Rainbow Tables: How to Create & Use Them to Crack Passwords
More password cracking action from Null Byte! Today we aren't going to be cracking passwords per se, rather, we are going to learn the basics of generating rainbow tables and how to use them. First, let's go over how passwords are stored and recovered.
Passwords are normally stored in one-way hashes. When a password is created, the user types the password in what is called "plain text", since it is in a plain, unhashed form. However, after a password is made, the computer stores a one-way hash of the password that obfuscates it. Hashes are made to be one-way, which means algorithmic reversal is impossible. This means we have to crack those hashes!
Normally, when you crack a password hash, your computer computes a word, generates the hash, then compares to see if there is a match. If there is, the password is correct; if not, it will keep guessing. Rainbow tables work on the principle of a time-memory trade-off. This means that hashes are pre-generated by a computer and stored in a large rainbow table file with all of the hashes and words that correspond to them. This method works especially well for people with slow processors, since you don't have to compute much. Rainbow cracking can greatly reduce the amount of time it takes to crack a password hash, plus you can keep the tables, so you only have to generate them once!
- Windows, Mac OSX, or Linux OS
- Admin, or root access
Step 1 Download & Install RainbowCrack
Text in bold means it is a terminal command (NT, OSX, or *nix). However, for this step, all commands in bold are for Linux only. The other operating systems use a GUI.
RainbowCrack is the tool that we are going to be using to generate and use rainbow tables.
- Download RainbowCrack.
- Extract the archive (Windows and Mac users extract via GUI).
tar zxvf <rainbowcrack>
- Change to the new directory that has been made from extracting RainbowCrack.
cd <new dir>
- Configure the installation.
- Now, compile the source code for installation.
make && sudo make install
Step 2 Generate a Rainbow Table and Crack with It
Now, lets generate a table that consists of all the alpha-lowercase and numeral characters. We want these to use the MD5 hash algorithm and be between 4-6 characters. All OS users must open a terminal, or a command prompt and be located in the RainbowCrack working directory.
- In your working directory, issue the following command to start table generation.
rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0
- Sort the tables so the processor can access them quicker. The table files will be in the current directory. Run the following command on each of the files in the directory ending in *.rt.
rtsort <*.rt file>
This will take about 6 hours to generate on a single core processor. After you generate the table, let's practice using it on a word.
- Let's hash the word "burger" with the MD5 algorithm and then use our tables to crack it. Notice the b is in lowercase. Here is our result: 6e69685d22c94ffd42ccd7e70e246bd9
- Crack the hash with the following command, along with the path to your file.
rcrack <path-to-rainbow-table.rt> -h 6e69685d22c94ffd42ccd7e70e246bd9
It will return your hash. You'll see it is a lot faster than if you were try to bruteforce the six character hash.