January 3, 2013

Crack Hashes using Rainbow Tables

In this tutorial we describe the main options of RainbowCrack and explain the basic workflow for using it to crack password hashes (LM, NTLM, MD5): generating rainbow tables, sorting them and looking hashes up in them.

About RainbowCrack
RainbowCrack is a general-purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. Its function is to crack hashes.

The straightforward way to crack a hash is brute force: every candidate plaintext is hashed one by one and each result is compared with the target hash. If one matches, the plaintext is found; otherwise the search continues until the whole candidate space has been tried.

In the time-memory trade-off approach, the hashing work is done in advance and the results are stored in files called rainbow tables. After that, hashes can be looked up in the tables whenever needed. The precomputation costs several times the effort of a full key-space brute force, but once it is complete, a table lookup can be hundreds or thousands of times faster than brute force. The trade-off only pays off against unsalted hashes: a per-password salt changes the function being precomputed, so a table built for one salt value is useless for every other, which is why LM, NTLM and plain MD5 are the classic targets.

This document explains the steps needed to get RainbowCrack working for a first-time user. Most of the contents are specific to this implementation; the rest is generic to the time-memory trade-off algorithm.

(Note: For the purpose of this tutorial we use BackBox (based on Ubuntu) as the OS and the latest RainbowCrack packages.)

Download RainbowCrack

Download the latest version of RainbowCrack for your 32- or 64-bit operating system from the official site.

(Note: RainbowCrack runs on both Linux and Windows.)

Explanation

The RainbowCrack software includes three tools that must be used in sequence:
  • rtgen program to generate rainbow tables.
  • rtsort program to sort rainbow tables generated by rtgen.
  • rcrack program to lookup rainbow tables sorted by rtsort.
The software also includes a text file named charset.txt. It contains the available character sets that can be used to generate tables.

(Note: We can use one of the sets that charset.txt contains or define our own. This option is explained below.)

Generate Rainbow Tables

In this part of the tutorial we generate the rainbow tables with the rtgen tool. The command-line syntax is:
rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
hash_algorithm can be: LM, NTLM, MD5
charset can be: alpha-numeric, loweralpha-numeric, etc.
plaintext_len_min is the minimum length of the plaintexts (passwords) the table covers.
plaintext_len_max is the maximum plaintext length. These two bound the password length, not the hash length; the hash length is fixed by the algorithm (16 bytes for MD5, as the rtgen output below reports).
table_index selects the "reduce function" used in the table; every table in a set must use a different index.
chain_len is the length of each "rainbow chain" in the table.
chain_num is the number of rainbow chains in the table.
part_index determines how the "start point" of each chain is generated, so that one large table can be split into several files.

(Note: For the purpose of this tutorial we generate tables with the MD5 hash algorithm, the loweralpha-numeric charset and plaintext lengths from 1 to 5.)

So, in a terminal, run:
rtgen md5 loweralpha-numeric 1 5 0 10000 9682 0
The output is:
rainbow table md5_loweralpha-numeric#1-5_0_10000x9682_0.rt parameters
hash algorithm:         md5
hash length:            16
charset:                abcdefghijklmnopqrstuvwxyz0123456789
charset in hex:         61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39 
charset length:         36
plaintext length range: 1 - 5
reduce offset:          0x00000000
plaintext total:        62193780

sequential starting point begin from 0 (0x0000000000000000)
generating...
9682 of 9682 rainbow chains generated (0 m 2.9 s)
After the first table, generate five more in the same way, six in total, changing only the table_index:
rtgen md5 loweralpha-numeric 1 5 1 10000 9682 0
rtgen md5 loweralpha-numeric 1 5 2 10000 9682 0
rtgen md5 loweralpha-numeric 1 5 3 10000 9682 0
rtgen md5 loweralpha-numeric 1 5 4 10000 9682 0
rtgen md5 loweralpha-numeric 1 5 5 10000 9682 0
(Note: Each table in the set must use a different table_index, from 0 up to N. How many tables you need depends on the plaintext length range and the charset. In this example the six tables hold 6 x 9682 chains x 10000 positions, about 581 million chain positions, against a key space of 62,193,780 plaintexts; that oversampling is what keeps the success rate high even though merged chains make many positions repeat the same plaintexts.)

Sort Rainbow Tables

The rtsort program sorts the rainbow chains of a table by their "end point", so that rcrack can search the table quickly.

Run it once for each table file written by rtgen (the .rt files named in the rtgen output):
rtsort md5_loweralpha-numeric#1-5_0_10000x9682_0.rt
rtsort md5_loweralpha-numeric#1-5_1_10000x9682_0.rt
rtsort md5_loweralpha-numeric#1-5_2_10000x9682_0.rt
rtsort md5_loweralpha-numeric#1-5_3_10000x9682_0.rt
rtsort md5_loweralpha-numeric#1-5_4_10000x9682_0.rt
rtsort md5_loweralpha-numeric#1-5_5_10000x9682_0.rt
Each run prints the following (shown here for the first table):
md5_loweralpha-numeric#1-5_0_10000x9682_0.rt:
4810149888 bytes memory available
loading rainbow table...
sorting rainbow table by end point...
writing sorted rainbow table...

Crack Hashes

In this part of the tutorial we use the rcrack tool to look up the required hash in the rainbow tables. The command-line syntax is:
rcrack /the/directory/of/*.rt -option hash_code
Option can be one of the following:
-h your_hash_directly_here
-f pwdump_file
-l hash_list_file
(Note: Option -f reads a pwdump-format file, the format in which LM/NTLM hashes are dumped from Windows, and is meant for tables generated with the LM algorithm.)

First we use the -h option to crack a single hash. On the command line, run:
rcrack Charset/MD5/*.rt -h D9DA8170E8BC9F27B2D32A6C9A6C697D
The output is:
4889038848 bytes memory available
6 x 154912 bytes memory allocated for table buffer
160000 bytes memory allocated for chain traverse
disk: Charset/MD5/md5_loweralpha-numeric#1-5_0_10000x9682_0.rt: 154912 bytes read
disk: Charset/MD5/md5_loweralpha-numeric#1-5_1_10000x9682_0.rt: 154912 bytes read
disk: Charset/MD5/md5_loweralpha-numeric#1-5_2_10000x9682_0.rt: 154912 bytes read
disk: Charset/MD5/md5_loweralpha-numeric#1-5_3_10000x9682_0.rt: 154912 bytes read
disk: Charset/MD5/md5_loweralpha-numeric#1-5_4_10000x9682_0.rt: 154912 bytes read
disk: Charset/MD5/md5_loweralpha-numeric#1-5_5_10000x9682_0.rt: 154912 bytes read
searching for 1 hash...
plaintext of d9da8170e8bc9f27b2d32a6c9a6c697d is adm1n
disk: thread aborted

statistics
-------------------------------------------------------
plaintext found:                              1 of 1
total time:                                   2.53 s
time of chain traverse:                       1.60 s
time of alarm check:                          0.81 s
time of wait:                                 0.00 s
time of other operation:                      0.12 s
time of disk read:                            0.03 s
hash & reduce calculation of chain traverse:  49990000
hash & reduce calculation of alarm check:     24756418
number of alarm:                              7680
speed of chain traverse:                      31.30 million/s
speed of alarm check:                         30.64 million/s

result
-------------------------------------------------------
d9da8170e8bc9f27b2d32a6c9a6c697d  adm1n  hex:61646d316e
(Note: The hash above was generated as an MD5 hash.)

Next we try the -l option on a file of NTLM hashes (one hex hash per line):
rcrack Charset/NTLM/*.rt -l Hash_me.txt
The output is:
4866244608 bytes memory available
6 x 154912 bytes memory allocated for table buffer
320000 bytes memory allocated for chain traverse
disk: Charset/NTLM/ntlm_loweralpha-numeric#1-5_0_10000x9682_0.rt: 154912 bytes read
disk: Charset/NTLM/ntlm_loweralpha-numeric#1-5_1_10000x9682_0.rt: 154912 bytes read
disk: Charset/NTLM/ntlm_loweralpha-numeric#1-5_2_10000x9682_0.rt: 154912 bytes read
disk: Charset/NTLM/ntlm_loweralpha-numeric#1-5_3_10000x9682_0.rt: 154912 bytes read
disk: Charset/NTLM/ntlm_loweralpha-numeric#1-5_4_10000x9682_0.rt: 154912 bytes read
disk: Charset/NTLM/ntlm_loweralpha-numeric#1-5_5_10000x9682_0.rt: 154912 bytes read
searching for 2 hashes...
plaintext of cade9ee667617d06fb176615ce24e4b8 is pr1vs
plaintext of cf9210fd953db38d12a78f52a1f389c0 is ra1nt
disk: thread aborted

statistics
-------------------------------------------------------
plaintext found:                              2 of 2
total time:                                   3.53 s
time of chain traverse:                       2.44 s
time of alarm check:                          1.02 s
time of wait:                                 0.01 s
time of other operation:                      0.06 s
time of disk read:                            0.00 s
hash & reduce calculation of chain traverse:  99980000
hash & reduce calculation of alarm check:     39798954
number of alarm:                              14080
speed of chain traverse:                      40.99 million/s
speed of alarm check:                         38.90 million/s

result
-------------------------------------------------------
cf9210fd953db38d12a78f52a1f389c0  ra1nt  hex:7261316e74
cade9ee667617d06fb176615ce24e4b8  pr1vs  hex:7072317673
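To make clear what the three commands above actually do, here is an added example (written for this page; it is not RainbowCrack's code and does not reproduce its file format): a toy rainbow table in Python that takes the same parameters as rtgen, generates chains the way rtgen does, sorts them by end point like rtsort, and searches them like rcrack, including the "alarm" handling for merged chains. It also parses character sets in the charset.txt syntax shown in the next section and computes the "plaintext total" printed by rtgen. The reduce offset of 65536 x table_index is an assumption about rtgen's convention (the page shows offset 0 for table 0); the charset excerpt and the passwords in the demo are constructed. Because table coverage is probabilistic, the demo may miss one of its passwords, which is exactly why the tutorial builds several tables with different table_index values.

```python
import bisect
import hashlib

# Constructed excerpt in the syntax of RainbowCrack's charset.txt ("name = [chars]").
CHARSET_TXT = """
loweralpha         = [abcdefghijklmnopqrstuvwxyz]
loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
"""

def parse_charsets(text):
    """Parse 'name = [chars]' lines into {name: chars}; everything inside the brackets counts."""
    sets = {}
    for line in text.splitlines():
        name, sep, body = line.partition("=")
        body = body.strip()
        if sep and body.startswith("[") and body.endswith("]"):
            sets[name.strip()] = body[1:-1]
    return sets

def keyspace_size(charset_len, len_min, len_max):
    """Plaintexts of length len_min..len_max: the 'plaintext total' that rtgen prints."""
    return sum(charset_len ** n for n in range(len_min, len_max + 1))

def md5_digest(plaintext):
    return hashlib.md5(plaintext.encode()).digest()

class RainbowTable:
    """Toy table taking rtgen's parameters; each table_index gets its own reduce function."""

    def __init__(self, hash_fn, charset, len_min, len_max, table_index, chain_len, chain_num, part_index=0):
        self.hash_fn, self.charset, self.len_min = hash_fn, charset, len_min
        self.chain_len, self.chain_num = chain_len, chain_num
        self.total = keyspace_size(len(charset), len_min, len_max)
        self.reduce_offset = table_index * 65536   # assumed to mirror rtgen's "reduce offset"
        self.first_start = part_index * chain_num  # part_index shifts the sequential start points
        self.chains, self.ends = [], []            # (end index, start index) pairs, sorted by end

    def index_to_plaintext(self, idx):
        # Indices enumerate all len_min strings first, then all len_min+1 strings, and so on.
        n, length, block = len(self.charset), self.len_min, len(self.charset) ** self.len_min
        while idx >= block:
            idx, length, block = idx - block, length + 1, block * n
        out = []
        for _ in range(length):
            out.append(self.charset[idx % n])
            idx //= n
        return "".join(reversed(out))

    def reduce(self, digest, pos):
        # Position-dependent reduce function: first 8 hash bytes as an integer, plus the
        # table's offset and the chain position, folded back into the key space.
        return (int.from_bytes(digest[:8], "little") + self.reduce_offset + pos) % self.total

    def step(self, idx, pos):
        # One hash-and-reduce step: plaintext index at position pos -> index at pos + 1.
        return self.reduce(self.hash_fn(self.index_to_plaintext(idx)), pos)

    def generate(self):  # rtgen: walk chain_num chains, store only start and end points
        for i in range(self.chain_num):
            start = idx = (self.first_start + i) % self.total
            for pos in range(self.chain_len - 1):
                idx = self.step(idx, pos)
            self.chains.append((idx, start))
        return self

    def sort(self):  # rtsort: order by end point so that lookup can binary-search
        self.chains.sort()
        self.ends = [end for end, _ in self.chains]
        return self

    def lookup(self, digest):  # rcrack: search one table for the plaintext of one hash
        for pos in range(self.chain_len - 2, -1, -1):  # assume the target sits at `pos`
            idx = self.reduce(digest, pos)
            for p in range(pos + 1, self.chain_len - 1):  # walk on to the chain's end point
                idx = self.step(idx, p)
            i = bisect.bisect_left(self.ends, idx)
            while i < len(self.ends) and self.ends[i] == idx:
                cand = self.chains[i][1]  # regenerate the matching chain from its start point
                for p in range(pos):
                    cand = self.step(cand, p)
                plaintext = self.index_to_plaintext(cand)
                if self.hash_fn(plaintext) == digest:
                    return plaintext
                i += 1  # false alarm (an "alarm" in rcrack's statistics): a merged chain
        return None

def build_tables(hash_fn, charset, len_min, len_max, n_tables, chain_len, chain_num):
    """The rtgen/rtsort loop from the tutorial: one table per table_index 0..n_tables-1."""
    return [RainbowTable(hash_fn, charset, len_min, len_max, t, chain_len, chain_num).generate().sort()
            for t in range(n_tables)]

def crack(tables, digest):
    """rcrack over a table set: the first table that finds the plaintext wins."""
    for table in tables:
        plaintext = table.lookup(digest)
        if plaintext is not None:
            return plaintext
    return None

if __name__ == "__main__":
    tables = build_tables(md5_digest, parse_charsets(CHARSET_TXT)["loweralpha"], 1, 3, 3, 40, 400)
    for pw in ("abc", "zz", "q"):  # constructed test passwords inside the key space
        print(pw, "->", crack(tables, md5_digest(pw)))
```

Two things worth noticing when running it: a plaintext that sits at position 39 of a chain (the end point) is never found, because its hash is never reduced inside the chain, and the number of false alarms grows with chain length, which is the cost side of the "longer chains, smaller tables" trade-off.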

Edit Charset.txt List

In this part of the tutorial we edit charset.txt to add our own character set. The file contains the following lines:
numeric            = [0123456789] 

alpha              = [ABCDEFGHIJKLMNOPQRSTUVWXYZ] 
alpha-numeric      = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789] 

loweralpha         = [abcdefghijklmnopqrstuvwxyz] 
loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789] 

mixalpha           = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ] 
mixalpha-numeric   = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789] 

ascii-32-95                     = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~] 
ascii-32-65-123-4            = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~] 
alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ] 

oracle-alpha-numeric-symbol3 = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$_]
We can add our own set by appending a line in the same form. Every character between the brackets becomes part of the set, commas and spaces included, so the following line defines a set of the characters m, y, comma, c, h, a, r, s, hyphen, o, b, l:
set_char_name                 = [my,chars,-,symbols]
We then pass the set name in place of charset when running rtgen. Keep the definition in charset.txt afterwards, because the table file name refers to the set by name and rcrack reads the same file.

(Note: I used onlinehashcrack.com to convert my passwords to LM/NTLM format.)

Conclusion

There are many ways to process a file of hashes. This tutorial describes the basics: generating tables and cracking a simple text file of MD5/LM/NTLM hashes. The best approach is to try every parameter in a virtual environment, creating your own hashes and tables, to see what each option does before moving on to real hash files.

Designed and Created by Liatsis Fotis for liatsisfotis.com

Download Tutorial (PDF)