
Rainbow Tables

EXPLAINED
By: Warpboy

CopyRight 2006 - Forever


Warpboy
www.securitydb.org
SDB www.securitydb.org

Table of Contents
0x01: Defining Rainbow Tables
0x02: Time-Memory Trade-Off
0x03: Setting Up Software
0x04: Generating Rainbow Tables
0x05: Cracking Hashes
0x06: The End
0x07: Shoutz / Contact Info

Total Pages: 11
0x01: Defining Rainbow Tables


So what exactly are rainbow tables? Rainbow tables are the new generation of
cracking, using advanced methods for recovering passwords hashed with
algorithms such as Message Digest 5 (MD5) or LanManager (LM). Rainbow tables
have become more popular and more widely known for the speed at which passwords
hashed with these algorithms can be cracked. It is vital to stay up-to-date with
technology; therefore, this paper will teach you all about rainbow tables and how they
are being used and applied in today's world.

A rainbow table is a special type of lookup table offering a time-memory
tradeoff used in recovering the plaintext password from a ciphertext generated by a
one-way hash. Translation? A rainbow table is a lookup table, much like looking up a
word in a text file, but a little more complicated. Rainbow tables use a time-memory
trade-off (explained later) to decrease the amount of time needed to turn a ciphertext
(the hashed word) back into a plaintext. The algorithms MD5 and LM are one-way, meaning
they cannot be decrypted, but they can be looked up.

0x02: Time-Memory Trade-Off

The traditional way to crack passwords is brute forcing, which simply tries
all the plaintexts one by one. This was and still is a time-consuming method of
cracking passwords. Rainbow tables implement Philippe Oechslin's time-memory trade-off
method, which decreases the time of cryptanalysis by using precalculated data stored in
memory. The idea of the time-memory trade-off is to do all the cracking-time
computation in advance and store the result in files (rainbow tables).

The precomputation of rainbow tables does take a decent amount
of time. However, once all the tables are created, the time-memory trade-off cracker is
hundreds of times faster than a traditional brute force cracker. Time-memory trade-off
has revolutionized password cracking by decreasing the time of cryptanalysis. To
summarize, time-memory trade-off is used in rainbow tables to speed up the time it
takes to crack a ciphertext.
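
The trade-off described above, as an added example that is not part of the original paper and is not RainbowCrack's code: a toy MD5 table over the 1-3 character lower-alpha keyspace that stores only each chain's start and end, then looks up the hash of 'ad' and, going one step beyond the paper, a salted hash of the same word. The function names, chain length, start points and salt string are assumptions made for this example.

```python
import hashlib
from itertools import product
from string import ascii_lowercase

# Keyspace of the tutorial's sample table: 1-3 lowercase letters (18,278 plaintexts).
KEYSPACE = ["".join(p) for n in (1, 2, 3) for p in product(ascii_lowercase, repeat=n)]
CHAIN_LEN = 100  # hash/reduce steps per chain (value chosen for this example)

def md5(text):
    return hashlib.md5(text.encode()).digest()

def reduce_fn(digest, column):
    """Map a digest back into the keyspace; the column number varies the mapping."""
    return KEYSPACE[(int.from_bytes(digest[:8], "big") + column) % len(KEYSPACE)]

def chain_end(plain, start_col=0):
    """Apply hash -> reduce from start_col up to the last column."""
    for col in range(start_col, CHAIN_LEN):
        plain = reduce_fn(md5(plain), col)
    return plain

def build_table(starts):
    """Precomputation: store only endpoint -> start points, not the chain middles."""
    table = {}
    for start in starts:
        table.setdefault(chain_end(start), []).append(start)
    return table

def lookup(table, digest):
    """Online phase: assume the digest sits in column col, walk to the endpoint,
    and on a hit replay that chain from its start to find the plaintext."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        end = chain_end(reduce_fn(digest, col), col + 1)
        for plain in table.get(end, []):
            for c in range(col + 1):
                if md5(plain) == digest:
                    return plain          # verified, so never a false positive
                plain = reduce_fn(md5(plain), c)
    return None

def demo():
    # Start points: every 1- and 2-letter string (702 chains, an example choice).
    table = build_table(KEYSPACE[:702])
    stored = sum(len(v) for v in table.values())
    hit = lookup(table, md5("ad"))                       # the tutorial's test word
    salted = lookup(table, md5("constructed-salt:ad"))   # same password, salted
    return stored, len(KEYSPACE), hit, salted

if __name__ == "__main__":
    print(demo())
```

The table keeps 702 start/end pairs for a keyspace of 18,278 plaintexts; a three-letter plaintext is recovered only if some chain happens to pass through it, and the salted hash is not found because it was never part of the precomputed keyspace.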

0x03: Setting Up Software

There is a variety of rainbow table generation software and time-memory trade-off
crackers out there. For the sake of this tutorial and by personal preference I am
going to use RainbowCrack which is available (FREE) for download at
http://www.antsight.com/zsl/rainbowcrack/. If you dislike RainbowCrack and are looking for a
rainbow table generator and a time-memory trade-off cracker check out Winrtgen and
Cain&Abel, which are both available at http://www.oxid.it/projects.html (FREE).

Let's download and set up RainbowCrack. Extract its contents to your preferred
directory ("C:\" for the tutorial's sake) and rename the folder to something like
"rainbowcrack". After extracting, it should look something like Figure 1.1, below.

If it helps, you may want to take a look at the ReadMe, but this really isn't
necessary. If there were no extraction errors and the file contents match the ones in
the zip archive you downloaded from the Project RainbowCrack homepage, then you
have successfully installed RainbowCrack to your computer.

0x04: Generating Rainbow Tables

Before you can begin to crack hashes you need to have a good amount of
rainbow tables available. Therefore, this chapter covers the generation process of
rainbow tables. The amount of space you are willing to set aside for your
rainbow tables completely depends on your personal preference. If you have under
100 GB I wouldn't recommend generating too many rainbow tables.

The program used to generate rainbow tables is "rtgen", located in the
RainbowCrack directory we created earlier. To generate rainbow tables you need to
specify certain arguments; these arguments consist of:

hash algorithm \ character set \ plaintext length minimum \ plaintext length maximum \
rainbow table index \ rainbow chain length \ rainbow chain count \ file title suffix

Hash algorithm options: algorithm of choice (e.g. md5)
Character set: located in the RainbowCrack directory as charset.txt, can be
modified (e.g. alpha-numeric [123456789ABCDEFGHIJKLMNOPQRSTUV])
Plaintext length minimum: Minimum number of characters in each word (e.g. 1)
Plaintext length maximum: Maximum number of characters in each word (e.g. 8)
Rainbow Table Index: The index of the rainbow table (e.g. 0)
Rainbow Chain Length: The length of the rainbow chain (e.g. 11300)
Rainbow Chain Count: The number of rainbow chains to generate (e.g. 6000)
File Title Suffix: This is used for rainbow tables which are to be linked with
each other to prevent duplicating (e.g. 0)

Before generating a table, it is a good idea to get an approximation of the
amount of time the table is going to take to generate. To do this, use the
"-bench" argument at the end of the arguments (excluding the
rainbow chain count/length and file title suffix arguments). First open the
cmd prompt (because rtgen is a console application), then cd to the RainbowCrack
directory (where you installed RainbowCrack). See Figure 1.2 below.

Now you should be in the rainbow crack directory, like below in Figure 1.3.

Now that you are in the RainbowCrack directory you need to start 'rtgen.exe' or
the rainbow table generator and then you can start to generate the rainbow tables.
Let's start rtgen and see what happens, see Figure 1.4 below.

As you can see it's just the arguments (covered earlier) that rtgen requires to
generate a table based on the user inputted arguments. Now that we know how the
program works, let's generate our first rainbow table. Before you can generate, it's a
good idea to benchmark or figure out how long the table is going to take to be created.
To do this you use the -bench argument, see Figure 1.5 below.
After you have tested to see how long the generation process is going to take,
you're ready to start generating. The disheartening part about the generation process
is that it usually takes an incredibly long time. If you have multiple computers, then
generating sets of rainbow tables would obviously not take as long.

Sets of rainbow tables are just rainbow tables based on each other. For
example, you can't have a 39 GB rainbow table because the computer can't handle
this large a size. However, you can have 39 tables of 1 GB each; you can do this by having
indexes on your tables. Rtgen knows that if the index is 1 and there is a 0 indexed
table then it won't re-generate the same contents that were in the first table (the 0 table).
Basically, rainbow table sets allow you to have multiple tables that really are one big
table, just split up into separate ones.

In Figure 1.6 below, there is a basic 1-3 character lower-alpha character set
rainbow table generating. After it's generated it should look something like Figure 1.7.

After the generation process is complete you have to sort the rainbow table
using rtsort; all this program does is organize the newly created rainbow table. See
Figure 1.8 below, where the previous rainbow table that was generated in Figure 1.7
is being sorted.

After generating and sorting is complete it's time to test the rainbow table out.

0x05: Cracking Hashes

Since the algorithm of the rainbow table we just generated is MD5, let's go
hash a simple plaintext with that algorithm. There are tons of online MD5
"encryptors" (hash generators) on the net; to make it easy you can go to
www.securitydb.org/cracker/ or you can google "MD5 encryptor".

Remember when submitting the plaintext, make sure it matches the character
set used in the previously generated rainbow table. For the sake of this paper, I'm
going to hash 'ad' (without quotes) with the MD5 algorithm. Then I am going to
attempt to crack the hash with the rainbow table. This is really only to test the rainbow
table's ability.

ad:523af537946b79c4f8369ed39ba78605

Now the rainbow table should be able to crack the hash and give the plaintext
'ad'. The program used is rcrack, and its arguments are easy. You can actually load
all the rainbow tables in a directory with it, but in this tutorial we are only using one
rainbow table.

In Figure 1.9 (below) 'rcrack' is searching for the hash in the rainbow table.

In Figure 2.1 (below) you can see the rainbow table worked.

Congrats! You have successfully generated and sorted a rainbow table and
used it to crack a simple hash. With 'rcrack' there are 2 other arguments besides (-h).
You have -p, which handles a password dump file, only with the LAN Manager algorithm
though. Then there is -l, which handles a text file with hashes, so you can crack
multiple hashes in 1 session.
0x06: The End

Throughout this paper, the word 'crack' or 'cracking' is used; however, the hashes
are never really cracked. The MD5 and LM algorithms have not yet been cracked;
they are said to be one-way algorithms, so they can only be looked up. So really when
you say "I'm cracking this hash with my rainbow tables", you are incorrect. However,
with modern slang that statement could be treated as if it were valid.

Some resources for furthering your knowledge on rainbow tables:

www.antsight.com/zsl/rainbowcrack/
http://en.wikipedia.org/wiki/Rainbow_table
http://lasecwww.epfl.ch/~oechslin/publications/crypto03.pdf

Some online time-memory trade-off crackers:

www.milw0rm.com/cracker/
www.plain-text.info

0x07: Shoutz / Contact Info

ShoutZ: TimQ, Z666, Ice_Dragon, kAoTiX, Ethernet, PunkerX, The-Maggot,
theNerd, Archangel, Phrankeh, Grim, Splinter,
Gammarayz, Maverick, Wolv, NinjaOptix, and SDB memberz + all
my otha friends not mentioned

---------------
Contact Info
---------------

E-mail: [email protected]
MSNM: [email protected]
Website: www.securitydb.org
