1
00:00:00,180 --> 00:00:04,930
Welcome to part seven of this module: rainbow tables.

2
00:00:05,080 --> 00:00:09,150
I've mentioned them in passing, and now it's time to talk about them.

3
00:00:09,520 --> 00:00:17,290
In this video we'll be taking a look at RainbowCrack on Kali Linux, which is found under Applications,

4
00:00:17,290 --> 00:00:19,080
Password Attacks.

5
00:00:19,180 --> 00:00:20,140
Fair warning.

6
00:00:20,140 --> 00:00:26,330
This video is going to be heavy on the explanation and a bit light on demonstration.

7
00:00:26,440 --> 00:00:29,890
If you stick with it, you'll understand why.

8
00:00:29,940 --> 00:00:36,600
First off, in order to make sure each of these videos is stand-alone for those wishing to reference a

9
00:00:36,600 --> 00:00:44,970
particular tool or concept, I will briefly explain that a password hash is basically a string of characters

10
00:00:45,420 --> 00:00:50,430
that, were you to decode them, would give you plaintext information.

11
00:00:50,430 --> 00:00:58,290
This is usually a password but could be a credit card number or name or some other very important piece

12
00:00:58,290 --> 00:00:59,600
of information.

13
00:00:59,610 --> 00:01:06,240
There are several different hashing algorithms, so a password that is converted to MD5 will have

14
00:01:06,240 --> 00:01:13,500
a hash that looks quite different from the exact same password converted into, let's say, LM.

15
00:01:16,530 --> 00:01:21,870
For example, the word "password" in MD5 looks like this.

16
00:01:23,950 --> 00:01:28,940
That is an MD5 hash. In the previous videos in this module,
17
00:01:29,080 --> 00:01:35,410
you've seen examples of how to brute-force hashes as well as perform dictionary-based attacks against

18
00:01:35,410 --> 00:01:44,040
them. All of these methods involve throwing words or combinations of words and characters at the hash

19
00:01:44,070 --> 00:01:50,580
by converting them into a hash and trying to match up the characters with those of the hash you're trying to

20
00:01:50,580 --> 00:01:51,900
crack.

21
00:01:51,930 --> 00:01:59,100
It's very time consuming, particularly as each guess requires a conversion to take place, which adds

22
00:01:59,100 --> 00:02:02,850
to the time the process takes exponentially.

23
00:02:02,850 --> 00:02:09,150
So the question I would like you to ask yourself as you're thinking about this is: what if you already

24
00:02:09,150 --> 00:02:13,430
had a file that contained all possible hashes?

25
00:02:13,440 --> 00:02:20,310
What if the dictionary file you are using for your dictionary-based attack had every word in it already

26
00:02:20,310 --> 00:02:25,070
pre-converted into a hash of the appropriate format?

27
00:02:25,080 --> 00:02:31,950
What if you could even add in a particular salt, or you had all the possible character set combinations

28
00:02:32,430 --> 00:02:40,380
already converted into hashes and stored in a table? Now, before we begin, I have to be honest.

29
00:02:40,620 --> 00:02:46,500
Although rainbow tables are a big part of penetration testing and hacking, I have not used them very

30
00:02:46,500 --> 00:02:47,350
much.

31
00:02:47,550 --> 00:02:50,110
The reason for this has to do with hardware.

32
00:02:50,160 --> 00:02:54,550
As you'll soon come to understand, it is a big limitation.

33
00:02:54,570 --> 00:03:06,120
The idea behind RainbowCrack is that it uses time-memory tradeoff algorithms to crack hashes. It differs

34
00:03:06,120 --> 00:03:07,410
from brute-force
35
00:03:07,440 --> 00:03:14,850
hash crackers in the sense that a brute-force cracker will generate all possible plaintexts and compute

36
00:03:14,880 --> 00:03:17,570
the corresponding hashes on the fly.

