Rainbow tables & associated tools

Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I'm looking into adding some depth to our lab's password cracking capabilities as currently we just use Passware Forensic.

This is a great tool for standard stuff but I'd like to take advantage of rainbow tables and utilise the other machines in the lab, but before I do that I have a couple of basic questions which I'm having trouble finding a clear answer on.

Firstly I understand there are different types of rainbow tables, I'm looking at FreeRainbowTables.com and they have plenty for download (MD5, LM, NTLM and MYSQL_SHA1), around 9TB in total.

I plan on downloading them all provided I can find the right software to use with them, but my first question is how do I know which rainbow table I need when it comes time to use them? By this I mean I assume different OS and different software use different standards to encrypt data, so if I'm trying to crack a RAR file that was created on Win7 what table do I need? Will it be a different table if it was created on XP or Linux? Or is the table needed dependent on the fact that it's a RAR file.

Is there any list or place I can find out exactly what table I need depending on what I'm trying to crack, or is it a case of just having to have all tables available and the software will figure it out.

Lastly, the tables at freerainbowtables.com are all in rti2 format and Passware only works with rt format. I can convert the tables but that will essentially double their size and I don't particularly want to try and work with 18TB of rainbow tables.

Does anyone have any experience with cracking software that is Windows GUI based (like Passware or ophcrack) which can work with rti2 tables?

 
Posted : 01/06/2014 9:17 am
(@athulin)
Posts: 1156
Noble Member
 

Is there any list or place I can find out exactly what table I need depending on what I'm trying to crack, or is it a case of just having to have all tables available and the software will figure it out.

It's more a question of knowing about encryption methods used, location of password hash or tools for extracting them.

What exactly your software will do … well, that depends on what software you choose. Those I know depend on the user to identify the right tables. Do it wrong, and nothing happens – or you get an error message.

Decide what you're really looking for. Shorter time to crack one single password? Better coverage in shorter time – assurance that you've covered all possibilities? Or something else?

Then select the most common crack situation you're faced with. If you have a collection of the passwords you've cracked earlier, review it for character set coverage. If you have password characters that are not covered by the rainbow table set, or passwords of a length that is not covered, evaluate how many those are, and if you're helped by rainbow tables or still need to cover up by brute force, and if so how you need to modify that to avoid searching the password spaces that you've covered by the rainbow tables. Then get that particular crack situation up and running, and evaluate if it really does what you hoped for – not just the rainbow-table part of it, but also the fallback on brute force methods.

I'm looking at FreeRainbowTables.com and they have plenty for download (MD5, LM, NTLM and MYSQL_SHA1), around 9TB in total.

Don't assume you need everything. For example, in the NTLM range there's both ntlm_mixalpha-numeric-all-space#1-7 and ntlm_mixalpha-numeric-all-space#1-8. If you have the second, you don't need the first, and there's a number of other tables that you probably can do without as well.

Also note that some of the specialized tables can be replaced with a 'dump password from rtl' utility, and a tool that you can tell to read passwords from stdin as well as transform them by adding 1-3 digits at the end of each password. And with something like that, it's easy to extend it to cover situations that are _not_ covered by the rainbow tables you have selected – you may want to evaluate such hybrid scenarios as well. (I use John the Ripper for that kind of approach.)

 
Posted : 01/06/2014 12:54 pm
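The coverage review described in the post above, as an added example that is not part of the original thread: it parses table names of the form quoted there, flags tables whose key space is contained in another, and sorts previously recovered passwords into covered, length gap and charset gap. The charset definitions and the recovered-password sample are assumptions constructed for illustration.

```python
import string

# Assumed charset definitions, inferred from the table naming convention.
# Check them against the charset file shipped with the tables you download.
CHARSETS = {
    "numeric": string.digits,
    "loweralpha-numeric": string.ascii_lowercase + string.digits,
    "mixalpha-numeric": string.ascii_letters + string.digits,
    "mixalpha-numeric-all-space":
        string.ascii_letters + string.digits + string.punctuation + " ",
}

def parse_table(name):
    """Split a name such as 'ntlm_mixalpha-numeric-all-space#1-8' into fields."""
    algo, rest = name.split("_", 1)
    charset, lengths = rest.split("#")
    lo, hi = (int(n) for n in lengths.split("-"))
    return {"name": name, "algo": algo, "chars": frozenset(CHARSETS[charset]),
            "min": lo, "max": hi}

def contains(outer, inner):
    """True if every candidate in `inner` is also a candidate in `outer`."""
    return (outer["algo"] == inner["algo"] and inner["chars"] <= outer["chars"]
            and outer["min"] <= inner["min"] and inner["max"] <= outer["max"])

def redundant(tables):
    """Names of tables strictly contained in another table of the set."""
    return [t["name"] for t in tables
            if any(contains(o, t) and not contains(t, o) for o in tables)]

def gap_report(tables, algo, recovered):
    """Classify recovered passwords: covered, length gap, or charset gap."""
    report = {"covered": [], "length": [], "charset": []}
    usable = [t for t in tables if t["algo"] == algo]
    for pw in recovered:
        if any(t["min"] <= len(pw) <= t["max"] and set(pw) <= t["chars"]
               for t in usable):
            report["covered"].append(pw)
        elif any(set(pw) <= t["chars"] for t in usable):
            report["length"].append(pw)      # charset fits, length does not
        else:
            report["charset"].append(pw)     # needs brute force or a hybrid run
    return report

# The two table names mentioned in the thread.
TABLES = [parse_table(n) for n in ("ntlm_mixalpha-numeric-all-space#1-7",
                                   "ntlm_mixalpha-numeric-all-space#1-8")]
# Constructed sample of previously recovered passwords.
RECOVERED = ["Summer14", "letmein", "12345", "p@ss w0rd", "Z\u00fcrich99",
             "correcthorse"]
```

The "length" and "charset" buckets are the part of the password space that still has to be handled by brute force or a hybrid approach.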
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I plan on downloading them all provided I can find the right software to use with them, but my first question is how do I know which rainbow table I need when it comes time to use them? By this I mean I assume different OS and different software use different standards to encrypt data, so if I'm trying to crack a RAR file that was created on Win7 what table do I need? Will it be a different table if it was created on XP or Linux? Or is the table needed dependent on the fact that it's a RAR file.

If you think this through you'll know the answer :)

Using your example of RAR, as it is a cross platform compression package the encryption algorithm must also be cross platform, so it is the application that defines the algorithm. This is almost always true of any application that is not part of an O/S.

 
Posted : 01/06/2014 1:26 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have some doubts on the idea of Rainbow Tables being useful specifically for RAR archives.

jaclaz

 
Posted : 01/06/2014 3:34 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I think RAR might have been a bad example because some of the programs seem to be able to exploit weaknesses in the way the hash is stored, but it was more about trying to figure out what table I might need for any given document/archive etc.

Thanks for the advice, I think the short answer is there is no short answer, I'm going to have to read, study and research.

I've always been very interested in encryption/decryption and love reading about it, however I'm somewhat mathematically challenged so when it comes time to try and understand the process and how it can be applied I start to get frustrated.

We did a couple of units on this stuff when I was doing my degree but it was fairly low level stuff and gave me the false impression that it was easy :P

I don't really expect the rainbow tables to be the "cure for all ills" but it's another tool and there may be circumstances where they help me out. I see John the Ripper mentioned quite a lot in different places and it seems to be the most highly regarded one out there, so looks like I'm going to have to go back and get comfortable with Linux again if I want to play in this field as well.

 
Posted : 02/06/2014 8:05 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I think RAR might have been a bad example …

Yep.
Basically AFAICU a Rainbow Table is nothing but a (very large) "catalog" or "lookup table" for hashes.
If you have not the hash to look for and/or - like I believe it is the case for RAR encrypted format - the hash is a "salted" and "derived" one a Rainbow table won't be of any use or will be simply too big.
http://stackoverflow.com/questions/3817941/rar-passwords-why-dont-rainbow-tables-work

jaclaz

 
Posted : 02/06/2014 12:47 pm
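The point made in the post above, as an added example that is not part of the original thread: a toy rainbow table over a three-letter lowercase key space finds the password behind an unsalted hash, and the same lookup fails once a salt is mixed in. MD5, the chain length, the salt value and all names are assumptions chosen for illustration; the iterated key derivation the post also mentions is not modelled.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase
LENGTH = 3          # toy key space: 26**3 = 17,576 candidates
CHAIN_LEN = 50      # hash/reduce steps per chain
SPACE = len(ALPHABET) ** LENGTH

def h(pw, salt=b""):
    """MD5 stands in for whatever hash the table was built for."""
    return hashlib.md5(salt + pw.encode()).digest()

def reduce_(digest, step):
    """Map a digest back to a candidate; differs at each chain position."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def build_table(starts):
    """Keep only chain end -> chain starts; links are recomputed on lookup."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(h(pw), step)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, target):
    """Return the candidate whose unsalted hash equals target, or None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, pos)               # guess: target is link `pos`
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_(h(pw), step)
        for cand in table.get(pw, []):          # replay the chain to confirm
            for step in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), step)
    return None

# Constructed demo: every 40th candidate starts a chain (440 stored entries).
STARTS = ["".join(c) for c in itertools.islice(
    itertools.product(ALPHABET, repeat=LENGTH), 0, None, 40)]
TABLE = build_table(STARTS)
```

A table built this way is only valid for the exact hash function and key space it was generated with, so a per-file salt would require a separate table for every salt value.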
4n6_Guy
(@4n6_guy)
Posts: 1
New Member
 

I don't really expect the rainbow tables to be the "cure for all ills" but it's another tool and there may be circumstances where they help me out. I see John the Ripper mentioned quite a lot in different places and it seems to be the most highly regarded one out there, so looks like I'm going to have to go back and get comfortable with Linux again if I want to play in this field as well.

Not that I would discourage you from using Linux, as I am a big fan, but John the Ripper does have a Windows version as well. You will still have to use command line though. I'm not sure what version of Passware you have but the Forensic Edition comes with 5 client licenses that you can install on Windows PCs on the same network. Passware will use the unused CPU cycles to help with whatever attack you are running. We've got it set up in our lab and it works quite well.

 
Posted : 11/06/2014 6:12 pm