A rainbow table can be thought of as a dictionary, except that instead of words and their definitions it contains character combinations on one side and their hashed form on the other. What is a hash, and why would you want to know which combination of characters produces a given hash?
Internet passwords are almost always stored as a hash. A hash is a method of cryptography that is very cheap to compute in one direction, but expensive to calculate in the opposite direction. This means that you can take a raw text input, for example the string password, and run it through a hash algorithm like MD5 to get an output of 5F4DCC3B5AA765D61
Back to rainbow tables: an entry would contain password on one side and 5F4DCC3B5AA765D61D8327DEB882CF99 on the other side. Should we ever come across this hash, we can search our table, find it, and learn what the original string was. But before we can do that, we need to learn how to make a rainbow table.
For this guide, I will demonstrate from a base of Kali Linux running in a virtual machine, but the instructions for most Linux distributions will basically be the same. I will also add some information for the Windows platform.
Step 1: Set up RainbowCrack
We will use RainbowCrack to create and sort our tables. Kali Linux ships with RainbowCrack already installed, but if you do not have it installed or are running Windows, you can download it, or use Aptitude if you're on a Debian-based distribution like Mint.
On Windows, once you have downloaded RainbowCrack, create a new folder that you can easily navigate to from the command prompt, and extract everything into it. Then open the command prompt and navigate to the directory that you created. Continue with step 2, as the next paragraphs are for Kali.
Once you're sure RainbowCrack is installed, you'll need to create and navigate to a new folder in Kali. This is where our tables will be generated and sorted. You can use the following commands to set up the folder in your home directory. It is best to use a new, empty directory because of the sort that occurs after the tables are generated.
    cd ~
    mkdir RainbowTables
    cd RainbowTables
It's important to know that rainbow tables take up a huge amount of storage space, especially if you use a wide character set and a long maximum length. Make sure you have at least hundreds of gigabytes of space. It is better to have at least half a terabyte free. If this space is not available to you, you can still follow along with smaller character sets, shorter maximum lengths, and shorter chain lengths.
Once we are in the directory we created, we can run rtgen to make sure everything is installed correctly. This will also return some practical help, with example uses of rtgen and the names of its parameters.
    rtgen
    RainbowCrack 1.7
    Copyright 2017 RainbowCrack Project. All rights reserved.
    http://project-rainbowcrack.com/

    usage: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
           rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index -bench

    hash algorithms implemented:
        lm HashLen=8 PlaintextLen=0-7
        ntlm HashLen=16 PlaintextLen=0-15
        md5 HashLen=16 PlaintextLen=0-15
        sha1 HashLen=20 PlaintextLen=0-20
        sha256 HashLen=32 PlaintextLen=0-20

    examples:
        rtgen md5 loweralpha 1 7 0 1000 1000 0
        rtgen md5 loweralpha 1 7 0 -bench
As you can see, there are two uses, each with an example:
    rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
    rtgen md5 loweralpha 1 7 0 1000 1000 0

    rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index -bench
    rtgen md5 loweralpha 1 7 0 -bench
Of course, the parameters are not really explained in that output because of space restrictions, so I'll explain them here to make the rest easier to follow.
- hash_algorithm: This is the hash algorithm that our rainbow tables should use. For a list of available algorithms, see "hash algorithms implemented" in the output above. In our example we use MD5, but RainbowCrack is also capable of creating perfect SHA1 and NTLM tables, and I will point to the table commands for all three.
- charset: The set of characters used to generate the plaintext strings for the rainbow tables. numeric is the digits 0-9; loweralpha-numeric is alphanumeric (all letters and digits 0-9), but only in lowercase letters. For a complete list of character sets that you can use, see "charset.txt" in RainbowCrack.
- plaintext_len_min: The minimum length of plain text strings. For example, if we select a numeric character set and a min and max of 1, our table will contain all digits 0-9 and their hash equivalent.
- plaintext_len_max: The maximum length of plaintext strings. For example, if we choose a minimum of 1 and a maximum of 2, we get all digits 0-9 and 00-99 and their hash equivalents in our table.
- table_index: This parameter selects the reduction function. A reduction function is a mathematical formula that reduces the number of combinations by removing combinations that are unlikely. This drastically reduces the computing time. The flip side is that there is a tiny possibility that a given reduction function skips the desired combination. Therefore, "perfect" tables use multiple runs with different reduction functions, so that together the tables contain all possible combinations.
- chain_len: This controls the length of each chain. The larger this number is, the more plaintexts are hashed and stored in the table. This is why the reduction function mentioned above is important: it reduces the possible combinations to the chain length you have chosen. The flip side of a long chain length is the creation time. If you want a table that is "perfect" and extensive, this can take months.
- chain_num: This is the number of chains to be generated. Each chain consists of 16 bytes.
- part_index: This is for cases where hard disk space or computational power is limited, or where your file system cannot handle exceptionally large files. We can change this from 0, which it should normally be, to segment the table file into smaller parts.
- -bench: This is a flag that you can add to benchmark the settings you have selected. No rainbow tables are created, just a few numbers to help you determine how quickly you can generate table entries. On this basis, you can determine how long the table generation will actually take.
Now let's generate these tables! If you use Windows instead of Linux, you may have to use rtgen.exe instead of rtgen in the following examples. Run the following commands separately. But be warned, it will take hours for them to complete. You can press Ctrl-C on your keyboard to stop, and the next time you run the same command, it will resume where it left off.
    rtgen md5 loweralpha-numeric 1 7 0 2400 24652134 0
    rtgen md5 loweralpha-numeric 1 7 1 2400 24652134 0
    rtgen md5 loweralpha-numeric 1 7 2 2400 24652134 0
    rtgen md5 loweralpha-numeric 1 7 3 2400 24652134 0
    rtgen md5 loweralpha-numeric 1 7 4 2400 24652134 0
    rtgen md5 loweralpha-numeric 1 7 5 2400 24652134 0
The above commands generate six different rainbow tables using the loweralpha-numeric character set, which contains 36 possible characters. For any plaintext that falls into this category, we have over 99% chance of having its hash equivalent in our tables.
    rtgen md5 loweralpha-numeric 1 7 0 2400 24652134 0
    rainbow table md5_loweralpha-numeric#1-7_0_2400x24652134_0.rt parameters
    hash algorithm:         md5
    hash length:            16
    charset name:           loweralpha-numeric
    charset data:           abcdefghijklmnopqrstuvwxyz0123456789
    charset data in hex:    61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39
    charset length:         36
    plaintext length range: 1 - 7
    reduce offset:          0x00000000
    plaintext total:        80603140212

    sequential starting point begin from 0 (0x000000000000000000)
    generating...
    65536 of 24652134 rainbow chains generated (0 m 21.3 s)
    131072 of 24652134 rainbow chains generated (0 m 32.8 s)
    196608 of 24652134 rainbow chains generated (0 m 32.2 s)
    262144 of 24652134 rainbow chains generated (0 m 32.9 s)
    327680 of 24652134 rainbow chains generated (0 m 32.2 s)
    393216 of 24652134 rainbow chains generated (0 m 33.0 s)
    458752 of 24652134 rainbow chains generated (0 m 33.3 s)
    524288 of 24652134 rainbow chains generated (0 m 34.0 s)
    589824 of 24652134 rainbow chains generated (0 m 33.3 s)
    655360 of 24652134 rainbow chains generated (0 m 33.8 s)
    720896 of 24652134 rainbow chains generated (0 m 33.0 s)
    786432 of 24652134 rainbow chains generated (0 m 32.3 s)
    851968 of 24652134 rainbow chains generated (0 m 34.0 s)
    917504 of 24652134 rainbow chains generated (0 m 34.3 s)
    983040 of 24652134 rainbow chains generated (0 m 34.4 s)
    1048576 of 24652134 rainbow chains generated (0 m 33.7 s)
    .....
When each rainbow table is finished, it is saved in the .rt file generated by the command. This gives each rainbow table its own .rt file.
If you're trying to create tables for SHA1 or NTLM, or possibly another character set and length for MD5, you can reference the tables created by the RainbowCrack team. At the bottom of the page, you can select the algorithm you are looking for to display a list of the commands to run to create your own tables.
Step 4: Sort the Rainbow Tables
Our rainbow table generation is complete, but we can not yet use it. We have to sort them in a table, which we can search efficiently. Luckily that's easy, we just run:
As long as we are in the directory where we created them, the command will sort all of the tables we have generated into an easy-to-search .rt file. This file is accessible in the directory we selected, in this case RainbowTables in the home directory.
Now you have an almost perfect rainbow table at your disposal. We'll discuss what we can do with this table, how we can do it, and how you can protect yourself from people trying to crack your passwords in a forthcoming guide.
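To make table_index, chain_len, chain_num and the sort step concrete, here is a toy rainbow table in Python over the numeric charset with lengths 1 to 3 (1110 plaintexts). It is an added example, not RainbowCrack's code: the reduction formula and all function names are constructed for illustration, and the reduction function here maps a hash back to some plaintext in the keyspace so that chains can be walked and only each chain's start and end are stored.

```python
import hashlib
from bisect import bisect_left
from itertools import product

CHARSET, MIN_LEN, MAX_LEN = "0123456789", 1, 3   # "numeric", lengths 1-3
PLAINS = ["".join(p) for n in range(MIN_LEN, MAX_LEN + 1)
          for p in product(CHARSET, repeat=n)]
KEYSPACE = len(PLAINS)                           # 10 + 100 + 1000 = 1110

def md5(plain):
    return hashlib.md5(plain.encode()).digest()

def reduce_hash(digest, pos, table_index):
    """Map a hash to some plaintext in the keyspace (not its preimage).
    Constructed formula; it differs per chain position and per table."""
    n = int.from_bytes(digest[:8], "big") + pos + table_index * 65536
    return PLAINS[n % KEYSPACE]

def build_table(table_index, chain_len, chain_num):
    """Keep only (end, start) per chain, sorted by end for binary search."""
    table = []
    for start in PLAINS[:chain_num]:             # sequential starting points
        plain = start
        for pos in range(chain_len):
            plain = reduce_hash(md5(plain), pos, table_index)
        table.append((plain, start))
    return sorted(table)

def lookup(table, table_index, chain_len, target):
    """Return the plaintext whose MD5 is target, or None if not covered."""
    ends = [end for end, _ in table]
    for col in range(chain_len - 1, -1, -1):     # guess the target's column
        plain = reduce_hash(target, col, table_index)
        for pos in range(col + 1, chain_len):
            plain = reduce_hash(md5(plain), pos, table_index)
        i = bisect_left(ends, plain)
        while i < len(ends) and ends[i] == plain:  # rebuild and verify
            cand = table[i][1]
            for pos in range(col):
                cand = reduce_hash(md5(cand), pos, table_index)
            if md5(cand) == target:
                return cand
            i += 1
    return None

def coverage(tables, chain_len):
    """Fraction of the keyspace that at least one (index, table) recovers."""
    hits = sum(any(lookup(t, ti, chain_len, md5(p)) == p for ti, t in tables)
               for p in PLAINS)
    return hits / KEYSPACE
```

Every starting point is always recoverable; any other plaintext is found only if some chain happens to pass through it, which is why tables built with different table_index values are combined to raise coverage.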