37
00:03:17,850 --> 00:03:22,110
Then it will compare against the hash to be cracked.

38
00:03:22,110 --> 00:03:25,560
Once a match is found, the plaintext is found.

39
00:03:25,800 --> 00:03:32,490
If all possible plaintexts are tested and no match is found, then you're out of luck.

40
00:03:32,490 --> 00:03:34,820
The plaintext is not found.

41
00:03:34,980 --> 00:03:41,520
It's really all or nothing with this type of hash cracking. All intermediate computation results are

42
00:03:41,520 --> 00:03:43,450
discarded.

43
00:03:43,450 --> 00:03:51,750
A time-memory tradeoff hash cracker, on the other hand, needs a precomputation stage. At that time, all

44
00:03:51,750 --> 00:04:00,360
plaintext/hash pairs within the selected hash algorithm, character set, and plaintext length are computed

45
00:04:00,720 --> 00:04:05,080
and results are stored in files which are called rainbow tables.

46
00:04:05,190 --> 00:04:13,890
It's time consuming to do this kind of computation, but once the one-time precomputation is finished, hashes

47
00:04:13,890 --> 00:04:19,980
stored in the table can be cracked with much better performance than a brute-force cracker. Graphics

48
00:04:19,980 --> 00:04:27,150
card acceleration is another key feature of RainbowCrack. By offloading most of the runtime computations

49
00:04:27,150 --> 00:04:30,190
to NVIDIA or AMD GPUs,

50
00:04:30,510 --> 00:04:34,920
overall cracking performance can be improved even further.

51
00:04:34,920 --> 00:04:35,490
Great.

52
00:04:35,610 --> 00:04:38,940
"So show me the tool already," I hear you say.

53
00:04:39,180 --> 00:04:43,200
Well, I did say this was going to be theory heavy.

54
00:04:43,200 --> 00:04:47,580
Here's why. I pulled up Project RainbowCrack

55
00:04:47,580 --> 00:04:49,140
(project-rainbowcrack.com).
56
00:04:49,280 --> 00:04:51,630
And if we scroll down a little bit,

57
00:04:57,340 --> 00:05:02,040
here are some rainbow tables if you'd like to download them.

58
00:05:02,050 --> 00:05:11,790
Notice that each category has its own set of tables: MD5 mixalpha-numeric is not the same as SHA-1

59
00:05:11,830 --> 00:05:13,660
mixalpha-numeric.

60
00:05:13,660 --> 00:05:21,400
Notice also that the smallest of these tables weighs in at just over 50 gigabytes, and larger examples

61
00:05:21,400 --> 00:05:29,710
go as high as 690 to 864 gigabytes, and they can get even bigger than that. But I'm not trying to scare

62
00:05:29,710 --> 00:05:30,880
you off.

63
00:05:30,940 --> 00:05:38,800
This is where the RainbowCrack tool comes in, but I want you to keep in mind that a full-sized, quote

64
00:05:38,920 --> 00:05:47,590
unquote, "perfect" table for a particular character set under a particular format is going to be positively

65
00:05:47,590 --> 00:05:49,540
gargantuan.

66
00:05:49,540 --> 00:05:57,280
If you happen to have a computer with a legendary amount of hard disk space (ideally solid state), more

67
00:05:57,280 --> 00:06:06,050
RAM than you know what to do with, a super high-end graphics card or two or four or six, and a really

68
00:06:06,050 --> 00:06:12,850
good cooling system, then you can set up one heck of a cracking station if you use all of these tables.
69
00:06:14,230 --> 00:06:22,330
But before we leave this page, which is again project-rainbowcrack.com by the way, I want to

70
00:06:22,330 --> 00:06:30,160
point out that should you wish to use RainbowCrack to generate any of these lists you see here from

71
00:06:30,160 --> 00:06:39,230
scratch, the commands to do so are at the bottom of the page. Don't click on one of these; let's just click

72
00:06:39,230 --> 00:06:49,420
on MD5 ASCII. What I have highlighted here is just the syntax for one part of this particular

73
00:06:49,420 --> 00:06:49,990
table.

