<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>RainbowCrack v1.0 tutorial</title>
</head>

<body>

<h1>RainbowCrack tutorial</h1>  

<p><font size="2">by Zhu Shuanglei &lt;shuanglei@hotmail.com&gt;<br>
http://www.antsight.com/zsl/rainbowcrack/</font></p> 
<hr size="1">

<p>RainbowCrack is an instant Windows password cracker based on <a href="http://lasecwww.epfl.ch/philippe.shtml">Philippe
Oechslin</a>'s <a href="http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03">faster
time-memory trade-off technique</a>. It is recommended that you look through the paper before you
read this tutorial.<br>
<br>
In this tutorial, we will guide you through the steps to get things working.<br>
</p>

<h2>1. Some basics of the Time-Memory Trade-Off
</h2>

<p>There are two typical attacks in cryptanalysis of block ciphers: brute force          
and table precomputation. In brute force, an attacker tries all possible keys to          
encrypt a known plaintext for which he has the corresponding ciphertext. The          
idea of table precomputation is to precompute and store encryptions of a chosen          
plaintext and corresponding keys for all possible keys.&nbsp;</p>         
<p>RainbowCrack uses the second method. It precomputes and stores all possible
password / LanManager hash pairs in files called &quot;rainbow
tables&quot;. Whenever the password for a LanManager hash is required, you just
query the precomputed tables and find the password in seconds.<br>
</p>

<h2>2. Select the configuration    
</h2>
<p>First of all, we will select the configuration of the attack. There are
many parameters to adjust in the theory: the success rate you want, the
character set to use, the hard disk space you can afford and so on. If you know
the theory well, you can work on your own. If not, we have prepared some typical parameter configurations for you. They are optimized to
the best of my knowledge.
</p>

<p>NOTE: All the configurations below are ready for a 666MHz CPU. If your CPU   
is faster, the performance will be better.   
</p>

<table border="1" width="100%" cellspacing="0">
  <tr>
    <td width="100%" colspan="2">CONFIGURATION #0</td>
  </tr>
  <tr>
    <td width="39%">character set</td> 
    <td width="61%">					alpha (ABCDEFGHIJKLMNOPQRSTUVWXYZ)</td>
  </tr>
  <tr>
    <td width="39%">key space</td>
    <td width="61%"> 26^1 + 26^2 + 26^3 + 26^4 + 26^5 + 26^6 + 26^7 = 8353082582</td> 
  </tr>
  <tr>
    <td width="39%">t</td>
    <td width="61%">2100</td>
  </tr>
  <tr>
    <td width="39%">m</td>
    <td width="61%">8000000</td>
  </tr>
  <tr>
    <td width="39%">l</td>
    <td width="61%">5</td>
  </tr>
  <tr>
    <td width="39%">disk usage</td>
    <td width="61%">m * 16 * l = 640000000 B = 610 MB</td> 
  </tr>
  <tr>
    <td width="39%">success rate</td>
    <td width="61%"> 0.9990</td>
  </tr>
  <tr>
    <td width="39%">mean cryptanalysis time</td>
    <td width="61%"> 3.7841 s</td>
  </tr>
  <tr>
    <td width="39%">mean cryptanalysis time on a low memory system (free memory 
      size much smaller than 122MB)</td>
    <td width="61%" valign="top"> 8.2836 s</td>
  </tr>
  <tr>
    <td width="39%">max cryptanalysis time</td>
    <td width="61%">   31.1441 s</td>
  </tr>
  <tr>
    <td width="39%" valign="top">table precomputation commands</td>
    <td width="61%">rtgen alpha 0 2100 8000000 bla<br> 
      rtgen alpha 1 2100 8000000 bla<br> 
      rtgen alpha 2 2100 8000000 bla<br> 
      rtgen alpha 3 2100 8000000 bla<br> 
      rtgen alpha 4 2100 8000000 bla</td> 
  </tr>
  <tr>
    <td width="39%" valign="top">table precomputation time</td>
    <td width="61%">2 days 18 hours</td>
  </tr>
</table>
<p>Some explanations: 
</p>

<table border="0" width="100%" cellspacing="0">
  <tr>
    <td width="22%">
character set</td>
    <td width="78%">We use alpha characters as the plaintext character set.</td>
  </tr>
  <tr>
    <td width="22%">
key space</td>
    <td width="78%">There are 8353082582 different alpha-only
plaintexts.</td>
  </tr>
  <tr>
    <td width="22%">t</td>
    <td width="78%">rainbow chain length, see the <a href="http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03">paper</a>  
for detail</td> 
  </tr>
  <tr>
    <td width="22%">m</td>
    <td width="78%"> 
rainbow chain count of each rainbow table, see the <a href="http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03">paper</a>  
for detail</td> 
  </tr>
  <tr>
    <td width="22%">l</td>
    <td width="78%"> 
rainbow table count, see the <a href="http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03">paper</a>  
for detail</td> 
  </tr>
  <tr>
    <td width="22%" valign="top">
disk usage</td>
    <td width="78%">Disk space required to store all generated rainbow
tables.<br>
      Each rainbow chain takes 16 bytes (8 bytes for a start point and 8 bytes for
an end point).</td>
  </tr>
  <tr>
    <td width="22%" valign="top">
success rate</td>
    <td width="78%">When the rainbow tables have been generated, you will have
a 99.9% probability of cracking an alpha-only password.<br>
      Due to the nature of the theory, success is not guaranteed.</td>
  </tr>
  <tr>
    <td width="22%" valign="top">mean cryptanalysis time</td> 
    <td width="78%">You need 3.7841 seconds on average to crack an alpha
      password.<br>
      This does not take into account the time spent on &quot;false alarms&quot;.<br>
      See the <a href="http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03">paper</a>
      to find out what a &quot;false alarm&quot; is.</td>
  </tr>
  <tr>
    <td width="22%" valign="top">mean cryptanalysis time on a low memory system</td> 
    <td width="78%">If you don't have enough free physical memory to hold one
      rainbow table at a time, the program (rcrack.exe) will have to load and
      search the table chunk by chunk, losing the chance of
      finding the password early.<br>
      This does not take into account the time spent on &quot;false alarms&quot;.</td>
  </tr>
  <tr>
    <td width="22%" valign="top">max cryptanalysis time</td> 
    <td width="78%">If the password you are searching for is not covered by the
      rainbow tables, you will have to search all tables only to find nothing.<br>
      This does not take into account the time spent on &quot;false alarms&quot;.</td>
  </tr>
  <tr>
    <td width="22%" valign="top">table precomputation commands</td> 
    <td width="78%">Use the utility &quot;rtgen.exe&quot; in the distribution  
      and these commands to generate the rainbow tables which are required to launch the  
      attack.<br>
      (see next section of the tutorial for more)</td> 
  </tr>
  <tr>
    <td width="22%" valign="top">table precomputation time</td> 
    <td width="78%">Table precomputation is expensive in time. This is the meaning
      of &quot;Time-Memory Trade-Off&quot;.</td>
  </tr>
</table>
&nbsp;

<table border="1" width="100%" cellspacing="0">
  <tr>
    <td width="100%" colspan="2">CONFIGURATION #1</td>       
  </tr>
  <tr>
    <td width="39%">character set</td> 
    <td width="61%">					alpha-numeric(ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789)</td>
  </tr>
  <tr>
    <td width="39%">key space</td>
    <td width="61%"> 36^1 + 36^2 + 36^3 + 36^4 + 36^5 + 36^6 + 36^7 = 80603140212</td>  
  </tr>
  <tr>
    <td width="39%">t</td>
    <td width="61%">2400</td>
  </tr>
  <tr>
    <td width="39%">m</td>
    <td width="61%">40000000</td>
  </tr>
  <tr>
    <td width="39%">l</td>
    <td width="61%">5</td>
  </tr>
  <tr>
    <td width="39%">disk usage</td>
    <td width="61%">m * 16 * l = 3200000000 B = 3 GB</td>
  </tr>
  <tr>
    <td width="39%">success rate</td>
    <td width="61%"> 0.9904</td>
  </tr>
  <tr>
    <td width="39%">mean cryptanalysis time</td>
    <td width="61%"> 7.6276 s</td>
  </tr>
  <tr>
    <td width="39%">mean cryptanalysis time on a low memory system (free memory  
      size much smaller than 610MB)</td>
    <td width="61%"> 13.3075 s</td>
  </tr>
  <tr>
    <td width="39%">max cryptanalysis time</td>
    <td width="61%">   40.6780 s</td>
  </tr>
  <tr>
    <td width="39%" valign="top">table precomputation commands</td>
    <td width="61%">rtgen alpha-numeric 0 2400 40000000 bla<br> 
      rtgen alpha-numeric 1 2400 40000000 bla<br> 
      rtgen alpha-numeric 2 2400 40000000 bla<br> 
      rtgen alpha-numeric 3 2400 40000000 bla<br> 
      rtgen alpha-numeric 4 2400 40000000 bla</td>  
  </tr>
  <tr>
    <td width="39%" valign="top">table precomputation time</td>
    <td width="61%">15 days 17 hours</td> 
  </tr>
</table>
<p>Some explanations:<br> 
With this configuration, you can crack an alpha-numeric password in 13.3075 seconds  
on a 256MB memory system with 99.04% success rate. Due to the limited CPU 
power/patience, I accept the 99% success rate instead of the 99.9% one. 
</p>

<p>In this tutorial we select &quot;CONFIGURATION #0&quot;. If you want the
second configuration, the steps are similar.
</p>
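<p>The figures in the two configuration tables can be re-derived from t, m and l. The following is an added example, not part of the original tutorial or the RainbowCrack distribution. It assumes the success-rate formula from the Oechslin paper linked above; the tutorial does not say which formula produced its own numbers, and the function names are chosen here for illustration.</p>

```python
import math

def key_space(charset_size, max_len=7):
    """Count plaintexts of length 1..max_len over the character set."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

def disk_usage(m, l, chain_bytes=16):
    """Bytes needed for l tables of m chains (16 bytes per chain, per the page)."""
    return m * chain_bytes * l

def table_success(N, t, m):
    """Success probability of one table, using the formula in Oechslin's paper
    (assumed here; the page does not state how its success rates were computed).

    m_i is the expected number of distinct values in column i of the table:
    m_1 = m and m_{i+1} = N * (1 - exp(-m_i / N)). Chains merge, so m_i shrinks.
    """
    miss = 1.0
    m_i = float(m)
    for _ in range(t):
        miss *= 1.0 - m_i / N
        m_i = -N * math.expm1(-m_i / N)
    return 1.0 - miss

def total_success(N, t, m, l):
    """l independently generated tables fail only if every one of them fails."""
    return 1.0 - (1.0 - table_success(N, t, m)) ** l

# Parameters copied from the two configuration tables on this page.
CONFIGS = {
    "CONFIGURATION #0": {"charset": 26, "t": 2100, "m": 8_000_000, "l": 5},
    "CONFIGURATION #1": {"charset": 36, "t": 2400, "m": 40_000_000, "l": 5},
}

def report(cfg):
    """Derive key space, disk usage and success rates for one configuration."""
    N = key_space(cfg["charset"])
    return {
        "key_space": N,
        "disk_bytes": disk_usage(cfg["m"], cfg["l"]),
        "one_table": table_success(N, cfg["t"], cfg["m"]),
        "all_tables": total_success(N, cfg["t"], cfg["m"], cfg["l"]),
    }

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        r = report(cfg)
        print(f"{name}: N={r['key_space']} disk={r['disk_bytes']} B "
              f"one table={r['one_table']:.4f} all tables={r['all_tables']:.4f}")
```

<p>The key space and disk usage match the tables exactly, and the computed success rates land within 0.001 of the listed 0.9990 and 0.9904. A single table of configuration #0 covers only about three quarters of the key space, which is why five tables are generated.</p>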

<h2>3. Precompute the rainbow tables with rtgen.exe</h2>

<p>Now it is time to generate the rainbow tables.<br>
There is a utility
called &quot;rtgen.exe&quot; (rainbow table generator) in the distribution. Open
an MS-DOS prompt, switch to the directory where the RainbowCrack files were
extracted, make sure there is 128 MB of free disk space and execute the command:
</p>

<table border="0" width="100%" cellspacing="0" bgcolor="#EBEBEB">
  <tr>
    <td width="100%">rtgen alpha 0 2100 8000000 bla</td> 
  </tr>
</table>
<p>This will begin the generation of the first rainbow table. It takes 13.2 hours to
complete on a 666 MHz CPU.<br>
Leave your computer working ...<br>
<br>
You can pause the precomputation at any time by pressing Ctrl+C.
The next time you run rtgen.exe with the same parameters, the program will pick up
where the precomputation left off and continue the generation of the rainbow
table.&nbsp;
</p>

<p>When the generation of the first rainbow table is finished, there will be a file
named &quot;lm_alpha_0_2100x8000000_bla.rt&quot; (128000000 bytes) in the
directory. Don't rename the file, because some parameters are stored in the file
name.&nbsp;
</p>

<p>Now it is time to generate the remaining rainbow tables. Make sure you have
enough free disk space (128000000 bytes for each table):
</p>

<table border="0" width="100%" cellspacing="0" bgcolor="#EBEBEB">
  <tr>
    <td width="100%"> 
      rtgen alpha 1 2100 8000000 bla<br>  
      rtgen alpha 2 2100 8000000 bla<br>  
      rtgen alpha 3 2100 8000000 bla<br>  
      rtgen alpha 4 2100 8000000 bla</td> 
  </tr>
</table>
<p>Leave your computer working ...<br>
......<br>
......<br>
<br>
<br>
When the precomputation is complete, make sure the following files are in place:<br>      
128,000,000 bytes&nbsp;&nbsp;&nbsp; lm_alpha_0_2100x8000000_bla.rt<br>      
128,000,000 bytes&nbsp;&nbsp;&nbsp; lm_alpha_1_2100x8000000_bla.rt<br>      
128,000,000 bytes&nbsp;&nbsp;&nbsp; lm_alpha_2_2100x8000000_bla.rt<br>      
128,000,000 bytes&nbsp;&nbsp;&nbsp; lm_alpha_3_2100x8000000_bla.rt<br>      
128,000,000 bytes&nbsp;&nbsp;&nbsp; lm_alpha_4_2100x8000000_bla.rt      
</p>

<p>If everything goes well, back up all files (recommended) and proceed to the
next section of the tutorial.
</p>

<h2>4. Sort rainbow tables with rtsort.exe  
</h2>

<p>To speed up rainbow table searches, the tables should be sorted
with &quot;rtsort.exe&quot; in advance.<br>
In fact, &quot;rcrack.exe&quot; only accepts sorted rainbow tables.<br>
<br>
Use these commands:
</p>

<table border="0" width="100%" cellspacing="0" bgcolor="#EBEBEB">
  <tr>
    <td width="100%">rtsort lm_alpha_0_2100x8000000_bla.rt<br> 
      rtsort lm_alpha_1_2100x8000000_bla.rt<br> 
      rtsort lm_alpha_2_2100x8000000_bla.rt<br> 
      rtsort lm_alpha_3_2100x8000000_bla.rt<br> 
      rtsort lm_alpha_4_2100x8000000_bla.rt</td> 
  </tr>
</table>
<p>Each command will take several minutes to complete. The
&quot;rtsort.exe&quot; utility will sort the file and write the result back to the original
file.<br>
<br>
Notice: If the free memory size is smaller than the file size, the file cannot be loaded
into memory all at once. In that case, extra free disk space as large as the
file to be sorted is required to apply an external sort.
</p>

<p>If everything goes well, proceed to the next section. 
</p>

<h2>5. Crack the LanManager hash with rcrack.exe and the sorted rainbow    
tables 
</h2>

<p>Finally you have everything ready. Now it is time to play with
&quot;rcrack.exe&quot;.<br>
Notice the file &quot;random_alpha.txt&quot; in the distribution.
It contains hashes of several randomly generated alpha-only passwords in pwdump
format.&nbsp;We
will use this file as the target.</p>
<p>Launch the crack by issuing the command:</p> 
<table border="0" width="100%" cellspacing="0" bgcolor="#EBEBEB">
  <tr>
    <td width="100%">rcrack c:\rainbowcrack\*.rt -f random_alpha.txt</td> 
  </tr>
</table>

<p>(Replace &quot;c:\rainbowcrack\&quot; with the directory where you placed the sorted
rainbow tables.)</p>


<p>Have fun!<br>
2003-9-9<br>
</p>

</body>

</html>
