What are Rainbow Tables?
In simple terms, passwords stored in computers are converted from their plain-text form into a hashed value. This value, or hash, is the result of an algorithmic calculation designed for the operating system to use, but not to be plainly visible or intelligible to users. Let’s look at an example password and some associated hashes.
The password “rainbow” would look something like this if it were hashed with the following algorithms:
Type | Hash
------------------ | ------------------
MD2 | A8FA298E39DCCD4BB99546AD015F4146
MD4 | 725C086015707D08849CC22283ADE154
MD5 | CD13B6A6AF66FB774FAA589A9D18F906
SHA-1 | 1EB08C4E3F8A5AB5761723B1210AD4C30E41DC7
RIPEMD-160 | 4870CE7A5BB385EDC57930F05E3DAB0FB883DCC4
LM | 9224FC255C58C50E
NT | 87F65D137998A4CE59EA65B114A0F831
MySQL | 32356F306146F12605E
MySQLSHA1 | 79239E0207CD5F6A472C8795C73B451D349C8573
Cisco PIX | EQRTXAW3PX3q9K5A
As you can see, the resulting information is quite useless to you and me. However, if an application could generate the hash of every possible password in advance and then let you compare your hash with all of those possibilities, you would have Rainbow Tables. The value of using rainbow tables for password cracking and auditing is that traditional methods such as brute forcing and dictionary attacks are time consuming and inefficient. In many cases, the dictionary cracking method requires enormous word lists to be effective. One gigabyte of dictionary passwords might be able to yield a 40 to 50 percent compromise of a set of hashes. The same set of hashes with a complete set of Rainbow Tables properly implemented and utilized could effectively compromise 90 to 95 percent of the hashes in less than 25% of the time.
Why do I need them?
- Because hackers have them, and you should too.
- Best practices for network security dictate that routine self-assessments be performed to determine end user compliance with policies in effect for password complexity. Routine testing of the passwords your users utilize should be performed at 1.5 times the change interval. Although brute forcing and dictionary attacks provide some functionality, Rainbow Tables provide an efficient and cost-effective solution to ensure that users are compliant with, and take ownership of, their responsibilities for password complexity.
- Persons and organizations performing security risk assessments are required to perform the same level of due care and diligence as is expected of the organization being audited. Rainbow Tables are the fastest method and most efficient process available for enterprise password auditing and assessments.
How do I use them?
There are several GUI (Graphical User Interface) and command-line tools available to extract the hashes and to perform the complexity testing and assessment. The Cain application is featured on this site for its functionality and versatility. Tutorials can be found here for Dictionary attacks, Brute Force attacks and Cryptanalysis attacks using RainbowTables.net Rainbow Tables.
Are there different types of Rainbow Tables?
Yes. Tables must be generated for each type of hash that you want to test. Some examples of hash types for which precalculated Rainbow Tables exist include, but are not limited to: LM, NTLM, MD5, MD4, MD2, SHA1, Cisco PIX Firewall and Cisco IOS.
Various types of Rainbow Tables can be purchased here.
Will the tables from this site work for all passwords on my network?
It is feasible that a rainbow table could be generated for every possible combination of letters, numbers and symbols; however, the time needed to generate these tables could stretch into the thousands of years. With the tables available on this site and at other locations on the Internet, it is possible to crack almost any password under 15 characters using a mixed alphanumeric combination with symbols for LM, NTLM, PIX Firewall, MD4, and MD5. Due to the complexity, time, and resources required to generate Rainbow Tables, not all passwords can be cracked using these methods, and the tables for sale on this site are configured to recover passwords that meet specific parameters as indicated in the description of each package.
Rainbow Tables of various configurations can be purchased here.
How can I protect myself and my network from a cryptanalysis attack?
Unfortunately, there is no single solution for total network security. But here are a few simple tips...
- Discontinue the use of LM hashes on your network.
- Create, implement, test and monitor effective policies and procedures for your users as they relate to password security, password complexity, and force regular change intervals.
- Use passwords with the following minimum requirements:
- Not stored in LM format on any machine or server. (This will only help if you are no longer using any NT4.0 servers or workstations. If you are, then even if you disable the use of NetBIOS, Windows 2k and XP will still send LM authentication in clear text every time that you browse the network with the “My Network Places” icon.)
- Force password changes every thirty days for all accounts (especially administrator accounts and those used in a network management capacity).
- Use passwords or pass phrases that cannot be cracked or compromised in less than 30 days.
- Require password history restrictions for password reuse at the maximum level allowed by your operating system.
- Make all passwords at least 15 characters long.
- Make all passwords for network control devices at least 25 characters long.
- Force password complexity to require the use of at least the following: an upper-case alpha, a lower-case alpha, a number, and at least one symbol.
- Utilize password enforcement tools from vendors, such as Microsoft’s passfilt.dll, to enhance the password complexity options available on your network.
- Do NOT EVER use a password that is the same value as the user name or the application the password is intended to secure.
- Do NOT EVER use a blank password.
- Avoid the use of any character string that can be found in a dictionary in any language.
- Train your users on how to successfully comply with the intent of your security policies. And then quickly and efficiently audit them for compliance with Rainbow Tables.
- Ensure that all vendor-supplied solutions for authentication mechanisms are compliant with the implemented security policies of your institution.
- Never allow a third party vendor to utilize the same username or password on your network that is in use in any other facility that they support.
Note: The use of ASCII special characters is highly recommended, as there are very limited resources available to generate rainbow tables with all of the ASCII character combination possibilities. Furthermore, integrating these additional characters into Rainbow Table generation extends the creation time to impractical lengths.
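A check of the minimum requirements listed above, together with the search-space arithmetic behind the note on special characters. This is an added example, not code from RainbowTables.net; the function names, the four-word sample dictionary and the four-character substring threshold are assumptions made for illustration.

```python
import math
import string

# Constructed sample word list; a real audit would load a full dictionary.
SAMPLE_DICTIONARY = {"rainbow", "password", "admin", "welcome"}

# The four character classes named in the complexity rule above.
CLASSES = {
    "upper case letter": string.ascii_uppercase,
    "lower case letter": string.ascii_lowercase,
    "number": string.digits,
    "symbol": string.punctuation,
}

def policy_violations(password, username="", application="",
                      network_device=False, dictionary=SAMPLE_DICTIONARY):
    """Return the listed minimum requirements that `password` fails."""
    if not password:
        return ["blank password"]
    problems = []
    min_len = 25 if network_device else 15  # 25 for network control devices
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    lowered = password.lower()
    for label, value in (("user name", username),
                         ("application name", application)):
        if value and lowered == value.lower():
            problems.append(f"same as {label}")
    # Assumption: flag dictionary words of 4+ letters found anywhere inside.
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary string: " + ", ".join(hits))
    return problems

def keyspace_bits(charset_size, length):
    """log2 of the number of candidate passwords of exactly `length` chars."""
    return length * math.log2(charset_size)

if __name__ == "__main__":
    print(policy_violations("rainbow"))
    alnum = len(string.ascii_letters + string.digits)   # 62 characters
    with_symbols = alnum + len(string.punctuation)      # 94 characters
    for size in (alnum, with_symbols):
        print(size, "chars, length 15:", round(keyspace_bits(size, 15), 1), "bits")
```

Each extra bit doubles the number of candidates a table has to cover, which is why adding symbols at a fixed length of 15 pushes table generation further out of reach.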
Do I need to perform password auditing as part of my routine self assessments?
Simply put, YES! Passwords are the “Keys to the castle” and their complexity is paramount to maintaining network security. Many organizations go to great lengths to secure their perimeter and infrastructure and forgo the most important aspect of internal security: Password Security! Almost every hacking tool or script that I have found on the Internet has one primary goal, to get either the password to a system or the password hash for that system. Once the password is obtained, even at the lowest level, it can be used to elevate privileges or to gain access to sensitive files and resources. Due diligence and care mandate that compliance with network security policies be examined. This can only be performed through routine self-assessments and can only be considered valid when no stone is left unturned. Password audits should be performed at an interval that is not greater than 1.5 times the required change interval. Any password that can be brute forced in less than 24 hours is considered to be extremely weak and should be changed immediately. Furthermore, if you can break it with a Rainbow Table, then so can a hacker or an employee or even the cleaning lady.
Note: Make sure that your Network Security Policy specifically states that use of the system is considered “authorization” to audit all aspects of network security, including passwords. Furthermore, it should state that your users have no expectation of privacy and that security-related audits are routinely performed. Failure to do so can open the systems department and their auditors up to legal liabilities.
Does RamNet Inc. or RainbowTables.net staff perform security assessments for internal or external networks?
No. RamNet Security Solutions’ primary focus is the dissemination of information related to performing vulnerability risk assessments and of the tools and resources necessary to conduct these tests. Currently, our team does not perform security assessments for the general public; however, through various affiliations we can recommend a security assessment partner to accommodate your assessment needs. It should be noted that although third party assessments can generally provide a more focused, high level assessment of enterprise security postures, this does not mitigate the need for the self assessments of security implementations. If you would like information on having a vulnerability risk assessment performed by our primary affiliate, please contact us for more information.
Where can I get Rainbow Tables for my auditing use?
RainbowTables.net provides a wide selection of Rainbow Tables for you to choose from. Rainbow Tables can be purchased from here.
What guidelines does RainbowTables.Net offer in the way of “Routine Self Assessments?”
Guidelines for self-assessment can be located here.
I have problems extracting files from Ramius Cracking Dictionary, what should I do?
We recommend the 7-zip archiver for extracting large files from the Ramius Cracking Dictionary. It is free and works well with large files.