Kali Linux

RainbowCrack is a password cracking tool available for Windows and Linux operating systems. Unlike other password cracking tools, RainbowCrack uses a time-memory tradeoff algorithm to crack hashes along with large pre-computed “rainbow tables” that help to reduce password cracking time.

Features include:

  • Terminal-based and GUI-friendly interfaces available
  • Works well with multi-core processors
  • Rainbow table generation, sort, conversion and lookup
  • Support for GPU acceleration (Nvidia CUDA and AMD OpenCL)
  • Support for rainbow tables of any hash algorithm and charset
  • Support for rainbow tables in raw file format (.rt) and compact file format (.rtc)

A time-memory tradeoff hash cracker needs a pre-computation stage, during which all plaintext/hash pairs within the selected hash algorithm, charset and plaintext length are computed and the results are stored in files called rainbow tables. This kind of computation is time consuming, but once the one-time pre-computation is finished, hashes stored in the table can be cracked with much better performance than with a brute force cracker.

Source: https://project-rainbowcrack.com

Intro to Rainbow Tables

The main benefit of Rainbow Tables is that while the actual creation of the rainbow tables takes much more time than cracking a single hash, after they are generated you can use the tables over and over again. Additionally, once you have generated the Rainbow Tables, RainbowCrack is faster than brute force attacks and needs less memory than full dictionary attacks.

Rainbow Tables are popular with a particularly weak password algorithm known as Microsoft LM hash. LM stands for LAN Manager; this password algorithm was used in the earlier days of Windows and still lives on only for compatibility reasons. By default, Windows XP and even Windows Server 2003 keep the LM hash of your passwords in addition to a more secure hash (NTLM or NTLMv2). This allows for backwards compatibility with older operating systems on your network, but unfortunately makes the job of password cracking easier if you can obtain the LM hashes instead of the NTLM hashes.

Microsoft’s LAN Manager algorithm and its weaknesses

So why is the LM algorithm weak? “The LAN Manager scheme has several weaknesses, including converting all characters to uppercase, splitting passwords into 7-byte chunks, and not using an additional random element known as ‘salt.’” [2]

These three issues give rainbow tables their cracking power. By converting all characters to uppercase, you effectively cut the per-character key space in half. If your passwords contained only letters (A-Z, a-z), you would expect 52 possibilities per character, but with LM you have only 26 because passwords are converted to all uppercase. So my way-secure password of PaSsWoRd would be converted automatically to PASSWORD.

Passwords longer than 7 characters are split into 2 chunks, so a 14-character password is effectively turned into two seven-character passwords (and converted to uppercase). The chunks can also be attacked separately, as you will see when we start cracking passwords.

Lastly, by not salting any of the passwords no extra complexity is added to stored passwords.
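The effect of the uppercase conversion and the 7-character split can be checked numerically. The following is an added example, not code from RainbowCrack or the original article: it applies the LM preprocessing steps described above (simplified to ASCII; the helper names are hypothetical) and reproduces the keyspace figures listed for LM configurations #0, #1 and #5 further down this page.

```python
# Character sets copied from LM configurations #0, #1 and #5 on this page.
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALNUM = ALPHA + "0123456789"
ALNUM_SYM14 = ALNUM + "!@#$%^&*()-_+= "

def lm_halves(password: str) -> tuple:
    """Uppercase, NUL-pad to 14 characters, split into two 7-character halves.
    Each half is then hashed on its own, with no salt."""
    if len(password) > 14:
        raise ValueError("LM is limited to passwords of at most 14 characters")
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]

def keyspace(charset: str, min_len: int = 1, max_len: int = 7) -> int:
    """Number of candidate plaintexts a table must cover for one LM half."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))

def unsplit_keyspace(charset: str, max_len: int = 14) -> int:
    """Hypothetical comparison: the same password hashed as one
    case-sensitive unit of up to 14 characters."""
    mixed = set(charset) | set(charset.lower())
    return sum(len(mixed) ** n for n in range(1, max_len + 1))

def reduction_factor(charset: str) -> int:
    """How much smaller the search space is because of case folding
    plus splitting (both halves are looked up in the same table)."""
    return unsplit_keyspace(charset) // keyspace(charset)

if __name__ == "__main__":
    print(lm_halves("PaSsWoRd"))
    for name, cs in (("#0", ALPHA), ("#1", ALNUM), ("#5", ALNUM_SYM14)):
        print(name, len(cs), keyspace(cs), f"{reduction_factor(cs):.2e}")
```

The keyspace of each configuration is simply the sum of charset_size^n for n = 1 to 7, which is why a table built for a single 7-character half is enough to cover a 14-character LM password.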

For some more background info check out the LM section of Wikipedia.org: http://en.wikipedia.org/wiki/LM_hash

From the Rainbow Tables wiki:

“Rainbow tables use a refined algorithm by using a number of different reduction functions to create multiple parallel chains within a single “rainbow” table, reducing the probability of false positives from accidental chain collisions, and thus increasing the probability of a correct password crack. As well as increasing the probability of a correct crack for a given table size, the use of multiple reduction functions also greatly increases the speed of lookups.

Rainbow tables are specific to the hash function they were created for e.g., MD5 tables can crack only MD5 hashes. The theory of this technique was first pioneered by Philippe Oechslin [3] as a fast form of time-memory tradeoff [4], which he implemented in the Windows password cracker Ophcrack. The more powerful RainbowCrack program was later developed that can generate and use rainbow tables for a variety of character sets and hashing algorithms, including LM hash, MD5, SHA1, and NTLM.”[5]
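The pre-computation stage and the per-column reduction functions described above can be seen in a toy table. This is an added example, not RainbowCrack's implementation: the 3-letter charset, chain length, reduction function and salt value are all constructed assumptions. It also shows why the missing salt matters, since the same table finds nothing once the hash is salted.

```python
import hashlib

# Constructed toy parameters (assumptions): 3 lowercase letters, MD5, 50-step chains.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
CHAIN_LEN = 50
SPACE = len(CHARSET) ** PW_LEN

def md5_hash(pw: str, salt: bytes = b"") -> bytes:
    return hashlib.md5(salt + pw.encode()).digest()

def reduce_fn(digest: bytes, column: int) -> str:
    """Map a digest back into the plaintext space; each column maps differently."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)

def build_table(starts):
    """Pre-computation: walk each chain, store only end point -> start point."""
    table = {}
    for start in starts:
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_fn(md5_hash(pw), col)
        table[pw] = start
    return table

def lookup(table, target: bytes):
    """Guess the column holding the target, walk to the chain end, replay on a hit."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(md5_hash(pw), c)
        if pw in table:  # real match, or a false alarm from a merged chain
            cand = table[pw]
            for c in range(CHAIN_LEN):
                if md5_hash(cand) == target:
                    return cand
                cand = reduce_fn(md5_hash(cand), c)
    return None

def demo():
    table = build_table(["aaa", "kal", "zzz"])  # 3 stored pairs, up to 150 plaintexts
    pw = next(iter(table.values()))
    for col in range(10):  # pick a plaintext from inside a stored chain
        pw = reduce_fn(md5_hash(pw), col)
    unsalted = lookup(table, md5_hash(pw))
    salted = lookup(table, md5_hash(pw, b"constructed-salt"))
    return pw, unsalted, salted
```

Calling demo() returns the chosen plaintext, the same plaintext recovered from its unsalted hash, and None for the salted hash.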

Let’s check out some sample rainbow table configurations and see how they fare. As we go through the tutorial, all of this should make more sense.

LM configuration #0

charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
keyspace 8353082582
table size 610 MB
success probability 0.9990

Has a success probability of 99.90% and only takes up 610 MB.

LM configuration #1

charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
keyspace 80603140212
table size 3 GB
success probability 0.9904

Has a success probability of 99.04% and takes up 3 GB.

LM configuration #5

charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= ]
keyspace 915358891407 (2^39.7)
table size 24 GB
success probability 0.99909

Has a success probability of 99.1% and takes up 24 GB. This is starting to get large, but 1) it is not THAT large given how cheap hard drive space is, and 2) it is reasonable given the character set involved. Don’t forget this will work on passwords up to 14 characters as well. What starts to make a difference is how long it takes to compute these tables.

LM configuration #6

charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|:;"'<>,.?/ ]
keyspace 7555858447479 (2^42.8)
table size 64 GB
success probability 0.999

Has a success probability of 99.9% and takes up 64 GB. This character set includes all possible characters on a standard keyboard (not including alt+xxx characters). So this table set will probably crack any Windows password of up to 14 characters in minutes. This is impressive, yet on one PC it will take around 2 years to generate these tables (Faster Time-Memory Trade-Off Technique).

Tools included in the rainbowcrack package

rcrack – Rainbow table password cracker
root@kali:~# rcrack
RainbowCrack 1.7
Copyright 2017 RainbowCrack Project. All rights reserved.
http://project-rainbowcrack.com/

usage: ./rcrack path [path] [...] -h hash
./rcrack path [path] [...] -l hash_list_file
./rcrack path [path] [...] -lm pwdump_file
./rcrack path [path] [...] -ntlm pwdump_file
path:              directory where rainbow tables (*.rt, *.rtc) are stored
-h hash:           load single hash
-l hash_list_file: load hashes from a file, each hash in a line
-lm pwdump_file:   load lm hashes from pwdump file
-ntlm pwdump_file: load ntlm hashes from pwdump file

implemented hash algorithms:
lm HashLen=8 PlaintextLen=0-7
ntlm HashLen=16 PlaintextLen=0-15
md5 HashLen=16 PlaintextLen=0-15
sha1 HashLen=20 PlaintextLen=0-20
sha256 HashLen=32 PlaintextLen=0-20

examples:
./rcrack . -h 5d41402abc4b2a76b9719d911017c592
./rcrack . -l hash.txt  

rt2rtc – Convert rainbow tables from .rt to .rtc

root@kali:~# rt2rtc
RainbowCrack 1.7
Copyright 2017 RainbowCrack Project. All rights reserved.
http://project-rainbowcrack.com/

usage: rt2rtc path [-s start_point_bits] [-e end_point_bits] [-c chunk_size_in_mb] [-p]

1 <= start_point_bits <= 64
1 <= end_point_bits   <= 64
1 <= chunk_size_in_mb

rtc2rt – Convert rainbow tables from .rtc to .rt

root@kali:~# rtc2rt
RainbowCrack 1.7
Copyright 2017 RainbowCrack Project. All rights reserved.
http://project-rainbowcrack.com/

usage: ./rtc2rt path

rtgen – Generate rainbow tables

root@kali:~# rtgen
RainbowCrack 1.7
Copyright 2017 RainbowCrack Project. All rights reserved.
http://project-rainbowcrack.com/

usage: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
       rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index -bench

hash algorithms implemented:
lm HashLen=8 PlaintextLen=0-7
ntlm HashLen=16 PlaintextLen=0-15
md5 HashLen=16 PlaintextLen=0-15
sha1 HashLen=20 PlaintextLen=0-20
sha256 HashLen=32 PlaintextLen=0-20
 
examples:
rtgen md5 loweralpha 1 7 0 1000 1000 0
rtgen md5 loweralpha 1 7 0 -bench 

rtsort – Sort rainbow tables

root@kali:~# rtsort
RainbowCrack 1.7
Copyright 2017 RainbowCrack Project. All rights reserved.
http://project-rainbowcrack.com/

usage: ./rtsort path
