The power of Rainbow Tables

The concept of Rainbow Tables isn't new, but implementations of it are relatively new. Part of that is because computing power has increased enough that they're now feasible. Plus, with distributed computing skills increasing in the marketplace, throwing a hundred CPUs' worth of spare cycles at the problem is quite doable. You can even purchase pre-computed tables.

Since L0phtcrack has been discontinued, the Open Source community has come up with several replacements. One of them is Ophcrack, which even ships a LiveCD that, in their words:
Just put it into the CD-ROM drive, reboot and it will try to find a Windows partition, extract its SAM and start auditing the passwords.
Not useful for remote network intrusions, but perhaps useful in a home setting for recovering lost passwords. Yet another reason for physical security with your servers.

Tables for passwords in the easy character sets, the ones that show up on the keyboard, are readily available. For reference:

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (including the space character)

For reference, that's upper-case, lower-case, numbers, and shift-symbols: the four most common character sets. I know of projects which are working on rainbow tables for the full ASCII table (remember [alt]+205 and the like: ═). Those are going to be for-purchase or sponsored sites, as those tables will be well over 1TB in size. It won't be long.

Of course, if you happen to possess a full-ASCII rainbow table, the biggest computational task in cracking a password will be searching through the 1.7TB (or whatever) of rainbow table for the correct hash. That will take a few minutes, but certainly much less time than hammering away at it one hash at a time with LCP or John the Ripper.

Another thing to keep in mind is that LanMan hashes are still the easiest to crack. NTLM hashes are also crackable, but require more CPU horsepower, so the available tables for NTLM hashes are still fairly simple. I haven't seen any for NTLMv2. Another in a bucketful of reasons for setting up your Windows domains and machines to only use NTLMv2.

Also of note, Rainbow Tables are available for MD5 as well as LanMan. One of the password crypt options on Linux is MD5, though that is typically salted, which renders purchased Rainbow Tables useless. That is not so true for things like embedded devices that use unsalted MD5, or other software-based authentication systems such as commercial FTP servers.

Salting your hashes means that purchased Rainbow Tables are useless. On the other hand, given enough time, a hacker who obtained access to the password hashes (and with them the salt) will be able to compute a table for that salt and solve every hash on the server, regardless of whether or not you changed your passwords after the intrusion. This sort of attack is different from the kind of /etc/passwd stealing we've had going on for a couple of decades now, in that once the table is computed there ARE no safe passwords until you change the salt. Assuming ready access to the password file, of course.
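The two paragraphs above (unsalted MD5 falls to a purchased table; a salt defeats that table, but not one rebuilt by someone who already holds the hashes and the salt) can be shown concretely. This is an added Python example, not code from this post or from any of the tools it names: it builds a miniature rainbow table with real MD5 over a constructed 512-word keyspace. The alphabet, password length, chain length and the salt value s4lt are all assumptions chosen for the demonstration.

```python
import hashlib
from itertools import product

# Constructed toy keyspace: 3-character passwords over an 8-letter alphabet
# (512 candidates). Real tables cover the 95 printable ASCII characters at
# much longer lengths, which is why they run to terabytes.
ALPHABET = "abcdefgh"
LENGTH = 3
KEYSPACE = ["".join(p) for p in product(ALPHABET, repeat=LENGTH)]
CHAIN_LEN = 16           # hashes walked per chain
STARTS = KEYSPACE[::4]   # 128 chains: the table stores 128 rows, not 512 hashes


def md5_hex(text: str) -> str:
    """Unsalted MD5, the kind of hash the post says tables are sold for."""
    return hashlib.md5(text.encode()).hexdigest()


def reduce_fn(digest_hex: str, step: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column number gives
    every column its own reduction function, which is what separates a
    rainbow table from the older Hellman time-memory trade-off."""
    idx = (int(digest_hex[:16], 16) + step) % len(KEYSPACE)
    return KEYSPACE[idx]


def build_table(hash_fn, starts=STARTS):
    """Walk one chain per start point and keep only endpoint -> [starts]."""
    table = {}
    for start in starts:
        cur = start
        for step in range(CHAIN_LEN):
            cur = reduce_fn(hash_fn(cur), step)
        table.setdefault(cur, []).append(start)
    return table


def lookup(table, hash_fn, target_hex):
    """Return the password whose hash_fn digest is target_hex, or None."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in column i and finish the chain from there.
        cur = reduce_fn(target_hex, i)
        for step in range(i + 1, CHAIN_LEN):
            cur = reduce_fn(hash_fn(cur), step)
        # Endpoint matched: regenerate each candidate chain and verify.
        for start in table.get(cur, ()):
            cand = start
            for step in range(CHAIN_LEN):
                if hash_fn(cand) == target_hex:
                    return cand
                cand = reduce_fn(hash_fn(cand), step)
    return None


UNSALTED_TABLE = build_table(md5_hex)


def crack_unsalted(password: str):
    """The purchased-table case: unsalted MD5 against a precomputed table."""
    return lookup(UNSALTED_TABLE, md5_hex, md5_hex(password))


def crack_salted(password: str, salt: str, attacker_knows_salt: bool):
    """With a salt, the unsalted table misses. If one salt serves the whole
    server and it leaked with the hashes, a single rebuilt table covers it."""
    def salted_md5(text: str) -> str:
        return md5_hex(salt + text)
    target = salted_md5(password)
    if not attacker_knows_salt:
        return lookup(UNSALTED_TABLE, md5_hex, target)
    return lookup(build_table(salted_md5), salted_md5, target)


def coverage(table, hash_fn=md5_hex) -> float:
    """Fraction of the keyspace the table recovers. Chains merge, so a rainbow
    table is probabilistic rather than a complete dictionary."""
    hits = sum(1 for p in KEYSPACE if lookup(table, hash_fn, hash_fn(p)) == p)
    return hits / len(KEYSPACE)


if __name__ == "__main__":
    print("unsalted 'aaa':", crack_unsalted("aaa"))
    print("salted, purchased table:", crack_salted("aaa", "s4lt", False))
    print("salted, table rebuilt for the salt:", crack_salted("aaa", "s4lt", True))
    print("table coverage: %.2f" % coverage(UNSALTED_TABLE))
```

Run the file directly to see the four results. The thing to take from it is the cost model: a purchased table costs the attacker nothing per server, a server-wide salt costs them one table build, and a per-user salt (the way modern crypt variants work) costs them one build per user, at which point precomputation buys nothing over plain guessing.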

Happily, the sort of hacker looking to perform this sort of attack is rare. Most of the hackers out there are looking to set up botnets and warez sites, and don't have the patience for this kind of attack. They're looking for lots of low-hanging fruit, rather than one specific target.

Rainbow Tables are a powerful tool, especially against Windows networks that still maintain LanMan hashes. LanMan has been deprecated for quite some time, but backwards compatibility forces continued use. Older versions of Samba don't speak NTLM, which forces Windows machines to speak (and therefore store hashes for) LanMan. With Rainbow Tables in the equation and a Windows system that maintains LanMan hashes, passwords of 14 characters and shorter (I was wrong, it's 7+7 not 8+8) are effectively the same as clear-text.

1 Comment

Wow, I guess it's been a while since I wanted to actually crack a password instead of just reset it. The last time I did that, back in 2001, or was it just 2003... Well, anyway, when I did it last, I had a working, though, cracked, ironically, version of L0phtCrack that was still doing quite well. Thanks for the update! I used to be on the bleeding edge of security tech, but now I'm on the sleeping edge. ;)