74
00:06:54,690 --> 00:07:02,220
You would run all of these commands one after another using the RainbowCrack tool to generate this

75
00:07:02,370 --> 00:07:11,280
one table. As you can see, setting this up is a big deal. You need a powerful system to get the most out

76
00:07:11,280 --> 00:07:18,780
of it. I can and will run RainbowCrack to generate a much smaller table to show off how this process

77
00:07:18,780 --> 00:07:26,310
works, but the point I'm trying to make is, if you have the hardware, rainbow tables are really the way

78
00:07:26,310 --> 00:07:33,540
to go. This will invoke the full power of that hardware and greatly improve your capability, but on an

79
00:07:33,540 --> 00:07:43,620
old laptop or, dare I say, VirtualBox, this method is of questionable usefulness. A smaller table might

80
00:07:43,620 --> 00:07:52,170
work for you, and indeed a very old application called ophcrack does in fact use smaller tables to crack

81
00:07:52,170 --> 00:07:58,920
passwords for Windows systems that are older than Windows 7. I didn't do a video on this program because

82
00:07:58,920 --> 00:08:04,500
it's so badly out of date that it's basically not functional anymore and there are better ways to crack

83
00:08:04,500 --> 00:08:11,850
such passwords, but the point is a small table can still be useful in some cases.

84
00:08:16,080 --> 00:08:19,890
The last thing I want to point out before I generate a small table:

85
00:08:23,790 --> 00:08:31,500
there are links to three video demonstrations of rainbow tables being used to crack three different

86
00:08:31,500 --> 00:08:39,030
hashes. These videos are offered by Project RainbowCrack itself, since this sort of demonstration is

87
00:08:39,030 --> 00:08:47,130
beyond the hardware capability of people like me, but there isn't really that much to see: a simple GUI

88
00:08:47,130 --> 00:08:51,350
in a Windows environment, a single hash, and a whole lot of tables.

89
00:08:51,630 --> 00:08:56,490
The program attacks the hash using the tables, and that's basically it.

90
00:09:06,760 --> 00:09:13,540
rcrack_mt is, by the way, the command-line method of doing what you will see in those videos, but

91
00:09:13,540 --> 00:09:20,560
this is assuming you have the appropriate tables to actually use. If you are using a tiny one like I'm

92
00:09:20,560 --> 00:09:26,680
going to, you're probably just better off using one of the other methods shown in this module because

93
00:09:27,040 --> 00:09:33,760
you aren't going to get a lot of bang for your buck in terms of the memory-time tradeoff.

94
00:09:33,760 --> 00:09:44,360
So without further ado, let's go ahead and generate a small table just for demonstration purposes.

95
00:09:44,590 --> 00:09:55,570
We'll use rtgen. To get the syntax: OK, rtgen, and we're going to specify, for this example, we'll

96
00:09:55,570 --> 00:10:06,480
do SHA-256, and we're going to do loweralpha-numeric and 1 5 0.

97
00:10:06,630 --> 00:10:14,800
We're going to limit it to a maximum of five characters long with a minimum of 1, table 0, and we'll

98
00:10:14,800 --> 00:10:19,000
say a limit of 1000 minimum, 1000 maximum,

99
00:10:21,720 --> 00:10:22,480
leave.

100
00:10:22,500 --> 00:10:34,070
We need the zero as well because it's not part of an index, and we'll press Enter. OK, so this will now

101
00:10:34,070 --> 00:10:35,740
generate the rainbow table.
102
00:10:35,780 --> 00:10:43,160
This may take some time, and this might make more sense if I was trying to crack a database file filled

103
00:10:43,160 --> 00:10:52,720
with hashes that I knew for a fact were one- to five-character strings long and maybe just numbers, and

104
00:10:52,720 --> 00:10:56,470
if I knew they were SHA-256.

