About

A Case for Modern Rainbow Table Usage

Rainbow tables went out of style a few years ago when GPU-accelerated password cracking became popular. With tools like hashcat, it no longer made sense to invest the effort to obtain the existing obsolete tables. Furthermore, no GPU-accelerated open-source tools existed to create new tables with. For these reasons, the world of rainbow tables was forgotten by the infosec community.

However, rule-based cracking and rainbow table cracking were never exclusive strategies. They were (and still are, in fact) complementary. Rules are good at finding the patterns users commonly choose; rainbow tables are effective against fully random passwords, which are typically set for highly sensitive accounts.

For example, if the database of NTLM password hashes for a Windows domain were obtained, the optimal strategy would be:

1. Use hashcat to brute-force all 1-7 character passwords (this can be done quickly).
2. Use hashcat to crack passwords based on rules (variable time).
3. Use rainbow tables to break complex 8-character passwords (a few hours).
4. Use rainbow tables to break complex 9-character passwords (a few days).

While brute-forcing 8-character passwords is very much possible with hashcat, it is inefficient to do so for smaller numbers of hashes:

Hashcat arguments used: "-m 1000 -a 3 -w 3 -O hashes.txt ?a?a?a?a?a?a?a?a"

As shown in the graph above, on a machine with a single NVIDIA RTX 2070 GPU, hashcat takes roughly 75 hours to brute-force one hundred 8-character NTLM passwords, whereas the Rainbow Crackalack software (with the NTLM-8 tables) achieves a 93% success rate in an hour and a half!

The following graph shows the cracking times for 9-character NTLM hashes:

Hashcat arguments used: "-m 1000 -a 3 -w 3 -O hashes.txt ?a?a?a?a?a?a?a?a?a"

The graph above shows that, on a machine with a single NVIDIA RTX 2070 GPU, hashcat would take an estimated 150 days to crack 50% of 9-character NTLM hashes, whereas rainbow tables would do it in a little over 2 days (51 hours, to be exact)!

Cracking Example

The following example shows one hundred NTLM 8-character password hashes being cracked by the crackalack_lookup tool:

# ./crackalack_lookup /NTLM8_Master/ random_ntlm_hashes_8_chars_101.txt
Rainbow Crackalack v1.0
Copyright 2018-2019 Positron Security LLC <https://www.positronsecurity.com/>
Make Rainbow Tables Great Again

Found 1 platforms.
Found 2 devices on platform #0.
Device #0:
  Vendor: Advanced Micro Devices, Inc.
  Name: gfx900
  Version: OpenCL 2.0
  Driver: 2862.0 (HSA1.1,LC)
  Max compute units: 64
  Max work group size: 256
  Global memory size: 8573157376
Device #1:
  Vendor: Advanced Micro Devices, Inc.
  Name: gfx900
  Version: OpenCL 2.0
  Driver: 2862.0 (HSA1.1,LC)
  Max compute units: 64
  Max work group size: 256
  Global memory size: 8573157376
Binary searching will be done with 32 threads.
Loaded 101 of 101 uncracked hashes from random_ntlm_hashes_8_chars_101.txt.
Pre-computing hash #1: a7c002406a080278885e47da3909187f...
Note: optimized NTLM8 kernel will be used for precomputation.
Completed in 16.4 secs.
Pre-computing hash #2: bb53c0cb3a8cf0f71f0d6b170ff6b622...
Completed in 16.5 secs.
Pre-computing hash #3: 8e7c7397e513cee2cb50c2fc174ca7b3...
Completed in 16.5 secs.
Pre-computing hash #4: c260b99e3b87dfd7538acae873f99291...
Completed in 16.6 secs.
Pre-computing hash #5: 6055c3fc48f8260ece230fe8b599375e...
Completed in 16.6 secs.
Pre-computing hash #6: bdabd5d2332764e0f15a8dc7ee0c1d3a...
Completed in 16.6 secs.
[...]
Pre-computation finished in 28 mins, 11 secs.
Processing compressed table: /NTLM8_Master/ntlm_ascii-32-95#8-8_0_422000x67108864_206.rtc...
Table loaded in 2.0 secs.
Searching table for matching endpoints...
Table searched in 8.8 secs.
Checking 79462 potential matches...
HASH CRACKED => f417de201da2836457d3d893281e6b0f:2M*CD'HD
Completed false alarm checks in 7.0 secs.
Processing compressed table: /NTLM8_Master/ntlm_ascii-32-95#8-8_0_422000x67108864_1.rtc...
Table loaded in 1.5 secs.
Searching table for matching endpoints...
Table searched in 8.1 secs.
Checking 51869 potential matches...
HASH CRACKED => 4591f8e93ac153282059b5629607aceb: fdrp_<t
HASH CRACKED => 4175d41bb49cd4fd42069435228f0135:`A7&tlSo
Completed false alarm checks in 4.0 secs.
Processing compressed table: /NTLM8_Master/ntlm_ascii-32-95#8-8_0_422000x67108864_116.rtc...
Table loaded in 1.5 secs.
Searching table for matching endpoints...
Table searched in 6.1 secs.
Checking 61776 potential matches...
HASH CRACKED => 52cc18d2dc77f80601532e41cb6738a9:)s&pw3"w
HASH CRACKED => defc96c4f1290e15ac71e35a78625246:E/6""r}]
Completed false alarm checks in 4.0 secs.
Processing compressed table: /NTLM8_Master/ntlm_ascii-32-95#8-8_0_422000x67108864_119.rtc...
Table loaded in 1.5 secs.
Searching table for matching endpoints...
Table searched in 5.7 secs.
Checking 60337 potential matches...
HASH CRACKED => c260b99e3b87dfd7538acae873f99291:=R\XHZ5P
HASH CRACKED => 39b00f4aaebaf614da751a26ae92f209:G|r=sM.r
HASH CRACKED => 03d5353a16d89732e540b38126c35bd9:2}MOJGy5
HASH CRACKED => d4e323ec73f7475571e2b82600e86b73:c0w[U'a:
Completed false alarm checks in 4.0 secs.
[...]

RAINBOW CRACKALACK LOOKUP REPORT

* Crack Summary *

Of the 101 hashes loaded, 92 were cracked, or 91.09%.

Results
-------
a7c002406a080278885e47da3909187f ?0.'{!'I
bb53c0cb3a8cf0f71f0d6b170ff6b622 ]U$AG:YJ
8e7c7397e513cee2cb50c2fc174ca7b3 4D2(KIX!
c260b99e3b87dfd7538acae873f99291 =R\XHZ5P
[...]
-------

Results have been written in JTR format to: rainbowcrackalack_jtr.pot
Results have been written in hashcat format to: rainbowcrackalack_hashcat.pot

* Time Summary *

Precomputation: 28 mins, 11 secs
I/O: 25 mins, 50 secs
Searching: 23 mins, 28 secs
False alarm checks: 39 mins, 57 secs
Total: 1 hours, 57 mins

* Statistics *

Number of tables processed: 745
Number of false alarms: 14,895,354
Number of chains processed: 49,966,924,469
Time spent per table: 9.5 secs
False alarms checked per second: 6,212.5
False alarms per no. chains: 0.02981%
Successful cracks per false alarms: 0.00062%
Successful cracks per total chains: 0.00000018%
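To make the report's vocabulary concrete (chains, endpoints, potential matches, false alarms, and why the false alarm checks dominate the time summary), here is an added toy rainbow table against NTLM. It is example code written for this page, not Rainbow Crackalack's implementation: the keyspace (six letters, length 3), chain length and table size are constructed and tiny, the reduction function is a simple modular one, and MD4 is implemented inline because hashlib may lack it on OpenSSL 3 builds.

```python
import struct
def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib may lack md4 on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z); G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z; rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X, (aa, bb, cc, dd) = struct.unpack("<16I", data[off:off + 64]), (a, b, c, d)
        for i in range(48):                      # three rounds of 16 steps each
            if i < 16:   f, k, s, kk = F(b, c, d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32: f, k, s, kk = G(b, c, d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:        f, k, s, kk = H(b, c, d), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + X[k] + kk) & 0xFFFFFFFF, s), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)
def ntlm(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))     # NTLM is unsalted MD4 of UTF-16LE, which is why precomputation pays off
CHARSET, LENGTH = "abcdef", 3; KEYSPACE = len(CHARSET) ** LENGTH   # constructed toy keyspace, 6^3 = 216
def reduce_fn(h: bytes, step: int) -> str:
    # R_step: hash -> password; a different reduction per column makes this a rainbow (not Hellman) table
    n = (int.from_bytes(h[:8], "little") + step) % KEYSPACE
    return "".join(CHARSET[(n // len(CHARSET) ** i) % len(CHARSET)] for i in range(LENGTH))

def build_table(num_chains: int, chain_len: int) -> dict:
    """Precompute chains; only endpoint -> startpoint is stored, as in an .rtc file."""
    table = {}
    for n in range(num_chains):
        start = pt = reduce_fn(n.to_bytes(8, "little"), 0)   # start point = password number n
        for step in range(chain_len):
            pt = reduce_fn(ntlm(pt), step)
        table.setdefault(pt, start)              # chains merging on an endpoint are dropped
    return table

def lookup(table: dict, target: bytes, chain_len: int):
    """Return (password or None, number of false alarms checked)."""
    false_alarms = 0
    for col in range(chain_len - 1, -1, -1):     # assume the target sits at column col
        pt = reduce_fn(target, col)
        for step in range(col + 1, chain_len):   # walk the rest of the chain to its end
            pt = reduce_fn(ntlm(pt), step)
        if pt in table:                          # endpoint hit: regenerate from the start
            pt = table[pt]
            for step in range(chain_len):
                h = ntlm(pt)
                if h == target:
                    return pt, false_alarms
                pt = reduce_fn(h, step)
            false_alarms += 1                    # endpoint collided but the target was not in the chain
    return None, false_alarms
```

Every endpoint hit costs a full chain regeneration whether or not it is genuine, which is the cost the report books under "False alarm checks"; a hash outside the keyspace is never found and still pays for every false alarm.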