Go4Expert

Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
-   -   Cracking MD5 hashes using Rainbow Tables (http://www.go4expert.com/articles/cracking-md5-hashes-using-rainbow-tables-t17240/)

neo_vi 30Apr2009 14:25

Cracking MD5 hashes using Rainbow Tables
 

Introduction



We have all heard of rainbow tables, which will be used to crack passwords and hashes. In this tutorial we will learn how to crack md5 hashes using rainbow tables.

Tools u should have



These are the tools u should have inorder to utilize this tutorial.
  1. Rainbow table generator - 'Winrtgen' comes with cain and abel
  2. cain and abel - get it from www.oxid.it
  3. Of course u must have some md5 hashes to crack.
All are freewares, so you won't face problem in getting these tools.

Creating rainbow tables



Rainbow tables can be created for various kind of hashes. e.g lm,fastlm,nt,md5 etc.
Here we are going to stick with md5 hashes alone.

MD5 hashes



MD5 hashes will be seen in sql databases. If u crack a site with SQL injection you will be shown with the username and md5 hashed password, for e.g 'admin:bc8f87a21501ae15a48d77a91513c3a7'.
So one has to crack or decrpyt the md5 hashes to enter into that site.

Creating rainbow tables



I have a set of hashes whose passwords are 4-6 in length. All are numeric passwords.
So i will explain how to create rainbow tables for this type of passwords.
  1. open the Winrtgen tool.
  2. click add table
  3. A dialog box will appear showing the settings.
Explanation of the settings
hash : type of the hash u wish to crack (in our case its md5)
MinLen: minimum length of the password (4)
Max Len: Maximum lenght of the password (6)
Index : Keep it as zero always.
ChainLen: It will tel u the success probability. And it plays a major role in the amount of time needed to create the table. For passwords with greater length the chain length should be a little larger. In our case chain length of 2 is enough. We will get 100% success probability with that.
Chaincount: 40000000
No of tables: 1
Keep the above two in its default values.
The picture below shows the setting for our case.
http://www.go4expert.com/images/arti...0429220230.jpg

Click ok in the table generator to create the table. Wait for it to complete. It will take a little extra time than it is showing in the benchmark. The time is for arranging the tables. It will do some kind of internal processing.

Cryptanalysis Attack



After creating the tables we are going to start the cryptanalysis attack of an md5 hash using the tables.
  1. open cain and abel.
  2. Load the hashes in the md5 screen under the cracker tab. These are some of the example hashes, which I will be using in this tutorial
    Code:

               
    315ff5049c0634d7d8195d2a1d1cf0df        - 021465       
    b139e104214a08ae3f2ebcce149cdf6e        - 1924   
    2467d3744600858cc9026d5ac6005305        - 232323     
    286c9c72ce04c511e8b4ed91e1fa9a24        - 071678     
    1aa4396d4fd1f977d93a8a579d6a4167        - 71032       
    3941c4358616274ac2436eacf67fae05        - 8319

  3. For adding the hashes click the button with ‘+’ symbol or goto file menu and select ‘Add to list’ or use Insert key. All the loaded hashes are within 4-6 in length.
  4. For cracking it, either select the hashes one by one or you can even select all.
  5. Right click the hash and select ‘Cryptanalysis Attack via Rainbow Tables’
  6. In the dialog box appearing Click Add table and select the table which we created in the previous step.
  7. Click ‘start’ to perform the attack.

Results



In the picture(1), See the ‘Max cryptanalysis time’ . The cracking will take a little longer than that. It also depends on how speed your computer is.
After few seconds, the result is shown like this,
Code:

  Hash:286c9c72ce04c511e8b4ed91e1fa9a24 Plain:071678      (Hex:303731363738)
  Hash:1aa4396d4fd1f977d93a8a579d6a4167 Plain:71032        (Hex:3731303332)
  Hash:3941c4358616274ac2436eacf67fae05 Plain:8319        (Hex:38333139)
  Hash:79cef9cc5c842ee39e164009c7554da2 Plain:98304        (Hex:3938333034)
  Hash:315ff5049c0634d7d8195d2a1d1cf0df Plain:021465      (Hex:303231343635)
  Hash:b139e104214a08ae3f2ebcce149cdf6e Plain:1924        (Hex:31393234)
  Hash:2467d3744600858cc9026d5ac6005305 Plain:232323      (Hex:32333233323)

That is it. The cryptanalysis attack has been performed and the hashes are cracked. This shows the power and capability of rainbow tables attack. If we have tables we can possibly crack any hashes within minutes.

