This document is for people who want to learn the how and why of password cracking. There is a lot of information being presented and you should READ IT ALL BEFORE you attempt anything documented here. I do my best to provide step by step instructions along with the reasons for doing it this way. Other times I will point to a particular website where you will find the information. In those cases someone else has done what I am attempting and did a good or great job, and I did not want to steal their hard work. These instructions have several excerpts from a combination of posts from pureh@te, granger53, irongeek, PrairieFire, RaginRob, stasik, and Solar Designer. I would also like to thank each of them and others for the help they have provided me on the BackTrack forum.
I will cover both getting the SAM from inside Windows and from the BackTrack CD. The SAM is the Security Accounts Manager database where local usernames and passwords are stored. For legal purposes I am using my own system for this article. The first step is to get a copy of pwdump. You can choose one from http://en.wikipedia.org/wiki/Pwdump
The LM hash is the old style hash used in MS operating systems before NT 3.1. It converts the password to uppercase and null-pads or truncates it to 14 characters. The password is then split into two 7 character halves and the DES algorithm is applied to each half. NT 3.1 to XP SP2 support LM hashes for backward compatibility and storing them is enabled by default. Vista supports LM hashes but they are disabled by default. Given the weaknesses in the LM hash it is recommended to disable LM hashes on all MS operating systems using the steps in http://support.microsoft.com/kb/299656
NTLM was introduced in NT 3.1. It does not convert the password to uppercase, does not break the password apart, and supports password lengths greater than 14. There are two versions of NTLM, v1 and v2. Due to a weakness in NTLM v1 it should not be used. Microsoft has included support for NTLM v2 for all of its operating systems either via service pack or the Directory Services client (for Windows 9x). You enable NTLM v2 by following the instructions at http://support.microsoft.com/kb/239869. For maximum security you should set LMCompatibility to 3 for Windows 9x and LMCompatibilityLevel to 5 for NT, 2000, XP, and 2003. Of course you should test these changes BEFORE you put them into a production environment.
If LM hashes are disabled on your system the output of pwdump will look like:
Administrator:500:NO PASSWORD*********************:00AB1D1285F410C30A83B435F2CA798D:::
Guest:501:NO PASSWORD*********************:31A6CAE0D36AD931B76C59D7E1C039C0:::
HelpAssistant:1000:NO PASSWORD*********************:BF23C2595478A6279F7CB53EF76E601F:::
SUPPORT_3845a0:1002:NO PASSWORD*********************:0C8D62E10A6240BACD910C8AB295BB79:::
ASPNET:1005:9F07AE96CA4310752BDC083AAC960496:A99C1C3DB39E3C732EF5C2F63579AF96:::
The first field is the username. The second field is the last part of the SID for that username. The SID is a security identifier that is unique to each username. The third field is the LM hash. The fourth field is the NTLM hash.
If you do not have an ASPNET user account do not worry about it. If you do have an ASPNET user account do NOT change the password, as I am told that will break something. What I did was delete the account and then recreate it using: %systemroot%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe /i
BackTrack 2 users use the following:
# bkhive-linux /mnt/XXX/WINDOWS/system32/config/system syskey.txt
BackTrack 3 users use the following:
# bkhive /mnt/XXX/WINDOWS/system32/config/system syskey.txt
john only needs to know the path to hash.txt to begin brute forcing the LM hashes and return the uppercase password:
# /usr/local/john/john hash.txt
To begin brute forcing the NTLM hashes instead, tell john the format:
# /usr/local/john/john -f:NT hash.txt
Stasik told me it is much easier to crack the NTLM hash if you know the character set. This way you do not need to brute force all possible character combinations. Once you have TESTTEST, feed a custom character set of tesTES to john and it will return the proper case password much faster than if you did not limit the character set. The issue is john has no easy way to limit the character set. You will have to modify the john.conf file and include the following code that Solar Designer has kindly published to the john-users mailing list:
[List.External:customcharset]
int running; // Are we already running?
int last; // Last character position, zero-based
int c0, c[0x100]; // Cyclic charset

void init()
{
    int length, cm, i;

    length = 10; // password length
    c[c0 = 't'] = 'e'; // change the t and the e to the first and second letters of the custom character set
    c['e'] = 's'; // change the e and the s to the second and third letters of the character set
    c['s'] = 'T'; // change the s and T to the third and fourth letters
    c['T'] = 'E'; // etc
    c['E'] = 'S'; // etc
    c[cm = 'S'] = c0; // change the S to the last letter of the character set
    // If you cannot see the pattern then do not bother with this trick.
    // If you can, make the necessary changes to suit your environment.
    running = 0;
    last = length - 1;
    i = 0;
    while (i < length) word[i++] = cm; word[i] = 0;
}

void generate()
{
    int i;

    i = last;
    while ((word[i] = c[word[i]]) == c0)
        if (!i--) {
            if (running++) word = 0;
            return;
        }
}
Once you make the necessary changes begin cracking using:
# /usr/local/john/john -external=customcharset -f:NT hash.txt
Some notes from Solar Designer:
Stasik told me it is much easier to crack the NTLM hash if you know the character set. This way you do not need to brute force all possible character combinations. Once you have TESTTEST, feed a custom character set of tesTES to mdcrack and it will return the proper case password much faster than if you did not limit the character set.
# wine MDCrack-sse.exe -charset=tesTES -algorithm=ntlm D280553F0103F2E643406517296E7582
If you know the password length you can use:
# wine MDCrack-sse.exe -charset=tesTES -algorithm=ntlm -minsize=8 -maxsize=8 D280553F0103F2E643406517296E7582
The password is TestTest; however, mdcrack 1.8.3 returns sestTest. I filed a bug report with Gregory Duchemin, the author of mdcrack, and he has fixed the problem in version 1.8.4.
Download ophcrack from http://sourceforge.net/project/showfiles.php?group_id=133599 and download one of the two rainbow tables from http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/. If you have the hard drive space I would recommend downloading SSTIC04-5K. If this is a demo or you do not have a lot of disk space download SSTIC04-10K. This is not a typo; SSTIC04-5K is a larger download than SSTIC04-10K. The rainbow tables that ophcrack uses are NOT compatible with the rainbow tables generated by rtgen.
You will have to purchase the NTLM rainbow tables from http://www.objectif-securite.ch/en/products.php. The rainbow table covers 99% of passwords made of the following characters:
length 1 to 6:
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (space included)
length 7:
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
length 8:
0123456789abcdefghijklmnopqrstuvwxyz
You CANNOT generate your own rainbow tables for ophcrack to use. If you know that the password meets the above specs you can purchase the table and give it a try.
C:\> pwdump7 >c:\hash.txt
pwdump7 will dump the SAM to the screen and the > character redirects the output to a file called hash.txt
When a user logs into a domain their password is cached in the registry so that in the event that the Domain Controller or network goes down the user can still log in to their PC. To export these registry keys you need a tool called cachedump. It can be downloaded from http://www.mirrors.wiretapped.net/security/host-security/john/contrib/cachedump/
The readme.txt in the zip contains everything you want to know about where the cached credentials are stored, how cached credentials work, how they are hashed, and how the tool works.
You can also download fgdump with source from http://www.foofus.net/fizzgig/fgdump/ and get cachedump.
To use:
Now you can use john the ripper to crack the hashes. Please note that Cached Credentials use a different hash than LM or NTLM.
The best way to protect yourself from this is to disable cached credentials. Change the value of the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT to 0. You can do this manually or with Group Policy.
Download John the Ripper from http://www.openwall.com/john/
C:\> cd \john171w\run
C:\> john-386 C:\hash.txt
You cannot, as the John the Ripper binary that you can download from the website does not support NTLM. You will have to download the source code and one of the patches that adds support for NTLM, and compile it yourself. There are also one or two places where you can download a john binary that already has the patches applied.
Download mdcrack from http://membres.lycos.fr/mdcrack/ or c3rb3r.openwall.net/mdcrack/ and extract the files.
The result should be TestTest
Stasik told me it is much easier to crack the NTLM hash if you know the character set. This way you do not need to brute force all possible character combinations. Once you have TESTTEST, feed a custom character set of tesTES to mdcrack and it will return the proper case password much faster than if you did not limit the character set.
C:\MDCrack-183> MDCrack-sse.exe -charset=tesTES -algorithm=ntlm D280553F0103F2E643406517296E7582
If you know the password length you can use:
C:\MDCrack-183> MDCrack-sse.exe -charset=tesTES -algorithm=ntlm -minsize=8 -maxsize=8 D280553F0103F2E643406517296E7582
The password is TestTest
You will have to purchase the NTLM rainbow tables from http://www.objectif-securite.ch/en/products.php. The rainbow table covers 99% of passwords made of the following characters:
length 1 to 6:
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (space included)
length 7:
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
length 8:
0123456789abcdefghijklmnopqrstuvwxyz
You CANNOT generate your own rainbow tables for ophcrack to use. If you know that the password meets the above specs you can purchase the table and give it a try.
The ophcrack LiveCD is good when you have physical access to the PC. Just download ophcrack-livecd from http://sourceforge.net/project/showfiles.php?group_id=133599, burn the ISO to a CD, boot from the CD, and start cracking using the included SSTIC04-10K rainbow table. This will crack the LM hashes. To crack NTLM hashes you have to purchase one of the NTLM hash tables. See section 3.8 for details.
The plain-text.info website is where you can take a LM or MD5 hash and see if someone has already cracked it. The website is easy to use and has a very large list of hashes for you to search. The website also has support for NTLM hashes, but none of the hashes I had were cracked there.
At the moment the pwdump7 utility only works on locally stored SAMs. It will not work on Windows Server 2000, 2003, or 2008 Active Directory. pwdump6 from http://www.foofus.net/fizzgig/pwdump/ can dump Windows Server 2000 and 2003 Active Directory to a file that John the Ripper can crack. fgdump is a newer utility that can dump Active Directory and cached credentials.
See http://www.jms1.net/nt-unlock.shtml for resetting a Windows 2000 domain account.
See http://www.nobodix.org/seb/win2003_adminpass.html for resetting a Windows 2003 domain account.
If you have a Windows client with the Novell NDS client installed you will notice that the client creates a local account on the PC. Usually the local password is the same as the NDS account password. By dumping the local SAM you can usually get a person's NDS password. I know the above trick works as I have used it once. The other techniques listed here I cannot say if they work or not, as I retired the last Novell server several months ago.
I would recommend starting by reading the documentation at http://www.nmrc.org/pub/faq/hackfaq/hackfaq-19.html through hackfaq-26.html to learn quite a bit about attacking Novell servers v2.x to 4.x.
If you have access to the console and the floppy drive of the server you can try one of the console attacks from http://www.nmrc.org/pub/faq/hackfaq/hackfaq-21.html.
If all you have access to is a client you can try some of the client attacks from http://www.nmrc.org/pub/faq/hackfaq/hackfaq-22.html
If you don't have local administrator rights and your server is Novell you can watch the video at http://youtube.com/watch?v=GEl-CsUOY6A and get local administrator rights to your XP box. The attack is very simple: you just have to pull your network cable at the right time.
You can use Pandora from http://www.nmrc.org/project/pandora/ to do online and offline attacks against Novell 4.x and 5.x servers.
From williamc's post at http://forums.remote-exploit.org/showpost.php?p=87491&postcount=7
"I confirmed an interesting vulnerability with Novell. According to this advisory, the Novell password can be dumped out of memory: http://www.securityfocus.com/archive/1/402767
We confirmed this on a Novell 7 environment while performing a pentest. Use both Psexec and pmdump as follows:
psexec \\hostname -u username -p password -s -f -c pmdump -list
Find the PID of the Gwise.exe service. Then:
psexec \\hostname -u username -p password -s -f -c pmdump PID PID_dump.txt
This will dump the memory to \\hostname\c$\windows\system32
Open the dump file in a hex editor and search for an organizational string, like an OU in the target's memory dump file. From there you can find the Novell password for the user within the file.
To simplify this, if you have already found one Novell password, dump the PID for gwise of that user and search for the password. From there, you can work backwards to find the OU format, and apply it to other targets. For instance, at this particular location, the client's OU is similar to clientname.AA_FINANCE.AA_NW
If you do a search for AA_FINANCE.AA_NW in the memory dump you will see the password in plain text. Suppose the CFO is whomever.AA_FINANCE.AA_NW. By dumping his memory, you can search for the OU and reference your original dump, match up the location and password."
chntpw is a part of BackTrack and can reset a forgotten local user account password. If you don't have BackTrack you can download a CD or floppy disk image from http://home.eunet.no/~pnordahl/ntpasswd/, unzip the file, and either burn the ISO to a CD or use rawrite2 to transfer the image to a floppy. Follow the directions at http://home.eunet.no/~pnordahl/ntpasswd/walkthrough.html on how to use the software.
Unix passwords are located in the /etc/shadow file or the /etc/passwd file. Next, Unix passwords are "shadowed" and we must "unshadow" them before we can do anything. Without getting into too much detail, shadowing the passwords removes them from /etc/passwd, which is usually world readable, and moves them to /etc/shadow, which can only be read and written by root or programs run as suid root. Go to http://www.tldp.org/HOWTO/Shadow-Password-HOWTO-2.html if you want details on how shadowing works. Finally, Unix passwords are salted. The short version is that a salt is a randomly generated value that is used to encode the user's password, which is usually already encrypted, thus adding another layer of security. The long version can be found at http://www.tldp.org/HOWTO/Shadow-Password-HOWTO-2.html
The above steps will crack the passwd file on the CD. If you want to crack a passwd file located on a hard drive:
Say you have a wireless router to which you have forgotten the password. The easiest thing to do in this case is to reset the router to factory defaults. However, if you have a lot of custom settings and your backup is nonexistent, out of date, corrupted, or the backup restored a password which you do not remember, you can try a brute force attack on the router. From http://freeworld.thc.org/thc-hydra/: Hydra currently supports TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTPS-HEAD, HTTP-PROXY, LDAP2, LDAP3, SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, SSH2, Teamspeak, Cisco auth, Cisco enable, Cisco AAA (incorporated in telnet module)
For the sake of this document I will use a Linksys WRT54GL, hardware v1.1, Linksys firmware 4.30.11. The first thing you have to do is find out if the device uses a username AND password to log in. Several devices only require a password to log in to the device as admin, root, system, etc. The easiest way to find this out is to go to the vendor's website and download the installation manual, which will give you this information.
As I said earlier, http-get is the correct option for my Linksys AP (with the factory firmware). When you go to the AP website a dialog box opens and prompts for a username and password. Each AP is different and as such you will have to change options, as RaginRob found out. The following is a slightly modified version of his tutorial at http://forums.remote-exploit.org/showthread.php?t=14910
I recently started playing around with Hydra and tried to hack my router. After searching the forum and googling around a while I noticed that there are only some howtos for routers that have http-auth authentication. That is, when you go to 192.168.2.1 e.g. and before showing anything you have to enter login and password in a popup. My router (T-Com Sinus 154 DSL Basic 3) and many others I've dealt with so far work differently. When I want to log in to my router, I have to go to 192.168.2.1, a web interface with a password field shows up, and I have to enter the password which is then checked by /cgi-bin/login.exe via http-post.
It was quite tricky to find out how to use this authentication with hydra, so I guess there are some of you that can benefit from this. I'll describe how I did it, so you can adapt the method and use it with your own router.
First of all I examined the login page of the web interface. Be sure to look at the frame source and not the frameset. You should see the form and the action, here's what I saw:
The form is defined as:
<form name="tF" method="post" action="/cgi-bin/login.exe" onSubmit="evaltF();">
Somewhere in the form there will be the field that takes the password:
<input type="password" name="pws" class="stylepwd" size="12" maxlength="12">
This is probably the most important data you need. You need to write down the field name ("pws" in my case). The size attribute comes in very handy too because it tells us that the password's max length is 12 characters.
After that I tried to get familiar with Hydra's options. I figured out that you need the following options:
hydra -l "" -P passwords.txt -t 1 -f -v -V 192.168.2.1 http-post-form /cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
The first part is the script that takes the POST data; we found that in the frame source above.
The second part is the field name of the password field with an added =^PASS^. ^PASS^ is the variable that hydra substitutes with the passwords in the wordlist.
The third part is the "incorrect" condition. Hydra has to find out somehow if the current password that was sent to the router is correct or not. You have to find a string that is actually IN A NEGATIVE RESPONSE from the router. As we don't have the password yet we can't know what the router will send if the password is correct, therefore we have to check if it is NOT, which we can find out easily. To find out what the router sends back to hydra I used Wireshark.
Open up Wireshark, go to the router login page, start capturing and then log in with a wrong password. After that, stop capturing and apply a "http" filter. You will see the POST data sent from hydra to the router (you should also see the "pws=blabla" in the details, that's where hydra sends the passwords from the wordlist). Below that you'll find the router's answer. In my case it says something like "This page has moved to loginpserr.htm" packed in some basic HTML. So I used the string loginpserr.htm to validate the .. uhm... faultyness. OMFG %-]
Hydra will consider a password as CORRECT when the router's answer DOES NOT contain the given string. So be sure to take an expression that somehow sounds like "incorrect" or "wrong". If you took "the" for example, and the POSITIVE response would be something like "the password you entered was correct", hydra will not recognize it as correct but incorrect.
If your router does not only need a password but also a username, you can easily add the according login name to the last part. So if you need to send the field "login" or whatever it is called in your case with the value "admin" as the only username you could use
/cgi-bin/login.exe:login=admin&pws=^PASS^:loginpserr.htm
When you need to try a whole username list then you can specify the list via
-L usernames.txt
and
/cgi-bin/login.exe:login=^USER^&pws=^PASS^:loginpserr.htm
Brutus is a windows application that does things similar to Hydra. You can find it at http://www.hoobie.net/brutus/
I cannot do any better than sending you to freeworld.thc.org/thc-orakelcrackert11g/
Again The Hacker's Choice at http://freeworld.thc.org/thc-orakel/ has great documentation on this
To make it more difficult to crack your passwords, use syskey. For more information on syskey see http://support.microsoft.com/kb/310105. The short version is that syskey encrypts the SAM. The weakest but most convenient option is to store a system generated password locally; locally means the registry. The upside is the SAM gets encrypted and you can reboot the server remotely without extra equipment. The next option is password startup. This is slightly more difficult to get around, but if you remotely reboot the server, it will stop and wait for someone to enter the password. You will need a KVM over IP or a serial port concentrator so you can enter the password remotely. The most secure option is the system generated password stored on a floppy disk. The downsides to this option are that floppy disks fail, you misplace the floppy disk, newer equipment does not have a floppy disk drive, there are no remote reboots, and you will probably leave the floppy in the drive so you can remote reboot, which defeats the security. I use a system generated password stored locally, weak but better than not doing it. To disable syskey use chntpw and follow its instructions.
Strictly speaking a wordlist is a file that contains words or phrases from everyday life. The premade files below are wordlists. The other instructions in this section are not really wordlists, as the resulting file contains every possible combination (depending on the options you give the program) of characters. I have not come across a word to describe these files so I am naming a file that contains every possible combination of characters a combination list. Not very original, but it does clearly differentiate between the two types of lists. The resulting combination list can be used in place of a wordlist.
Please note that when you generate a combination list the file will be huge. Using the 95 English characters to generate every possible combination of 10 characters the resulting file size will be 95^10 =
59,873,693,923,837,900,000 bytes
59,873,693,923,837,900 KB
59,873,693,923,838 MB
59,873,693,924 GB
59,873,694 TB
59,874 PB
60 EB
For 14 characters the file size would be 4,877 YB
The following is cut and pasted from http://freeworld.thc.org/thc-hydra/README
"* uniq your dictionary files! this can save you a lot of time :-)
cat words.txt | sort | uniq > dictionary.txt
* if you know that the target is using a password policy (allowing users only to choose a password with a minimum length of 6, containing at least one letter and one number, etc.) use the tool pw-inspector which comes along with the hydra package to reduce the password list:
cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt"
The above paragraph is true for any wordlist and very good advice. See http://forums.remote-exploit.org/showthread.php?t=7199 for places to download wordlists. Remember you want as many possible words as you can fit on your storage device. More is better as long as the list only contains unique words.
For Windows use:
C:\john\john-386.exe --stdout --incremental >wordlist.txt
For Linux use:
# /usr/local/john/john --stdout --incremental >wordlist.txt
The resulting output will be written to the wordlist.txt file.
If you know the maximum length of the password you can use --stdout=length and john will output passwords of that length or less. For example --stdout=5 will generate words that are 5 characters long or shorter. Please note that the maximum length john supports by default is 8. If you need to generate a 9 character or longer wordlist you will have to download the source and change a line or two of code. Or you can use a different tool.
If you have a wordlist (wordlist.txt) you want to try against NTLM hashes use the following command:
john -f:NT -w:wordlist.txt pwhashes.txt
or you can edit the john.conf file to use your wordlist. So it would look like this:
[Options]
# Wordlist file name, to be used in batch mode
Wordlist = $JOHN/wordlist.txt
# Use idle cycles only
Idle = N
# Crash recovery file saving delay in seconds
Save = 600
# Beep when a password is found (who needs this anyway?)
Beep = N
crunch is in /pentest/password/crunch; run it with --help to see the options. It will ask for a minimum length, maximum length, character set, etc.
Xploitz and pureh@te have released their wordlists. The first two are torrents; the rest can be downloaded from the URL.
pureh@te's wordlist - http://www.h33t.com/details.php?id=178f55c67ca0f522831dbc67042a34983e6652f5
Xploitz's first wordlist - http://thepiratebay.org/tor/4017231
Xploitz's second wordlist part 1 - http://www.mediafire.com/?am2exxlnwma
Xploitz's second wordlist part 2 - http://www.mediafire.com/?4mzmdsbhhcn
Xploitz's second wordlist part 3 - http://www.mediafire.com/?4v9znjscgwt
Xploitz's second wordlist part 4 - http://www.mediafire.com/?dmj6yy3gw3x
Xploitz's second wordlist part 5 - http://www.mediafire.com/?5tyidngmztx
Xploitz's second wordlist part 6 - http://www.mediafire.com/?3utzg3jk1mb
Xploitz's second wordlist part 7 - http://www.mediafire.com/?dmwdvdrgsgb
Pureh@te has released another wordlist. It is 64 million words 8-63
characters and it was made from his other wordlist.
http://www.megaupload.com/?d=7RN6ZB2E
You could try the wg perl script from http://freshmeat.net/projects/wg/
$ perl ./wg.pl -l 8 -u 64 -v abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\`\~\!\@\#\$\%\^\&\*\(\)\-\_\+\=\[\]\;\'\,\.\/\<\>\?\:\"\{\}\| > words.txt
This will generate a list of "words" (actually character strings) between 8 and 64 characters long (-l 8 -u 64) and output it to a text file named "words.txt". The \ characters are there to escape the bash command characters.
Siph0n has taken a C program from a thread, converted it to Python, and made a couple of enhancements. You can download the source from http://forums.remote-exploit.org/showthread.php?t=14204
NOTE: When generating your own wordlists keep in mind that some programs (aircrack-ng) have a 2GB file size limit. There is also the issue of RAM. If you can keep the entire wordlist in RAM, the cracking will proceed that much faster. So keep your wordlists to a maximum of 2GB. If you have a wordlist that is larger than you want it to be and/or you want to use aircrack-ng you will have to do:
# split --bytes=1024m /tmp/dictionary_file_3GB /tmp/smaller_dictionary_file
Please substitute 1024m for whatever file size you wish and change /tmp/ to the proper path you want to use.
Rainbow tables are files that contain pre-computed hashes of passwords. This drastically cuts down on the time it takes to crack passwords. You will need a set of tables for each algorithm you want to break. Since LM hashes are so weak I do not waste the disk space to store them. The last time I checked the size of the LM hash rainbow tables for a password of 1 to 7 characters and a character set of:
[ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/] was 120GB in size. The table was generated by Hak5. This table is supposed to have a 99.9% success rate. You do not need a table with 8 to 14 characters as the password is split into 2 separate 7 character hashes.
NTLM tables are larger as the possible character set is:
[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/] and the password is not broken into smaller parts. Given this, and that most likely you have a 6 or 7 character minimum password length, the size of the tables can be quite large. I have not found anywhere to download a reasonable set of NTLM rainbow tables. To me reasonable is from 1 to 14 characters using the above character set. A table using these specs will be extremely large.
To generate your rainbow tables you need three things: the algorithm you need, the software to generate the table, and a really fast PC, FPGA, or GPU. Let us start with the NTLM algorithm. The BackTrack software has rtgen available to generate the tables. If you want to generate tables using Windows, download Cain & Abel from http://www.oxid.it/projects.html as that contains the latest release of winrtgen.
A set of tables that use the loweralpha-numeric-symbol14 character set for a maximum of 8 character password and a 99.6972% probability of success will take 120 tables and 175GB of disk space. I used winrtgen to get these figures. To begin the generation:
Boot the BackTrack CD and log in as root.
# rtgen ntlm loweralpha-numeric-symbol14 1 8 0 20000 97505489 _XXX
rtgen is the application
ntlm is the algorithm you want rtgen to use
loweralpha-numeric-symbol14 is the character set you want to use
1 is the minimum password length
8 is the maximum password length
0 is the table index - do not worry about it
20000 is the chain length; higher numbers increase the success probability without increasing the table size much
97505489 is the number of chains to store in the table. Think of this as the size of the table you want to generate. 97505489 is the right size to generate a table if you are going to store them on a DVD. With 97505489 you can store 3 tables on 1 DVD. Use 40000000 if you are going to store the table on a CD. You can use whatever number you want as long as the resulting table is less than 2GB in size. The password cracking tools have issues with tables greater than 2GB.
_XXX is whatever you want appended to the filename. Since I know I need 120 tables I will start with _001 and end at _120
So to generate 3 tables you do:
# rtgen ntlm loweralpha-numeric-symbol14 1 8 0 20000 97505489 _001
# rtgen ntlm loweralpha-numeric-symbol14 1 8 0 20000 97505489 _002
# rtgen ntlm loweralpha-numeric-symbol14 1 8 0 20000 97505489 _003
which will result in the following files be created:
ntlm_loweralpha-numeric-symbol14#1-8_0_20000x97505489_001.rt
ntlm_loweralpha-numeric-symbol14#1-8_0_20000x97505489_002.rt
ntlm_loweralpha-numeric-symbol14#1-8_0_20000x97505489_003.rt
Once all of the tables have been generated you have to sort them before you can use them:
# rtsort ntlm_loweralpha-numeric-symbol14#1-8_0_20000x97505489_001.rt
# rtsort ntlm_loweralpha-numeric-symbol14#1-8_0_20000x97505489_002.rt
# rtsort ntlm_loweralpha-numeric-symbol14#1-8_0_20000x97505489_003.rt
Each command will take a while to complete. The larger the file the longer it takes. It is recommended that you do this on a PC with at least 2GB of RAM (if you use 97505489 as the number of chains) so the entire file can be loaded into RAM, which makes the sort faster.
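The rtgen parameters above trade chain length and chain count against disk space and success rate. Here is an added example (not part of the original article or of RainbowCrack) that puts the arithmetic in code: the keyspace for 1 to 8 character passwords over loweralpha-numeric-symbol14 (assumed to be 26 + 10 + 14 = 50 characters), the table size (assuming the .rt layout of 16 bytes per chain), tables per DVD or CD, and Oechslin's coverage estimate per table and for all 120 tables. All function names are chosen here.

```python
import math

CHAIN_BYTES = 16  # assumed .rt layout: an 8-byte start point plus an 8-byte end point per chain


def keyspace_size(charset_len, min_len, max_len):
    """Number of candidate passwords of every length from min_len to max_len."""
    return sum(charset_len ** n for n in range(min_len, max_len + 1))


def table_bytes(chain_num):
    return chain_num * CHAIN_BYTES


def tables_per_disc(chain_num, disc_bytes):
    return disc_bytes // table_bytes(chain_num)


def table_success(keyspace, chain_len, chain_num):
    """Oechslin's estimate of the fraction of the keyspace one table covers, merges included.
    Column i holds m_i distinct points; m_{i+1} = N * (1 - exp(-m_i / N)), because chains
    that collide in a column merge and stop contributing new points further down."""
    n = float(keyspace)
    m = float(chain_num)
    log_miss = 0.0  # log P(a random password is in none of the columns)
    for _ in range(chain_len):
        log_miss += math.log1p(-m / n)
        m = n * -math.expm1(-m / n)
    return -math.expm1(log_miss)


def overall_success(per_table, table_count):
    """Each table uses a different index, so the misses are treated as independent."""
    return -math.expm1(table_count * math.log1p(-per_table))


def rtgen_plan(charset_len, min_len, max_len, chain_len, chain_num, table_count,
               disc_bytes=4_700_000_000):
    """Summarise what a set of rtgen tables with these parameters costs and buys."""
    ks = keyspace_size(charset_len, min_len, max_len)
    p1 = table_success(ks, chain_len, chain_num)
    return {
        "keyspace": ks,
        "table_bytes": table_bytes(chain_num),
        "tables_per_disc": tables_per_disc(chain_num, disc_bytes),
        "per_table_success": p1,
        "overall_success": overall_success(p1, table_count),
        "total_bytes": table_bytes(chain_num) * table_count,
    }


if __name__ == "__main__":
    # the rtgen line from the article: charset of 50, lengths 1-8, chains of 20000, 97505489 chains, 120 tables
    for key, value in rtgen_plan(50, 1, 8, 20000, 97505489, 120).items():
        print(key, value)
```

With the article's parameters the estimate comes out at roughly 4.7% coverage per table, about 99.7% for 120 tables, and about 174 GiB in total, in line with the 99.6972% and 175GB that winrtgen reported above.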
You do not need rainbow tables for WEP. See other postings for WEP cracking details.
Rainbow tables can be used to crack the Pre-Shared Keys of WPA. The Church of WiFi has a 40GB torrent of rainbow tables that use ~1,000,000 words for a total of approximately 40GB of hash tables for the top 1000 SSIDs. The torrent is at http://umbra.shmoo.com:6969/torrents/wpa_psk-h1kari_renderman.torrent
Changes from version 0.1
Changes from version 0.2
Changes from version 0.3
Changes from version 0.4