Cracking MD5 hashes using Rainbow Tables

Discussion in 'Ethical hacking Tips' started by neo_vi, Apr 30, 2009.

  1. neo_vi

    neo_vi Member

    Joined:
    Feb 1, 2008
    Messages:
    720
    Likes Received:
    16
    Trophy Points:
    18
    Occupation:
    Software engineer
    Location:
    Earth
    Home Page:
    http://computertipaday.blogspot.com

    Introduction



    We have all heard of rainbow tables, which will be used to crack passwords and hashes. In this tutorial we will learn how to crack md5 hashes using rainbow tables.

    Tools u should have



    These are the tools u should have inorder to utilize this tutorial.
    1. Rainbow table generator - 'Winrtgen' comes with cain and abel
    2. cain and abel - get it from www.oxid.it
    3. Of course u must have some md5 hashes to crack.
    All are freewares, so you won't face problem in getting these tools.

    Creating rainbow tables



    Rainbow tables can be created for various kind of hashes. e.g lm,fastlm,nt,md5 etc.
    Here we are going to stick with md5 hashes alone.

    MD5 hashes



    MD5 hashes will be seen in sql databases. If u crack a site with SQL injection you will be shown with the username and md5 hashed password, for e.g 'admin:bc8f87a21501ae15a48d77a91513c3a7'.
    So one has to crack or decrpyt the md5 hashes to enter into that site.

    Creating rainbow tables



    I have a set of hashes whose passwords are 4-6 in length. All are numeric passwords.
    So i will explain how to create rainbow tables for this type of passwords.
    1. open the Winrtgen tool.
    2. click add table
    3. A dialog box will appear showing the settings.
    Explanation of the settings
    hash : type of the hash u wish to crack (in our case its md5)
    MinLen: minimum length of the password (4)
    Max Len: Maximum lenght of the password (6)
    Index : Keep it as zero always.
    ChainLen: It will tel u the success probability. And it plays a major role in the amount of time needed to create the table. For passwords with greater length the chain length should be a little larger. In our case chain length of 2 is enough. We will get 100% success probability with that.
    Chaincount: 40000000
    No of tables: 1
    Keep the above two in its default values.
    The picture below shows the setting for our case.
    [​IMG]

    Click ok in the table generator to create the table. Wait for it to complete. It will take a little extra time than it is showing in the benchmark. The time is for arranging the tables. It will do some kind of internal processing.

    Cryptanalysis Attack



    After creating the tables we are going to start the cryptanalysis attack of an md5 hash using the tables.
    1. open cain and abel.
    2. Load the hashes in the md5 screen under the cracker tab. These are some of the example hashes, which I will be using in this tutorial
      Code:
                  
      315ff5049c0634d7d8195d2a1d1cf0df         - 021465        
      b139e104214a08ae3f2ebcce149cdf6e         - 1924    
      2467d3744600858cc9026d5ac6005305         - 232323      
      286c9c72ce04c511e8b4ed91e1fa9a24         - 071678       
      1aa4396d4fd1f977d93a8a579d6a4167         - 71032        
      3941c4358616274ac2436eacf67fae05         - 8319         
      
    3. For adding the hashes click the button with ‘+’ symbol or goto file menu and select ‘Add to list’ or use Insert key. All the loaded hashes are within 4-6 in length.
    4. For cracking it, either select the hashes one by one or you can even select all.
    5. Right click the hash and select ‘Cryptanalysis Attack via Rainbow Tables’
    6. In the dialog box appearing Click Add table and select the table which we created in the previous step.
    7. Click ‘start’ to perform the attack.