NOTE:

Since these hashes are very small in length, even a brute force attack will reveal the plain texts. But I used rainbow tables for the purpose of simplicity and portability. U can create your own tables with the character set you need. Custom character set is also possible. For example you are watching a person who is typing his password, you are having an eye on his keyboard moves. If you are sure that he uses only numeric and symbols for his password. You can start cracking the hashes (if u get it by some means) by creating the tables with symbols and numbers alone.


FAQ’s



Cain and abel setup is caught by my antivirus!
Yes, it is a password cracking utility. So your antivirus will block it. It may even quarantine it. So before installing disable the antivirus. After installing it too, cain.exe will be blocked by the AV, so disable the antivirus till you use that program.

I don’t have any md5 hashes to test. Where can I get it?
Open cain.exe and look for hash calculator, if u can’t find it use the shortcut ‘alt+c’. Type in anything and give calculate. You will be given with various hashes. Copy the md5 alone to test.

You may ask why md5? There is lot of hashes!
Yes there is lot of hashes, but when u hack a site with SQL injection or some other thing, you will get an md5 hashed password. That is why I am particular about md5.

DISCLAIMER:
This tutorial is for education purposes only; I do not encourage you to hack any site. If you do something and get caught you are solely responsible for what you have done.

indiansword 1May2009 01:25

Re: Cracking MD5 hashes using Rainbow Tables
 
5/10

shabbir 3May2009 11:57

Re: Cracking MD5 hashes using Rainbow Tables
 
Nominate this article of the month for April 2009

kisanka 8May2009 15:26

Re: Cracking MD5 hashes using Rainbow Tables
 
good post, gonna try this. please post more about the uses of Cain & Abel. it will be very useful for most the readers..

BukiBv 9May2009 20:58

Re: Cracking MD5 hashes using Rainbow Tables
 
very nice thanX :D

SaswatPadhi 10May2009 19:39

Re: Cracking MD5 hashes using Rainbow Tables
 
I don't really get this !?!

(1) Can we reverse a crypto-hash ?? :confused: There can be infinitely many arbitrary data blocks with the same MD5.
As I saw in your article, you make some assumption about the data : such as numeric, or uses special symbols etc .. But what if you have no idea AT ALL ??

(2) If the data-block is combined with a random salt before generating MD5 hash, then ?? Rainbow tables are almost useless !

neo_vi 12May2009 17:18

Re: Cracking MD5 hashes using Rainbow Tables
 
Quote:

Originally Posted by SaswatPadhi (Post 47524)
I don't really get this !?!

(1) Can we reverse a crypto-hash ?? :confused: There can be infinitely many arbitrary data blocks with the same MD5.
As I saw in your article, you make some assumption about the data : such as numeric, or uses special symbols etc .. But what if you have no idea AT ALL ??

(2) If the data-block is combined with a random salt before generating MD5 hash, then ?? Rainbow tables are almost useless !

For
(1) No. And if u have no idea at all u can make an assumption that the password length may be with 4-10 chars and u can use all char set to create rainbow tables. I just demonstrated it for numeric cos of the time constraint. If u re free enough to create a rainbow tables of size 80 GB or more create it and crack it.

(2) In real time most of the sites give unsalted passwords by SQL injection. And no one is gonna combine with random salt for an admin password.

see the last part of the article (FAQ's) I have clearly said this is used for cracking the passwords which we get from SQL injection. I am not dealing with any kinda data that is hashed or salted with MD5.

shabbir 18May2009 19:45

Re: Cracking MD5 hashes using Rainbow Tables
 
Start Voting for article of the month - April 2009

shabbir 3Jun2009 09:14

Re: Cracking MD5 hashes using Rainbow Tables
 
Winner of Article of the month - April 2009


All times are GMT +5.5. The time now is 10:42.