readme.txt

跟rainbow table结合破解windoes登陆密码及各种hash密码

OPHCRACK (Time-Memory-Trade-Off-Crack)

A windows password cracker based on the faster time-memory trade-off using
rainbow tables. This program is given as an example of efficient
implementation of rainbow tables. It is limited to alphanumerical
passwords. Feel free to make your own extensions.

CONTENTS:

Directories: 
src      - source files and Makefile
linux    - precompiled linux executables
windows  - precompiled windows executables


Main programs:
ophcrack - the password cracker
precomp  - a program for creating rainbow tables (in ascii format)
binarize - compress ascii tables into more compact binary format


Utilities:
test_hash  - generate lanmanhash and nthash from a password
test_speed - Test the speed of hash and reduction functions


COMPILING:

You need libssl and libssl-devel to compile the programs.

Type make to make all programs.

TESTING:

Run the test script (test.sh in the linux directory, test.bat in the windows
directory) to run a test that generates a small set of tables and 
recovers a password using these tables. 


EXAMPLES:

This is what the test script does to create tables and crack a password:

create a first table (table0) in directory Test (which must exist). This table
is made from 4000 rainbow chains of length 1000. Merging chains will be
removed. The remaining table is a so-called 'perfect' table (smaller and more efficient): 
./precomp -d Test/ -t 1000 -m 4000 0

create second table (table1):
./precomp -d Test/ -t 1000 -m 4000 1

convert tables to binary representation:
cd Test && ../binarize table0 && ../binarize table1

you may want to delete the ascii version of the tables now:
cd Test && rm table0 && rm table1

Now use the cracker to find a password:
./ophcrack -s -t 1000 -d Test/ -n 2 3b5d4264276d312ee516b06b1b1dc3a9:fff23d5f2a088b0bc952337fbaa8d6c4

You can also get the hashes from a windows sam dump, e.g. by using pwdump2. In
that case just provide the filename instead of a hash:
./ophcrack -s -t 1000 -d Test/ sam.txt


ADVANCED GENERATION OF TABLES:

The above tables are very small and will only find a fraction of passwords. If
you were to build larger tables, say four tables starting with 100'000'000
chains of length 5000, you can make use of the following
optimizations:

- build tables stepwise:

Rather than creating 100'000'000 chains of length 5000 and then removing the
merges, you can remove the merges along the way by building the table
stepwise:

mkdir big

# stop and remove merges after 100 columns
./precomp -d big/ -t 5000 -m 100000000 -s 100 0
./precomp -d big/ -t 5000 -m 100000000 -s 100 1
./precomp -d big/ -t 5000 -m 100000000 -s 100 2
./precomp -d big/ -t 5000 -m 100000000 -s 100 3

# append the next 300 columns and remove merges
./precomp -d big/ -t 5000 -s 300 0
./precomp -d big/ -t 5000 -s 300 1
./precomp -d big/ -t 5000 -s 300 2
./precomp -d big/ -t 5000 -s 300 3

# append the next 1100 columns and remove merges
./precomp -d big/ -t 5000 -s 1100 0
./precomp -d big/ -t 5000 -s 1100 1
./precomp -d big/ -t 5000 -s 1100 2
./precomp -d big/ -t 5000 -s 1100 3

# append the next 3500 columns and remove merges
./precomp -d big/ -t 5000 -s 3500 0
./precomp -d big/ -t 5000 -s 3500 1
./precomp -d big/ -t 5000 -s 3500 2
./precomp -d big/ -t 5000 -s 3500 3

cd big
binarize table0; binarize table1; binarize table2; binarize table3

- parallelizing the table generation:

You can generate each table on a different machine. If you want to parallelize
further, you can generate slices of each table on different machines. In that
case, merges between different slices are only removed when reuniting the
tables:

#on machine1:
./precomp -d lower/ -t 5000 -m 50000000 -s 100 0
./precomp -d lower/ -t 5000 -s 300  0
./precomp -d lower/ -t 5000 -s 1100 0
./precomp -d lower/ -t 5000 -s 3500 0
#on machine2
./precomp -d upper/ -t 5000 -m 50000000 -M 50000000 -s 100 0
./precomp -d upper/ -t 5000 -s 300  0
./precomp -d upper/ -t 5000 -s 1100 0
./precomp -d upper/ -t 5000 -s 3500 0

cat lower/table0 upper/table0 | sort -k 1.7 > big/table0


MEMORY USAGE AND SPEED CONSIDERATIONS

By default, ophcrack will only load one table at time in memory. If you have
enough memory, use the -n option to specify how many tables to load in parallel.
Searching in tables in parallel is faster. Note that if you have only a few 
passwords to crack, the cracking time will be dominated by the time needed to 
load the tables from the hard disk. Shortest cracking times are achieved when
cracking a file containing many hashes (or cracking the same password twice in 
a row, which may not be very useful).



Copyright Philippe Oechslin, July 2004 (philippe.oechslin@epfl.ch)

The file LICENCE.TXT contains the copyright licence of this program.