105
00:10:56,650 --> 00:11:03,640
In this very specific example, using this method might be faster than just brute-forcing it in the traditional

106
00:11:03,640 --> 00:11:04,690
way.

107
00:11:04,780 --> 00:11:10,770
It makes more sense if you pretend that I'm not recording this video in a VirtualBox environment.

108
00:11:10,930 --> 00:11:16,690
When Kali is installed to a dedicated partition with full system resources at its command and a decent

109
00:11:16,690 --> 00:11:22,160
GPU, this approach becomes a lot more tenable. OK.

110
00:11:22,160 --> 00:11:28,870
It looks like it has generated. It's quite small at 1000 rainbow chains.

111
00:11:28,870 --> 00:11:39,280
So let's go ahead and pull it up. I believe it's stored in /usr/share/rainbowcrack.

112
00:11:42,280 --> 00:11:44,080
Yes, and there it is.

113
00:11:49,200 --> 00:11:51,300
So the table was created.

114
00:11:51,660 --> 00:11:55,940
We could then use this table in any program that calls for it.

115
00:11:55,980 --> 00:12:00,850
You can experiment with your character sets and your range.

116
00:12:01,050 --> 00:12:08,670
You can create really as many rainbow tables as you like, but realistically, in my personal opinion, this

117
00:12:08,670 --> 00:12:11,800
is an all-or-nothing type of a thing.
118
00:12:11,850 --> 00:12:18,630
If you have all possible rainbow tables for your target, or at least for the type of hash you're trying

119
00:12:18,630 --> 00:12:26,310
to crack, and you've got the hardware, you can generate all of the tables you saw on the web page using

120
00:12:26,310 --> 00:12:33,590
the commands shown and you can go to town. But if you're using smaller tables that weren't created for

121
00:12:33,590 --> 00:12:42,350
cracking specific things over and over again, such as a database with, you know, a five-digit PIN number

122
00:12:42,410 --> 00:12:48,740
over and over again, different hashes, all five-digit PIN numbers, and you know that they're going to be

123
00:12:48,860 --> 00:12:53,740
numbers and you know they're all, like, MD5 or something,

124
00:12:53,740 --> 00:12:58,700
you're probably just better off using brute force or a word list.

125
00:12:58,750 --> 00:13:04,540
Your odds aren't really any better using a rainbow table, which is going to take a very long time to

126
00:13:04,540 --> 00:13:09,060
create, which would then offset the amount of time that it saves you.

127
00:13:09,070 --> 00:13:16,860
These tables are for people with really good hardware and a reason to break hashes on a regular basis.

128
00:13:16,900 --> 00:13:25,670
It's not a great fit for small-time pen testers with ordinary laptops, and you absolutely do not need

129
00:13:25,670 --> 00:13:32,090
to use rainbow tables to crack hashes, but if you can use them and if you've got a computer that's up

130
00:13:32,090 --> 00:13:37,710
to the challenge, they will definitely speed up the process. As always,

131
00:13:37,710 --> 00:13:43,710
never use this tool or any other tool shown in this class against any target that you don't either personally

132
00:13:43,710 --> 00:13:48,400
own or have written permission from the owner to penetration test.

133
00:13:48,470 --> 00:13:50,620
I hope you found this explanation helpful.
134
00:13:50,630 --> 00:13:57,020
I'm sorry it was probably very boring without much to look at, but this is material that had to be covered.

135
00:13:57,230 --> 00:13:59,740
Rainbow tables are useful tools.

136
00:13:59,750 --> 00:14:01,330
They really are.

137
00:14:01,400 --> 00:14:07,850
It's just that you have to be in the right situation for them to really come into their own.

138
00:14:08,450 --> 00:14:13,450
So I hope you found this tutorial helpful. I'm sorry that it was a little on the short side.

139
00:14:13,460 --> 00:14:15,590
Thank you for your patience and your attention.