The myth of the secure password has ended
Once upon a time we used to work with brute-force password cracking tools like L0phtCrack (developed by @stake and terminated by Symantec), John the Ripper (version 1.7 has just come out after 7 years of hibernation) or Cain & Abel (from the Italian Massimiliano Montoro).
At that time, a secure password only needed to be a string longer than 7 characters with at least one character from each of the 4 alphanumeric groups.
Then the Rainbow Table method arrived and everything changed.
A Rainbow Table is nothing but a pre-computed array of all possible arrangements of all alphanumeric characters, in the format used by the Windows LanMan and NTLM hashing algorithms (but also applicable to MD5 and SHA1).
The cracking tool just searches the pre-computed table for the string you pass it, giving the clear-text password within seconds (less than 1 most of the time).
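Why a pre-computed table works against an unsalted hash, and why a per-record salt with a slow key-derivation function takes that shortcut away, shown as an added example that is not part of the original post. The tiny keyspace, the sample password `a1b2`, the function names and the PBKDF2 iteration count are assumptions chosen for the demonstration; SHA-1 stands in for the unsalted formats mentioned above.

```python
import hashlib
import hmac
import itertools
import os

# Constructed demo keyspace: tiny on purpose so the table builds instantly.
CHARSET = "abc123"
MAX_LEN = 4


def build_lookup_table():
    """Precompute unsalted SHA-1 digest -> plaintext once, for reuse on any dump."""
    table = {}
    for n in range(1, MAX_LEN + 1):
        for combo in itertools.product(CHARSET, repeat=n):
            pw = "".join(combo)
            table[hashlib.sha1(pw.encode()).hexdigest()] = pw
    return table


def store_unsalted(password):
    """Weak scheme: the same password always yields the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password, salt=None, iterations=100_000):
    """Hardened scheme: random per-record salt plus a slow KDF (demo iteration count)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_salted(password, record):
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def demo(password="a1b2"):
    table = build_lookup_table()
    rec_a, rec_b = store_salted(password), store_salted(password)
    return {
        "table_size": len(table),
        "unsalted_recovered": table.get(store_unsalted(password)),
        "salted_recovered": table.get(rec_a[2].hex()),
        "salted_verifies": verify_salted(password, rec_a),
        "salted_records_differ": rec_a[2] != rec_b[2],
    }
```

The unsalted record is found in the table immediately, while the two salted records for the same password differ from each other, so any table would have to be rebuilt for every salt.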
To start the game you just need a dumping tool, like the new PWdump6: run it on your victim machine and grab all the users' hashes.
You also need the tables, but this is simple as well: Rainbow Tables can be generated by anyone with a standard computer, enough disk space and some patience (depending on your CPU power it can take days or weeks).
Easy? It can be even easier...
Someone has been kind enough to pre-compute Rainbow Tables for you and sell you DVDs for a small price. Within a couple of days you can be in business.
Easier? It can be even more so...
The Shmoo Group is distributing a 44GB-tableset through torrents. You just have to free enough space and start downloading them. Or, if you really need to do the dirty work, and want to dedicate a whole HD to Rainbow Tables, you can download a huge 120GB-tableset (complete charset, 7 characters maximum) pre-computed by Hak5.
A lot easier? It can be much more so...
Someone has been so kind as to make his Rainbow Tables available to be queried online. You just have to upload your hash and within seconds the crack is done.
Much easier? You won't believe how easy it can really be...
The creator of the Rainbow Table method, Philippe Oechslin, who is also the author of the best Rainbow Table cracking tool, Ophcrack, released a Linux LiveCD distribution which boots on any Windows computer, mounts existing NTFS partitions, finds the local SAM file containing the users' passwords, dumps the hashes and provides all clear-text passwords within minutes.

It comes with a small Rainbow Table able to crack passwords without any special character, but it's enough to prove how it works: I booted a computer with Ophcrack LiveCD 1.0 and it took 5 seconds to find my seemingly complex password s3cur1tyz3r0 from the User account.
With a complete Rainbow Table embedded (something concrete as soon as HD DVD and Blu-Ray drives and disks start to spread) I could crack any password out there.