Linux? I’m not a big fan of Wine.

  • #10616
     Anonymous 
    Participant
  • #10617
     JJJHS13 
    Participant

    Sorry, I’m new to Linux; I don’t know where the compiler is on this weird thing.

  • #10618
     Anonymous 
    Participant

    @jjjhs13 wrote:

    Sorry, I’m new to Linux; I don’t know where the compiler is on this weird thing.

    Then you need to go over to LearnSecurityOnline.com

    http://www.learnsecurityonline.com

    Register an account, then go to core competencies –> operating systems –> and read all the Linux articles.

  • #10619
     Anonymous 
    Participant

    @Manjusri wrote:

    I am confused, on 2 counts.

    1- Safe ALT-XXX passcode entries, i.e. no LM hash: are these 3 or 4 digit numbers? The text mentions both, and the table also seems ambiguous.

    Yes, 3 or 4 digits can be used.
    Try: http://www.castlecops.com/a5842-Passwords_Staying_Safe.html

    @Manjusri wrote:

    2- Can’t the function which produces the hash be found in the code and unwound to give a new function, such that one could enter the hash and return the original passcode?

    Not really; the idea behind hashing is that it’s really easy one way and really hard the other. Doing some Googling on password hashes and hashing might lead you to some reading on why that won’t work.
