About

A Case for Modern Rainbow Table Usage

Rainbow tables went out of style a few years ago when GPU-accelerated password cracking became popular. With tools like hashcat, it no longer made sense to invest the effort to obtain the existing obsolete tables. Furthermore, no GPU-accelerated open-source tools existed to create new tables with. For these reasons, the world of rainbow tables was forgotten by the infosec community.

However, rule-based cracking and rainbow table cracking were never mutually exclusive strategies. They were (and still are, in fact) complementary. Rules are great at finding the patterns that users commonly choose; rainbow tables are effective against fully random passwords, which can exist for highly sensitive accounts.

For example, if the database of NTLM password hashes for a Windows domain were obtained, the optimal strategy would be:

  1. Use hashcat to brute-force all 1-7 character passwords (this can be done quickly).
  2. Use hashcat to crack passwords based on rules (variable time).
  3. Use rainbow tables to break complex 8-character passwords (a few hours).
  4. Use rainbow tables to break complex 9-character passwords (a few days).

While brute-forcing 8-character passwords is very much possible with hashcat, it is inefficient to do so for smaller numbers of hashes:

Hashcat arguments used: "-m 1000 -a 3 -w 3 -O hashes.txt ?a?a?a?a?a?a?a?a"

As shown in the graph above, on a machine with a single NVIDIA RTX 2070 GPU, hashcat takes roughly 75 hours to brute-force one hundred 8-character NTLM passwords, whereas the Rainbow Crackalack software (with the NTLM-8 tables) achieves a 93% success rate in an hour and a half!

The following graph shows the cracking times for 9-character NTLM hashes:

Hashcat arguments used: "-m 1000 -a 3 -w 3 -O hashes.txt ?a?a?a?a?a?a?a?a?a"

The graph above shows that, on a machine with a single NVIDIA RTX 2070 GPU, hashcat would take an estimated 150 days to crack 50% of 9-character NTLM hashes, whereas rainbow tables would do it in a little over 2 days (51 hours, to be exact)!

Cracking Example

The following example shows one hundred NTLM 8-character password hashes being cracked by the crackalack_lookup tool:

    # ./crackalack_lookup /NTLM8_Master/ random_ntlm_hashes_8_chars_101.txt
    Rainbow Crackalack v1.0
    Copyright 2018-2019 Positron Security LLC
    <https://www.positronsecurity.com/>

    Make Rainbow Tables Great Again

    Found 1 platforms.
    Found 2 devices on platform #0.
    Device #0:
      Vendor: Advanced Micro Devices, Inc.
      Name: gfx900
      Version: OpenCL 2.0
      Driver: 2862.0 (HSA1.1,LC)
      Max compute units: 64
      Max work group size: 256
      Global memory size: 8573157376
    Device #1:
      Vendor: Advanced Micro Devices, Inc.
      Name: gfx900
      Version: OpenCL 2.0
      Driver: 2862.0 (HSA1.1,LC)
      Max compute units: 64
      Max work group size: 256
      Global memory size: 8573157376

    Binary searching will be done with 32 threads.
    Loaded 101 of 101 uncracked hashes from random_ntlm_hashes_8_chars_101.txt.

    Pre-computing hash #1: a7c002406a080278885e47da3909187f...
    Note: optimized NTLM8 kernel will be used for precomputation.
    Completed in 16.4 secs.
    Pre-computing hash #2: bb53c0cb3a8cf0f71f0d6b170ff6b622...
    Completed in 16.5 secs.
    Pre-computing hash #3: 8e7c7397e513cee2cb50c2fc174ca7b3...
    Completed in 16.5 secs.
    Pre-computing hash #4: c260b99e3b87dfd7538acae873f99291...
    Completed in 16.6 secs.
    Pre-computing hash #5: 6055c3fc48f8260ece230fe8b599375e...
    Completed in 16.6 secs.
    Pre-computing hash #6: bdabd5d2332764e0f15a8dc7ee0c1d3a...
    Completed in 16.6 secs.
    [...]
    Pre-computation finished in 28 mins, 11 secs.

    Processing compressed table: /NTLM8_Master/ ntlm_ascii-32-95#8-8_0_422000x67108864_206.rtc...
    Table loaded in 2.0 secs.
    Searching table for matching endpoints...
    Table searched in 8.8 secs.
    Checking 79462 potential matches...
    HASH CRACKED => f417de201da2836457d3d893281e6b0f:2M*CD'HD
    Completed false alarm checks in 7.0 secs.

    Processing compressed table: /NTLM8_Master/ ntlm_ascii-32-95#8-8_0_422000x67108864_1.rtc...
    Table loaded in 1.5 secs.
    Searching table for matching endpoints...
    Table searched in 8.1 secs.
    Checking 51869 potential matches...
    HASH CRACKED => 4591f8e93ac153282059b5629607aceb: fdrp_<t
    HASH CRACKED => 4175d41bb49cd4fd42069435228f0135:`A7&tlSo
    Completed false alarm checks in 4.0 secs.

    Processing compressed table: /NTLM8_Master/ ntlm_ascii-32-95#8-8_0_422000x67108864_116.rtc...
    Table loaded in 1.5 secs.
    Searching table for matching endpoints...
    Table searched in 6.1 secs.
    Checking 61776 potential matches...
    HASH CRACKED => 52cc18d2dc77f80601532e41cb6738a9:)s&pw3"w
    HASH CRACKED => defc96c4f1290e15ac71e35a78625246:E/6""r}]
    Completed false alarm checks in 4.0 secs.

    Processing compressed table: /NTLM8_Master/ ntlm_ascii-32-95#8-8_0_422000x67108864_119.rtc...
    Table loaded in 1.5 secs.
    Searching table for matching endpoints...
    Table searched in 5.7 secs.
    Checking 60337 potential matches...
    HASH CRACKED => c260b99e3b87dfd7538acae873f99291:=R\XHZ5P
    HASH CRACKED => 39b00f4aaebaf614da751a26ae92f209:G|r=sM.r
    HASH CRACKED => 03d5353a16d89732e540b38126c35bd9:2}MOJGy5
    HASH CRACKED => d4e323ec73f7475571e2b82600e86b73:c0w[U'a:
    Completed false alarm checks in 4.0 secs.
    [...]

    RAINBOW CRACKALACK LOOKUP REPORT

    * Crack Summary *

    Of the 101 hashes loaded, 92 were cracked, or 91.09%.

    Results
    -------
    a7c002406a080278885e47da3909187f ?0.'{!'I
    bb53c0cb3a8cf0f71f0d6b170ff6b622 ]U$AG:YJ
    8e7c7397e513cee2cb50c2fc174ca7b3 4D2(KIX!
    c260b99e3b87dfd7538acae873f99291 =R\XHZ5P
    [...]
    -------

    Results have been written in JTR format to: rainbowcrackalack_jtr.pot
    Results have been written in hashcat format to: rainbowcrackalack_hashcat.pot

    * Time Summary *

    Precomputation: 28 mins, 11 secs
    I/O: 25 mins, 50 secs
    Searching: 23 mins, 28 secs
    False alarm checks: 39 mins, 57 secs
    Total: 1 hours, 57 mins

    * Statistics *

    Number of tables processed: 745
    Number of false alarms: 14,895,354
    Number of chains processed: 49,966,924,469
    Time spent per table: 9.5 secs
    False alarms checked per second: 6,212.5
    False alarms per no. chains: 0.02981%
    Successful cracks per false alarms: 0.00062%
    Successful cracks per total chains: 0.00000018%
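
The phases named in the output above (pre-computation, endpoint search, false alarm checks) can be seen in a toy rainbow table. This is an added example, not Rainbow Crackalack's code. It assumes a 3-letter lowercase keyspace, MD5 as a stand-in for NTLM, and hypothetical function names.

```python
import hashlib
from collections import defaultdict

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
KEYSPACE = len(CHARSET) ** PW_LEN   # toy keyspace: 26^3 = 17,576 plaintexts
CHAIN_LEN = 40                      # hash/reduce steps per chain (assumed value)

def h(plain):
    # Stand-in hash (MD5); the real tables target NTLM.
    return hashlib.md5(plain.encode()).digest()

def index_to_plain(i):
    out = ""
    for _ in range(PW_LEN):
        i, r = divmod(i, len(CHARSET))
        out += CHARSET[r]
    return out

def reduce_(digest, col):
    # Column-dependent reduction: maps a digest back into the keyspace.
    return index_to_plain((int.from_bytes(digest[:8], "big") + col) % KEYSPACE)

def build_table(n_chains):
    # Only endpoint -> start points is stored; the middle of each chain is discarded.
    table = defaultdict(list)
    for i in range(n_chains):
        start = plain = index_to_plain((i * 7919) % KEYSPACE)
        for col in range(CHAIN_LEN):
            plain = reduce_(h(plain), col)
        table[plain].append(start)
    return table

def lookup(table, target):
    """Return (plaintext or None, number of false alarms)."""
    false_alarms = 0
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Pre-computation: assume target sits at column pos, walk on to the endpoint.
        plain = reduce_(target, pos)
        for col in range(pos + 1, CHAIN_LEN):
            plain = reduce_(h(plain), col)
        # Endpoint search, then regenerate each candidate chain up to column pos.
        for start in table.get(plain, []):
            cand = start
            for col in range(pos):
                cand = reduce_(h(cand), col)
            if h(cand) == target:
                return cand, false_alarms
            false_alarms += 1   # endpoint matched, but the chain never held target
    return None, false_alarms
```

A chain's start point is always recovered, while any other plaintext is found only if some stored chain happens to pass through it. That is why rainbow tables are quoted with a success rate rather than a guarantee.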

News

February 26, 2021

Version 1.3 was released, which includes massive speedups for NTLM 9-character lookups. Precomputation times are 9.5x faster, and false alarm checks are 4.5x faster!

April 2, 2020

The NTLM 9-character tables are now available! Furthermore, version 1.2 of the software was also released, which features a 30-40% speedup on lookups due to parallel table loading. The full announcement can be found here.

August 8, 2019

Version 1.1 was released today. It features massive speed improvements (credit Steve Thomas), finalization of the NTLM9 spec, and various improvements and bugfixes.

June 11, 2019

Today marks the launch of the project! The source code for table generation and lookup is now available, along with tables targeting NTLM 8-character passwords. Our Kickstarter project aims to raise funds for more equipment so we can generate NTLM 9-character tables!

Volunteers

Although the original Kickstarter project failed to reach its funding goal, volunteers from around the world nevertheless stepped up and generated 10 terabytes of raw 9-character tables over the course of 8 months! A round of applause for their dedicated work!

Sponsors

Download

The source code for table generation and lookup is available on GitHub. Pre-compiled executables for Windows are available as well.

NTLM 8-character tables can be downloaded for free via BitTorrent. These are 93% effective and are 486 GB in size.

NTLM 9-character tables can also be downloaded for free via BitTorrent. These are 50% effective and are 6.7 TB in size.

Contact

You may contact us using this form or by reaching out to @therealjoetesta on Twitter.