
Rainbow Tables

NOTE: If you download the rainbow tables, you also need to download the associated dictionary file and rules file to make them work. For most of the tables the files are basic_rules and dic-0294. I apologize; I should have saved them in the first cfg tgz for each table, but I was trying to save space. My bad.


Overview:

This page is dedicated to our dictionary based rainbow table password cracker (known as drcrack). The original source code is based off of rcrack, written by Zhu Shuanglei.

As stated, drcrack allows the creation and use of dictionary based rainbow tables. If you are unfamiliar with rainbow tables, a good reference is the original rcrack homepage. Normally rainbow tables are generated using a brute-force approach. For example, you could create a rainbow table that would attempt to crack all passwords of length one through six containing alphanumeric characters. A further refinement developed by the people over at http://www.freerainbowtables.com is the mixed rainbow table. A mixed rainbow table allows you to create tables by defining brute-force rules such as "the first six characters should be letters, and the last two characters should be numbers". Dictionary based rainbow tables, such as those generated by drcrack, on the other hand allow you to create pre-generated hash tables based on dictionary words and common word mangling rules, which produce guesses such as "P@ssword12".

All three methods are very useful. With the inclusion of drcrack, we feel that most password cracking against unsalted hashes can be done using pre-generated tables. That is, an attacker can use traditional rainbow tables for pure brute-force password audits, indexed tables to expand their brute-force attacks, and dictionary based tables to cover their normal dictionary based attacks.
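How a dictionary based table differs from a brute-force one, as an added example that is not drcrack's code: the reduction function maps each hash to a (dictionary word, mangling rule) index instead of a character-set position. The word list, the four rules, the use of MD5 and the reduction function are assumptions made for illustration.

```python
import hashlib

# Constructed sample inputs; not drcrack's dic-0294 or basic_rules files.
WORDS = ["password", "dragon", "monkey", "letmein"]
# Hypothetical mangling rules, each turning a dictionary word into one guess.
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w.replace("a", "@"),
    lambda w: w.capitalize().replace("a", "@") + "12",
]
KEYSPACE = len(WORDS) * len(RULES)  # one index per (word, rule) pair

def candidate(index):
    """Map a keyspace index to the mangled dictionary word it stands for."""
    word, rule = divmod(index, len(RULES))
    return RULES[rule](WORDS[word])

def md5(plain):
    return hashlib.md5(plain.encode()).digest()

def reduce_hash(digest, column):
    """Fold a hash back into the (word, rule) keyspace; varies per column."""
    return (int.from_bytes(digest[:8], "big") + column) % KEYSPACE

def walk(index, first_column, chain_len):
    """Follow a chain from first_column to its end, yielding visited indexes."""
    for column in range(first_column, chain_len):
        yield index
        index = reduce_hash(md5(candidate(index)), column)
    yield index  # chain end point

def build_table(starts, chain_len):
    """Keep only end -> [starts]; links in between are recomputed on lookup."""
    table = {}
    for start in starts:
        *_, end = walk(start, 0, chain_len)
        table.setdefault(end, []).append(start)
    return table

def lookup(table, chain_len, target):
    """Return the plaintext behind target if a stored chain covers it."""
    for column in range(chain_len - 1, -1, -1):
        *_, end = walk(reduce_hash(target, column), column + 1, chain_len)
        for start in table.get(end, []):
            for index in list(walk(start, 0, chain_len))[:-1]:
                if md5(candidate(index)) == target:
                    return candidate(index)
    return None
```

A hash is recovered only when it is unsalted and its plaintext lies in the dictionary-times-rules keyspace that a stored chain visits. The same password hashed with a prepended salt, or a password outside that keyspace, returns None.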

Features:

  • Menu based rule generator
  • Config files - table generation info is no longer stored in the filename!!
  • Multi-threaded support for multi-core CPUs, (Linux and MacOSX only)
  • Various other performance tweaks such as using optimized hashing functions for the most common password hashes, (goodbye openssl).
  • Backwards compatible with traditional rcrack rainbow tables, (though not indexed rainbow tables)

Files:

DRCrack -multi threaded version 1.03
-Changes: See the change history below, but several new features were added and this should result in a big performance boost

 
Dictionary Based Rainbow Tables
All online rainbow tables can be found at the following website:
-Please note, for the rainbow tables to work you need to download not only the tables, but the associated config and dictionary files as well.


Supported Systems:

Config Generator and Multi-Threaded Version
Most flavors of Linux
MacOSX

Patch Notes:

Version 1.03: 

-Changes: Removed some debugging code from the multi-threaded rainbow table creator. You should see a significant increase in performance now
-Added the ability to specify your own salt values for mscache and oracle password hashes.
-As an addendum to the above point, any tables created with drtgen 1.03 will not work with previous versions. Don't worry, all the old tables still work with the new version.
-Completely changed the command line format for drtgen to help avoid confusion, and hopefully make it easier to use
-Added the -bench option to help predict how long a table will take to create.
-Lots of other internal tweaks and code cleanup
-Once again, if you notice any new, (or old), bugs please let me know

Version 1.01: 

-Changes: Fixed an issue with the makefile that caused the program to not compile on some systems, (aka capitalized Public.cpp)
-Special thanks to the person who pointed this out

Version 1.0: 
After over a year and a half, we finally are ready to deploy our release version. Why so long? Well originally we were going to present it at Shmoocon08 but we didn't have the tables done in time. Then we decided to publish a paper on it, other stuff came up (check out our pcfg password generator), optimized the algorithm which invalidated all our old tables, etc. It's done though, and we are pretty proud of it. There's sure to be bugs, so if you have any suggestions or find any mistakes, please let us know.

Installation/Configuration (Linux, MacOSX):

1. Download and untar the source files
2. make

Creating Rule Files:

1. run ./dr_rules
2. Specify the appropriate configuration options

-Option (1) modifies the character sets.  Use this to add support for different languages, or to modify which numbers/special characters to use in the word mangling rules

-Option (2) allows you to create word mangling rules.  For example, add two numbers to the end of the dictionary word, and replace ‘a’ with an ‘@’.

3. Save your settings. 

-Option (3) creates a rules file that can be used to generate a dictionary based rainbow table.

-Note: you can load this saved file into dr_rules at a later point if you wish to make any changes


Creating Rainbow Tables

usage: drtgen <options> 
----------------------------------------------------------------
Options For All Rainbow Table Types    |
----------------------------------------------------------------
-file    <file name>    
(REQUIRED):The rt filename to use, not required if using -bench

-hash    <hash type>    
(REQUIRED):The hash type to use
hash types supported: lm ntlm md2 md4 md5 doublemd5 sha1 ripemd160 mysql323 mysqlsha1 ciscopix mscache halflmchall lmchall ntlmchall oracle 

-cLen    <chain length>
(REQUIRED):The length of each chain, aka the compression used

-cCount    <# of chains>  
(REQUIRED):The number of chains, influences how big the table will be

-bench                  
(optional):benchmark how long the table will take to generate

-index   <index value>  
(optional):The index offset, only matters if you have multiple tables

-threads <num threads>  
(optional):The number of processors to use

-salt    <salt value>  
(optional):The salt value to use for the hash. Capitalization matters! If no salt is specified, mscache="administrator", oracle="SYS"

-------------------------------------------------------------
Options For Dictionary Based Tables   |
-------------------------------------------------------------
-d                      
(REQUIRED):Tell drtgen that this is a dictionary based attack

-dic   <dictionary name>
(REQUIRED):The name of the input dictionary to use

-rules <rules file name>
(REQUIRED):The name of the word mangling rule file to use

-------------------------------------------------------------------
Options For Traditional Rainbow Tables   |
-------------------------------------------------------------------
-charset <charset name>
(REQUIRED):The character set to use, a list can be found in charset.txt.  Use "byte" to specify all 256 characters as the charset of the plaintext

-lmin    <minimum size>
(REQUIRED):The minimum sized password to try and bruteforce

-lmax    <maximum size>
(REQUIRED):The maximum sized password to try and bruteforce

-----------------------
Examples      |
-----------------------
Basic Dictionary Based Attack
./drtgen -d -dic inputdic.txt -rules manglingrules.txt -hash ntlm -cLen 2600 -cCount 500000 -file basic_ntlm_table

Basic Salted Dictionary Based Attack
./drtgen -d -dic inputdic.txt -rules manglingrules.txt -hash mscache -salt administrator -cLen 2600 -cCount 500000 -file basic_ntlm_table

Multi-threaded Dictionary Based Attack
./drtgen -d -dic inputdic.txt -rules manglingrules.txt -hash ntlm -threads 4 -cLen 2600 -cCount 500000 -file basic_ntlm_table

Benchmarking a Dictionary Based Attack (Note: this will generally underestimate the time because it doesn't write to disk)
./drtgen -d -dic inputdic.txt -rules manglingrules.txt -hash ntlm -cLen 2600 -cCount 500000 -bench
 
Traditional Rainbow Table Generation
./drtgen -charset loweralpha-numeric -lmin 1 -lmax 7 -hash ntlm -cLen 2600 -cCount 500000 -file basic_ntlm_table

After the table is created:

Run ./rtsort <file name.rt>
Example: ./rtsort testtable.rt
This sorts the rainbow table and it is required before you can use the table in a cracking session

Cracking Password Hashes:
 
1. For a Dictionary Based Rainbow Table Run
./drcrack -d <file name.cfg> -l <hash file>
or
./drcrack -d <file name.cfg> -h <individual hash>