Password Cracking with Rainbow Tables

1
Password Cracking with
Rainbow Tables
Korhan Bircan
April 23rd, 2008
Introduction to Computer System Security

Password Cracking with Rainbow Tables 2
Outline
Introduction
Secure passwords
Demo
Hellman’s original method
Rainbow tables
Cracking Windows Passwords
Password crackers
Protection mechanisms
Conclusion

Introduction
How passwords are stored
Where passwords are stored
Windows: C:WINDOWSsystem32configSAM
Linux: /etc/passwd
MacOS: /var/db/shadow/hash/
Shadow passwords
/etc/shadow only readable by root
/etc/passwd file shows a character such as '*',
or x' instead of the hashed password

Introduction

Introduction
LanManager Hash
password converted to uppercase, null-padded or
truncated to 14B
password split into two 7B halves, a zero bit is
inserted after every 7th bit, the resulting 8B halves
are used to create two DES keys
each of these keys is used to DES-encrypt
“KGS!@#$%”, resulting in two 8B ciphertext values
concatenation the two to get 16B LM Hash.
supported by all versions of Windows for
backwards compatibility

Introduction
NTLM Hash: challenge-response
sequence
Client sends supported or requested features
(eg. encryption key size, mutual authentication
etc.)
Server replies with similar flags plus a random
challenge
Client uses challenge and its credentials to
calculate the response

Introduction
Salted hashes: For each password, generate a random
number (a nonce). Hash the password with the nonce,
and store both the hash and the nonce.
usual approach
hash = md5(“deliciously salty” + password)
• MD5 is broken
• Its modern competitors, like SHA1 and SHA256 are fast, which is a
problem.
With 16b hash, there are 2^16 = 65,536 variations to the
same password
Speed is exactly what you don’t want in a password
hash function.
Using raw hash functions to authenticate passwords is
as naive as using unsalted hash functions. Don’t.

Introduction
How passwords are cracked
brute force: online vs offline attack. Given
enough time and CPU power password
eventually gets cracked
dictionary: list of words, encrypt them one at a
time and check if hashes are equal
hybrid: dictionary with mutation filters

Secure Passwords
Password Strength
bit-strength
[a-z][A-Z][0-9] and symbols = 95 variations per
character = log(95) ~ 6.6b
8 character password x 6.6b = 53b
cracking 72b key using current equipment is
estimated to take about 1,453 years
no digital computer is capable of breaking 128b or
256b encryption
NIST recommends 80b for most secure passwords ~
12 character random password from 95 character
domain

Secure Passwords
A strong Windows password includes
characters from at least three of the
following groups:
Use pass phrases eg. "I re@lly want to
buy 11 Dogs!"

Secure Passwords
Use >14 characters
it is the limit that DOS network boot disks,
Microsoft Remote Installation Services (RIS)
Pre eXecutable Environment (PXE) boot disks,
and older LAN Manager clients (Win9x) utilizes
Use Alt characters eg. Alt+0709 = Å
Change passwords often

Secure Passwords
Intel Pentium M 1.60GHz, 512MB RAM
hash/secalgorithm
1,300,728LM
2,623,294NTLM
924,898SHA1
3,401,360MD5

Secure Passwords
key space, N, plain dictionary attack
26 chars, passwd length <= 7
26 chars, passwd length <=14
∑=
=
7
1
6.8036
i
i
G
∑=
=
7
1
3.83526
i
i
M
∑=
==
14
1
10
67107.626
i
i
EGx
PGx
i
i
72102.7256
7
1
7
==∑=
15.1min4.1min5.3min10.7min
SHA1MD5NTLMLM
2468.5 years671.2 years870.3 years1755.3 years
SHA1MD5NTLMLM
2,297,070.7 years624,619.6 years809,881.0 years1,633,359.2 years
SHA1MD5NTLMLM
1.0 day6.6 hr8.5 hr17.2 hr
SHA1MD5NTLMLM

Secure Passwords
secpol.msc

Secure Passwords
don’t
use personal information
use any word in any language spelled forward
or backward
tie passwords to the month
create new passwords that are substantially
similar to ones you've previously used
use the same password for different systems

Secure Passwords
Disable LM Hash

Demo Setup
Create guest account for each student
Passwords need to be alphanumeric and
<15 characters long
Crack them!

