Rainbow Crack v1.0 Tutorial
http://www.antsight.com/zsl/rainbowcrack/rcracktutorial.htm
RainbowCrack tutorial
by Zhu Shuanglei <shuanglei@hotmail.com> http://www.antsight.com/zsl/rainbowcrack/
RainbowCrack is a general-purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. In this tutorial, we will guide you through the steps to build an instant Windows password cracker. Philippe Oechslin's paper ("Making a Faster Cryptanalytic Time-Memory Trade-Off", CRYPTO 2003) is a good reference if you want an in-depth understanding of the theory.
Configuration #0

hash algorithm: lm
    We will generate rainbow tables for the LAN Manager hash (lm); other hash algorithms (md5, sha1, ...) are also possible.

charset: alpha (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
    We use alpha characters as the plaintext charset.

plaintext length range: 1-7
    Length range of the plaintext. For example, if you use charset alpha and plaintext length range "4-6", "AAAA" and "ZZZZZZ" are in the key space; "AAA" is not, because it has length 3.

key space: 26^1 + 26^2 + 26^3 + 26^4 + 26^5 + 26^6 + 26^7 = 8353082582
    There are 8353082582 different alpha-only plaintexts.

t: 2100
    Rainbow chain length; see the paper for details.

m: 8000000
    Rainbow chain count of each rainbow table; see the paper for details.

l: 5
    Rainbow table count; see the paper for details.

disk usage: m * 16 * l = 640000000 B = 610 MB
    Disk space required to store all generated rainbow tables. Each rainbow chain takes 16 bytes (8 bytes for the start point and 8 bytes for the end point).

success rate: 0.9990
    When the rainbow tables have been generated, you have a 99.9% probability of cracking an alpha-only password. Due to the nature of the technique, success is not guaranteed.

mean cryptanalysis time: 3.7841 s
    You need 3.7841 seconds on average to crack an alpha password. This does not take into account the time spent on "false alarms"; see the paper for what a "false alarm" is.

mean cryptanalysis time on a low memory system (free memory size much smaller than 610 MB): 8.2836 s
    If you do not have enough free physical memory to hold one rainbow table at a time, the program (rcrack.exe) has to load each table chunk by chunk and search it chunk by chunk, losing the chance of finding the password early. This does not take into account the time spent on "false alarms".

max cryptanalysis time: 31.1441 s
    If the password you are searching for is not covered by the rainbow tables, you have to search all tables only to find nothing. This does not take into account the time spent on "false alarms".

table precomputation commands:
    rtgen lm alpha 1 7 0 2100 8000000 all
    rtgen lm alpha 1 7 1 2100 8000000 all
    rtgen lm alpha 1 7 2 2100 8000000 all
    rtgen lm alpha 1 7 3 2100 8000000 all
    rtgen lm alpha 1 7 4 2100 8000000 all
    Use the utility "rtgen.exe" in the distribution and these commands to generate the rainbow tables required to launch the attack (see the next section of the tutorial for more).

table precomputation time: 2 days 18 hours
    Table precomputation is time expensive. This is the meaning of "Time-Memory Trade-Off".

Configuration #1

hash algorithm: lm
charset: alpha-numeric (ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789)
plaintext length range: 1-7
key space: 36^1 + 36^2 + 36^3 + 36^4 + 36^5 + 36^6 + 36^7 = 80603140212
t: 2400
m: 40000000
l: 5
disk usage: m * 16 * l = 3200000000 B = 3 GB
success rate: 0.9904
mean cryptanalysis time: 7.6276 s
mean cryptanalysis time on a low memory system: 13.3075 s
max cryptanalysis time: 40.6780 s
table precomputation commands:
    rtgen lm alpha-numeric 1 7 0 2400 40000000 all
    rtgen lm alpha-numeric 1 7 1 2400 40000000 all
    rtgen lm alpha-numeric 1 7 2 2400 40000000 all
    rtgen lm alpha-numeric 1 7 3 2400 40000000 all
    rtgen lm alpha-numeric 1 7 4 2400 40000000 all
table precomputation time: 15 days 17 hours

17/04/2007 22:30
Some explanations: with configuration #1, you can crack an alpha-numeric password in 13.3075 seconds on average on a 256 MB memory system, with a 99.04% success rate. In this tutorial we use configuration #0; if you want the second configuration, everything is similar.
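To make the parameters in the configuration tables concrete (key space, t, m, l, the 16 bytes per chain, and the "false alarm" that the cryptanalysis times leave out), here is a small Python model of the technique, added here as an example; it is not code from the RainbowCrack distribution. It uses md5 in place of lm (the tutorial notes md5 is also possible) and toy values (charset alpha, length 1-3, t=20, m=1500, one table) so it runs in well under a second. The plaintext indexing, the column-dependent reduction function and the merged-chain handling are this example's own choices, not rtgen's internals; only rtgen_commands reproduces the tutorial's command lines and the file names and sizes from its listing. The lookup in rcrack() is what the rcrack.exe step in the last section does against the sorted tables.

```python
import hashlib
import random

# Toy parameters for this example only. The tutorial's configuration #0
# (lm / alpha / 1-7 / t=2100 / m=8000000 / l=5) is far too large to build here,
# and md5 stands in for lm (the tutorial notes md5 is also possible).
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MIN_LEN, MAX_LEN = 1, 3
CHAIN_LEN = 20        # t: rainbow chain length
CHAIN_COUNT = 1500    # m: chains per table
TABLE_INDEX = 0       # which of the l tables this one is

def key_space(charset_size, min_len, max_len):
    """Number of plaintexts, e.g. 26^1 + ... + 26^7 = 8353082582 in the tutorial."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def disk_usage_bytes(m, l):
    """Each chain is stored as an 8-byte start point plus an 8-byte end point."""
    return m * 16 * l

def rtgen_commands(hash_algo, charset, min_len, max_len, t, m, l, suffix="all"):
    """(command line, output file, file size) for each of the l tables; the
    file-name pattern is taken from the tutorial's own file listing."""
    return [
        (f"rtgen {hash_algo} {charset} {min_len} {max_len} {i} {t} {m} {suffix}",
         f"{hash_algo}_{charset}#{min_len}-{max_len}_{i}_{t}x{m}_{suffix}.rt",
         m * 16)
        for i in range(l)
    ]

KEY_SPACE = key_space(len(CHARSET), MIN_LEN, MAX_LEN)

def index_to_plaintext(index):
    """Bijection from [0, KEY_SPACE) onto the plaintexts, shorter lengths first."""
    n = len(CHARSET)
    for length in range(MIN_LEN, MAX_LEN + 1):
        block = n ** length
        if index < block:
            chars = []
            for _ in range(length):
                chars.append(CHARSET[index % n])
                index //= n
            return "".join(reversed(chars))
        index -= block
    raise ValueError("index outside key space")

def hash_fn(plaintext):
    return hashlib.md5(plaintext.encode("ascii")).digest()

def reduce_fn(digest, column, table_index):
    """Rainbow reduction: a different function per column (and per table), so two
    chains that collide in different columns do not merge. The mixing used here is
    the example's own choice, not rtgen's internal reduction."""
    value = int.from_bytes(digest[:8], "little")
    return (value + column + table_index * 65536) % KEY_SPACE

def rtgen(table_index, chain_len, chain_count, seed=1):
    """Build one table as {end point: start point}. Only these two values are kept
    per chain (the 16 bytes); rtsort's job is to order them by end point so the
    lookup can binary-search. Here a dict plays the role of the sorted file."""
    rng = random.Random(seed)
    table = {}
    for _ in range(chain_count):
        start = rng.randrange(KEY_SPACE)
        idx = start
        for col in range(chain_len):
            idx = reduce_fn(hash_fn(index_to_plaintext(idx)), col, table_index)
        table.setdefault(idx, start)  # a repeated end point means the chains merged
    return table

TABLE = rtgen(TABLE_INDEX, CHAIN_LEN, CHAIN_COUNT)

def rcrack(digest, table=TABLE, chain_len=CHAIN_LEN, table_index=TABLE_INDEX):
    """Return (plaintext or None, false alarm count). For each column c, assume the
    hash sat there, finish the chain from c and look the end point up. A hit is only
    a candidate: the chain is rebuilt from its start point to column c and the
    candidate's hash compared, because a matching end point can also come from a
    different, merged chain (the tutorial's "false alarm")."""
    false_alarms = 0
    for c in range(chain_len - 1, -1, -1):
        idx = reduce_fn(digest, c, table_index)
        for col in range(c + 1, chain_len):
            idx = reduce_fn(hash_fn(index_to_plaintext(idx)), col, table_index)
        start = table.get(idx)
        if start is None:
            continue
        x = start
        for col in range(c):
            x = reduce_fn(hash_fn(index_to_plaintext(x)), col, table_index)
        candidate = index_to_plaintext(x)
        if hash_fn(candidate) == digest:
            return candidate, false_alarms
        false_alarms += 1
    return None, false_alarms
```

rtgen_commands("lm", "alpha", 1, 7, 2100, 8000000, 5) yields the five rtgen lines of configuration #0 together with the expected 128,000,000-byte file for each; rcrack(hash_fn(p)) returns p for any plaintext a stored chain covers, and None after walking every column for one outside the charset. The false alarm count it returns is the cost the tutorial's mean and max cryptanalysis times leave out.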
When the precomputation is complete, make sure the following files are in place. Each table holds m chains of 16 bytes, so every file must be exactly 8000000 * 16 = 128,000,000 bytes; a smaller file means rtgen did not finish that table.

    128,000,000 bytes    lm_alpha#1-7_0_2100x8000000_all.rt
    128,000,000 bytes    lm_alpha#1-7_1_2100x8000000_all.rt

The listing continues with the tables for indices 2, 3 and 4 written by the remaining rtgen commands.
If everything goes well, back up all files (recommended) and proceed to the next section of the tutorial.
5. Crack the hash with rcrack.exe and the sorted rainbow tables
Finally you have everything ready. Now it is time to play with "rcrack.exe". Notice the file "random_lm_alpha#1-7.hash" in the distribution. It contains 10 randomly generated LAN Manager hashes (charset alpha, length 1-7). We will use this file as a test vector. Launch the program with:

    rcrack c:\rainbowcrack\*.rt -l random_lm_alpha#1-7.hash

Replace "c:\rainbowcrack\" with the directory where you placed the sorted rainbow tables. You should find the plaintext of all 10 LAN Manager hashes. Now open the file "random_lm_alpha#1-7.plain" and validate the output of rcrack.exe against it. If they match, everything is working.

To crack some Windows passwords, the syntax is similar:

    pwdump2 > pwfile.txt
    rcrack c:\rainbowcrack\*.rt -f pwfile.txt

The pwdump2 utility dumps the LAN Manager hashes of a Windows system. If a password consists of letters only, rcrack will crack it with a 99.9% success rate. (LM uppercases the password and hashes each 7-character half independently, which is why tables for uppercase letters of length 1-7 cover letters-only passwords of either case up to 14 characters. Windows Vista and later no longer store LM hashes by default, so these tables only apply where LM hashes are still present.) Have fun!

Create date: 2003/9/9
Revised: 2003/11/21