Cracking the Hash
After obtaining the password hash (for ways to do this, see the article here), we have to figure out what the password actually is. Depending on what you’re trying to accomplish, you may be able to simply pass the hash, but for the sake of this article we want to recover the password itself. The attack types we’ll look at here are:
- Dictionary
- Brute force
- Rainbow Table
A dictionary attack attempts to find the password by using a word list. This is typically just a text file with each word to test on a separate line. When performing a dictionary attack in Cain, additional attack options are available, for example number substitution (5ecrete, 3ncrypt) and appending numbers to the end of the dictionary words (password1, secrete20). The word list included in the default install of Cain currently contains over 300,000 words, and there are even larger lists available online. To make word lists even more effective, consider using lists for other languages, or lists that include common industry jargon.
Dictionary attacks typically run fairly quickly, but are ineffective against passwords that are not based on a dictionary word. For example, a dictionary attack is unlikely to find the password &&Fw!WIDK*@.
Personally, I like to run dictionary attacks when auditing internal users’ passwords, and as a quick first-line attack. This type of check is typically most appropriate for auditing internal users, since the goal there is to make sure users are following best practices (i.e. not using dictionary words or their own names), and not necessarily to obtain their passwords.
The next type of attack we’ll cover is the brute force attack. This attack takes a defined character set (e.g. abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789) and tries every possible combination of those characters until the correct one is found. As you would expect, against a large character set and password length this takes a prohibitively long time, since the number of candidates grows exponentially with the length. It can be a reasonable option if you suspect the password is short or uses a restricted character set. Due to limitations in the way an LM hash is generated (the password is converted to uppercase, padded to 14 characters and split into two 7-character halves that are hashed independently), if the LM hash is present a brute force attack is a fairly reliable way to get the password: each half is at most 7 uppercase characters and can be attacked on its own. A quick check: if the LM field for an account is AAD3B435B51404EEAAD3B435B51404EE (the LM hash of an empty password), no usable LM hash is stored and you are left with the NTLM hash. In environments with strict password requirements (letters of varying case, a number and a special character, along with a length of 8 or more characters), brute force attacks against the NTLM hash succeed much less often due to the time it would take to try all permutations.
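The dictionary and brute force attacks described above, as an added example that is not code from the article or from Cain: a small Python script that applies Cain-style mangling rules (case variants, number substitution, appended numbers) to a word list, and separately enumerates a restricted character set, counting how many candidates each attack needs. The word list is constructed for the example, the mangling rules are an approximation of Cain’s options rather than its actual rule set, and MD5 over the UTF-16LE password stands in for NTLM (which is MD4 over the same input), because hashlib’s MD4 is only available where OpenSSL still ships the legacy provider.

```python
import hashlib
import itertools
import string

# Stand-in for NTLM, which is MD4 over the UTF-16LE-encoded password.
# MD5 is used here because hashlib.new("md4") only works where OpenSSL
# ships the legacy provider; swap it in if your build has it.
def demo_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-16le")).hexdigest()

# Constructed word list standing in for a one-word-per-line text file.
WORDLIST = ["password", "secret", "encrypt", "welcome", "letmein"]

# Cain-style number substitutions (5ecret, 3ncrypt); an approximation.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

def mangle(word: str):
    """Yield the word plus case variants, digit substitutions, and each of
    those with a number 0-99 appended, roughly what Cain's options do."""
    base = {word, word.lower(), word.capitalize(), word.upper()}
    subs = set()
    for w in base:
        subs.add("".join(LEET.get(c, c) for c in w))   # substitute all letters
        if w[0].lower() in LEET:                        # first letter only
            subs.add(LEET[w[0].lower()] + w[1:])
    for w in sorted(base | subs):                       # sorted: deterministic order
        yield w
        for n in range(100):
            yield f"{w}{n}"

def dictionary_attack(target: str, words=WORDLIST):
    """Return (plaintext, candidates tried); plaintext is None on a miss."""
    tried = 0
    for word in words:
        for cand in mangle(word):
            tried += 1
            if demo_hash(cand) == target:
                return cand, tried
    return None, tried

def brute_force(target: str, charset: str, max_len: int):
    """Try every string over charset from length 1 to max_len, shortest first."""
    tried = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            tried += 1
            cand = "".join(tup)
            if demo_hash(cand) == target:
                return cand, tried
    return None, tried

def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates a brute force must cover for lengths 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

if __name__ == "__main__":
    # Word-list-derived password: found after a modest number of candidates.
    print(dictionary_attack(demo_hash("5ecret42")))
    # Random-looking password: every mangled candidate is tried, none match.
    print(dictionary_attack(demo_hash("&&Fw!WIDK*@")))
    # Short password over a restricted charset: brute force is practical.
    print(brute_force(demo_hash("ab1"), string.ascii_lowercase + string.digits, 3))
    # Why LM is weak: one 7-character uppercase half versus a full
    # 8-character password over all 95 printable ASCII characters.
    lm_half_charset = string.ascii_uppercase + string.digits + string.punctuation
    print(keyspace(len(lm_half_charset), 7), "vs", keyspace(95, 8))
```

The keyspace numbers at the end are the reason LM is worth brute-forcing and a complex 8+ character NTLM password usually is not: each LM half lives in a keyspace several hundred times smaller than the full printable 8-character space, and the two halves are cracked independently rather than multiplied together.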
Finally, a rainbow table attack uses a pre-generated table of hashes to identify the password. RainbowCrack (downloadable at http://project-rainbowcrack.com/index.htm#download) can generate rainbow tables for various algorithms and charsets. The power of a rainbow table is that it can crack non-dictionary passwords in a matter of seconds, trading a one-time generation cost and disk space for fast lookups. These tables can be quite large; for example, the RainbowCrack site shows the table holding the hashes for just lowercase passwords up to 9 characters long is 28GB. Rainbow tables are defeated by systems that salt passwords before hashing them, since a table would have to be generated per salt; LM and NTLM hashes are unsalted, which is why this attack works so well against them. They are also ineffective against passphrases or long, complex passwords that fall outside the table’s charset and length range. Even with these downsides, with the drop in storage prices (it’s not hard to find 1TB drives for less than $100), a rainbow table can be an effective option.
To generate the tables, you’ll need to download RainbowCrack. The download and instructions for generating tables are available from http://project-rainbowcrack.com. The basic steps are to use the rtgen executable to generate the tables, and then rtsort.exe to sort them so that they’re usable for lookups.
The syntax for rtgen is ‘rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index’. Typically you’ll break the table apart into several files, so you will need to run the generation in chunks, with a different table_index for each run. For example, for NTLM over the full printable ASCII charset (ascii-32-95), 1 to 7 characters, with 3800-step chains and 33554432 chains per file:
rtgen ntlm ascii-32-95 1 7 1 3800 33554432 0
rtgen ntlm ascii-32-95 1 7 2 3800 33554432 0
rtgen ntlm ascii-32-95 1 7 3 3800 33554432 0 ... <etc>
Note: this limits generation to passwords up to 7 characters in length (plaintext_len_max is 7). If you’ll be using this for purposes other than testing, you’ll likely need to increase that limit, which increases generation time and table size accordingly.
Then, after the tables are generated, you’ll need to sort them by running rtsort.exe <filename.rt> on each table file.
At this point we have sorted tables, so all we have to do is use them to crack a hash. You can use rcrack to do this with ‘rcrack <path to .rt files> -l <path to hash file>’. For example:
rcrack c:\users\dan\hack\rt\tables\*.rt -l c:\hashlist.txt
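The rtgen / rtsort / rcrack pipeline in miniature, as an added example that is not RainbowCrack’s code: it generates chains with a position-dependent reduction function, keeps only the (end, start) pairs, sorts them by end point, and looks a hash up by walking it forward to a chain end and regenerating the matching chain. The keyspace (lowercase, 1 to 3 characters), chain parameters, reduction function and the MD5-over-UTF-16LE stand-in for NTLM (MD4) are all choices made for this example, not RainbowCrack’s; the real tool uses its own reduction function and stores binary .rt files.

```python
import bisect
import hashlib
import random
import string

# Table parameters mirroring rtgen's arguments: charset, plaintext length
# range, chain length and chain count. Kept tiny so it runs in seconds.
CHARSET = string.ascii_lowercase          # rtgen's "loweralpha"
MIN_LEN, MAX_LEN = 1, 3
KEYSPACE = sum(len(CHARSET) ** n for n in range(MIN_LEN, MAX_LEN + 1))

def demo_hash(plain: str) -> bytes:
    # NTLM is MD4 over the UTF-16LE password; MD5 stands in so the example
    # runs without OpenSSL's legacy MD4 provider.
    return hashlib.md5(plain.encode("utf-16le")).digest()

def index_to_plain(i: int) -> str:
    """Map an integer in [0, KEYSPACE) onto one plaintext, shortest first."""
    n = len(CHARSET)
    length = MIN_LEN
    while i >= n ** length:
        i -= n ** length
        length += 1
    out = []
    for _ in range(length):
        out.append(CHARSET[i % n])
        i //= n
    return "".join(reversed(out))

def reduce_hash(h: bytes, pos: int, table_index: int) -> str:
    """Reduction function R: hash -> plaintext in the keyspace. Mixing in the
    column position is what makes this a rainbow table (one reduction per
    column) rather than a Hellman table; mixing in table_index is why tables
    generated with different indices cover different chains."""
    v = int.from_bytes(h[:8], "little") + pos + (table_index << 16)
    return index_to_plain(v % KEYSPACE)

def rtgen(table_index: int, chain_len: int, chain_num: int):
    """Build chains; only (end, start) pairs are kept, as in an .rt file."""
    rng = random.Random(table_index)      # deterministic start points
    chains = []
    for _ in range(chain_num):
        start = index_to_plain(rng.randrange(KEYSPACE))
        p = start
        for pos in range(chain_len):
            p = reduce_hash(demo_hash(p), pos, table_index)
        chains.append((p, start))
    return chains

def rtsort(chains):
    """Sort by end point so lookups can binary-search; this is rtsort's job."""
    return sorted(chains)

def rcrack(target: bytes, table, table_index: int, chain_len: int):
    """Look one hash up in a sorted table; return the plaintext or None."""
    ends = [end for end, _ in table]
    for j in range(chain_len):
        # Assume target sits in column j and walk forward to the chain end.
        p = reduce_hash(target, j, table_index)
        for pos in range(j + 1, chain_len):
            p = reduce_hash(demo_hash(p), pos, table_index)
        k = bisect.bisect_left(ends, p)
        while k < len(ends) and ends[k] == p:
            # Regenerate the candidate chain from its start and verify: a
            # matching end point can be a false alarm from merged chains.
            q = table[k][1]
            for pos in range(chain_len):
                h = demo_hash(q)
                if h == target:
                    return q
                q = reduce_hash(h, pos, table_index)
            k += 1
    return None

def crack_rate(table, table_index: int, chain_len: int, sample: int = 100):
    """Fraction of an evenly spaced sample of the keyspace the table recovers;
    below 1.0 because chains merge and random start points leave gaps."""
    step = max(1, KEYSPACE // sample)
    plains = [index_to_plain(i) for i in range(0, KEYSPACE, step)]
    hits = sum(rcrack(demo_hash(p), table, table_index, chain_len) == p
               for p in plains)
    return hits / len(plains)

if __name__ == "__main__":
    TABLE_INDEX, CHAIN_LEN, CHAIN_NUM = 0, 40, 1500
    table = rtsort(rtgen(TABLE_INDEX, CHAIN_LEN, CHAIN_NUM))  # rtgen + rtsort
    for pw in ("abc", "zz", "q"):                              # rcrack
        print(pw, rcrack(demo_hash(pw), table, TABLE_INDEX, CHAIN_LEN))
    print("coverage:", crack_rate(table, TABLE_INDEX, CHAIN_LEN))
```

Run it and note the coverage figure: it stays below 100% even for this toy keyspace, because chains merge and random start points leave gaps. That is why RainbowCrack tables are generated with several table_index values (the chunked rtgen runs above), and why a lookup against a real table can still miss a password that is inside the charset and length range.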
Another option is to use Cain to attack the hash. I like this option since we used Cain for the other attacks, and this lets us keep all of the hashes and results in one place. To use Cain, return to the Cracker tab, and right-click on the user(s) you’d like to crack. Select Cryptanalysis Attack > NTLM Hashes > via RainbowTables (RainbowCrack).
Click the Charsets button, and browse to the charset.txt file that was included in the RainbowCrack download. Then click on the ‘Add Table’ button, and select all of the .rt files that you generated. Then just click the start button to start the crack. While a strong, long password or passphrase can defeat rainbow tables, it’s a nice attack in the sense that it was able to crack passwords like ‘aZ!&$C5’ and ‘H0L3S#!’ in under a minute.