Classical Tables
1980 Martin Hellman: N keys, operations&memory
ciphertexts are organised in chains, only first and last element
stored; k:key, S:cipher, C:ciphertext P:plaintext, R:reduction
function
= and generates a key from another key to form
a chain:
m chains of length t are created, first and last elements are
stored in a table.
3/2
N

Classical Tables
To find a key, generate a chain of keys starting with
R(C) and up to length t
If C was indeed obtained with a key used while
creating the table then we will eventually
generate the key that matches the last key of the
corresponding chain
Using the first key of the chain, whole chain is
regenerated
The key right before R(C) is the key we are
looking for

Classical Tables
There is a chance that chains starting at different
keys collide and merge
Probability of finding a key, m rows and t keys:
Probability of finding a key, l tables with
different reduction functions:

Classical Tables
False alarms:
key may be a part of a chain which has the
same endpoint but is not in the table
key is in a chain that is part of the table but
which merges with other chains of the table
Merges correspond to same endpoint,
detected during sort. They are replaced
with new chains

Bounds and Parameters
0mlmM ××= 0m
0tltT ××=
M: bounds on memory
T: cryptanalysis time
m: number of chains per table
l: number of tables : starting point + end point = 8B
t: average chain length : time to encrypt a plaintext
0m
0t
0mlmM ××=
Memory
Time

Bounds and Parameters
Winrtgen Benchmarks:

Rainbow Tables
A rainbow table is a compact
representation of related plaintext
password chains

Rainbow Tables
Recovering a password

Rainbow Tables
Probability of success in an m x t size table:
start with m1 = m distinct keys in the first column
in the second column the m1 keys are randomly
distributed over the key space of size N, generating m2
keys:
each column i has mi distinct keys. Success rate of
table:

Rainbow Tables
Advantages over classical tables:
t(t-1)/2 look-ups as opposed to t^2
merges result in identical endpoints and are
thus detectable
no loops since each reduction function appears
once
constant length rainbow chains

Rainbow Tables
Advantages over classical tables:
When two chains collide in a single table they
merge
Instead use successive reduction functions 1 to t
If two chains can collide they merge iff collision
appears at the same position in both chains
(probability is 1/t)
If key is found early, gain can be up to a factor of
t because while the rainbow table is searched,
the amount of calculation increases quadritically
to (t^2-1)/2 whereas in classical tables it
increases linearly to t^2.

Rainbow Tables: Parameter Optimization
0.9990success probability
610 MBtable size
8353082582keyspace
[ABCDEFGHIJKLMNOPQRSTUVWXYZ]charset
3 GBtable size
80603140212keyspace
[ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]charset
24 GBtable size
915358891407 (2^39.7)keyspace
[ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= ]charset
64 GBtable size
7555858447479 (2^42.8)keyspace
[ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|:;"'<>,.?/ ]charset
Last table would take 41.3 years to generate on my laptop.

Rainbow Tables: Parameter Optimization
2100
len_chain
0:4
table index
8000000,
40000000
71alpha[numeric]lm
num_chainslen_maxlen_mincharsethash

Password Crackers: RainbowCrack
extract password hashes using pwdump or
fgdump

create rainbow tables
sort the tables

Run the cracker

Password Crackers: Cain&Abel
Go to “Cracker”, right click to import
hashes from pwdump file

Password Crackers: Ophcrack

Password Crackers: Ophcrack
Live CD: dumps the hashes from the SAM
and SYSTEM files and you don’t need to
be admin

Limitations of Rainbow Tables
table generation takes a long time
false alarms occur often
simple salting algorithm nullifies rainbow
tables

Limiting physical access
Continue to force the use of special
characters
Keep up with updates
Use Multi-factor authentication
salted hashes
Use NTLM
Use secure passwords
Protection Mechanisms

Use state of the art password schemes
Use what your operating system gives you (eg.
PHK’s FreeBSD MD5)
Stanford Secure Remote Password
Adaptive hashing: bcrypt
uses pessimized Blowfish
Protection Mechanisms

Conclusion
Rainbow tables reduce the number of
table look-ups by length of chains
Computations reduced by 2, average case
performance even greater
Some cryptographic systems believed to
be secure when implemented can be
cracked by anyone today
Be smart about choosing passwords and
storing them

References
“Making a Faster Cryptanalytic Time-Memory Trade-Off”, Philipppe
Oechslin, CRYPTO 2003: pp617–630
“Top 10 Password Crackers”, http://sectools.org/crackers.html
“Cain&Abel”, http://www.oxid.it/cain.html
“PWDump”, http://www.foofus.net/fizzgig/pwdump/
“RainbowCrack”, http://www.antsight.com/zsl/rainbowcrack/
“Ophcrack”, http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
“Winrtgen”, http://www.oxid.it/projects.html
“Hacking dei Sistemi: Password”, Cardinale, Giacchetti, Giovannetti
“Mac OS X password hashes”,
http://www.macshadows.com/kb/index.php?title=Mac_OS_X_password_has
hes
“Shadow Password”, http://en.wikipedia.org/wiki/Shadow_password
“Password Cracking”,http://en.wikipedia.org/wiki/Password_cracking
“Selecting Secure Passwords”,
http://www.microsoft.com/smallbusiness/support/articles/select_sec_passw
ords.mspx

Password Cracking with Rainbow Tables

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Password Cracking with Rainbow Tables

Similar to Password Cracking with Rainbow Tables (20)

Recently uploaded

Recently uploaded (20)

Password Cracking with Rainbow Tables