cracking using rainbow tables
DESCRIPTION
This presentation explains how passwords are stored in Windows, how they can be cracked, and ways to prevent that.
TRANSCRIPT
RAINBOW TABLES LM & NTLM HASHES
By: Rahul Sharma
TE COMPUTERS T3224245
How Windows Stores Passwords??
• LM “hashes”
  • Old technology used on LAN Manager
• NT hashes
  • Unicode password or MD4 hash
  • Used for authentication on more recent Windows systems
How a Hash Looks Like??
E52CAC67419A9A224A3B108F3FA6CB6D
LM “Hash” Generation
1. Converted to upper case
2. Padded with NULL to 14 characters
3. Separated into two 7 character strings
4. 7 bytes converted to 56 bits
5. 0 added after every 7 bits to convert it to 64 bits
6. Processed according to Data Encryption Standard (DES)
7. Encrypt the result
How to create the hash
pAsSWOrd -> PASSWORD
P A S S W O R D 0 0 0 0 0 0
CONVERT 7 BYTES INTO BITS (56 BITS)
ADD A 0 BIT AFTER EVERY 7 BITS (64 BITS)
DES KEY #1, DES KEY #2
LM hashes
DES KEY #1 -> ENCRYPT(KGS!@#$%) -> FIRST 8 BYTES OF LM HASH
DES KEY #2 -> ENCRYPT(KGS!@#$%) -> SECOND 8 BYTES OF LM HASH
Overview
PASSWORD -> P A S S W O R D 0 0 0 0 0 0 -> DES KEY #1, DES KEY #2 -> ENCRYPT(KGS!@#$%) -> FIRST 8 BYTES OF LM HASH, SECOND 8 BYTES OF LM HASH
Proof that case doesn’t matter
Password = E52CAC67419A9A22 4A3B108F3FA6CB6D
PaSSwORd = E52CAC67419A9A22 4A3B108F3FA6CB6D
Password1 = E52CAC67419A9A22 38F10713B629B565
NTLM HASHES
Uses MD4 algorithm to create a hash of the mixed-case password
Results in a 16 byte hash of the password (stored in the SAM…)
Used for any password greater than 14 characters
NTLM HASH
PassWOrD -> MD4 HASH ALGORITHM (RFC 1320) -> 16 BYTE NTLM HASH
Proof that case DOES matter
Password = F15ABD57801840F3348DDCCAFB677F6A
PaSSwORd = 17504CE07C0A0D4A1BD3A99A0821F957
Password1 = F9A3152D926F9FF898D0BAFBA0BFFD30
NTLM Hash Considerations
• Case preserving
• Maximum length = 127 characters
• Better Security than LM Hashes
• Number of ≤14-character passwords (full char set) ≈ 2.7*10^67
• Number of 127-character passwords ≈ 4.9*10^611
ATTACKS ON PASSWORDS….
Attacks on passwords
• Dictionary Attacks
• Brute Force Attacks
• Cryptanalysis Attacks
Dictionary attack
What it could contain:
• Well known passwords
• Natural languages (single words)
• Names of persons, locations, car makers, teams
• Well known expressions (movie / book titles)
BRUTE FORCE ATTACK
• What is a Brute Force Attack?
• Types of Brute Force attacks: Online B.F., Offline B.F.
• Can be prevented: limit number of login attempts
CRYPTANALYSIS ATTACK
• Attacker has details
• Knowledge of Algorithms
• Efficient methods
RAINBOW TABLES ??
• Precomputed Hash chains
• Hash and reduce
Rainbow Tables
hello -Hash-> dc23de -Reduce-> Jumbo -Hash-> 34d23ba -Reduce-> ….. -Reduce-> rock

START      END
joy        help
Hello      rock
Bottle     Mess
……….       …..….
passwd     linux23
EXAMPLE
Algorithm followed:
1. Reduce the hash.
2. Compare with the end points in the rainbow table.
3. While no entry is found, keep hashing and reducing.
4. Entry found: load its starting value.
5. Hash and reduce until the provided hash value is found.
6. The final reduced value is the password.
adf453 -Reduce-> rocky -Hash-> ed342ab -Reduce-> tape -Hash-> acd23 -Reduce-> rock
Hello -Hash-> df234 -Reduce-> pass -Hash-> adf453
Some Facts
IS THIS EFFECTIVE???
How to prevent rainbow tables from cracking passwords??
Use of SALTS
Use special symbols
Use Long passwords
What is SALT??
Special text or code. It does password strengthening.
SOME FACTS:
• Windows doesn't salt its hash!
• This makes it possible to speed up password cracking with precomputed Rainbow Tables
• LINUX uses SALT….
PROOF
• Here are two accounts on a Windows 7 Beta machine with the password 'password'
• This hash is from a different Windows 7 Beta machine
Linux Salts its Hashes
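The lookup algorithm from the EXAMPLE slide and the salting point above, as an added example that is not part of the original slides: a toy rainbow table that stores only START/END pairs and shows the same table failing against a salted hash. The 3-letter lowercase keyspace, SHA-256 as a stand-in for an unsalted hash, the start values, the salt "x9" and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy keyspace: 3 lowercase letters. SHA-256 stands in for any unsalted hash.
ALPHABET, PW_LEN, CHAIN_LEN = "abcdefghijklmnopqrstuvwxyz", 3, 100

def hash_pw(pw, salt=""):
    return hashlib.sha256((salt + pw).encode()).hexdigest()

def reduce_hash(digest, column):
    """Map a hash back into the keyspace; the column number varies the mapping per step."""
    n, chars = int(digest, 16) + column, []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def chain(start):
    """All plaintexts of one chain: columns 0..CHAIN_LEN (the last one is the END point)."""
    pws = [start]
    for column in range(CHAIN_LEN):
        pws.append(reduce_hash(hash_pw(pws[-1]), column))
    return pws

def build_table(starts):
    """Keep only END -> START pairs; the intermediate values are discarded."""
    table = {}
    for start in starts:
        table.setdefault(chain(start)[-1], []).append(start)
    return table

def lookup(table, target):
    """Return the plaintext for target, or None if no chain covers it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits in this column: reduce it, then hash and reduce to the end.
        pw = reduce_hash(target, column)
        for c in range(column + 1, CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), c)
        # End point found: replay each matching chain from its start value.
        for start in table.get(pw, []):
            for candidate in chain(start)[:-1]:
                if hash_pw(candidate) == target:
                    return candidate
    return None

if __name__ == "__main__":
    table = build_table(["joy", "cat", "sun", "key"])   # constructed start values
    stored = chain("joy")[40]                           # a password buried mid-chain
    print("unsalted:", lookup(table, hash_pw(stored)))  # recovered from START/END pairs only
    print("salted:  ", lookup(table, hash_pw(stored, salt="x9")))  # None: table no longer applies
```

A table precomputed for the unsalted hash covers every account at once; with a per-account salt the same work would have to be repeated for each salt value.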
TWITTER ATTACK!!!
• An 18-year-old student used a dictionary script to automatically try English words, which led him to a staff account.
• Username: “crystal”, password: “Happiness”.
Conclusions
• Use long passwords.
• Use special symbols.
• Use of salts.
• Limit no. of login attempts.
• Use NTLM hashes, as they are more difficult to crack.
• Change password frequently.
QUESTIONS ?