Thread: freerainbowtables.com

  1. #1
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052

    freerainbowtables.com

    I just wanted to let everyone know about freerainbowtables.com. It's pretty sweet: if you register you can help make rainbow tables, and for all the parts you complete you get credits. Right now they have about 1200 GHz of computing power :-) I've been helping out the past couple of days. I have a Q6600 @ ~2.51 GHz, so it runs 4 processes that generate the tables (1 for each CPU) and I am essentially generating them at 10 GHz. Anyway, check 'em out :-)

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Please explain why you would want rainbow tables, and why they should be freely available to the criminal and skiddie communities?

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Hmm, good point, but I like to contribute to things.

  4. #4
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Quote:
        Please explain why you would want rainbow tables, and why they should be freely available to the criminal and skiddie communities?

    Password recovery....pen testing.....password auditing.....learning......

    They are not freely available to the 'criminal and skiddie communities' as you put it - but rather they are free to anyone who needs them. Plus the software to generate your own is freely available anyway, likewise it is possible to freely download your own ready made tables...

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Quote:
        Password recovery

    If you have proper authority you do not need to do this.

    Quote:
        pen testing

    Nonsense! If you have obtained the password hash then the system has been penetrated.

    Quote:
        password auditing

    Now that really is pathetic! This is the kind of snake oil I would expect from wannabe "security consultants".

    It might have occurred to some here that if you "discover a weak password" you have just closed the stable door after the horse has bolted.......... you are already compromised............and you don't need to be a rocket scientist to figure that one out?

    If you actually believe in passwords, other than as a means of allocating blame, you would set a policy and enforce it on password generation. You would know that your system enforced your policy, and that auditing it is a totally spurious exercise.

    Quote:
        learning

    Ummm, yes, well......................

    "Learning" what exactly?

    Quote:
        They are not freely available to the 'criminal and skiddie communities' as you put it - but rather they are free to anyone who needs them.

    Which, by definition, includes the criminal and skiddie communities.

    And I would dearly love to know who, with honest intentions, actually "needs them"?

  6. #6
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Quote:
        Password recovery

        If you have proper authority you do not need to do this.

    Why not?

    Quote:
        pen testing

        Nonsense! If you have obtained the password hash then the system has been penetrated.

    Idiot boy, when you have learnt enough to graduate from your PC repair job and moved into something slightly more technical, like IT security, you would know that this is not 100% true.

    Think Tiger/red team style Pen tests - but I don't expect an A+ PCworld techie to know much about what these are, however, I do suspect that even you may be able to use Google to find out.

    I'll try and be as descriptive as I can and spell out one method (yes there are other ways too) of doing a tiger team attack that I do almost daily (sorry, can't do pictures on here): You're doing a tiger team test, you're on a customer site and in front of the workstation, you have no local account or domain account but you need to get domain admin in less than 20 minutes or the customer gets their money back and your job goes on the line - what are you going to do.......you're going to boot into a live CD, say BackTrack 2 or Ophcrack, you're going to navigate your way to the SAM, you're going to bkhive and samdump the SAM, you're going to obtain the hash.....great, by your logic you now own the system, so you copy the hash to your pen drive, take your CD out and reboot......now you have the Windows logon screen.......what are you going to do now then Mr A+.......type the hash in to the logon prompt and wonder why the hell it won't let you log on...hey in your words you have the hash so you own the system right??........no, you're going to run the hash through the set of rainbow tables, then three minutes later obtain the plain text password, you're going to log on as the local admin.....then you're going to look for cached domain hashes, if you have these, agreed, you may not necessarily need to crack them and can use the actual hash to move around the domain.....so say you log on to a box with a stolen domain user's hash and you run a 'whosthere' and find out the domain admin is logged on, great you got the domain admin hash so you own the domain. Now you write your report and say yep we got the domain admin account.....they say great, prove it, what's our password....and you say....oh well I don't actually know the password but I can read out your hash.........

    Also I wouldn't expect you to know that rainbow tables can be used for more than just running a Windows LM password hash through them (You do know what LM is, don't you?)

    And that just because you have a local admin password hash does not mean the entire system has been compromised - there is more work to do - there could be a multitude of third party apps that the local admin password is useless for, likewise you are not necessarily going to get a domain account just because you have a local admin password - (although you would have to be having a bad day if you didn't), - and it certainly does not mean the domain has been compromised either - yes you could use pass the hash or similar if you manage to get the domain admin's hash, however as previously mentioned nothing impresses a customer more than telling them what their domain admin password is when writing their audit report. (but Pen test report writing is waaay beyond an A+ technician)

    Quote:
        password auditing

        Now that really is pathetic! This is the kind of snake oil I would expect from wannabe "security consultants".

        It might have occurred to some here that if you "discover a weak password" you have just closed the stable door after the horse has bolted.......... you are already compromised............and you don't need to be a rocket scientist to figure that one out?

        If you actually believe in passwords, other than as a means of allocating blame, you would set a policy and enforce it on password generation. You would know that your system enforced your policy, and that auditing it is a totally spurious exercise.

    And just when I thought you couldn't get any more stupid, you go and prove me very wrong.

    Of course rainbow tables are only used to crack Windows passwords and nothing else, and all these Windows boxes are on a domain, and all these domain admins know how to use a GPO to set a password policy, and the password policy is great because the domain admins know what constitutes a decent password, and a decent password that is over 8 characters comprising at least one capital letter, one lower case letter, one numerical character and one special character is what this great password policy is going to enforce, and due to this great password policy being in place it is going to take ages to brute force/dictionary attack a password hash with JTR because there is no such thing as rainbow tables to throw an LM hash through and get the plain text password in two minutes is there...oh wait... yes there is..oh and looky here the great password policy did nothing to address the weaknesses of LM...what do you mean the system administrator has no idea what is wrong with using LM and even less of an idea on how to disable it...or that if he did disable it the LM hash is still cached regardless....so this great password policy is superb and the box is now secure due to it...... because as we all know rainbow tables are useless and no one uses them except criminals and skiddies....hmm ever wonder why you're still a PC technician....


    Quote:
        learning

        Ummm, yes, well......................

        "Learning" what exactly?

    What rainbow tables are / how to create them / how to use them / the benefits of having them / the perils of enabling LM (Google it), that having the best password policy in the world is absolutely useless if you still have cryptographically (big word I know, Google it) weak algorithms (best Google this one too) that encrypt the password - the list goes on

    Quote:
        They are not freely available to the 'criminal and skiddie communities' as you put it - but rather they are free to anyone who needs them.

        Which, by definition, includes the criminal and skiddie communities.

        And I would dearly love to know who, with honest intentions, actually "needs them"?

    I use them every day during pen tests (read above to see what I mean by Pen Tests) and I have yet to meet a pen tester who does not use them regularly.

    Obviously having them freely available to everyone includes criminals and skiddies.......having the Internet freely available to everyone means criminals and skiddies can also use that........hell, let's say the Internet is stupid and should be closed down as well, shall we.....


    Sheesh, AO's #1 moderator at his best......again.
    Last edited by Nokia; March 14th, 2008 at 10:02 AM.
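
Added example, not part of the thread or any poster's code: the post above argues that a complexity policy does nothing about stored LM hashes, so an audit has to look for them directly. This check assumes pwdump-style `user:rid:lm:nt:::` lines; `audit_lm`, the account names and the sample hex values are constructed for illustration.

```python
import re

# LM hashes each 7-character half of the (upper-cased, padded) password
# separately; this constant is the hash of an empty half.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2          # shown by pwdump-style tools when no LM hash exists
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample in pwdump layout (user:rid:lm:nt:::). Apart from the
# well-known empty-LM constant, every hex value here is made up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_backup:1003:0f1e2d3c4b5a6978aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
jsmith:1004:0f1e2d3c4b5a697811223344556677aa:0123456789abcdef0123456789abcdef:::
"""


def audit_lm(dump_text):
    """Return one finding per account that still has an LM hash stored."""
    findings = []
    for line in dump_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue                   # blank or malformed line
        user, rid, lm = fields[0], fields[1], fields[2].lower()
        if not HEX32.fullmatch(lm) or lm == EMPTY_LM:
            continue                   # placeholder text or empty LM: nothing stored
        findings.append({
            "user": user,
            "rid": rid,
            # An empty second half means the password is at most 7 characters.
            "at_most_7_chars": lm[16:] == EMPTY_LM_HALF,
        })
    return findings


if __name__ == "__main__":
    for f in audit_lm(SAMPLE_DUMP):
        note = "password is 7 characters or fewer" if f["at_most_7_chars"] else "LM hash stored"
        print(f"{f['user']} (RID {f['rid']}): {note}")
```

Every account it reports is one where the password policy's length and character-class rules are not what protects the stored credential.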

  7. #7
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    I have actually extracted the hashes off a computer for a customer before because they wanted me to preserve their password instead of change their password on an XP machine.

    And the other time I've needed them, I ran an audit on forums that I used to run to make sure all our members with special access were using secure passwords.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Quote:
        I have actually extracted the hashes off a computer for a customer before because they wanted me to preserve their password instead of change their password on an XP machine

    Well, I wouldn't do that.............. over here "aiding and abetting" is a felony rap.

    The only reason someone would want that is to commit a crime. If they know their password then they don't need you, and if they don't want it reset then it is because they don't want the true owner alerted to the fact that they have accessed the machine.

    Quote:
        And the other time I've needed them I ran an audit on forums that I used to run to make sure all our members with special access were using secure passwords.

    Too little too late my friend. Security needs to be proactive not reactive?

    For that reason I have always found IDS a strange concept. I don't want to know that someone has broken into my machine............ I want to know that an attempt was made, and that it was prevented.

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    Quote Originally Posted by nihil:
        For that reason I have always found IDS a strange concept. I don't want to know that someone has broken into my machine............ I want to know that an attempt was made, and that it was prevented.

    Isn't that why there are now IPS's?

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Quote:
        Isn't that why there are now IPS's?

    Exactly! That is what I would expect to find in a production environment. The IDS comes into its own when you are attempting to analyse intruder activity without alerting or preventing them.

    I would typically associate that with some sort of honeypot.
