Saturday, February 14, 2009

Dictionary Based Rainbow Tables with Dr-crack


After Matt Weir's ShmooCon talk I got motivated to generate and play with some dictionary-based rainbow tables with Dr-crack. Why... I don't know; I pass the hash for everything now, and

"Dictionary based rainbow tables, such as those generated by drcrack, on the other hand allow you to create pre-generated hash tables based on dictionary words and common word mangling rules, such as "P@ssword12"."

Plus, it's less "magic" when I say I cracked the passwords versus just passing the hash; passing the hash still seems to be magic to a lot of people. Plus, as Matt Carpenter pointed out to me, you can't log into Terminal Services/RDP with a hash :-)

So I went to the website, downloaded the .tar, extracted it, and typed make all, and got the following error.

cg@notBT:~/evil/drcrack/shmoocon_submit$ make all
make: *** No rule to make target `Public.o', needed by `drtgen'. Stop.

The issue ended up being public.cpp, which needed to be named Public.cpp (the Makefile expects the capitalized name). Rename the file and you should be good to go.

You can run ./dr_rules to alter either the basic_rules file or the keyboard_rules file, but to get started I just used the default keyboard rules, dictionary, and table that they generated.

I changed a password in a VM to a keyboard combo (but still a 10 character password) that I was sure was in the dictionary and dumped the hashes.

Then I ran the tool (usage was here: http://reusablesec.googlepages.com/drcrack):

cg@notBT:~/evil/drcrack/shmoocon_submit$ ./drcrack -d /home/cg/evil/drcrack/keyboard_basic/keyboard_map.cfg -h 0D757AD173D2FC249CE19364FD64C8EC
keyboard_map.cfg:
Hash=ntlm...
index=0
ChainLen=2400
ChainCount=5000000
RainbowTable=/home/cg/evil/drcrack/keyboard_basic/keyboard_map.rt
Dictionary=/home/cg/evil/drcrack/keyboard_basic/keyboard_dic.txt
ManglingRules=/home/cg/evil/drcrack/keyboard_basic/keyboard.rules
NEWRULES IS TRUE
Processing mangling rules
special=[>!@#$%^&*()_+\-=?.,/\\":; ] size=26
lower=[abcdefghijklmnopqrstuvwxyz] size=26
upper=[ABCDEFGHIJKLMNOPQRSTUVWXYZ] size=26
number=[0123456789] size=10
Reading in the dictionary
Dictionary Size = 658
Calculating rule and index size
Figuring out Rule Size
Index Size for rule 0 is=658
Index Size for rule 1 is=432964
Index Size for rule 2 is=284890312
the total Size=285323934
reading chunk...
83888 bytes read, disk access time: 0.00 s
verifying the file...
searching for 1 hash...
cryptanalysis time: 6.93 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.25 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.38 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.12 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.04 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.03 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.14 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.17 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.02 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.01 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.06 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.17 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.70 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.05 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.05 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.22 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
cryptanalysis time: 0.03 s
reading chunk...
83888 bytes read, disk access time: 0.00 s
searching for 1 hash...
plaintext of 0d757ad173d2fc249ce19364fd64c8ec is qwertyuiop
cryptanalysis time: 0.03 s

statistics
-------------------------------------------------------
plaintext found: 1 of 1 (100.00%)
total disk access time: 0.00 s
total cryptanalysis time: 9.40 s
total chain walk step: 2876401
total false alarm: 1451
total chain walk step due to false alarm: 1253346

result
-------------------------------------------------------
0d757ad173d2fc249ce19364fd64c8ec qwertyuiop hex:71776572747975696f70


Overall, not bad: in less than 10 seconds I found a password that would have been in a pretty big NTLM table otherwise.
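To show what the "Index Size" lines in the output above mean, here is an added example (not drcrack's code and not part of the original post) of a dictionary-based rainbow table in miniature: the keyspace is indexed by rule, chains walk hash-then-reduce, and lookups regenerate chains and count the false alarms drcrack reports. It assumes the three keyboard rules join 1, 2 and 3 dictionary words (which is what 658, 658² and 658³ imply), uses a constructed eight-word dictionary, and uses SHA-256 over the UTF-16LE password as a stand-in for NTLM (MD4), which hashlib often does not expose.

```python
import hashlib

# Constructed toy dictionary; the post's keyboard_dic.txt has 658 entries.
DICTIONARY = ["qwerty", "asdf", "zxcv", "12345", "uiop", "qwertyuiop", "poiu", "lkjh"]
RULES = [1, 2, 3]  # rule k joins RULES[k] words: inferred from 658, 658**2, 658**3 in the output
def rule_sizes(n_words, rules=RULES):
    """Per-rule index sizes and their total, e.g. 658 -> ([658, 432964, 284890312], 285323934)."""
    sizes = [n_words ** k for k in rules]
    return sizes, sum(sizes)
def index_to_plaintext(index, dictionary=DICTIONARY, rules=RULES):
    """Decode a global index over the rule-structured keyspace into a candidate password."""
    n = len(dictionary)
    for k in rules:
        if index < n ** k:   # mixed-radix decode, base n, inside rule k
            return "".join(dictionary[(index // n ** i) % n] for i in range(k))
        index -= n ** k
    raise ValueError("index outside keyspace")
def hash_fn(plaintext):
    # Stand-in for NTLM (MD4 of the UTF-16LE password); hashlib often lacks MD4.
    return hashlib.sha256(plaintext.encode("utf-16-le")).digest()
def reduce_fn(digest, column, total):
    """Fold a digest and its chain column into an index in [0, total)."""
    return (int.from_bytes(digest[:8], "little") + column) % total
def step(idx, column, total):
    return reduce_fn(hash_fn(index_to_plaintext(idx)), column, total)
def build_table(chain_count, chain_len):
    """Keep only end -> [starts], as drcrack's .rt does; the middle is recomputed on lookup."""
    total, table = rule_sizes(len(DICTIONARY))[1], {}
    for start in range(chain_count):       # assumes chain_count <= total
        idx = start
        for col in range(chain_len):
            idx = step(idx, col, total)
        table.setdefault(idx, []).append(start)
    return table
def lookup(table, target, chain_len):
    """Return (plaintext or None, false alarms): endpoint hits whose chain lacked the hash."""
    total, false_alarms = rule_sizes(len(DICTIONARY))[1], 0
    for col in range(chain_len - 1, -1, -1):   # guess the column where target was produced
        idx = reduce_fn(target, col, total)
        for c in range(col + 1, chain_len):
            idx = step(idx, c, total)
        for start in table.get(idx, []):
            cand = start
            for c in range(col):                # regenerate the chain up to that column
                cand = step(cand, c, total)
            if hash_fn(index_to_plaintext(cand)) == target:
                return index_to_plaintext(cand), false_alarms
            false_alarms += 1
    return None, false_alarms
```

With 40 chains of length 16 over a 584-entry keyspace the toy table is small enough to inspect, and the false-alarm counter shows why drcrack's "total chain walk step due to false alarm" is so large.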

I'm sure more posts are forthcoming...
CG

1 comment:

Pento said...

Very interesting... for a long time I've wanted to play with Rainbow Tables.. :)