Lanman rainbow tables

Discussion in 'OT Technology' started by TheRider, Oct 3, 2005.

  1. TheRider

    TheRider Geeky OT Supporter

    Joined:
    Jan 27, 2002
    Messages:
    7,365
    Likes Received:
    9
    Location:
    San Diego
    Anyone got a more direct download link than the BitTorrent for the 64 gig LanMan rainbow tables? Taking forever this route, i.e. may run up to 20-odd days.
     
  2. TheRider

    I guess no one has a better link, oh well only 6 more days till my download is done.
     
  3. kronik85

    kronik85 New Member

    Joined:
    Feb 8, 2005
    Messages:
    34,837
    Likes Received:
    0
    Location:
    Deutschland
    who really wants to host a 64 gig file for people to download and eat up bandwidth?
     
  4. TheRider

    I suppose, but they are super handy. They are fully downloaded, sorted, and usable now. I can crack any lanman hash that is 14 or less characters fast, very very useful.
     
  5. ski

    ski New Member

    Joined:
    Mar 13, 2005
    Messages:
    22,499
    Likes Received:
    0
    Location:
    Boston
    What are these for, cracking LM hashes on boxes that have them enabled?
     
  6. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    yeah more or less.
     
  7. TheRider

    Any Windows server uses LanMan hashes for encrypting the passwords, meaning if you simply dump the hashes of a server you can crack all the passwords sub 14 characters in the domain very very fast. It's a time trade-off cracking system; it takes time to get the 64 gigs generated, but once you have them, it's all fast from there on out.
     
  8. CyberBullets

    You also have to waste 64 GB of space on the server + it only works for Windows Servers.

    IMO it's a waste of time, bandwidth and space. May as well just crack them brute force. We just do that whenever we need to do a security audit on the passwords; though, our company is sub 100 users.

    Our password specs are 7 characters, 1 upper, 1 lower, 1 number, 1 symbol.
     
  9. TheRider

    How long does it take to brute force 100 passwords that may be up to 14 characters that are upper/lower/number/punct/spaces? With these tables a few hours tops. On a brute force attack I'd guess a few years.

    If you would like a demo, paste in a few hashes that are 14 or less native characters, and we can time brute force vs rainbow.

    Oh, the tables can be on any drive, doesn't have to be on the server; you can move the hashes to whatever machine you like. An 80 GB external drive will easily handle the tables, that you plug in whenever you need.
     
    Last edited: Nov 4, 2005
  10. CyberBullets

    No, not a few years.
    Few hours per password.
    How?

    A wrong password takes longer to validate than a correct password. Windows passwords are unique in that you can actually see if a specific character in the password is correct or not. Depending on the time returned for errors or not, you can quickly break down a password. The software is run on the server. I forget how many characters per second it simulates, but I believe it's 3 million.
     
  11. TheRider

    Can I paste a hash for you to brute force then? I'd be very curious. I'd guess it will take ages to brute.

    Harmless hash:

    IWAM_NTSERVER2:1487:b9a21d70ca6aeadd22121237c95ccd93:2a925aa151a3c2fe577c1aa2170e8531:::

    Using the rainbow table method:

    statistics
    -------------------------------------------------------
    plaintext found:
    total disk access time: 944.05 s
    total cryptanalysis time: 751.14 s
    total chain walk step: 505387390
    total false alarm: 26309
    total chain walk step due to false alarm: 134088899

    I blanked out the result, so you wouldn't have the password :)
    This was on a PIV 3.6 with 2 GB memory and a single 400 GB SATA; with faster IO this would be much quicker.
     
    Last edited: Nov 4, 2005
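The posts above lean on two properties of the LM hash: it is only defined up to 14 characters, and it is really two independent 7-character problems, which is why a 14-character rainbow table set is feasible at all and why the 7-character policy mentioned earlier leaves half of every hash equal to a fixed constant. The program below is an added example, not code from this thread or from any tool named in it. It implements the LM algorithm as publicly documented (uppercase, zero-pad to 14 bytes, use each 7-byte half as a DES key to encrypt the constant "KGS!@#$%") using Go's standard crypto/des, then parses the pwdump-format line posted above and reports what the hash reveals before any cracking starts. The function names (LMHash, ParsePwdumpLine, Triage) and the sample passwords "Secret1" and "password" are mine; the uppercasing handles ASCII only, whereas real LM used the OEM code page.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// lmMagic is the constant plaintext both halves of an LM hash encrypt.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is DES("KGS!@#$%") under an all-zero key: the half-hash of a
// fully padded (empty) half. A second half equal to this means the password
// is at most 7 characters; a whole hash of EmptyHalf+EmptyHalf means the
// account has no LM hash stored at all.
const EmptyHalf = "aad3b435b51404ee"

// expandDESKey spreads 56 key bits over 8 bytes, leaving bit 0 of each byte
// for DES parity. The DES key schedule ignores those bits, so they stay 0.
func expandDESKey(k [7]byte) []byte {
	out := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0F)<<3 | k[4]>>5,
		(k[4]&0x1F)<<2 | k[5]>>6,
		(k[5]&0x3F)<<1 | k[6]>>7,
		k[6] & 0x7F,
	}
	for i := range out {
		out[i] <<= 1
	}
	return out
}

// LMHash computes the LanMan hash of an ASCII password as lowercase hex.
func LMHash(password string) (string, error) {
	// LM uppercases the password (ASCII-only here) and is undefined past 14 bytes.
	upper := strings.ToUpper(password)
	if len(upper) > 14 {
		return "", errors.New("LM hash undefined for passwords over 14 bytes")
	}
	var padded [14]byte // zero padding fills whatever the password leaves empty
	copy(padded[:], upper)

	var out []byte
	// Each 7-byte half is an independent DES key: an attacker cracks 2 x 7
	// characters, never 14 at once.
	for _, half := range [][]byte{padded[:7], padded[7:]} {
		var k [7]byte
		copy(k[:], half)
		block, err := des.NewCipher(expandDESKey(k))
		if err != nil {
			return "", err
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, lmMagic)
		out = append(out, ct...)
	}
	return hex.EncodeToString(out), nil
}

// PwdumpEntry is one pwdump-format line: user:rid:lmhash:nthash:::
type PwdumpEntry struct {
	User, RID, LM, NT string
}

// ParsePwdumpLine splits a pwdump line and normalises both hashes to lowercase.
func ParsePwdumpLine(line string) (PwdumpEntry, error) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) < 4 || len(f[2]) != 32 || len(f[3]) != 32 {
		return PwdumpEntry{}, fmt.Errorf("malformed pwdump line: %q", line)
	}
	return PwdumpEntry{User: f[0], RID: f[1], LM: strings.ToLower(f[2]), NT: strings.ToLower(f[3])}, nil
}

// Triage reports what an LM hash gives away before any cracking is done.
func Triage(e PwdumpEntry) (shortPassword, noLMStored bool) {
	return e.LM[16:] == EmptyHalf, e.LM == EmptyHalf+EmptyHalf
}

func main() {
	// The hash line posted in the thread above.
	line := "IWAM_NTSERVER2:1487:b9a21d70ca6aeadd22121237c95ccd93:2a925aa151a3c2fe577c1aa2170e8531:::"
	e, err := ParsePwdumpLine(line)
	if err != nil {
		panic(err)
	}
	short, none := Triage(e)
	fmt.Printf("%s: LM halves %s / %s, <=7 chars: %v, no LM stored: %v\n",
		e.User, e.LM[:16], e.LM[16:], short, none)

	// Constructed passwords (not from the thread) showing the two properties:
	// a 7-character password has the empty second half, and case is lost.
	for _, p := range []string{"", "Secret1", "password", "PASSWORD"} {
		h, err := LMHash(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("LM(%q) = %s\n", p, h)
	}
}
```

Both halves of the posted hash differ from the empty-half constant, so that password is longer than 7 characters and the right-hand half is worth cracking on its own; on a real dump, sorting accounts by whether the second half equals aad3b435b51404ee is the first thing to do before any table lookup.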
  12. ski

    Oh shit, nerd challenge.
     
  13. CyberBullets

    I'd run it but..

    A) I'm at home for the weekend, and not going back in till Tuesday.
    B) I don't have access to the Windows Server box. I'm a software developer who works & takes care of the Linux boxes at work.
    C) Even if I did have access, I'm not wasting time on that on a work computer. We have a strict computer policy, and the last thing I want to do is break it. I was the one who was on the committee who came up with the policies that are now in place. Oh the irony.
    D) I could really care less. Like I said before, IMO the 64 GB isn't worth the trade-off. When we do our security audit, we start it Friday night, come back Monday morning and the audits are complete on the passwords.

    If you are still interested, look up @stake LC5 if you want to see one of the hash software we use.
     
  14. TheRider

    Fair enough, if all you were using was @stake LC5 it would take you over a year to break that hash anyway, if not many years, unless you have a distributed cluster. I thought you might have had access to something more sophisticated.

    The rainbow table is basically 100% at cracking sub-15-character passwords with a full character set, and fast. If you don't have to crack passwords, then you are right, not worth it to you. Auditing for brute-force dictionary attacks isn't particularly helpful if files are locked and encrypted by a user's password that is gone. Changing the passwords kills the files; any other method takes forever.

    If you have to figure out passwords that are greater than 6 characters and non-book, then it isn't even worth going any other way; using l0pht aka @stake isn't even comparable. The cost of a drive to store 64 gigs is what, $60? That's a really small price to pay for near-instant password reversal as needed when files may be needed quickly.

    If you are saying $60 is too great a price to pay, what does that say about the value of your files?
     
  15. CyberBullets

    I believe if the file is locked and encrypted by a user, an administrator can take ownership of the file and decrypt it.

    That happened to me a while back. I had my work directory encrypted and I had to do a format. I copied the files to a backup drive, did a new install and when I came back, I didn't have any permissions to the folder. As the admin, I was able to take ownership and decrypt them.

    And I'm not worried about users who "lock/encrypt" files. All our important files are on our UNIX box, which they have very restricted access to.
     
    Last edited: Nov 4, 2005
  16. kronik85


    it's working just fine for that company..... so who cares?

    LM rainbow tables are for just that, LM hashes. not too diverse.

    i never said they weren't useful, i was just saying that no one (generally) wants to host 64 gigs of data for the public to download.

    they're fun, but they get old. nice to have on hand, but not all necessary.
     