RainbowCrack官方使用指南英文.docx

RainbowCrack TutorialIntroductionRainbowCrack is a general propose implementation of Philippe Oechslins faster time-memory trade-off technique. Function of this software is to crack hash.The straightforward way to crack hash is brute force. In brute force approach, all candidate plaintexts and corresponding hashes are computed one by one. The computed hashes are compared with the target hash. If one of them matches, the plaintext is found. Otherwise the process continues until finish searching all candidate plaintexts.In time-memory tradeoff approach, the task of hash computing is done in advance with the results stored in files called rainbow table. After that, hashes can be looked up from the rainbow tables whenever needed. The pre-computation process needs several times the effort of full key space brute force. But once the one time pre-computation is complete, the table lookup performance can be hundreds or thousands times faster than brute force.This document explains the steps to make the RainbowCrack software working for first time user. Most contents in this document are implementation specific, while others are generic to time-memory tradeoff algorithm.The RainbowCrack software includes three tools that must be used in sequence to make things working.Step 1: Use rtgen program to generate rainbow tables.Step 2: Use rtsort program to sort rainbow tables generated by rtgen.Step 3: Use rcrack program to lookup rainbow tables sorted by rtsort.The table lookup process in final step is equivalent to the hash cracking process.The way to use these programs will be explained in this document. All of them are command line programs.Step 1: Use rtgen program to generate rainbow tablesThe rtgen program need several parameters to generate a rainbow table, the syntax of the command line is:rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_indexExplanation of these parameters: parametermeaninghash_algorithmThe hash algorithm (lm, ntlm, md5 and so on) used in the rainbow table.charsetThe charset of all plaintexts in the rainbow table. All possible charset are defined in the charset.txt file.plaintext_len_minplaintext_len_maxThese two parameters define the possible length of all plaintexts in the rainbow table. If charset is numeric, plaintext_len_min is 1, and plaintext_len_max is 5. Then the plaintext 12345 is likely included in the table, but 123456 will not be included.table_indexchain_lenchain_numpart_indexThese four parameters are really difficult to explain in simple words. To read and understand Philippe Oechslins original paper can help to know the exact meaning.The table_index is related to the reduce function that is used in rainbow table.The chain_len is the length of each rainbow chain in the rainbow table. A rainbow chain sized 16 bytes is the smallest unit in a rainbow table. A rainbow table contains lots of rainbow chains.The chain_num is the number of rainbow chains in the rainbow table.The part_index parameter determines how the start point in each rainbow chain is generated. It must be a number (or begin with a number) in RainbowCrack 1.3 & 1.4. In RainbowCrack 1.2, this parameter can be any string because random start point is used, while 1.3 & 1.4 use the sequential start point.The right values of all the parameters depend on what you need, to select good parameters require some understanding of the time-memory tradeoff algorithm.One ready to work configuration is given below, as an example:hash_algorithmlm, ntlm or md5charsetalpha-numeric = ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789orloweralpha-numeric = abcdefghijklmnopqrstuvwxyz0123456789plaintext_len_min1plaintext_len_max7chain_len3800chain_num33554432key space361 + 362 + 363 + 364 + 365 + 366 + 367 = 80603140212key space is the number of possible plaintexts for the charset, plaintext_len_min and plaintext_len_max selected. table size3 GBsuccess rate0.999The time-memory tradeoff algorithm is a probabilistic algorithm. Whatever the parameters are selected, there is always probability that the plaintext within the selected charset and plaintext length range is not covered. The success rate is 99.9% with the parameters used in this example. table generation commandsThe actual rtgen commands used to generate the rainbow tables are:rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0If ntlm or lm table is desired, replace md5 in commands above with ntlm or lm.If alpha-numeric charset is desired, replace loweralpha-numeric in commands above with alpha-numeric.If lm table is to be generated, please CONFIRM the charset is alpha-numeric instead of loweralpha-numeric. The lm algorithm NEVER uses lowercase letters as plaintext.Now it is time to generate rainbow table.Change the current directory of your command prompt to RainbowCracks directory, and execute following command:rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0 This command takes about 4 hours to complete on Core2 Duo E7300 processor. It is safe to stop the computation any time by pressing Ctrl+C. Next time if the rtgen program is executed with exactly same command line parameters, it will resume from where the computation is stopped and continue the table generation.When the command is finished, a file named md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt sized 512 MB will be in place. The file name is simply all the command line parameters connected, with the rt extension. The rcrack program to be explained later need this piece of information to know parameters of the rainbow table. So dont rename the file.Remaining tables can be generated in same way with commands:rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0Finally, these files are generated:md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt 512MBmd5_loweralpha-numeric#1-7_1_3800x33554432_0.rt 512MBmd5_loweralpha-numeric#1-7_2_3800x33554432_0.rt 512MBmd5_loweralpha-numeric#1-7_3_3800x33554432_0.rt 512MBmd5_loweralpha-numeric#1-7_4_3800x33554432_0.rt 512MBmd5_loweralpha-numeric#1-7_5_3800x33554432_0.rt 512MBNow the rainbow table generation process complete.Step 2: Use rtsort program to sort rainbow tablesThe rainbow tables generated by rtgen program need some post processing to make table lookup easier. The rtsort program is used to sort the end point of all rainbow chains in a rainbow table.Use following commands:rtsort md5_loweralpha-numeric#1-7_0_3800x33554432_0.rtrtsort md5_loweralpha-numeric#1-7_1_3800x33554432_0.rtrtsort md5_loweralpha-numeric#1-7_2_3800x33554432_0.rtrtsort md5_loweralpha-numeric#1-7_3_3800x33554432_0.rtrtsort md5_loweralpha-numeric#1-7_4_3800x33554432_0.rtrtsort md5_loweralpha-numeric#1-7_5_3800x33554432_0.rtEach command above takes about 1 to 2 minutes to complete. The rtsort program will write the sorted rainbow table to the original file.Dont interrupt the rtsort program; otherwise the rainbow table being sorted will be damaged.If the free memory size of your system is smaller than the size of the rainbow table being sorted, temporary hard disk space as large as the rainbow table size will be needed to store intermediate data.Now the rainbow table sorting process complete.Step 3: Use rcrack program to lookup rainbow tablesThe rcrack program is used to lookup the rainbow tables. It only accepts sorted rainbow tables.Assume the sorted rainbow tables are placed in c:rt directory, to crack single hash the command line will be:rcrack c:rt*.rt -h your_hash_comes_here The first parameter specifies the path to the rainbow tables to lookup. The * and ? character can be used to specify multiple files.Normally it takes seconds or tens of seconds to finish, if the plaintext is within the selected charset and plaintext length range. Otherwise, it takes much longer time to search all the tables only to find nothing.To crack multiple hashes, place all the hashes in a text file with each hash in a line. And then specify file name in rcrack command line:rcrack c:rt*.rt -l hash_list_file If the rainbow tables you generate use lm algorithm, the rcrack program has