    Results



    In the picture(1), See the ‘Max cryptanalysis time’ . The cracking will take a little longer than that. It also depends on how speed your computer is.
    After few seconds, the result is shown like this,
    Code:
      Hash:286c9c72ce04c511e8b4ed91e1fa9a24 Plain:071678       (Hex:303731363738)
      Hash:1aa4396d4fd1f977d93a8a579d6a4167 Plain:71032        (Hex:3731303332)
      Hash:3941c4358616274ac2436eacf67fae05 Plain:8319         (Hex:38333139)
      Hash:79cef9cc5c842ee39e164009c7554da2 Plain:98304        (Hex:3938333034)
      Hash:315ff5049c0634d7d8195d2a1d1cf0df Plain:021465       (Hex:303231343635)
      Hash:b139e104214a08ae3f2ebcce149cdf6e Plain:1924         (Hex:31393234)
      Hash:2467d3744600858cc9026d5ac6005305 Plain:232323       (Hex:32333233323)
    
    That is it. The cryptanalysis attack has been performed and the hashes are cracked. This shows the power and capability of rainbow tables attack. If we have tables we can possibly crack any hashes within minutes.

    NOTE:

    Since these hashes are very small in length, even a brute force attack will reveal the plain texts. But I used rainbow tables for the purpose of simplicity and portability. U can create your own tables with the character set you need. Custom character set is also possible. For example you are watching a person who is typing his password, you are having an eye on his keyboard moves. If you are sure that he uses only numeric and symbols for his password. You can start cracking the hashes (if u get it by some means) by creating the tables with symbols and numbers alone.


    FAQ’s



    Cain and abel setup is caught by my antivirus!
    Yes, it is a password cracking utility. So your antivirus will block it. It may even quarantine it. So before installing disable the antivirus. After installing it too, cain.exe will be blocked by the AV, so disable the antivirus till you use that program.

    I don’t have any md5 hashes to test. Where can I get it?
    Open cain.exe and look for hash calculator, if u can’t find it use the shortcut ‘alt+c’. Type in anything and give calculate. You will be given with various hashes. Copy the md5 alone to test.

    You may ask why md5? There is lot of hashes!
    Yes there is lot of hashes, but when u hack a site with SQL injection or some other thing, you will get an md5 hashed password. That is why I am particular about md5.

    DISCLAIMER:
    This tutorial is for education purposes only; I do not encourage you to hack any site. If you do something and get caught you are solely responsible for what you have done.
     
    Last edited by a moderator: Jan 21, 2017
  2. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
  3. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
  4. kisanka

    kisanka New Member

    Joined:
    Dec 31, 2008
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    0
    good post, gonna try this. please post more about the uses of Cain & Abel. it will be very useful for most the readers..
     
  5. BukiBv

    BukiBv New Member

    Joined:
    Mar 29, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    very nice thanX :D
     
  6. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    Joined:
    May 5, 2009
    Messages:
    1,342
    Likes Received:
    55
    Trophy Points:
    0
    Occupation:
    STUDENT !
    Location:
    Orissa, INDIA
    Home Page:
    http://www.crackingforfun.blogspot.com
    I don't really get this !?!

    (1) Can we reverse a crypto-hash ?? :confused: There can be infinitely many arbitrary data blocks with the same MD5.
    As I saw in your article, you make some assumption about the data : such as numeric, or uses special symbols etc .. But what if you have no idea AT ALL ??

    (2) If the data-block is combined with a random salt before generating MD5 hash, then ?? Rainbow tables are almost useless !
     
  7. neo_vi

    neo_vi Member

    Joined:
    Feb 1, 2008
    Messages:
    720
    Likes Received:
    16
    Trophy Points:
    18
    Occupation:
    Software engineer
    Location:
    Earth
    Home Page:
    http://computertipaday.blogspot.com
    For
    (1) No. And if u have no idea at all u can make an assumption that the password length may be with 4-10 chars and u can use all char set to create rainbow tables. I just demonstrated it for numeric cos of the time constraint. If u re free enough to create a rainbow tables of size 80 GB or more create it and crack it.

    (2) In real time most of the sites give unsalted passwords by SQL injection. And no one is gonna combine with random salt for an admin password.

    see the last part of the article (FAQ's) I have clearly said this is used for cracking the passwords which we get from SQL injection. I am not dealing with any kinda data that is hashed or salted with MD5.
     
  8. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
  9. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice