{"id":471,"date":"2012-03-23T14:24:49","date_gmt":"2012-03-23T14:24:49","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=471"},"modified":"2012-03-23T14:29:11","modified_gmt":"2012-03-23T14:29:11","slug":"cracking-lm-hashes-with-rainbow-tables","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/03\/23\/cracking-lm-hashes-with-rainbow-tables\/","title":{"rendered":"Cracking LM hashes with rainbow tables"},"content":{"rendered":"<p>So you&#8217;ve got a hash and you want to crack it. We&#8217;ve already covered a quick way to <a href=\"http:\/\/www.phillips321.co.uk\/2012\/03\/04\/mount-and-crack-a-windows-partition-passwords\/\" title=\"Mount and crack a windows partition passwords\" target=\"_blank\">get to a Windows password here<\/a>, but in that example we simply used <a href=\"http:\/\/www.openwall.com\/john\/\" target=\"_blank\">John the Ripper<\/a> to crack the password&#8230; but what if John is taking ages? Step in rainbow tables.<\/p>\n<p>I won&#8217;t go into detail on what <a href=\"http:\/\/en.wikipedia.org\/wiki\/Rainbow_table\" target=\"_blank\">rainbow tables are, as they are already well documented on the web<\/a>, but in short they are precomputed chains of hashes stored in (usually large) tables: a time\/memory trade-off in which the hashing work is done once, up front, so that each later lookup costs a few disk reads and a short chain walk rather than a full brute force.<\/p>\n<p>Let&#8217;s say we have the following hash, in pwdump format (username, RID, LM hash, NT hash); it&#8217;s the LM hash, the first of the two, that we&#8217;ll be cracking:<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"bash codecolorer\">Administrator:<span class=\"nu0\">500<\/span>:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>The first, and most common, tool we&#8217;ll use to do the cracking is <a href=\"http:\/\/ophcrack.sourceforge.net\/\" target=\"_blank\">ophcrack<\/a>. It&#8217;s easy to install; on Debian boxes it&#8217;s as simple as <em>apt-get install ophcrack<\/em> (you&#8217;ll need the correct repository enabled).<\/p>\n<p>Once you&#8217;ve got ophcrack installed you&#8217;ll also need to download the rainbow tables for it, which can be <a href=\"http:\/\/ophcrack.sourceforge.net\/tables.php\" target=\"_blank\">found here<\/a>.<\/p>\n<p>Load it up and click the Tables icon, then select the tables you&#8217;ve downloaded (XP free fast and XP free small, both of which are LM tables) and click Install to load them:<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/03\/ophcrack1.png\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/03\/ophcrack1-150x150.png\" alt=\"\" title=\"ophcrack1\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-475\" \/><\/a><br \/>\nThen click Load&#8211;>Single Hash:<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/03\/ophcrack2.png\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/03\/ophcrack2-150x150.png\" alt=\"\" title=\"ophcrack2\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-476\" \/><\/a><br \/>\nThen it&#8217;s as simple as clicking <strong>Crack<\/strong>; if the password is found it&#8217;ll be displayed in the results table, simple!<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/03\/ophcrack3.png\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/03\/ophcrack3-150x150.png\" alt=\"\" title=\"ophcrack3\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-477\" \/><\/a><\/p>\n<p>The next tool on the list is <a href=\"http:\/\/sourceforge.net\/projects\/rcracki\/\" target=\"_blank\">rcracki (or rcracki_mt as it&#8217;s now known)<\/a>. This tool is designed to be used with the rainbow tables provided on <a href=\"http:\/\/freerainbowtables.com\/en\/tables2\/\" target=\"_blank\">freerainbowtables.com<\/a>. The tables are large; for LanManager (LM) hashes like the one we&#8217;ve got here there are two options:<\/p>\n<ul>\n<li>lm_all-space#1-7: 34 GB<\/li>\n<li>lm_lm-frt-cp437-850#1-7: 365 GB<\/li>\n<\/ul>\n<p>Both cover passwords of 1 to 7 characters only, and that is all you need: LM uppercases the password, pads it to 14 characters and hashes each 7-character half independently, so a table covering lengths 1&#8211;7 over a given character set catches every LM hash built from that set, whatever the original length (up to LM&#8217;s 14-character maximum). The difference between the two is the character set: all-space covers the uppercase letters, digits, symbols and the space character, while the cp437-850 set adds the extended characters from those code pages, which is why it&#8217;s ten times the size.<\/p>\n<p>In the example here we&#8217;ll be using the lm_all-space#1-7 tables, but feel free to download both if you have the time, bandwidth and storage.<\/p>\n<p>Once you&#8217;ve downloaded the tables you need to run rcracki_mt and point it at both the hash and the tables. In this example I&#8217;ve dropped the hash used above into hash.txt; the <em>-f<\/em> option reads the pwdump format directly, and the &#8220;2 hashes&#8221; it reports are the two 7-character halves of the LM hash:<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"bash codecolorer\"><span class=\"co4\">phillips321@KubuntuDesktop:$ <\/span>.<span class=\"sy0\">\/<\/span>rcracki_mt <span class=\"re5\">-f<\/span> hash.txt lm_all-space<span class=\"sy0\">\/*<\/span>.rti2<br \/>\nUsing <span class=\"nu0\">1<\/span> threads <span class=\"kw1\">for<\/span> pre-calculation and <span class=\"kw2\">false<\/span> alarm checking...<br \/>\nFound <span class=\"nu0\">80<\/span> rainbowtable files...<br \/>\n<br \/>\n<span class=\"co4\">lm_all-space#<\/span><span class=\"nu0\">1<\/span>-<span class=\"nu0\">7<\/span>_0_10000x51209963_distrrtgen<span class=\"br0\">&#91;<\/span>p<span class=\"br0\">&#93;<\/span><span class=\"br0\">&#91;<\/span>i<span class=\"br0\">&#93;<\/span>_19.rti2<br \/>\nChain Position is now <span class=\"nu0\">51209963<\/span><br \/>\n<span class=\"nu0\">307259778<\/span> bytes <span class=\"kw2\">read<\/span>, disk access time: 2.33s<br \/>\nsearching <span class=\"kw1\">for<\/span> <span class=\"nu0\">2<\/span> hashes...<br \/>\ncryptanalysis time: <span class=\"nu0\">37.33<\/span> s<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Depending on where the password falls within the tables the lookup could take a while; in my case it took around 70 seconds on my machine.<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"bash codecolorer\">statistics<br \/>\n<span class=\"re5\">-------------------------------------------------------<\/span><br \/>\nplaintext found: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class=\"nu0\">2<\/span> of <span class=\"nu0\">2<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">100.00<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\ntotal disk access time: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 74.48s<br \/>\ntotal cryptanalysis time: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 11.10s<br \/>\ntotal pre-calculation time: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 55.06s<br \/>\ntotal chain walk step: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class=\"nu0\">149955003<\/span><br \/>\ntotal <span class=\"kw2\">false<\/span> alarm: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class=\"nu0\">7769<\/span><br \/>\ntotal chain walk step due to <span class=\"kw2\">false<\/span> alarm: <span class=\"nu0\">29230562<\/span><br \/>\nresult<br \/>\n<span class=\"re5\">-------------------------------------------------------<\/span><br \/>\nAdministrator &nbsp; hacmebank &nbsp; &nbsp; &nbsp; hex:6861636d6562616e6b<br \/>\n<span class=\"co4\">phillips321@KubuntuDesktop:$<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>One thing to bear in mind: because LM hashes the uppercased password, an LM table on its own only tells you the letters of the password, not their case. It&#8217;s the NT hash sitting alongside it in the pwdump line that lets the case be confirmed, which is why the result above can come out as the lowercase hacmebank rather than HACMEBANK.<\/p>\n<p>And there you have it, two ways to crack an LM hash using rainbow tables.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So you&#8217;ve got a hash and you want to crack it. We&#8217;ve already covered a quick way to get to a Windows password here but in that example we simply used John the Ripper to crack the password&#8230; but what if John is taking ages? Step in rainbow tables. I won&#8217;t go into detail on [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[182,184,183,180,185,181],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/471"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=471"}],"version-history":[{"count":7,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/471\/revisions"}],"predecessor-version":[{"id":482,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/471\/revisions\/482"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
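Before handing a dump to ophcrack or rcracki_mt it is worth checking which LM hashes are actually crackable. The Python below is an added example, not code from the post or from either tool: it parses pwdump-style lines like the Administrator line in the post, splits the LM hash into its two independently hashed 7-character halves and flags the two cases a practitioner cares about, the empty-password constant aad3b435b51404ee in both halves (LM storage disabled, so an LM table will find nothing) and in the second half only (password of 7 characters or fewer, so only one half needs cracking). The svc_backup and jsmith accounts, their hashes and the junk line are constructed sample data; only the Administrator line comes from the post.

```python
# Added example (not from the original post): triage pwdump-style lines
# before pointing ophcrack or rcracki_mt at them. Sample input is constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# LM hash of an empty 7-character half (DES of the constant 'KGS!@#$%'
# under a key of seven zero bytes). Both halves equal to this means LM
# storage is off or the password is blank; only the second half equal to
# it means the password is 7 characters or fewer.
EMPTY_LM_HALF = 'aad3b435b51404ee'
EMPTY_LM = EMPTY_LM_HALF * 2
HEXDIGITS = set('0123456789abcdef')


@dataclass
class LmTriage:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str
    lm_disabled: bool     # nothing for an LM table to find
    short_password: bool  # plaintext is 7 chars or fewer: one half to crack
    halves: List[str]     # non-empty 8-byte halves, each cracked independently


def is_hex32(value: str) -> bool:
    return len(value) == 32 and set(value).issubset(HEXDIGITS)


def parse_pwdump_line(line: str) -> Optional[LmTriage]:
    # pwdump layout: user:RID:LM:NT:comment:homedir:
    parts = line.strip().split(':')
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    lm_hash, nt_hash = parts[2].lower(), parts[3].lower()
    if not (is_hex32(lm_hash) and is_hex32(nt_hash)):
        return None
    first, second = lm_hash[:16], lm_hash[16:]
    lm_disabled = lm_hash == EMPTY_LM
    return LmTriage(
        user=parts[0],
        rid=int(parts[1]),
        lm_hash=lm_hash,
        nt_hash=nt_hash,
        lm_disabled=lm_disabled,
        short_password=(not lm_disabled) and second == EMPTY_LM_HALF,
        halves=[h for h in (first, second) if h != EMPTY_LM_HALF],
    )


def triage(lines: Iterable[str]) -> List[LmTriage]:
    # Lines that do not parse are skipped rather than aborting the run
    return [e for e in map(parse_pwdump_line, lines) if e is not None]


def lm_candidates(lines: Iterable[str]) -> List[str]:
    # LM hashes worth handing to an LM rainbow table (e.g. via rcracki_mt -f):
    # accounts carrying the empty-password constant are dropped
    return [e.lm_hash for e in triage(lines) if not e.lm_disabled]


# Constructed sample: the Administrator line from the post plus two made-up
# accounts (svc_backup with LM disabled, jsmith with a password of 7 chars
# or fewer) and one junk line. Hashes other than Administrator's are
# arbitrary hex, not real password hashes.
SAMPLE_LINES = [
    'Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::',
    'svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::',
    'jsmith:1002:fedcba9876543210aad3b435b51404ee:00112233445566778899aabbccddeeff:::',
    'not a pwdump line at all',
]

if __name__ == '__main__':
    for entry in triage(SAMPLE_LINES):
        print(entry.user, 'lm_disabled=%s short=%s halves=%s'
              % (entry.lm_disabled, entry.short_password, entry.halves))
    print('LM hashes to crack:', lm_candidates(SAMPLE_LINES))
```

For the Administrator line this reports two non-empty halves, which matches the "searching for 2 hashes" line in the rcracki_mt output above; an account like jsmith would need only the first half looked up, and svc_backup is not worth an LM table at all.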