Rainbow Tables
 

My Presentation at Barcamp ID in Jakarta 12th Dec 2009 [revised]

    Rainbow Tables: Presentation Transcript

    • Jakarta, December 12th 2009
      Rainbow Tables
      Testing Password Security
    • About me
      Panggi Libersa a.k.a. malcoder
      Student at Indonesia’s Computer University
      Likes to take pictures
      Almost has his CEH certification (waiting for exam)
      Member of GNU/Linux User Group at Bandung [ Klub Linux Bandung ]
      Small web hosting owner [ hostinggokil.com , ofirnetwork.com (in progress) ]
      Web : malcoder.info and opensecuritylab.org
      Find me :
      @panggimalcoder panggi_y2k
      panggi.libersapanggipanggi
    • “Some things Man was never meant to know. For everything else, there's Google” Geeky Quote
    • Why do I talk about this?
      Awareness of Security
      • I promise that this will change your view on Password Security
      • I haven’t met anyone who isn’t surprised at how easy this stuff makes cracking passwords
    • So, what is a password?
      A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource. The password must be kept secret from those not allowed access.
      (source : http://en.wikipedia.org/wiki/Password)
    • Password Usage
    • How to keep it secret?
      Don’t tell anybody else; keep it in your head (personal)
      Store the password records in a secure environment (provider)
    • Types of password storage
      Cleartext (ex: this-is-so-secret, 260987)
      Encrypted
      • Reversible encryption without key (ex: base64 cipher)
      • Reversible encryption with key (ex: polyalphabetic substitution cipher)
      • One Way Hash (ex: md5, sha1)
      • One Way Hash with salt (ex: md5 + salt)
    • Example of the encryption usage
      Base64 (functions: encode and decode)
      • Encode : cleartext -> ciphertext
      • Decode : ciphertext -> cleartext
      encode : cleartext panggi -> ciphertext cGFuZ2dp
      decode : ciphertext cGFuZ2dp -> cleartext panggi
    • Polyalphabetic substitution cipher
      • ex : Vigenère cipher
      • Usage :
      Key:        ABCDEF AB CDEFA BCD EFABCDEFABCD
      Plaintext:  CRYPTO IS SHORT FOR CRYPTOGRAPHY
      Ciphertext: CSASXT IT UKSWT GQU GWYQVRKWAQJB
      • One Way Hash
      • CANNOT BE DECODED, feel secure? Wait
    • One way hash + salt
      • I will explain later .. 
      NEXT
    • Our Focus Today
      Cracking One Way Hash Cipher
      • MD5
      • LM (LAN MANAGER) for MS Windows Password
    • Characteristics
      MD5 : The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32 hexadecimal digits
      • Example :
      test = 098f6bcd4621d373cade4e832627b4f6
    • LM :
      • The user’s ANSI password is converted to uppercase.
      • This password is null-padded to 14 bytes.
      • The “fixed-length” password is split into two 7-byte halves.
      • These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a parity-bit after every seven bits. This generates the 64 bits needed for the DES key.
      • Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE.
      • These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
    • Example :
      percobaan:1016:3EABC00C9F7B74B09A0F5D12D8F612D0:34976BC196DADD52A6D02AE530F806C3:::
      • percobaan = username
      • 1016 = ID
      • 3EABC00C9F7B74B09A0F5D12D8F612D0 (LEFT side of LM password; it means the password is more than 7 chars)
      • 34976BC196DADD52A6D02AE530F806C3 (RIGHT side of LM pass, so we just have to crack 7 chars and fit it together)
    • Methods of cracking the passwords
      Brute Force
      Dictionary
      Rainbow Tables (our focus)
      Etc…
    • Brute force
      Trying all possible combinations in sequence
      Example :
      Targeted hash : 4a8a08f09d37b73795649038408b5f33
      OK.. Crack it ..
      a = 0cc175b9c0f1b6a831c399e269772661 <= no
      b = 92eb5ffee6ae2fec3ad71c777531578f <= no
      c = 4a8a08f09d37b73795649038408b5f33 <= yes
      Result :
      Plaintext of 4a8a08f09d37b73795649038408b5f33 is “c”
    • Dictionary
      Given the wordlist of common passwords
      Example :
      Targeted hash : 3858f62230ac3c915f300c664312c63f
      dic-crack 3858f62230ac3c915f300c664312c63f -L “path-of-wordlist/wordlist.txt”
      searching….

      fooa <= 72b55c624205d69cc145cc610880e1f9 <= no
      foobar <= 3858f62230ac3c915f300c664312c63f <= yes

    • Rainbow Tables ?
      A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function. A common application is to make attacks against hashed passwords feasible.
      (http://en.wikipedia.org/wiki/Rainbow_tables)
    • English please…
      Lookup table ?
      Time-memory tradeoff ?
      <=?
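The two questions on this slide, worked through as an added example that is not part of the original slides: a toy rainbow table that stores only each chain's start and end point and recomputes the links in between at lookup time. The 3-letter lowercase keyspace, the chain length of 50 and the reduction function are assumptions of this example, not RainbowCrack's own; in the demo's table names, `2400x40000000` is chain length x chain count, and 40,000,000 chains at 16 bytes each give the 640,000,000 bytes rcrack reports reading.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                        # toy keyspace: 26**3 = 17,576 passwords
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50                    # assumed; the rcrack tables in the demo use 2400

def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def index_to_pw(n):
    """Number in [0, SPACE) -> fixed-length lowercase password."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def reduce_hash(digest, column):
    """Map a digest back into the password space. Mixing in the column
    number gives each chain position its own reduction function."""
    return index_to_pw((int(digest, 16) + column) % SPACE)

def walk(pw, first_col, last_col):
    """Apply hash-then-reduce for columns first_col .. last_col - 1."""
    for col in range(first_col, last_col):
        pw = reduce_hash(md5_hex(pw), col)
    return pw

def build_table(n_chains):
    """Keep only endpoint -> [start points]; the links in between are
    discarded and recomputed at lookup (time traded for memory)."""
    table = {}
    for i in range(n_chains):
        start = index_to_pw(i * (SPACE // n_chains))
        table.setdefault(walk(start, 0, CHAIN_LEN), []).append(start)
    return table

def lookup(table, target):
    """Return (password or None, false alarms) for an MD5 hex digest."""
    false_alarms = 0
    for col in range(CHAIN_LEN - 1, -1, -1):       # guess the target's column
        end = walk(reduce_hash(target, col), col + 1, CHAIN_LEN)
        for start in table.get(end, ()):
            candidate = walk(start, 0, col)        # rebuild the chain to that column
            if md5_hex(candidate) == target:
                return candidate, false_alarms
            false_alarms += 1                      # endpoint matched, chain did not
    return None, false_alarms

if __name__ == "__main__":
    table = build_table(600)
    stored = sum(len(starts) for starts in table.values())
    print(f"{stored} stored chains stand in for up to {stored * CHAIN_LEN} "
          f"of {SPACE} passwords")
    mid_chain = walk("aaa", 0, 17)                 # a password from the middle of a chain
    print("unsalted:", lookup(table, md5_hex(mid_chain)))
    print("salted:  ", lookup(table, md5_hex("s+(_a*" + mid_chain)))
```

The false-alarm counter corresponds to the "total false alarm" line in the rcrack statistics: an endpoint matched, but the rebuilt chain did not contain the target hash.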
    • Time for the Demo
      Example : md5_hash.txt
    • Result
      D:\hashcrack>rcrack d:\md5_tables\*.rt -l md5_hash.txt
      md5_alpha#1-7_0_2400x40000000_panggi#000.rt:
      640000000 bytes read, disk access time: 9.99 s
      verifying the file...
      searching for 30 hashes...
      plaintext of 20392298d6b78e0890cd22a7bf071c49 is PANGGI
      plaintext of c9122fd7bae0681b62a39ddfc1c7fb19 is LOVE
      plaintext of 469590a45cc7f985b53d15113157e6ea is MUSTIKA
      cryptanalysis time: 377.34 s
      md5_alpha-numeric#1-7_0_2400x40000000_panggi#000.rt:
      640000000 bytes read, disk access time: 73.13 s
      verifying the file...
      searching for 27 hashes...
      plaintext of 31c9febeeb68929cd6c097239cf3e9d3 is P4ST1
      plaintext of d81bf97286c617c77b679478ce8b72b2 is 050479
      cryptanalysis time: 102.56 s
      md5_alpha-numeric#1-7_0_2400x40000000_panggi#001.rt:
      640000000 bytes read, disk access time: 60.70 s
      verifying the file...
      searching for 25 hashes...
      plaintext of 10f97476043d02db1a236b877232c0a6 is 7201421
      cryptanalysis time: 28.19 s
      md5_alpha-numeric#1-7_0_2400x40000000_panggi#002.rt:
      640000000 bytes read, disk access time: 68.28 s
      verifying the file...
      searching for 24 hashes...
      cryptanalysis time: 28.24 s
      md5_alpha-numeric#1-7_0_2400x40000000_panggi#003.rt:
      640000000 bytes read, disk access time: 67.72 s
      verifying the file...
      searching for 24 hashes...
      cryptanalysis time: 27.81 s
    • md5_loweralpha#1-7_0_2100x8000000_panggi.rt:
      128000000 bytes read, disk access time: 36.22 s
      verifying the file...
      searching for 24 hashes...
      plaintext of d1cbedff31b828ac2f15548357988073 is nashien
      plaintext of c94630fe9dea660ba53ddf5d3a41e802 is herc
      plaintext of 73e405227c02a626e66f0dc4dd3a53a3 is hayati
      cryptanalysis time: 79.63 s
      md5_loweralpha#1-7_1_2100x8000000_panggi.rt:
      128000000 bytes read, disk access time: 2.86 s
      verifying the file...
      searching for 21 hashes...
      plaintext of 2e19ab163556288cf239f5339927e408 is nunung
      plaintext of dcb76da384ae3028d6aa9b2ebcea01c9 is sayang
      cryptanalysis time: 73.33 s
      md5_loweralpha#1-7_2_2100x8000000_panggi.rt:
      128000000 bytes read, disk access time: 9.56 s
      verifying the file...
      searching for 19 hashes...
      cryptanalysis time: 69.08 s
      md5_loweralpha#1-7_3_2100x8000000_panggi.rt:
      128000000 bytes read, disk access time: 2.45 s
      verifying the file...
      searching for 19 hashes...
      cryptanalysis time: 69.38 s
      md5_loweralpha#1-7_4_2100x8000000_panggi.rt:
      128000000 bytes read, disk access time: 12.00 s
      verifying the file...
      searching for 19 hashes...
      cryptanalysis time: 69.20 s
      md5_loweralpha-numeric#1-7_0_2400x40000000_panggi#000.rt:
      640000000 bytes read, disk access time: 17.91 s
      verifying the file...
      searching for 19 hashes...
      plaintext of 3fde6bb0541387e4ebdadf7c2ff31123 is 1q2w3e
      cryptanalysis time: 75.73 s
      md5_loweralpha-numeric#1-7_0_2400x40000000_panggi#001.rt:
      640000000 bytes read, disk access time: 14.73 s
      verifying the file...
      searching for 18 hashes...
      plaintext of 26f803e714f7d39c0b5a9dd67d03f887 is 8u7y6t
      cryptanalysis time: 21.09 s
    • md5_loweralpha-numeric#1-7_0_2400x40000000_panggi#002.rt:
      640000000 bytes read, disk access time: 13.91 s
      verifying the file...
      searching for 17 hashes...
      cryptanalysis time: 20.03 s
      md5_loweralpha-numeric#1-7_0_2400x40000000_panggi#003.rt:
      640000000 bytes read, disk access time: 14.20 s
      verifying the file...
      searching for 17 hashes...
      plaintext of 9486f7a4fdf724cf6cacbdc103661fce is metty77
      cryptanalysis time: 19.31 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#000.rt:
      640000000 bytes read, disk access time: 14.41 s
      verifying the file...
      searching for 16 hashes...
      plaintext of 9ac17fc47347d505c92e3ca31fee675d is 4Dm1n
      plaintext of b65a81125dbfaab4a3ecdff26a979309 is Pa55
      plaintext of d695f8f703c1b3b0dce9d588a4d4abad is UN1k0M
      plaintext of 75003783871e9404cd0793ca81594841 is G0D$
      plaintext of 464b59d944c93b6a5eb3dfd0abf15114 is c(%H2n
      plaintext of d740ee7f1cd46b3d536a6f4331a4c77f is *$^#&3
      plaintext of 13781c244d5bb85a296bcbe4ac7992f7 is h@xX0r
      cryptanalysis time: 33.47 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#001.rt:
      640000000 bytes read, disk access time: 12.95 s
      verifying the file...
      searching for 9 hashes...
      plaintext of 0248750eb423b999bd684b10668f7241 is iMoeTh
      plaintext of e63d33d7ad4b4360f761634de070a860 is w_Bu5H
      plaintext of 4e3d682f0821b23f6d49fa1ac2cf154a is R@54In
      cryptanalysis time: 3.86 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#002.rt:
      640000000 bytes read, disk access time: 12.92 s
      verifying the file...
      searching for 6 hashes...
      plaintext of 78c5d5ed7ea4372435e9f006b29ea745 is !Q@W#E
      plaintext of a9684b0defabebc108720fda1627f43d is 1!q^YW
      cryptanalysis time: 2.36 s
    • md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#003.rt:
      640000000 bytes read, disk access time: 18.03 s
      verifying the file...
      searching for 4 hashes...
      plaintext of 86acaeb6d0f7241ea54b73528fa204ca is 5TR0n6
      cryptanalysis time: 1.78 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#004.rt:
      640000000 bytes read, disk access time: 12.38 s
      verifying the file...
      searching for 3 hashes...
      cryptanalysis time: 1.38 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#005.rt:
      640000000 bytes read, disk access time: 12.41 s
      verifying the file...
      searching for 3 hashes...
      plaintext of b150e73aa5fc110c27320c98effcc0f1 is p@N66i
      cryptanalysis time: 1.38 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#006.rt:
      640000000 bytes read, disk access time: 12.44 s
      verifying the file...
      searching for 2 hashes...
      cryptanalysis time: 0.94 s
      md5_numeric#1-9_0_3000x3000000_panggi#000.rt:
      48000000 bytes read, disk access time: 0.72 s
      verifying the file...
      searching for 2 hashes...
      plaintext of bcdc908a16dbfe1297b4b0891ccf9ed7 is 29041987
      plaintext of 7279f67e313cc35e518f94c775a42196 is 776284123
      cryptanalysis time: 23.86 s
      statistics
      -------------------------------------------------------
      plaintext found: 30 of 30 (100.00%)
      total disk access time: 499.91 s
      total cryptanalysis time: 1129.94 s
      total chain walk step: 453610884
      total false alarm: 853120
      total chain walk step due to false alarm: 675710917
    • result
      -------------------------------------------------------
      20392298d6b78e0890cd22a7bf071c49 PANGGI hex:50414e474749
      c9122fd7bae0681b62a39ddfc1c7fb19 LOVE hex:4c4f5645
      469590a45cc7f985b53d15113157e6ea MUSTIKA hex:4d555354494b41
      31c9febeeb68929cd6c097239cf3e9d3 P4ST1 hex:5034535431
      2e19ab163556288cf239f5339927e408 nunung hex:6e756e756e67
      dcb76da384ae3028d6aa9b2ebcea01c9 sayang hex:736179616e67
      d1cbedff31b828ac2f15548357988073 nashien hex:6e61736869656e
      c94630fe9dea660ba53ddf5d3a41e802 herc hex:68657263
      73e405227c02a626e66f0dc4dd3a53a3 hayati hex:686179617469
      9486f7a4fdf724cf6cacbdc103661fce metty77 hex:6d657474793737
      26f803e714f7d39c0b5a9dd67d03f887 8u7y6t hex:387537793674
      0248750eb423b999bd684b10668f7241 iMoeTh hex:694d6f655468
      9ac17fc47347d505c92e3ca31fee675d 4Dm1n hex:34446d316e
      b65a81125dbfaab4a3ecdff26a979309 Pa55 hex:50613535
      3fde6bb0541387e4ebdadf7c2ff31123 1q2w3e hex:317132773365
      d695f8f703c1b3b0dce9d588a4d4abad UN1k0M hex:554e316b304d
      86acaeb6d0f7241ea54b73528fa204ca 5TR0n6 hex:355452306e36
      78c5d5ed7ea4372435e9f006b29ea745 !Q@W#E hex:215140572345
      75003783871e9404cd0793ca81594841 G0D$ hex:47304424
      e63d33d7ad4b4360f761634de070a860 w_Bu5H hex:775f42753548
      a9684b0defabebc108720fda1627f43d 1!q^YW hex:3121715e5957
      b150e73aa5fc110c27320c98effcc0f1 p@N66i hex:70404e363669
      464b59d944c93b6a5eb3dfd0abf15114 c(%H2n hex:63282548326e
      4e3d682f0821b23f6d49fa1ac2cf154a R@54In hex:52403534496e
      d740ee7f1cd46b3d536a6f4331a4c77f *$^#&3 hex:2a245e232633
      13781c244d5bb85a296bcbe4ac7992f7 h@xX0r hex:684078583072
      bcdc908a16dbfe1297b4b0891ccf9ed7 29041987 hex:3239303431393837
      10f97476043d02db1a236b877232c0a6 7201421 hex:37323031343231
      d81bf97286c617c77b679478ce8b72b2 050479 hex:303530343739
      7279f67e313cc35e518f94c775a42196 776284123 hex:373736323834313233
      D:\hashcrack>
    • Mr. @ialexs‘s request (pass : maLam1)
      K:\rainbow\hashcrack>rcrack k:\rainbow\md5_tables\md5_mixalpha-numeric*.rt -h 7d62eaa2e2a3da203573dc408d31cd0d
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#000.rt:
      640000000 bytes read, disk access time: 40.91 s
      verifying the file...
      searching for 1 hash...
      cryptanalysis time: 3.41 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#001.rt:
      640000000 bytes read, disk access time: 45.14 s
      verifying the file...
      searching for 1 hash...
      cryptanalysis time: 0.45 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#002.rt:
      640000000 bytes read, disk access time: 47.19 s
      verifying the file...
      searching for 1 hash...
      cryptanalysis time: 0.47 s
      md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#003.rt:
      640000000 bytes read, disk access time: 45.22 s
      verifying the file...
      searching for 1 hash...
      cryptanalysis time: 0.44 s
    • md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#004.rt:
      640000000 bytes read, disk access time: 46.28 s
      verifying the file...
      searching for 1 hash...
      plaintext of 7d62eaa2e2a3da203573dc408d31cd0d is maLam1
      cryptanalysis time: 0.22 s
      statistics
      -------------------------------------------------------
      plaintext found: 1 of 1 (100.00%)
      total disk access time: 224.73 s  See the time.. 
      total cryptanalysis time: 4.98 s
      total chain walk step: 2876401
      total false alarm: 2252
      total chain walk step due to false alarm: 1882084
      result
      -------------------------------------------------------
      7d62eaa2e2a3da203573dc408d31cd0d maLam1 hex:6d614c616d31
      K:\rainbow\hashcrack>
    • Windows Password (LM)
      Dump it first
      K:\Pwdump7>PwDump7.exe > pass_win.txt
      Pwdump v7.1 - raw password extractor
      Author: Andres Tarasco Acuna
      url: http://www.514.es
      K:\Pwdump7>
    • pass_win.txt ( $ sign is censored by me )
      Administrator:500:NO PASSWORD*********************:95C735766$$$$$$$$EAC22EC$$$$18CF:::
      Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
      __vmware_user__:1011:NO PASSWORD*********************:2E4D88$$$$$$$$$$$$701F71FD7F63B9:::
      apache2triad:1013:A215FD4C479AAEC8$$$$$$$$$$465971:6B93A1E44490938$$$$$$$$$$E4C4D63:::
      okay:1014:3EABC00C9F7B74B09A0F5D12D8F612D0:34976BC196DADD52A6D02AE530F806C3:::
      HelpAssistant:1015:F681E43E4269$$$$$$3D27C551$$$$$$:32EB$$$$$$159997D$$$$$$1EC24BA2A:::
      percobaan:1016:3EABC00C9F7B74B09A0F5D12D8F612D0:34976BC196DADD52A6D02AE530F806C3::: crack it
    • irc://irc.plaintext.info#rainbowcrack
    • How to secure it ?
      MD5
      Use salted password ( not naked )
      Example :
      <?php
      // Hash the password $times times, mixing in a fixed salt on every round.
      function enchsetenev($toencode, $times) {
          $salt = 's+(_a*';
          for ($zo = 0; $zo < $times; $zo = $zo + 1) {
              $toencode = hash('sha512', $salt . $toencode);
              $toencode = md5($toencode . $salt);
          }
          return $toencode;
      }
      ?>
      How to use it? Simply:
      <?php
      $password = "this password is super ultra mega secure and no one would decrypt it for atleast 10 years.. or even alot more :)";
      $supersecurepassword = enchsetenev($password, 1000);
      ?>
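An added example (not from the original slides) that ports the fixed-salt loop above to Python and sets it beside a per-user random salt, to show that a shared salt still gives two accounts with the same password the same hash. PBKDF2-HMAC-SHA256, the `scheme$iterations$salt$hash` record layout and the iteration count are this example's assumptions, swapped in for the md5/sha512 loop.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000          # assumed work factor; raise it as hardware allows
SCHEME = "pbkdf2_sha256"

def page_fixed_salt_hash(password, times=1000, salt="s+(_a*"):
    """Python port of the slide's PHP loop: one salt shared by every account."""
    value = password
    for _ in range(times):
        value = hashlib.sha512((salt + value).encode()).hexdigest()
        value = hashlib.md5((value + salt).encode()).hexdigest()
    return value

def hash_password(password, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt_hex$hash_hex' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute with the salt and cost stored in the record, then compare
    in constant time. Malformed records are rejected, not raised."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != SCHEME:
            return False
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(dk, expected)

def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses a lower cost than the current policy."""
    return int(record.split("$")[1]) < iterations

if __name__ == "__main__":
    pw = "maLam1"             # sample password taken from the demo above
    # Fixed salt: two users with the same password get the same stored value,
    # so one table built for this site's salt covers every account.
    print(page_fixed_salt_hash(pw) == page_fixed_salt_hash(pw))    # True
    # Per-user salt: the same password yields unrelated records.
    alice, bob = hash_password(pw), hash_password(pw)
    print(alice != bob, verify_password(pw, alice), verify_password(pw, bob))
```

In PHP itself, the built-in `password_hash()` and `password_verify()` functions generate and store a per-password salt in the same way.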
    • LM Hash
      percobaan:1016:3EABC00C9F7B74B09A0F5D12D8F612D0:34976BC196DADD52A6D02AE530F806C3:::
      Use at least 15 characters and Windows will change its algorithm to a more secure one (NTLM)
    • Thank You