
3/25/2011 RainbowCrack Project - RainbowCrack T…

RainbowCrack Project

RainbowCrack Tutorial
RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. The function of this software is
to crack hashes.

The straightforward way to crack a hash is brute force. In the brute force approach, all candidate plaintexts and their corresponding hashes are
computed one by one. The computed hashes are compared with the target hash. If one of them matches, the plaintext is found. Otherwise
the process continues until all candidate plaintexts have been searched.

In the time-memory tradeoff approach, the task of hash computing is done in advance, with the results stored in files called "rainbow tables". After
that, hashes can be looked up from the rainbow tables whenever needed. The pre-computation process needs several times the effort of a full
key space brute force. But once the one-time pre-computation is complete, the table lookup performance can be hundreds or thousands of times
faster than brute force.

This document explains the steps a first-time user needs to get the RainbowCrack software working. Most of the content in this document is
implementation specific, while the rest is generic to the time-memory tradeoff algorithm.

The RainbowCrack software includes three tools that must be used in sequence to make things work.
Step 1: Use the rtgen program to generate rainbow tables.
Step 2: Use the rtsort program to sort the rainbow tables generated by rtgen.
Step 3: Use the rcrack program to look up the rainbow tables sorted by rtsort.

The table lookup process in the final step is equivalent to the hash cracking process.

The way to use these programs is explained in this document. All of them are command line programs.

Step 1: Use rtgen program to generate rainbow tables

The rtgen program needs several parameters to generate a rainbow table. The syntax of the command line is:

rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index

Explanation of these parameters:

parameter: meaning

hash_algorithm: The hash algorithm (lm, ntlm, md5 and so on) used in the rainbow table.

charset: The charset of all plaintexts in the rainbow table. All possible charsets are defined in the charset.txt file.

plaintext_len_min, plaintext_len_max: These two parameters define the possible length of all plaintexts in the rainbow table. If charset is numeric,
plaintext_len_min is 1, and plaintext_len_max is 5, then the plaintext "12345" is likely included in the table, but "123456"
will not be included.

table_index, chain_len, chain_num, part_index: These four parameters are really difficult to explain in simple words. Reading and understanding Philippe Oechslin's original
paper can help to know the exact meaning.
The table_index is related to the "reduce function" that is used in the rainbow table.
The chain_len is the length of each "rainbow chain" in the rainbow table. A "rainbow chain" sized 16 bytes is the smallest
unit in a rainbow table. A rainbow table contains lots of rainbow chains.
The chain_num is the number of rainbow chains in the rainbow table.
The part_index parameter determines how the "start point" in each rainbow chain is generated. It must be a number (or
begin with a number) in RainbowCrack 1.3 & 1.4. In RainbowCrack 1.2, this parameter can be any string because a random
"start point" is used, while 1.3 & 1.4 use the sequential "start point".

The right values of all the parameters depend on what you need; selecting good parameters requires some understanding of the time-memory
tradeoff algorithm.

One ready-to-work configuration is given below, as an example:

hash_algorithm: lm, ntlm or md5

charset: alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
or
loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]

plaintext_len_min: 1

plaintext_len_max: 7

chain_len: 3800

chain_num: 33554432

key space: 36^1 + 36^2 + 36^3 + 36^4 + 36^5 + 36^6 + 36^7 = 80603140212
The key space is the number of possible plaintexts for the charset, plaintext_len_min and plaintext_len_max selected.

table size: 3 GB

success rate: The time-memory tradeoff algorithm is a probabilistic algorithm. Whatever parameters are selected, there is always
a probability that a plaintext within the selected charset and plaintext length range is not covered. The success rate is
99.9% with the parameters used in this example.

table generation: The actual rtgen commands used to generate the rainbow tables are:
rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0
If an ntlm or lm table is desired, replace "md5" in the commands above with "ntlm" or "lm".
If the alpha-numeric charset is desired, replace "loweralpha-numeric" in the commands above with "alpha-numeric".
If an lm table is to be generated, please CONFIRM the charset is alpha-numeric instead of loweralpha-numeric. The lm
algorithm NEVER uses lowercase letters as plaintext.

Now it is time to generate the rainbow tables.

Change the current directory of your command prompt to RainbowCrack's directory, and execute the following command:

rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0

This command takes about 4 hours to complete on a Core2 Duo E7300 processor. It is safe to stop the computation at any time by pressing
Ctrl+C. The next time the rtgen program is executed with exactly the same command line parameters, it will resume from where the computation
stopped and continue the table generation.

When the command is finished, a file named "md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt" sized 512 MB will be in place. The file
name is simply all the command line parameters connected, with the "rt" extension. The rcrack program, explained later, needs this piece
of information to know the parameters of the rainbow table. So don't rename the file.
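Because the file name is the only record of the table's parameters, it can be checked before a long sort or lookup. The following Python sketch is an added example, not RainbowCrack's own code: it recovers the rtgen parameters from a name, derives the key space, and computes the size a finished table should have from the 16 bytes per chain stated above. The helper names are hypothetical, only the two charsets quoted in this tutorial are known to it, and "512 MB" is assumed to mean 512 × 2^20 bytes.

```python
import re

# The two charsets quoted in this tutorial (charset.txt defines others).
CHARSETS = {
    "alpha-numeric": "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
    "loweralpha-numeric": "abcdefghijklmnopqrstuvwxyz0123456789",
}
CHAIN_BYTES = 16  # size of one rainbow chain, as stated in the tutorial

# Assumed layout, read off the file names shown in this tutorial.
RT_NAME = re.compile(
    r"^(?P<hash_algorithm>[a-z0-9]+)_(?P<charset>[A-Za-z0-9-]+)"
    r"#(?P<plaintext_len_min>\d+)-(?P<plaintext_len_max>\d+)"
    r"_(?P<table_index>\d+)_(?P<chain_len>\d+)x(?P<chain_num>\d+)"
    r"_(?P<part_index>\d[A-Za-z0-9]*)\.rt$"
)
INT_FIELDS = ("plaintext_len_min", "plaintext_len_max",
              "table_index", "chain_len", "chain_num")

def parse_rt_name(name):
    """Recover the rtgen parameters from a table file name, or raise ValueError."""
    m = RT_NAME.match(name)
    if m is None:
        raise ValueError(f"not an rtgen-style table name: {name!r}")
    p = m.groupdict()
    p.update((k, int(p[k])) for k in INT_FIELDS)
    if not 1 <= p["plaintext_len_min"] <= p["plaintext_len_max"]:
        raise ValueError("plaintext length range is empty")
    charset = CHARSETS.get(p["charset"], "")
    if p["hash_algorithm"] == "lm" and any(c.islower() for c in charset):
        raise ValueError("lm tables must not use a lowercase charset")
    return p

def key_space(p):
    """Number of candidate plaintexts for the charset and length range."""
    n = len(CHARSETS[p["charset"]])
    return sum(n ** k for k in range(p["plaintext_len_min"], p["plaintext_len_max"] + 1))

def expected_file_size(p):
    """Bytes a finished table should occupy: one 16-byte record per chain."""
    return p["chain_num"] * CHAIN_BYTES

if __name__ == "__main__":
    p = parse_rt_name("md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt")
    print(p, key_space(p), expected_file_size(p) // 2**20, "MiB")
```

A table file whose size on disk is smaller than expected_file_size() was interrupted before generation finished and should be resumed with the same rtgen command line.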

The remaining tables can be generated in the same way with the commands:

rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0

Finally, these files are generated:

md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt 512MB
md5_loweralpha-numeric#1-7_1_3800x33554432_0.rt 512MB
md5_loweralpha-numeric#1-7_2_3800x33554432_0.rt 512MB
md5_loweralpha-numeric#1-7_3_3800x33554432_0.rt 512MB
md5_loweralpha-numeric#1-7_4_3800x33554432_0.rt 512MB
md5_loweralpha-numeric#1-7_5_3800x33554432_0.rt 512MB

Now the rainbow table generation process is complete.

Step 2: Use rtsort program to sort rainbow tables

The rainbow tables generated by the rtgen program need some post-processing to make table lookup easier. The rtsort program is used to sort
the "end point" of all rainbow chains in a rainbow table.

Use the following commands:

rtsort md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_1_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_2_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_3_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_4_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_5_3800x33554432_0.rt


Each command above takes about 1 to 2 minutes to complete. The rtsort program will write the sorted rainbow table to the original file.
Don't interrupt the rtsort program; otherwise the rainbow table being sorted will be damaged.
If the free memory size of your system is smaller than the size of the rainbow table being sorted, temporary hard disk space as large as the
rainbow table size will be needed to store intermediate data.

Now the rainbow table sorting process is complete.

Step 3: Use rcrack program to lookup rainbow tables

The rcrack program is used to look up the rainbow tables. It only accepts sorted rainbow tables.

Assuming the sorted rainbow tables are placed in the c:\rt directory, the command line to crack a single hash is:

rcrack c:\rt\*.rt -h your_hash_comes_here

The first parameter specifies the path to the rainbow tables to look up. The "*" and "?" characters can be used to specify multiple files.

Normally it takes seconds or tens of seconds to finish, if the plaintext is within the selected charset and plaintext length range. Otherwise, it
takes a much longer time to search all the tables only to find nothing.

To crack multiple hashes, place all the hashes in a text file with one hash per line, and then specify the file name on the rcrack command line:
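The three steps can be seen end to end on a toy key space. The Python sketch below is an added example, not RainbowCrack's code or file format: the reduce function is an assumed simple form that varies with chain position and table_index, the charset and lengths are constructed toy values, and all function names are hypothetical. It shows why only start and end points are stored, why lookup needs the end points sorted, and why the success rate stays below 100%.

```python
import hashlib
from bisect import bisect_left

CHARSET, MIN_LEN, MAX_LEN = "0123456789", 1, 4        # constructed toy parameters
SIZES = [len(CHARSET) ** n for n in range(MIN_LEN, MAX_LEN + 1)]
KEY_SPACE = sum(SIZES)                                # 10 + 100 + 1000 + 10000

def index_to_plain(i):
    """Map an index in 0..KEY_SPACE-1 to a plaintext of MIN_LEN..MAX_LEN chars."""
    n = len(CHARSET)
    for length, size in zip(range(MIN_LEN, MAX_LEN + 1), SIZES):
        if i < size:
            return "".join(CHARSET[i // n ** k % n] for k in reversed(range(length)))
        i -= size
    raise ValueError("index outside key space")

def H(plain):
    return hashlib.md5(plain.encode()).digest()

def reduce_(digest, pos, table_index):
    """Toy reduce function (assumed form): varies with chain position and table_index."""
    return (int.from_bytes(digest[:8], "little") + pos + table_index * 65536) % KEY_SPACE

def walk(idx, start_pos, end_pos, table_index):
    for pos in range(start_pos, end_pos):             # hash, then reduce, per position
        idx = reduce_(H(index_to_plain(idx)), pos, table_index)
    return idx

def generate(table_index, chain_len, chain_num):
    """Sequential start points; keep only (end point, start point), sorted by end point."""
    return sorted((walk(s, 0, chain_len - 1, table_index), s) for s in range(chain_num))

def lookup(table, target, table_index, chain_len):
    ends = [end for end, _ in table]
    for pos in range(chain_len - 2, -1, -1):          # assume target sits at position pos
        end = walk(reduce_(target, pos, table_index), pos + 1, chain_len - 1, table_index)
        k = bisect_left(ends, end)                    # binary search needs sorted end points
        while k < len(ends) and ends[k] == end:
            plain = index_to_plain(walk(table[k][1], 0, pos, table_index))
            if H(plain) == target:                    # otherwise a false alarm (merged chain)
                return plain
            k += 1
    return None                                       # plaintext not covered by this table

def coverage(table_index, chain_len, chain_num):
    """Fraction of the key space that lookup() can recover (the success rate)."""
    seen = {walk(s, 0, pos, table_index) for s in range(chain_num) for pos in range(chain_len - 1)}
    return len(seen) / KEY_SPACE
```

Calling coverage() with a second table_index and combining the sets shows how several tables with different reduce functions raise the overall success rate.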

rcrack c:\rt\*.rt -l hash_list_file

If the rainbow tables you generate use the lm algorithm, the rcrack program has special support for it with the "-f" command switch. A hash dump
file in pwdump format is required as input to the rcrack program. The file will look like this:

Guest:501:a296c9e4267e9ba9aad3b435b51404ee:9d978dda95e5185bbeda9b3ae00f84b4:::

The pwdump file is the output of pwdump2, pwdump3 or other utilities. It contains both the lm hash and the ntlm hash.

To crack the lm hashes in a pwdump file, use the following command:

rcrack c:\rt\*.rt -f pwdump_file

The lm hash algorithm converts all lowercase letters in the plaintext to uppercase; as a result, the plaintexts cracked via the lm hash never
contain lowercase letters, while the actual plaintext may contain lowercase letters. The rcrack program will try to do case correction with the
ntlm hashes stored in the same file and output the original plaintext.

Copyright 2003-2011 RainbowCrack Project. All rights reserved.

project-rainbowcrack.com/tutorial.htm 3/3