Rainbow Hash Cracking


Yes, tasty. I salt my hashes with unique information from the user, so only they can hack their passwords! Unless someone gains access to the DB and guesses which fields I’m using. It’s a good thing I’m lazy and not a perfectionist, otherwise I’d still be worrying whether it’s a secure enough method. Just thinking about it makes me want to go try other hashing schemes that are just now popping up in my head. I guess I’ll have to wait and see.


First off, a 14-character alphanumeric full table would take about 1,600,000,000,000,000,000 entries. An additional password character adds 36^15; the next character adds 36^16. (Based on all caps.)

Next, rainbow tables do NOT store ALL combinations. They store a start range and an end range based on the hash. Therefore the engine compares the hash, finds what password range it falls within, and brute-forces THESE passwords. This is known as the time-memory trade-off.

I have an alpha (small+cap), numeric, extended-character, 1- through 45-character rainbow table set on 50 DVDs and STILL only get a 45.362% chance of breaching a “12 character salted” pass phrase EVEN WHEN I KNOW WHAT THE SALT IS. (L0phtCrack, John the Ripper, RainbowCrack, Ophcrack, Cain & Abel)

Simply: Pass=2f+(MD5(MD5([Pass Phrase])+[Pass Phrase]))+3e
This creates a “hash” that doesn’t match a known hash length and creates a pass phrase at least 33 characters long (assuming [Pass Phrase]=“A”).

So then we have Pass=2f+(MD5(5f4dcc3b5aa765d61d8327deb882cf99A))+3e
Giving: Pass=2f+(2e463de3a23c0d6e33e67313cfc9b5e6)+3e
Yielding final: Pass=2f2e463de3a23c0d6e33e67313cfc9b5e63e

Try running that through rainbow tables and the engine won’t even load the tables. It won’t see a hash.

If a hacker has physical access to the hardware, he could open a DOS box and ADD himself as an Admin in 2 lines. So rainbow tables are for REMOTELY getting a password. Much easier to just use packet gathering on the network and get the password from there. (Take a look at the Cain & Abel tools if you don’t believe me.)

Software-wise, they will reverse engineer the software and BYPASS, “patch”, or use your own code to create a “key generator”. It is an unending battle.
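The comment above describes the time-memory trade-off in terms of stored "ranges". What a rainbow table actually stores is the two ends of long chains that alternate a hash step with a reduction step (a function that maps a hash back into the password space), with a different reduction at each column; a lookup re-runs the chain from the target hash for every possible column and regenerates a chain only when an endpoint matches. The following is an added example, not code from the original post or any of the tools it names: a toy MD5 rainbow table over a constructed keyspace of 3-letter lowercase strings (the alphabet, chain length, chain count and the 7919 stride for start points are all arbitrary choices made here), including the salted case the thread keeps coming back to.

```python
import hashlib
import string

# Toy keyspace, constructed for this example: every 3-letter lowercase string.
ALPHABET = string.ascii_lowercase
LENGTH = 3
KEYSPACE = len(ALPHABET) ** LENGTH      # 17,576 candidate passwords
CHAIN_LEN = 50                          # t: hash/reduce steps per chain
NUM_CHAINS = 1200                       # m: rows actually stored


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def index_to_password(n: int) -> str:
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_hash(digest_hex: str, column: int) -> str:
    """Map a hash back into the keyspace. Mixing in the column index gives each
    step its own reduction function; that is what makes the table a *rainbow*
    table rather than a classic Hellman table and limits chain merges."""
    return index_to_password((int(digest_hex[:16], 16) + column) % KEYSPACE)


def build_table() -> dict:
    """Return {endpoint: [start, ...]}. Only the two ends of each chain are kept;
    the m*t intermediate passwords are recomputed on demand (the trade-off)."""
    table = {}
    for i in range(NUM_CHAINS):
        start = index_to_password((i * 7919) % KEYSPACE)   # deterministic, spread-out starts
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), col)
        table.setdefault(pw, []).append(start)
    return table


def coverage(table: dict) -> float:
    """Fraction of the keyspace that appears somewhere on a stored chain."""
    seen = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for col in range(CHAIN_LEN):
                seen.add(pw)
                pw = reduce_hash(md5_hex(pw), col)
    return len(seen) / KEYSPACE


def lookup(table: dict, target_hex: str):
    """Return a preimage of target_hex if it lies on any stored chain, else None."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the target is the hash at column `col`; walk to the chain end.
        pw = reduce_hash(target_hex, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), c)
        for start in table.get(pw, []):
            # Endpoint matched: regenerate that chain and look for the real preimage.
            # A false alarm from a merged chain simply fails this check.
            cand = start
            for c in range(CHAIN_LEN):
                if md5_hex(cand) == target_hex:
                    return cand
                cand = reduce_hash(md5_hex(cand), c)
    return None


if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} endpoints stored for {NUM_CHAINS * CHAIN_LEN} hashes computed, "
          f"~{coverage(table):.0%} of {KEYSPACE} passwords covered")
    print("md5('cat') ->", lookup(table, md5_hex("cat")))          # None if 'cat' is in the uncovered part
    # A salt the table was not built for pushes the input out of the keyspace entirely.
    print("md5('x7' + 'cat') ->", lookup(table, md5_hex("x7" + "cat")))
```

Building costs m*t hashes but stores only m rows; a lookup costs about t^2/2 hashes plus one chain regeneration per endpoint hit. Coverage is never 100% for a single table (chains merge), which is why real table sets are several tables with different reduction functions and still quote a success probability rather than a guarantee. The salted lookup returns None not because the table is too small but because "x7cat" is not in the keyspace the table was generated for at all; a per-user salt forces a fresh table per salt value.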


There are even some password managers that can generate passwords using AES and are free like the Cute Password Manager(http://www.cutepasswordmanager.com).


Instead of dealing with huge files, I just reset the Vista password with the Offline NT Password & Registry Editor. I was forced to do it once I encountered the “All LM hashes are empty, please use NT hash tables to crack the remaining hashes” problem.



Why can’t people just hash it twice?

Hashing a hash will result in a 32-length password, which will probably make rainbow tables quite redundant, unless they do have a gigantic table.

If so, just get the last 4 characters of the password, hash them, append that to the password hash, and hash the "password hash + last-4-char hash + username hash". It will result in a 96-length “password”.

This will require them to generate a custom table for every user or just use brute force.

(password + 2 salts)


I think even adding a simple database-generated sequence to the password and then taking MD5 can evidently reduce the threat of a rainbow table attack.

e.g. md5(md5(UID).Password)

don’t you think?
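The two comments above (hash the hash, then mix in user-specific data; and md5(md5(UID).Password) with a database sequence) both amount to a per-user salt. What the salt buys is not a longer hash but the loss of reuse: one precomputed table serves every unsalted user, while a salted dump has to be attacked one user at a time. The following is an added example, not code from either commenter: it implements the md5(md5(UID).Password) scheme as written, with a constructed user table and word list, and counts the hash operations each attack needs. The duplicate-hash check shows a second thing an unsalted dump leaks before any cracking starts.

```python
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def store_unsalted(password: str) -> str:
    return md5_hex(password)


def store_salted(uid: int, password: str) -> str:
    # The commenter's scheme: md5(md5(UID) . Password), UID being a DB sequence value.
    return md5_hex(md5_hex(str(uid)) + password)


# Constructed sample data for this example; not from the original post.
USERS = {1: "secret", 2: "letmein", 3: "secret", 4: "dragon"}
WORDLIST = ["123456", "password", "letmein", "secret", "dragon", "monkey"]


def dump_unsalted() -> dict:
    return {uid: store_unsalted(pw) for uid, pw in USERS.items()}


def dump_salted() -> dict:
    return {uid: store_salted(uid, pw) for uid, pw in USERS.items()}


def duplicate_hashes(dump: dict) -> list:
    """Groups of users sharing a stored hash: visible in an unsalted dump
    without cracking anything, and gone once a per-user salt is mixed in."""
    groups = {}
    for uid, h in dump.items():
        groups.setdefault(h, []).append(uid)
    return [uids for uids in groups.values() if len(uids) > 1]


def attack_unsalted(dump: dict):
    """One precomputed table (the rainbow-table situation) serves every user.
    Returns (recovered passwords, number of hash operations)."""
    precomputed = {md5_hex(w): w for w in WORDLIST}   # built once, reused for any dump
    found = {uid: precomputed.get(h) for uid, h in dump.items()}
    return found, len(WORDLIST)


def attack_salted(dump: dict):
    """Nothing precomputed applies: each user costs a fresh pass over the word list."""
    found, work = {}, 0
    for uid, h in dump.items():
        found[uid] = None
        for w in WORDLIST:
            work += 1
            if store_salted(uid, w) == h:
                found[uid] = w
                break
    return found, work


if __name__ == "__main__":
    plain, salted = dump_unsalted(), dump_salted()
    print("duplicate hashes, unsalted:", duplicate_hashes(plain))
    print("duplicate hashes, salted:  ", duplicate_hashes(salted))
    print("unsalted attack:", attack_unsalted(plain))
    print("salted attack:  ", attack_salted(salted))
```

Both attacks recover every password here because the word list contains them all; the difference is the cost, which grows with the number of users only in the salted case, and that the salted dump no longer reveals which users chose the same password. The salt must differ per user and be stored (or derivable, as the UID is here); secrecy is not required. For a new system, a purpose-built password hash (bcrypt, scrypt or Argon2) gives the same per-user salting plus a tunable work factor, which plain MD5 cannot.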


Rainbow tables rock… except for rare cases where there is no matching hash. For MD5 cracking, I sometimes need a brute-forcer (I use MD5 CrackFAST, but there are others available). This is especially useful when it would likely take longer to download a rainbow table than to brute-force the MD5 hash, especially on my connection.


new cracking technique is in the making…

It will not get your hash; instead it will disable all your security protocols temporarily and put in a password of their choice. So all your tricky algorithms are useless.



Nice try. If you really don’t want to do something illegal, then don’t try to crack actual passwords. And, contrary to what you hear, it’s really not all that easy to crack passwords (except for LM Hash). It can take hundreds of hours of computer time to generate the required tables.


Well, I discovered that it is a hexadecimal code:
DCD3D6E5E0D6B7 is actually: DC D3 D6 E5 E0 D6 B7

and I just tried some simple words, because I did know that the password must have 7 characters…
the password seemed to be: ‘service’

Simple, huh? :p
Well, now I know the password; I’ll tell the system admin that their security sucks…
But uhm, how is it to be decrypted?


Well, I spent a half hour in a text editor and figured it out; I can see you don’t know your name, but how do you not know an ASCII table? Is that even possible?

Anyway, he’s using the old algorithm where you ROT13 the password, invert the result, and XOR it with the key. That was 20 minutes, but once I figured the cipher, cracking the key was dead simple.

I should make you find it yourself, but since his security’s so lame, I’ll tell you: the key is E_LqiY:, which is not very strong.

So, yeah, definitely tell him his security sucks.
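The scheme the reply above reconstructs (ROT13 the password, invert each byte, XOR with a key) is a fixed keystream XOR, so once a single plaintext/ciphertext pair is known the key falls out byte by byte with no search at all, which is why "cracking the key was dead simple". The following is an added example, not code from either poster: it implements that cipher reading "invert" as bitwise NOT, and recovers the key from the 7-byte ciphertext DCD3D6E5E0D6B7 and the password "service" quoted above. With the key quoted in the reply, five of the seven ciphertext bytes reproduce; the key the code derives from all seven bytes differs in two positions, which the reader can confirm by running it.

```python
def rot13(s: str) -> str:
    out = []
    for c in s:
        if "a" <= c <= "z":
            out.append(chr((ord(c) - 97 + 13) % 26 + 97))
        elif "A" <= c <= "Z":
            out.append(chr((ord(c) - 65 + 13) % 26 + 65))
        else:
            out.append(c)
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    """ROT13, bitwise-NOT each byte, XOR with the key byte at the same position.
    The reply describes no key cycling, so key and plaintext must be equal length."""
    if len(key) != len(plaintext):
        raise ValueError("key must be as long as the plaintext")
    rotated = rot13(plaintext).encode()
    return "".join(f"{(~p & 0xFF) ^ k:02X}" for p, k in zip(rotated, key.encode()))


def decrypt(cipher_hex: str, key: str) -> str:
    cipher = bytes.fromhex(cipher_hex)
    if len(key) != len(cipher):
        raise ValueError("key must be as long as the ciphertext")
    # NOT commutes with XOR, so undoing the XOR and then the NOT recovers the ROT13 text;
    # ROT13 is its own inverse.
    rotated = bytes((~(c ^ k)) & 0xFF for c, k in zip(cipher, key.encode()))
    return rot13(rotated.decode())


def recover_key(known_plaintext: str, cipher_hex: str) -> str:
    """Known-plaintext attack: key byte = cipher byte XOR NOT(rot13(plaintext byte)).
    Every position is independent, so the key is read off directly."""
    cipher = bytes.fromhex(cipher_hex)
    rotated = rot13(known_plaintext).encode()
    return bytes(c ^ (~p & 0xFF) for c, p in zip(cipher, rotated)).decode("latin-1")


if __name__ == "__main__":
    CIPHER = "DCD3D6E5E0D6B7"        # the hex string posted in the thread
    key = recover_key("service", CIPHER)
    print("recovered key:", key)
    print("round trip:   ", decrypt(CIPHER, key))
    print("re-encrypted: ", encrypt("service", key))
```

The same byte-by-byte recovery works for any cipher of this shape, whatever the per-byte substitution is, as long as it is invertible and the key is combined with XOR: a single known password of the same length as the key reveals the whole key, and a reused key then decrypts every other password protected with it.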


Unless I’m mistaken, you can’t read the SAM database on Windows XP and Vista unless you have access to it already. Provided you’re under a Limited User Account you’re not going to be reading any hashes from the SAM anyway (I checked this on Windows XP and Vista). I don’t know if Windows shares keys over a network or not, but as far as a locally running computer is concerned you’re safe on a Limited User Account.


Follow up. http://www.antsight.com/zsl/rainbowcrack/faq.htm.

Can I crack lm/ntlm hash obtained via network packet capture with RainbowCrack?

No. Any challenge-response style hash is not possible, just like those salted ones.

Also note that Windows XP and Vista are using syskey now which further protects the SAM database if put to good use.


Interesting, and I will try rainbow and kitty desktop… thanks for sharing.


Am I the only poster wondering why you have a Hello Kitty Rainbow background?


(Sorry if this has been mentioned; I stopped reading the comments halfway down.) I could be wrong, but I thought the whole concept of rainbow tables was based on the fact that MD5 hashing results in a fixed-length hash (20 bytes {or was it 16})…
This means that despite an infinite (theoretically) number of passwords, there is a finite number of hashes - so (by the Pigeonhole principle) any hash may come from several passwords.
This means that adding a salt is only slightly effective, if the hacker can actually find the Hash (which is kind of the idea of rainbow tables).
The rainbow table maps back to something that SHOULD produce the hash under a straight MD5 hash. OOPS… Just had a lightbulb moment: I didn’t take into account that adding the salt is something the hacker has no control over, so the hash is not a straight MD5. I suddenly realise the value of the salt (but I’ll still post this for the next person to also have an ‘AHA’ moment).


Very nice article! Thanks for sharing.


Rainbow tables are useless for long, strong passwords. However, many feel that these are tough… they are easy.

Use a pattern based on a word and boom! Safe password.

Ex. pick a short word, enter it twice, once lower case, once holding shift… but here is a pattern: hit every key above!
a becomes aq1
So that password dog becomes:


Oops, hit tab key when I was inside the comments box.

dog becomes de3o9gt5DE#O(GT%

cat becomes cde3aq1t5CDE#AQ!T%

Strong, long, easy to remember.

I use this method to create a base. If I need a password for eBay, Gmail, my bank, then I use


If you have to change every 30 or 90 days then just add the month and year:

Long, strong, never repeats, easy to remember.
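The rule in the comments above is a keyboard walk: each letter is followed by the keys straight above it up to the number row, the whole string is then repeated with Shift held, and a month/year suffix is appended when rotation is required. The following is an added example, not code from the commenter: it implements that rule on a US QWERTY layout (the row strings and the shifted-digit mapping are assumptions made here) and reproduces the two results quoted, dog and cat. It also shows the other side of the coin: an attacker who knows the rule has one candidate per base word, so the effective search space is the word list, not the 16 to 18 characters of output.

```python
# US QWERTY rows, top to bottom, as assumed for this example. Column index is the
# position within the row, which is how "a" walks up to "q" and then "1".
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))


def walk_up(ch: str) -> str:
    """Return ch followed by every key directly above it, ending at the number row.
    Characters not on the letter/number rows are passed through unchanged."""
    for r, row in enumerate(ROWS):
        col = row.find(ch)
        if col != -1:
            out = [ch]
            for above in reversed(ROWS[:r]):
                if col < len(above):
                    out.append(above[col])
            return "".join(out)
    return ch


def shifted(s: str) -> str:
    """The same keystrokes typed with Shift held."""
    return "".join(SHIFTED_DIGITS.get(c, c.upper()) for c in s)


def pattern_password(word: str, suffix: str = "") -> str:
    """The commenter's rule: walk each letter up, then repeat the result shifted;
    an optional suffix such as a month and year covers forced rotation."""
    base = "".join(walk_up(c) for c in word.lower())
    return base + shifted(base) + suffix


def expand_wordlist(words, suffix: str = "") -> list:
    """Attacker's view: apply the known rule to a word list. One candidate per
    base word, so the rule adds length but no extra guessing work."""
    return [pattern_password(w, suffix) for w in words]


if __name__ == "__main__":
    for w in ("dog", "cat"):
        print(f"{w} -> {pattern_password(w)}")
    print("rotated:", pattern_password("dog", "0907"))
    # Constructed base-word list; the candidate count equals the list length.
    print(expand_wordlist(["dog", "cat", "fish"]))
```

Password-cracking tools express transformations like this as rules applied to a word list, so a pattern that is easy to remember because it is mechanical is equally easy to generate on the attacking side; the length of the result only matters against an attacker who does not know the rule.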


@ old post: it says that it takes about 12 hours to make 400 salts… well, most of us have faster PCs with multiple cores now, but that’s not the issue. If you have heard of the Chinese Lottery for cracking encryption, use that same idea for making hashes: say you have 20 servers with 2 quad-core CPUs each, writing out hashes 2 times faster, so let’s say
400 * 20 = 8000 in 6 hours, and you can run this unmanned for a week, so you get 8000 * 28 = 224000 or more, and although you will get some repeats you can easily filter them out.