8/9/2019 Rainbow Tables - Barcamp Indonesia - Panggi Libersa
Rainbow Tables: Testing Passwords Security
Jakarta, December 12th 2009
About me
Panggi Libersa a.k.a. malcoder
Student at Indonesia's Computer University
Likes to take pictures
Almost has his CEH certification (waiting for the exam)
Member of GNU/Linux User Group at Bandung [ Klub Linux Bandung ]
Small web hosting owner [ hostinggokil.com, ofirnetwork.com (in progress) ]
Web: malcoder.info and opensecuritylab.org
Find me:
@panggi malcoder panggi_y2k
panggi.libersa panggi panggi
"Some things Man was never meant to know. For everything else, there's Google"
Geeky Quote
Why do I talk about this?
Awareness of Security
I promise that this will change your view on Password Security
Haven't met anyone that isn't surprised at the power of this stuff's ability to make cracking passwords become so easy
So, What is Password?
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource. The password must be kept secret from those not allowed access. (source: http://en.wikipedia.org/wiki/Password)
Password Usage
How to keep it secret?
Don't tell anybody else, keep it in mind (personal)
Store the password records in a secure environment (provider)
Type of storing password
Cleartext (ex: this-is-so-secret, 260987)
Encrypted
  Reversible encryption without key (ex: base64 cipher)
  Reversible encryption with key (ex: polyalphabetic substitution cipher)
One Way Hash (ex: md5, sha1)
One Way Hash with salt (ex: md5 + salt)
Example of the encryption usage
Base64 (functions: encode and decode)
Encode: cleartext -> ciphertext
Decode: ciphertext -> cleartext
cleartext: panggi -> encode -> ciphertext: cGFuZ2dp
ciphertext: cGFuZ2dp -> decode -> cleartext: panggi
Polyalphabetic substitution cipher
ex: Vigenère cipher
Usage :
Key: ABCDEF AB CDEFA BCD EFABCDEFABCD
Plaintext: CRYPTO IS SHORT FOR CRYPTOGRAPHY
Ciphertext: CSASXT IT UKSWT GQU GWYQVRKWAQJB
One Way Hash
CANNOT BE DECODED, feel secure? Wait
One way hash + salt
I will explain later ..
NEXT
Our Focus Today
Cracking One Way Hash Cipher
MD5
LM (LAN MANAGER) for MS Windows Password
Characteristics
MD5: The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32 hexadecimal digits
Example:
test = 098f6bcd4621d373cade4e832627b4f6
LM :
The user's ANSI password is converted to uppercase.
This password is null-padded to 14 bytes.
The fixed-length password is split into two 7-byte halves.
These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a parity-bit after every seven bits. This generates the 64 bits needed for the DES key.
Each of these keys is used to DES-encrypt the constant ASCII string KGS!@#$%, resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE.
These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
Example:
percobaan:1016:3EABC00C9F7B74B09A0F5D12D8F612D0:34976BC196DADD52A6D02AE530F806C3:::
percobaan = username
1016 = ID
3EABC00C9F7B74B09A0F5D12D8F612D0 (LEFT side of LM password, it means the password is more than 7 chars)
34976BC196DADD52A6D02AE530F806C3 (RIGHT side of LM pass, so we just have to crack 7 chars and fit it together)
Methods of cracking the passwords
Brute Force
Dictionary
Rainbow Tables (our focus)
Etc
Brute force
Using all possible combination in sequence
Example:
Targeted hash: 4a8a08f09d37b73795649038408b5f33
OK.. Crack it ..
a = 0cc175b9c0f1b6a831c399e269772661
Dictionary
Given the wordlist of common passwords
Example:
Targeted hash: 3858f62230ac3c915f300c664312c63f
dic-crack 3858f62230ac3c915f300c664312c63f -L path-of-wordlist/wordlist.txt
searching.
fooa
Rainbow Tables?
A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function. A common application is to make attacks against hashed passwords feasible (http://en.wikipedia.org/wiki/Rainbow_tables)
English please
Lookup table?
Time-memory tradeoff?
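To make the two terms concrete, here is a toy rainbow table over 3-letter lowercase passwords, added as an illustration and not taken from the slides or from rcrack. The keyspace, chain length and reduction function are assumptions chosen to keep it small; only the chain endpoints are stored (memory), and a lookup recomputes chains (time).

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase  # toy keyspace (assumed): 3 lowercase letters
PW_LEN = 3
CHAIN_LEN = 20                     # hash/reduce steps per chain (assumed)

def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def reduce_hash(digest, column):
    """Map a digest back into the keyspace; the mapping differs per column."""
    n = int(digest, 16) + column
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def chain_end(pw, start_col=0):
    """Walk hash -> reduce from start_col to the end of the chain."""
    for col in range(start_col, CHAIN_LEN):
        pw = reduce_hash(md5_hex(pw), col)
    return pw

def build_table(starts):
    """Memory side: keep only endpoint -> start words, drop the middle."""
    table = {}
    for s in starts:
        table.setdefault(chain_end(s), []).append(s)
    return table

def lookup(table, target):
    """Time side: recompute chains instead of storing every hash."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target hash sits in this column and walk to the chain end.
        end = chain_end(reduce_hash(target, col), col + 1)
        for start in table.get(end, []):
            pw = start
            for c in range(col + 1):
                if md5_hex(pw) == target:
                    return pw
                pw = reduce_hash(md5_hex(pw), c)
            # Endpoint matched but the hash is not in this chain: a "false alarm".
    return None

if __name__ == "__main__":
    starts = ["abc", "dog", "sun", "key"]   # constructed sample start words
    table = build_table(starts)
    mid = reduce_hash(md5_hex("dog"), 0)    # a word inside a chain, never stored
    print(len(table), "endpoints stored; recovered:", lookup(table, md5_hex(mid)))
```

The "false alarm" branch corresponds to the "total false alarm" counter in the rcrack statistics shown in the demo.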
Time for the Demo
Example: md5_hash.txt
Result
D:\hashcrack>rcrack d:\md5_tables\*.rt -l md5_hash.txt
md5_alpha#1-7_0_2400x40000000_panggi#000.rt:
640000000 bytes read, disk access time: 9.99 s
verifying the file...
searching for 30 hashes...
plaintext of 20392298d6b78e0890cd22a7bf071c49 is PANGGI
plaintext of c9122fd7bae0681b62a39ddfc1c7fb19 is LOVE
plaintext of 469590a45cc7f985b53d15113157e6ea is MUSTIKA
cryptanalysis time: 377.34 s
md5_alpha-numeric#1-7_0_2400x40000000_panggi#000.rt:
640000000 bytes read, disk access time: 73.13 s
verifying the file...
searching for 27 hashes...
plaintext of 31c9febeeb68929cd6c097239cf3e9d3 is P4ST1
plaintext of d81bf97286c617c77b679478ce8b72b2 is 050479
cryptanalysis time: 102.56 s
md5_alpha-numeric#1-7_0_2400x40000000_panggi#001.rt:
640000000 bytes read, disk access time: 60.70 s
verifying the file...
searching for 25 hashes...
plaintext of 10f97476043d02db1a236b877232c0a6 is 7201421
cryptanalysis time: 28.19 s
md5_alpha-numeric#1-7_0_2400x40000000_panggi#002.rt:
640000000 bytes read, disk access time: 68.28 s
verifying the file...
searching for 24 hashes...
cryptanalysis time: 28.24 s
md5_alpha-numeric#1-7_0_2400x40000000_panggi#003.rt:
640000000 bytes read, disk access time: 67.72 s
verifying the file...
searching for 24 hashes...
cryptanalysis time: 27.81 s
md5_loweralpha#1-7_0_2100x8000000_panggi.rt:
128000000 bytes read, disk access time: 36.22 s
verifying the file...
searching for 24 hashes...
plaintext of d1cbedff31b828ac2f15548357988073 is nashien
plaintext of c94630fe9dea660ba53ddf5d3a41e802 is herc
plaintext of 73e405227c02a626e66f0dc4dd3a53a3 is hayati
cryptanalysis time: 79.63 s
md5_loweralpha#1-7_1_2100x8000000_panggi.rt:
128000000 bytes read, disk access time: 2.86 s
verifying the file...
searching for 21 hashes...
plaintext of 2e19ab163556288cf239f5339927e408 is nunung
plaintext of dcb76da384ae3028d6aa9b2ebcea01c9 is sayang
cryptanalysis time: 73.33 s
md5_loweralpha#1-7_2_2100x8000000_panggi.rt:
128000000 bytes read, disk access time: 9.56 s
verifying the file...
searching for 19 hashes...
cryptanalysis time: 69.08 s
md5_loweralpha#1-7_3_2100x8000000_panggi.rt:
128000000 bytes read, disk access time: 2.45 s
verifying the file...
searching for 19 hashes...
cryptanalysis time: 69.38 s
md5_loweralpha#1-7_4_2100x8000000_panggi.rt:
128000000 bytes read, disk access time: 12.00 s
verifying the file...
searching for 19 hashes...
cryptanalysis time: 69.20 s
md5_loweralpha-numeric#1-7_0_2400x40000000_panggi#000.rt:
640000000 bytes read, disk access time: 17.91 s
verifying the file...
searching for 19 hashes...
plaintext of 3fde6bb0541387e4ebdadf7c2ff31123 is 1q2w3e
cryptanalysis time: 75.73 s
md5_loweralpha-numeric#1-7_0_2400x40000000_panggi#001.rt:
640000000 bytes read, disk access time: 14.73 s
verifying the file...
searching for 18 hashes...
plaintext of 26f803e714f7d39c0b5a9dd67d03f887 is 8u7y6t
cryptanalysis time: 21.09 s
md5_loweralpha-numeric#1-7_0_2400x40000000_panggi#002.rt:
640000000 bytes read, disk access time: 13.91 s
verifying the file...
searching for 17 hashes...
cryptanalysis time: 20.03 s
md5_loweralpha-numeric#1-7_0_2400x40000000_panggi#003.rt:
640000000 bytes read, disk access time: 14.20 s
verifying the file...
searching for 17 hashes...
plaintext of 9486f7a4fdf724cf6cacbdc103661fce is metty77
cryptanalysis time: 19.31 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#000.rt:
640000000 bytes read, disk access time: 14.41 s
verifying the file...
searching for 16 hashes...
plaintext of 9ac17fc47347d505c92e3ca31fee675d is 4Dm1n
plaintext of b65a81125dbfaab4a3ecdff26a979309 is Pa55
plaintext of d695f8f703c1b3b0dce9d588a4d4abad is UN1k0M
plaintext of 75003783871e9404cd0793ca81594841 is G0D$
plaintext of 464b59d944c93b6a5eb3dfd0abf15114 is c(%H2n
plaintext of d740ee7f1cd46b3d536a6f4331a4c77f is *$^#&3
plaintext of 13781c244d5bb85a296bcbe4ac7992f7 is h@xX0r
cryptanalysis time: 33.47 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#001.rt:
640000000 bytes read, disk access time: 12.95 s
verifying the file...
searching for 9 hashes...
plaintext of 0248750eb423b999bd684b10668f7241 is iMoeTh
plaintext of e63d33d7ad4b4360f761634de070a860 is w_Bu5H
plaintext of 4e3d682f0821b23f6d49fa1ac2cf154a is R@54In
cryptanalysis time: 3.86 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#002.rt:
640000000 bytes read, disk access time: 12.92 s
verifying the file...
searching for 6 hashes...
plaintext of 78c5d5ed7ea4372435e9f006b29ea745 is !Q@W#E
plaintext of a9684b0defabebc108720fda1627f43d is 1!q^YW
cryptanalysis time: 2.36 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#003.rt:
640000000 bytes read, disk access time: 18.03 s
verifying the file...
searching for 4 hashes...
plaintext of 86acaeb6d0f7241ea54b73528fa204ca is 5TR0n6
cryptanalysis time: 1.78 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#004.rt:
640000000 bytes read, disk access time: 12.38 s
verifying the file...
searching for 3 hashes...
cryptanalysis time: 1.38 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#005.rt:
640000000 bytes read, disk access time: 12.41 s
verifying the file...
searching for 3 hashes...
plaintext of b150e73aa5fc110c27320c98effcc0f1 is p@N66i
cryptanalysis time: 1.38 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#006.rt:
640000000 bytes read, disk access time: 12.44 s
verifying the file...
searching for 2 hashes...
cryptanalysis time: 0.94 s
md5_numeric#1-9_0_3000x3000000_panggi#000.rt:
48000000 bytes read, disk access time: 0.72 s
verifying the file...
searching for 2 hashes...
plaintext of bcdc908a16dbfe1297b4b0891ccf9ed7 is 29041987
plaintext of 7279f67e313cc35e518f94c775a42196 is 776284123
cryptanalysis time: 23.86 s
statistics
-------------------------------------------------------
plaintext found: 30 of 30 (100.00%)
total disk access time: 499.91 s
total cryptanalysis time: 1129.94 s
total chain walk step: 453610884
total false alarm: 853120
total chain walk step due to false alarm: 675710917
result
-------------------------------------------------------
20392298d6b78e0890cd22a7bf071c49 PANGGI hex:50414e474749
c9122fd7bae0681b62a39ddfc1c7fb19 LOVE hex:4c4f5645
469590a45cc7f985b53d15113157e6ea MUSTIKA hex:4d555354494b41
31c9febeeb68929cd6c097239cf3e9d3 P4ST1 hex:5034535431
2e19ab163556288cf239f5339927e408 nunung hex:6e756e756e67
dcb76da384ae3028d6aa9b2ebcea01c9 sayang hex:736179616e67
d1cbedff31b828ac2f15548357988073 nashien hex:6e61736869656e
c94630fe9dea660ba53ddf5d3a41e802 herc hex:68657263
73e405227c02a626e66f0dc4dd3a53a3 hayati hex:686179617469
9486f7a4fdf724cf6cacbdc103661fce metty77 hex:6d657474793737
26f803e714f7d39c0b5a9dd67d03f887 8u7y6t hex:387537793674
0248750eb423b999bd684b10668f7241 iMoeTh hex:694d6f655468
9ac17fc47347d505c92e3ca31fee675d 4Dm1n hex:34446d316e
b65a81125dbfaab4a3ecdff26a979309 Pa55 hex:50613535
3fde6bb0541387e4ebdadf7c2ff31123 1q2w3e hex:317132773365
d695f8f703c1b3b0dce9d588a4d4abad UN1k0M hex:554e316b304d
86acaeb6d0f7241ea54b73528fa204ca 5TR0n6 hex:355452306e36
78c5d5ed7ea4372435e9f006b29ea745 !Q@W#E hex:215140572345
75003783871e9404cd0793ca81594841 G0D$ hex:47304424
e63d33d7ad4b4360f761634de070a860 w_Bu5H hex:775f42753548
a9684b0defabebc108720fda1627f43d 1!q^YW hex:3121715e5957
b150e73aa5fc110c27320c98effcc0f1 p@N66i hex:70404e363669
464b59d944c93b6a5eb3dfd0abf15114 c(%H2n hex:63282548326e
4e3d682f0821b23f6d49fa1ac2cf154a R@54In hex:52403534496e
d740ee7f1cd46b3d536a6f4331a4c77f *$^#&3 hex:2a245e232633
13781c244d5bb85a296bcbe4ac7992f7 h@xX0r hex:684078583072
bcdc908a16dbfe1297b4b0891ccf9ed7 29041987 hex:3239303431393837
10f97476043d02db1a236b877232c0a6 7201421 hex:37323031343231
d81bf97286c617c77b679478ce8b72b2 050479 hex:303530343739
7279f67e313cc35e518f94c775a42196 776284123 hex:373736323834313233
D:\hashcrack>
Mr. @ialexs's request (pass: maLam1)
K:\rainbow\hashcrack>rcrack k:\rainbow\md5_tables\md5_mixalpha-numeric*.rt -h 7d62eaa2e2a3da203573dc408d31cd0d
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#000.rt:
640000000 bytes read, disk access time: 40.91 s
verifying the file...
searching for 1 hash...
cryptanalysis time: 3.41 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#001.rt:
640000000 bytes read, disk access time: 45.14 s
verifying the file...
searching for 1 hash...
cryptanalysis time: 0.45 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#002.rt:
640000000 bytes read, disk access time: 47.19 s
verifying the file...
searching for 1 hash...
cryptanalysis time: 0.47 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#003.rt:
640000000 bytes read, disk access time: 45.22 s
verifying the file...
searching for 1 hash...
cryptanalysis time: 0.44 s
md5_mixalpha-numeric-symbol14-space#1-6_0_2400x40000000_panggi#004.rt:
640000000 bytes read, disk access time: 46.28 s
verifying the file...
searching for 1 hash...
plaintext of 7d62eaa2e2a3da203573dc408d31cd0d is maLam1
cryptanalysis time: 0.22 s
statistics
-------------------------------------------------------
plaintext found: 1 of 1 (100.00%)
total disk access time: 224.73 s
See the time..
total cryptanalysis time: 4.98 s
total chain walk step: 2876401
total false alarm: 2252
total chain walk step due to false alarm: 1882084
result
-------------------------------------------------------
7d62eaa2e2a3da203573dc408d31cd0d maLam1 hex:6d614c616d31
K:\rainbow\hashcrack>
Windows Password (LM)
Dump it first
K:\Pwdump7>PwDump7.exe > pass_win.txt
Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
url: http://www.514.es
K:\Pwdump7>
pass_win.txt ($ sign is censored by me)
Administrator:500:NO PASSWORD*********************:95C735766$$$$$$$$EAC22EC$$$$18CF:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
__vmware_user__:1011:NO PASSWORD*********************:2E4D88$$$$$$$$$$$$701F71FD7F63B9:::
apache2triad:1013:A215FD4C479AAEC8$$$$$$$$$$465971:6B93A1E44490938$$$$$$$$$$E4C4D63:::
okay:1014:3EABC00C9F7B74B09A0F5D12D8F612D0:34976BC196DADD52A6D02AE530F806C3:::
HelpAssistant:1015:F681E43E4269$$$$$$3D27C551$$$$$$:32EB$$$$$$159997D$$$$$$1EC24BA2A:::
percobaan:1016:3EABC00C9F7B74B09A0F5D12D8F612D0:34976BC196DADD52A6D02AE530F806C3:::
crack it
irc://irc.plaintext.info#rainbowcrack
How to secure it?
MD5
Use salted password (not naked)
Example:
how to use it? simply..
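A sketch of the salted MD5 storage this slide recommends, added here as an example and not the code from the original slide. The `salt$digest` record layout, the function names and the small precomputed dictionary standing in for a rainbow table are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: a precomputed unsalted MD5 lookup, standing in for a rainbow table.
COMMON = ["test", "love", "sayang", "1q2w3e"]
PRECOMPUTED = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON}

def store_unsalted(password):
    """The 'naked' form: identical passwords always give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def store_salted(password, salt=None):
    """Return 'salt$digest' (assumed layout) with a fresh random salt per account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = record.split("$")
    candidate = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

def table_hit(stored):
    """What a precomputed table yields for a leaked record (None = no entry)."""
    return PRECOMPUTED.get(stored.split("$")[-1])

if __name__ == "__main__":
    naked = store_unsalted("sayang")
    salted = store_salted("sayang")
    print("unsalted lookup:", table_hit(naked))    # found in the precomputed table
    print("salted lookup:  ", table_hit(salted))   # None: the table was built without this salt
    print("login check:    ", verify_salted("sayang", salted))
```

The salt only defeats precomputed tables; MD5 itself is fast, so the same record layout is normally used with a slow function such as `hashlib.pbkdf2_hmac`.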
LM Hash
percobaan:1016:3EABC00C9F7B74B09A0F5D12D8F612D0:34976BC196DADD52A6D02AE530F806C3:::
Use at least 15 characters and Windows will change its algorithm to a more secure one (NTLM)
Thank You