A must-have weapon for security experts: understanding the Rainbow hash table cracking tool

ID MYHACK58:62200716890
Type myhack58
Reporter Anonymous
Modified 2007-09-14T00:00:00


The cross-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Many people would consider that password quite secure. Microsoft's password strength checker rates it "strong", while the Geekwisdom password strength estimator rates it "ordinary".

Why is Ophcrack so fast? Because it uses rainbow tables. I am not talking about the kind of real rainbow I used to have as my desktop background.

Although those rainbows are also very beautiful.

To understand how rainbow tables work, you first have to understand how computers store passwords, whether on your own desktop or on a remote network server somewhere.

Passwords are never stored in plain text. At least they should not be, unless you are using the world's most naive programmers and your goal is to build the world's most insecure system. Instead, a password should be stored as the output of a hash function. A hash is a one-way operation: even if an attacker can read the table of password hashes, he cannot reconstruct the passwords from those hash values alone.

But an attacker can attack the table of password hashes with a rainbow table: a giant table of precomputed hash values for a huge number of possible character combinations. The attacker's computer could of course compute all these hashes on the fly, but using a massive table of precomputed hash values lets the attack proceed several orders of magnitude faster, assuming the attacking machine has enough RAM to hold the entire table, or at least most of it, in memory. This is a classic time-memory trade-off, exactly the kind of shortcut hackers prefer.

How large is a rainbow table? The Ophcrack install dialog gives you a general idea:

Generating these massive rainbow tables takes a long time, but once they have been generated, every attacking computer can use them to crack the hashes of strong passwords.

The smallest rainbow table available is the basic alphanumeric table, which is 388MB. This is the default table on the Ophcrack boot disk. Even this minimal table is quite effective. I used it to attack some passwords I set up in a Windows XP virtual machine, with the following results:

password                              found?   seconds
Password1!                            no       700
Fgpyyih804423                         yes      159
Fgpyyih80442%                         no       700
saMejus9                              yes      140
thequickbrownfoxjumpsoverthelazydog   no       700

Of course, with this rainbow table you cannot crack passwords that contain non-alphanumeric characters such as %&^$#, because the table simply does not contain those characters. You may also notice the passphrase; I like passphrases too, because their length alone makes them immune to this technique. Still, this attack can crack 99.9% of all 14-character alphanumeric password combinations in 11 minutes, and that is with the smallest rainbow table. The larger and more complete the table, the stronger the cracking capability. The Ophcrack documentation describes the differences between the rainbow tables it can use:

Alphanumeric table 10k, 388MB: contains the LanManager tables for 99.9% of all alphanumeric passwords. These are passwords made of uppercase and lowercase letters and digits, about 800 million of them.

Since the LanManager hash splits the password into two 7-character halves, we can use this table to crack passwords of length 1 to 14. Since the LanManager hash is also case-insensitive, the 800 million combinations in the table are equivalent to 12*10^11 (or 2^83) passwords.

Alphanumeric table 5k, 720MB: contains the LanManager tables for 99.9% of all alphanumeric passwords. However, since this table is twice as large, if your computer has 1GB or more of RAM its cracking speed is 4 times that of the first table.

Extended table, 7.5GB: contains the LanManager tables for 96% of all passwords of up to 14 characters made of uppercase and lowercase letters, digits, and the following 33 special characters: !"#$%&'()+,-./:;<=>?@[\]^_`{|}~. The table has about 7 trillion combinations, corresponding to 5*10^12 (or 2^92) passwords.

NT table, 8.5GB: with this table we can crack the NT hashes on the computer, which LanManager tables cannot do. The table contains 90% of the possible password combinations made of the following characters:

·up to 6 characters made of uppercase and lowercase letters, digits, and the 33 special characters listed above

·7 characters made of uppercase and lowercase letters and digits

·8 characters made of lowercase letters and digits

The table contains 7 trillion combinations, corresponding to 7 trillion passwords, because the NT hash does not have the weaknesses of the LanManager hash.

Note that all of these rainbow tables are specific to a password length and character set. A password that is too long, or that contains a character the table does not cover, cannot be cracked with that rainbow table.

Unfortunately, because of the unforgivable flaws in the legacy LanManager hash, Windows servers are particularly vulnerable to rainbow table attacks. To my surprise, Windows Server 2003 still supports the old Lan Manager hash by default. I strongly suggest you disable Lan Manager hashes, and be sure to disable them on the servers that store all the domain users' credentials. This will greatly inconvenience any Windows 98 users you have, but I think the security improvement is worth it.

I hear that the next release, Windows Server 2008, will finally remove the LanManager hash. Windows Vista already does not support this outdated hash. Running OphCrack on a Vista system produces the following dialog:

All LM hashes are empty. Please use NT hash tables to crack the remaining hashes. I wish I could use the NT tables, but I could not find a reliable source for the 8.5GB NT hash rainbow tables.

Ophcrack is not very flexible. It does not let you generate your own rainbow tables. For that you have to use the Project RainbowCrack tools, which can generate tables for almost any character set and any hash algorithm. Keep in mind, though, that rainbow table attacks have only recently become prevalent because 2-4GB of computer memory has only recently become affordable. I mean, these tables are huge.

Below are the rainbow table sizes needed to attack the more secure NT hash:

Character Set                                                       Length   Table Size
ABCDEFGHIJKLMNOPQRSTUVWXYZ                                          14       0.6 GB
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789                                14       3 GB
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^& ()-_+=                  14       24 GB
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^& ()-_+=~`[]{}|\:;"'<>,.?/  14       64 GB

On a desktop machine, a rainbow table attack is usually overkill. If a hacker can gain physical access to the host, you have no security to speak of. This is Law #3 of the 10 Immutable Laws of Security. Once a hacker has physical access to the host, he can use many tools to reset the password.

But if a remote hacker obtains a large number of password hashes from a server or database, we are in trouble. In that case the risk of a rainbow table attack is very high. Therefore you must not rely on hashing alone; you have to add a salt to the hash so that the resulting hash values are unique to you. Salting the hash sounds complicated, and vaguely delicious, but it is actually very simple. Before generating the hash, prepend a unique prefix to the password:

hash = md5('deliciously-salty-' + password)

Thus the attacker cannot use a rainbow table against you: the hashes generated from "password" and "deliciously-salty-password" do not match. Unless, that is, the hacker knows that all your hashes carry this prefix. Even if he does know, he would still have to generate a custom rainbow table specifically for your machine.
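To make the salting point concrete, here is an added Python example (not part of the original post) that builds a small precomputed hash lookup over a constructed wordlist, then shows that the page's fixed-prefix scheme defeats that lookup and, going one step beyond the page, that a random per-user salt additionally keeps two users with the same password from sharing a hash; md5 is used only to mirror the page's snippet.

```python
import hashlib
import os

# Constructed sample wordlist; a real precomputed table covers billions of candidates.
WORDLIST = ["Password1", "saMejus9", "letmein", "qwerty123", "Fgpyyih804423"]
STATIC_PREFIX = "deliciously-salty-"  # the page's fixed salt


def md5_hex(data):
    # md5 only to mirror the page; use a slow KDF (bcrypt, scrypt, Argon2) in practice.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_precomputed_table(words):
    """hash -> plaintext for every candidate: the lookup that makes the attack fast."""
    return {md5_hex(w): w for w in words}


def store_unsalted(password):
    return md5_hex(password)


def store_static_prefix(password):
    # The page's scheme: one fixed prefix shared by the whole system.
    return md5_hex(STATIC_PREFIX + password)


def store_per_user_salt(password, salt=None):
    # Beyond the page: a fresh random salt per user, stored next to the hash.
    salt = os.urandom(16).hex() if salt is None else salt
    return salt, md5_hex(salt + password)


def verify_per_user(password, salt, stored_hash):
    return md5_hex(salt + password) == stored_hash


def demo():
    table = build_precomputed_table(WORDLIST)
    unsalted_hits = [table.get(store_unsalted(w)) for w in WORDLIST]
    prefixed_hits = [table.get(store_static_prefix(w)) for w in WORDLIST]
    salt_a, hash_a = store_per_user_salt("saMejus9")
    salt_b, hash_b = store_per_user_salt("saMejus9")
    return {
        "unsalted_cracked": sum(h is not None for h in unsalted_hits),
        "prefixed_cracked": sum(h is not None for h in prefixed_hits),
        "same_password_same_hash": hash_a == hash_b,
        "verify_ok": verify_per_user("saMejus9", salt_a, hash_a),
    }


if __name__ == "__main__":
    print(demo())
```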