Hash password cracking in rainbow table

The rainbow table is a very large set of hash keys pre-computed for a variety of possible combinations of letters, numbers, and other characters. It is used to crack various hash encryption passwords. There are a lot of rainbow tables on the Internet for us to download, of course, you can also generate your own, rainbowcrack is such a tool.

RainbowCrack uses the memory time exchange technology to accelerate password cracking. The official address is http://project-rainbowcrack.com/#downloaddownload. RainbowCrack uses a rainbow table. By creating such a rainbow table in advance, it can take a lot of time to crack the password in the future. RainbowCrack includes the following three programs:

Rtgen.exe ...... The rainbow table generation tool generates a password and hash value comparison table.

Rtsort.exe ...... The sorted rainbow table provides input for rcrack.exe.

Rcrack.exe ...... Use the sorted rainbow table for password cracking.

First, use the rainbow table generator (rtgen.exe) to generate your own rainbow table. The command line format is:

Rtgen hash_algorithm \

Plain_charset plain_len_min plain_len_max \

Rainbow_table_index \

Rainbow_chain_length rainbow_chain_count \

File_title_suffix

Rtgen hash_algorithm \

Plain_charset plain_len_min plain_len_max \

Rainbow_table_index \

-Www.2cto.com

Hash_algorithm includes lm, md5, sha1, and mysqlsha1. It specifies the encryption algorithm of the password. lm is the encryption algorithm of the windows Password.

The character set of the password specified by plain_charset generally contains uppercase letters, lowercase letters, numbers, and special characters. The detailed parameter information is as follows:

Numeric = [1, 0123456789]

Alpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
Alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

Loweralpha = [abcdefghijklmnopqrstuvwxyz]
Loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]

Mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
Mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

Ascii-32-95 = [! "# $ % & '() * +,-./0123456789:; <=>? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [\] ^ _ 'abcdefghijklmnopqrstuvwxyz {|}~]
Ascii-32-65-123-4 = [! "# $ % & '() * +,-./0123456789:; <=>? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [\] ^ _ '{|} ~]
Alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789! @ # $ % ^ & * ()-_ + = ~ '[] {}|\:;' <> ,.? /]

Oracle-alpha-numeric-symbol3 = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 # $ _]

Plain_len_min specifies the minimum password length.

Plain_len_max specifies the maximum length of the password.

Rainbow_table_index specifies the index of the rainbow table.

Rainbow_chain_length specifies the length of the rainbow chain.

Rainbow_chain_count specifies the number of rainbow chains to be generated.

File_title_suffix specifies the comment of the generated rainbow table file name.

-Benchmark user performance testing.

Below are several command line examples using the rainbow Table Builder:

Rtgen lm alpha 1 7 0 100 16 test

Rtgen md5 byte 4 4 0 100 16 test

Rtgen sha1 numeric 1 10 0 100 16 test

Rtgen lm alpha 1 7 0-Snapshot

We recommend that you use the default value to create your own rainbow table. In the following example, we create an md5-encrypted rainbow table with MB uppercase letters. The password can contain at least one character and at most seven characters.

C: yeetrac> rtgen md5 alpha 1 7 0 2100 8000000 yeetrack

Hash routine: lm

Hash length: 8

Plain charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Plain charset in hex: 41 42 43 44 45 47 48 49 4a 4b 4c 4d 4e 4f 50 51 53 54 55 56 57 58 59 5a

Plain length range: 1-7

Plain charset name: alpha

Plain space total: 8353082582

Rainbow table index: 0

Reduce offset: 0

Generating...

Done.

Creating a large rainbow table may take a long time, hours, or even days, depending on the hardware. After the rainbow table is generated, we will find a file named lm_alpha # 1-7_0_2100x8001__yeetrack.rt in the current directory. Here, yeetrack is the file name comment we entered in the command.

The next step is to use the rainbow table sorting program (rtsort.exe) for sorting to speed up searching for rainbow tables. The syntax of this command is very simple, in the format:

Rtsort rainbow_table_pathname

Here, rainbow_table_pathname is the file name of the rainbow table to be sorted. For example, to sort the rainbow table created earlier, run the following command:

C: \ yeetrack> rtsort lm_alpha # 1-7_0_2100x8001__all.rt

This command takes several minutes to execute.

Finally, use the rainbow table cracking program (rcrack.exe) to crack the hash value. It is easy to crack the md5 Command, as shown below:

C: \ yeetrack/rainbowcrack-1.5-win64> rcrack.exe md5_alpha #1
0x8001__0.rt-h 8A9A33314944325F77B68F754029EEDB

2549403648 bytes memory available
1x128000000 bytes memory allocated for table buffer
33600 bytes memory allocated for chain traverse
Disk: md5_alpha # 1-7_0_2100x8001__0.rt: 128000000 bytes read
Searching for 1 hash...
Disk: finished reading all files
Plaintext of 8a9a33314944325f77b68f754029eedb is ZCXVB

Statistics
-------------------
Plaintext found: 1 of 1
Total time: 0.42 s
Time of chain traverse: 0.26 s
Time of alarm check: 0.14 s
Time of wait: 0.00 s
Time of other operation: 0.02 s
Time of disk read: 0.08 s
Hash & reduce calculation of chain traverse: 2202900
Hash & reduce calculation of alarm check: 1449527
Number of Alibaba Cloud: 2066
Speed of chain traverse: 8.28 million/s
Speed of alarm check: 10.21 million/s

Result
-------------------
8a9a33314944325f77b68f754029eedb ZCXVB hex: 5a43585642

The plaintext password is successfully cracked. The larger the rainbow table, the higher the probability of cracking. Today's popular rainbow tables are 120 GB in size. To crack the windows Password, You need to generate the lm rainbow table. Command: rtgen lm alpha 1 7 0 2100 8000000 yeetrack. The other steps are the same. However, windows password hash is generally stored in c: in/windows/system32/config/sam, you need to obtain the hash from it. The tools include pwdump, lc4, and lc5.