phillips321.co.uk

So you’ve got a hash and you want to crack it. We’ve already covered a quick way to get to a windows password here but in that example we simply used john the ripper to crack the password… but what if john is taking ages? Step in rainbow tables.

I wont go into detail of what Rainbow tables are as they are already well documented on the web but as a quick summary they are simply pre computed hashes stored in usually large tables in order to tradeoff the CPU/storage issue computers are always up against.

Lets just say we have the hash:

The first, and most common tool, that we’ll use to perform the cracking is ophcrack. It’s easy to install, on debian boxes it’s as easy as apt-get install ophcrack(you’ll need the correct repository).

Once you’ve got ophcrack install you’ll also need to download the rainbow tables for it, they can be found here.

Simply load it up and click the tables icon, you then need to click install in order to load your tables (XP free fast and XP free small):

Then click Load–>Single Hash:

Then it’s as simple as clicking Crack, if the password is found it’ll be displayed as such, simple!

The next tool on the list is rcracki (or rcracki_mt as it’s now known). This tool is to be used with the rainbow tables provided on freerainbowtables.com. The tables are pretty large and for LanManager hashes like we’ve got here you have 2 options:

• lm_all-space#1-7: 34 GB
• lm_lm-frt-cp437-850#1-7: 365 GB

In the example here we’ll be using the lm_all-space#1-7 tables but feel free if you have the time, bandwidth and storage to download both.

Once you’ve downloaded the tables you need to run rcrack_mt and point it towards both the hash and the tables. In this example I’ve dropped the hash used above in hash.txt:

Depending on where the password falls within the rainbow tables the next bit could take a while…in my case this took ~70seconds on my machine.

And there you have it, two ways to crack a LM hash using rainbow tables.