Rainbow Hash Cracking

Is there any good reason a salt should be made up of printable/typeable [sp?] characters?

I mean, how many rainbow tables consider e.g. ASCII 9 as a character that could be in you password? I’m guessing not many.
If you can be sure it won’t break your hashing software even ASCII 0, which I would imagine brings in all sorts of incompatibility with the concept of a 0-terminated string. (Which may or may not be relevant -either way, don’t refute the entire argument based on why 0-terminated strings are irrelevant)

This is effectively just obfuscation which I am aware should never be confused with security, but it seems to me a bright idea.
At least until someone cares to point out why I’m being an idiot.

I have some doubt about effectiveness of salt. Indeed it’s fake security. I’m gonna to illustrate you something.

MD5 is like a division in which we take quotient and/or remainder part and stop. For instance: 5/2=2 remainder 1
We were originating this with 5 and 5. The same result is possible also dividing 50 by 20 = 2 remainder 1
Now … what’s the meaning adding salt to password if the resulting md5 it’s just something that I can obtain in a different manner ? I would say if the hash f74g28dae85 is obtainable with 'holy-shit+password, but I can obtain it also with ‘trouble’ … it’s not necessary that I now the original salt+password ( ‘holy-shit’+password )… once I got the combination of characters that generates the same hash, I’m ready.
What does it mean ?

It means that weak points of md5 sha1, 2 etc are:

  • fixed length
  • manner in which they are generated: they are not univoque
  • fixed charset

from the other side, something univoque is easily decryptable too.

In few words: if you generate a simple database containing each combination of hash’s characters and for each one at least ONE word that generates it, you cracked all the md5 world.

md5 returns a string of 32 characters. They are alphanumeric but the set is: 0123456789abcdef it’s hexadecimal.

so you have to generate a db that contains a finite number of md5 and it’s related generating word.

How many do they are ? being 32 fixed characters in which each one has 16 possible variations, the number is huge but not so much and it’s finite:
16 rise 32 power what a number.
16^32=3,4028236692093846346337460743177e+38
it means that you have to find: 1,0633823966279326983230456482243e+37 words
but each letter is 1 byte ( 8 bit ) so each word is 256 bytes long
it will require an amount of bytes: 8,7112285931760246646623899502533e+40
it means: 75557863725914323419136 Enna Bytes !!! ( 1 Enna byte = 1024 Peta Bytes … 1 byte = 8 bit and 1 kBytes = 1 024 bits )

Are you capable to do this ?
Are you talking again about weak points of md5 and the necessity to insert salt ?
I really can tell you that if you obtain this huge database, you can put the salt into the toilet because it’s useless.
But even with rainbow tables that actually are on line you can put it on toilet, because it’s just PROBABILITY, to find a combination of characters that gives the same result of your password + salt.
What is the probability ? it’s of course in the worst case 1/3,4028236692093846346337460743177e+38 and normalizing this you obtain 2,9387358770557187699218413430556e-37%
Of course, you can be lucky at the second tentative to get one. ore more in 20 tentatives. The frequency of this is totally unknown and it’s unknown the probability to find immediately 10 words that generates the same hash of other 10 … statistically is equally distributed … in the reality depends from your ass-factor :slight_smile:

Best Regards

mmm, i dont know show the LM hash
but thanx for the info

TEEEEEEEEEEST

teeeeeeeeest

There is, however, a fundamental flaw with all password security systems: http://xkcd.com/538/

X74@z3!

So there.

Nothing

I prefer windows password reset 6.0

http://www.resetwindowspassword.com/

Please,Help Me…

31d6cfe0d16ae931b73c59d7e0c089c0 NT Hash Admin Password ?

ronaldschaafsma

This is a guide for cracking passwords in Windows under XP, 2000, 98, and 95, all of which use roughly the same architecture. As you know, passwords are stored in windows in a weak hash form, the first kind of which is called the LM (Lan Manager) Hash. Passwords longer than 7 characters are broken up into 7-character chunks, made uppercase, and then hashed with DES.

Nice writeup. I normally go about cracking hashes in a different way though. Rainbow tables are great if you have a single hash that needs to be cracked, but they can take a very long time if you have hundreds of hashes. My order goes something like this:

  1. Online hash crackers like gdataonline.com or www.netmd5crack.com
  2. Wordlist attacks via cain and able oxid.it
  3. Rainbow table attacks via ophcrack or rcracki
  4. Brute Force via john or cain

Very nice write up

Nice writeup. I normally go about cracking hashes in a different way though. Rainbow tables are great if you have a single hash that needs to be cracked, but they can take a very long time if you have hundreds of hashes. My order goes something like this:

  1. Online hash crackers like gdataonline.com or www.netmd5crack.com
  2. Wordlist attacks via cain and able oxid.it
  3. Rainbow table attacks via ophcrack or rcracki
  4. Brute Force via john or cain

Very nice write up

The basic idea is that although nobody in their right minds stores passwords except in hashed form, even this is easy to crack if you have enough time and memory to compute all hashes in advance

I think that a random salt is possible when used with expires times (ex.: 30sec) and 2 requests (first to get random salt and second to send hash(salt + hash(pwd)). Of course this approuch is only viable when used in auth remote systems (like websites). =)

I think that a random salt is possible when used with expires times (ex.: 30sec) and 2 requests (first to get random salt and second to send hash(salt + hash(pwd)). Of course this approuch is only viable when used in auth remote systems (like websites). =)

a href="http://www.owasp.org/index.php/Hashing_Java"http://www.owasp.org/index.php/Hashing_Java/a

Using a server-wide salt value for all passwords is akin to wrapping your bullet-resistant glass in cellophane. You’ve just taken a reasonably strong, industry-standard security measure and wrapped it in the naivest possible form of security, the good ole’ hard-coded password.

Random salts are intended to prevent a dictionary attack. Nothing more, nothing less. To accomplish this, as well as the side benefit of defeating rainbow tables, they do not need to private or cryptographically strong. It also does not matter if the salt is appended, prepended, or randomly distributed within the original password, as long as the process is repeatable. The point is, if two users have the same password (something crackers frequently try to make use of), they won’t have the same hash. And if someone wants to run a dictionary or even a brute-force attack, they now have to re-run it for every single user.

Most importantly, if you’ve secured your database properly and your hacker does NOT have direct access to every password, then they may try to sniff the password over a network, and assuming your security takes replays into account, a random salt makes the sniffed hash much more difficult to use. I suppose a constant, hard-coded salt provides some security here - unless the hacker happens to be a disgruntled ex-employee who knows what it is, which is actually the most common cause of espionage.

By all means, secure your salts too if you’re paranoid. Put them in a separate table or a separate database or even a separate server. Or even better, use a nonce, or a much stronger scheme like Kerberos. It can’t hurt. But a global hard-coded shared secret is no substitute for a random salt. It’s a feel-good measure, effectively useless and bordering on superstition, but enough for someone to give himself a pat on the back for being more secure.

If you want to be really clever about your salts, then don’t just stick them at the beginning or end; use an algorithm that distributes the salt characters within the original password in a way that’s dependent on the password itself. That way, a 10-character salt is essentially useless to anyone who doesn’t know the distribution algorithm. You’ll get all the benefits of secrecy without sacrificing the security itself.