Rainbow Table Generation

#1 Senior Member (Join Date: Jan 2004, Location: Hawaii, Posts: 351)

Okay, I know how to generate tables. I know the purpose...and I don't want URLs to any sites on the web, because I've read them all, seen the PDFs, downloaded the tutorials...and I'm still f***ing clueless.

    I just want an explanation of the variables in the table names...and what they do.
Example: What is the "index", and how does changing it do anything? How do I know how many tables to generate to complete a full set?

    Barring all the garbage I get about "that's impossible", or "that takes too long", here's what I am doing:

    Using Winrtgen v1.3 from http://www.oxid.it I am generating tables for LM hashes.
    I am doing it for a custom charset:
    ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()

    46 characters. I don't know what to set the chain length to, or what to do for index and chain count. Those make no sense to me. By leaving everything default, and increasing the tables...I slowly but surely get a better success percentage. I don't know why more tables increases this...mainly because I'm still not sure what a chain is, and what is stored in a single .rt file. I apparently have to generate 100,000,000,000,000 tables to get a 100% success rate according to this.

    It won't tell me how large it is for anything more than 10,000,000,000 tables (1665497181 e86 at 610.35MB/table)

I have it generating 175 tables right now for a grand total of ~114GB. Each table takes less than two days on my AMD Sempron 2600 @ 1835MHz.

    So what I want to know:
    What is in one chain?
    Does it matter how long the chain is?
    How many chains should I have in a table?
    What is stored in one .rt file?
    Why do more tables mean better success rate?
    If I'm only doing 175/100,000,000,000,000 tables, does that mean I only have 0.00000000000175% of the full table?

    A_T
    Geek isn't just a four-letter word; it's a six-figure income.

#2 Senior Member (Join Date: Jul 2004, Posts: 469)

Two of the entries I know for sure what they are, and I'm using some creative thinking to tell what the others do.

When you start adding a table you pick a charset, and a min/max length of the password. This in turn generates the keyspace. This tells you how many possible combinations can be made up with max length and your charset. For a complete rainbow table of this data set you need at least keyspace many entries in your table.

    This leads to number of tables and chain count. Chain count is how many chains are included per table, and table is how many tables to generate.
    10 tables with 100 chain count = 1000 chains
    1 table with 1000 chain count = 1000 chains.

    This allows you to break up the tables to store on multiple media.

As far as I can tell chain length is a quality-based entry. It doesn't seem to affect the size of the table, but does affect compute time for the table. My guess is this field allows you to specify how accurate to make a table.

    Index is the only field I have no clue what it does.

    I'm curious, when you started your tables, what max len did you specify for your charset?

    For the default 7 char max, with default of 40,000,000 chains per table (610 megs), and default of 2400 chain length, I only needed 71 tables to get a 100% result.

#3 Junior Member (Join Date: Apr 2005, Posts: 10)

First off, the tables are already in existence: Rainbowtables.shmoo.com (there are torrents there). Second off, you don't need that many tables; did you bother to look at the success rate? Third off, if you are trying to crack longer LM hashes, you in reality only need a table set of the characters you want with a length of 1-7, because passwords that are longer end up being two separate hashes shoved together. I.e. if you use pwdump to get some LM hash it is going to be 14 characters long; if the password is less than or equal to 7 characters in length the second hash will just come up blank, as it is just a space saver. For longer than 7 character passwords you can split the hash in Notepad into 2 parts equal in length and use each one individually. Fourth, there is a program for LM hashes using the Time/Memory Trade Off that was created called Ophcrack, and it comes with the tables for free as well. Just make sure you have the right kind of hash as well. LM hashes are turned off by default usually.

#4 Senior Member (Join Date: Jan 2004, Location: Hawaii, Posts: 351)

Thanks everyone.
    To staticblackz...if you think LM hashes are off by default, give me your IP. Also, I know of the shmoo project, and they aren't the tables I want either. I've also heard of Ophcrack. But I don't want the premade stuff, I want my own, I want to make my own....

    Though you did point out something I overlooked, seeing as how LM hashes are always broken down into 7 character pieces, then I don't need anything else....so that helps.

    So now my two remaining questions:
    chain length and index...what are they?

    A_T

    PS - I have one more question...what is fastlm?
    Geek isn't just a four-letter word; it's a six-figure income.

#5 Junior Member (Join Date: Apr 2005, Posts: 10)

Ah, just a quick side note: I didn't mean to offend you. From what I can gather the chain length is the amount of hashes encoded and decoded. I still can't figure out the chain count; you might try reading Philippe Oechslin's paper on the time-memory trade-off technique used in rainbow tables. That should shed some light. Also, a recent security update disabled LM hashes from being sent out over the network by default (a downgrade attack still may be possible), and when Windows is first installed the program to set your pass only generates the NTLM hash, I believe, but I have no simple way to test this. However, this is just a guess, but if you join a domain at that time it may generate the LM hash. Also, once you change or set your password through Windows and not the Windows setup first-run thing I have been talking about, unless the nolmhash setting is set in the registry the LM hash is generated and can be retrieved by use of pwdump2 or possibly (and this is speculation also) a downgrade attack, as I don't know if it would work without some trickery.
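A toy rainbow table in Python, added here to illustrate the terms discussed in posts #2 and #5 (this is not code from the thread or from Winrtgen): what a chain holds, why chain length costs time but not disk, how chain count and table count multiply, and why each table needs its own index. It assumes a two-character keyspace over the poster's 46-character charset and uses truncated SHA-256 in place of the LM hash; the role given to the table index is an assumption about how such tables are built.

```python
import hashlib
import random

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()"  # the poster's 46 chars
PW_LEN = 2                                   # assumption: 2-char passwords only
KEYSPACE = len(CHARSET) ** PW_LEN            # 46**2 = 2116 candidates

def hash_pw(pw):
    # Stand-in for LM (assumption): 8 bytes of SHA-256, a one-way function.
    return hashlib.sha256(pw.encode()).digest()[:8]

def reduce_fn(h, step, table_index):
    # Map a hash back into the keyspace; mixing in the column and table index gives
    # each column and each table its own reduction, so extra tables cover new passwords.
    n = (int.from_bytes(h, "big") + step + table_index * 7919) % KEYSPACE
    return "".join(CHARSET[(n // len(CHARSET) ** i) % len(CHARSET)] for i in range(PW_LEN))

def build_table(chain_count, chain_length, table_index):
    # One table = chain_count chains; only (end point -> start point) is stored,
    # so chain length costs compute time, not disk space.
    rng = random.Random(table_index)
    table = {}
    for _ in range(chain_count):
        start = "".join(rng.choice(CHARSET) for _ in range(PW_LEN))
        p = start
        for step in range(chain_length):        # chain length = hash/reduce rounds
            p = reduce_fn(hash_pw(p), step, table_index)
        table[p] = start
    return table

def lookup(tables, chain_length, target):
    # Assume the hash sits in each column in turn, walk to the chain end, and if
    # that end point is stored, replay the chain from its start to find the preimage.
    for idx, table in enumerate(tables):
        for col in range(chain_length):
            p = reduce_fn(target, col, idx)
            for step in range(col + 1, chain_length):
                p = reduce_fn(hash_pw(p), step, idx)
            if p in table:
                q = table[p]
                for step in range(chain_length):
                    if hash_pw(q) == target:
                        return q
                    q = reduce_fn(hash_pw(q), step, idx)
    return None

def success_rate(tables, chain_length):
    # Fraction of the keyspace the table set recovers (exhaustive check).
    pws = (a + b for a in CHARSET for b in CHARSET)
    return sum(lookup(tables, chain_length, hash_pw(pw)) == pw for pw in pws) / KEYSPACE
```

Building three tables of 200 chains of length 8 and comparing success_rate for one table against all three shows the effect the poster saw: more tables raise the hit rate, and a single table never reaches 100% because chains merge and repeat passwords.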

#6 Senior Member (Join Date: Jan 2004, Location: Hawaii, Posts: 351)

AFAIK, an LM Hash is always generated, unless specified otherwise to only generate NTLM hashes.

    A_T
    Geek isn't just a four-letter word; it's a six-figure income.

#7 Junior Member (Join Date: Apr 2005, Posts: 10)

Now we're both a little smarter!
