From b961ffa86208e052cb9515c689d99e7ffdb4e07f Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Tue, 23 Sep 2014 08:00:22 -0400 Subject: [PATCH 1/8] Half-ass attempt at pwdump There is not a lot of information to steal online, need to revisit this file --- tools/pwdump.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 tools/pwdump.md diff --git a/tools/pwdump.md b/tools/pwdump.md new file mode 100644 index 0000000..c22f746 --- /dev/null +++ b/tools/pwdump.md @@ -0,0 +1,27 @@ +# pwdump + +Notes +------- +General information about the tool. + +What would you use this tool for? +Why would you use it? + + +Help Text +------- +``` +usage: /usr/bin/pwdump +``` + +Example Usage +------- +Any helpful examples found around the web or from personal experience + +``` +Actual commands can go here +``` + +Links +------- +[creddump](https://code.google.com/p/creddump/source/browse/trunk/pwdump.py) From c476ac386c87264a5aee5365dcfa802b28f74f3b Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Tue, 23 Sep 2014 08:01:18 -0400 Subject: [PATCH 2/8] Update index to include pwdump --- password/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/password/index.md b/password/index.md index 8665e99..a2ccaa2 100644 --- a/password/index.md +++ b/password/index.md @@ -24,7 +24,7 @@ Offline Attacks * [ophcrack](../tools/ophcrack.md) * [ophcrack-cli](../tools/ophcrack-cli.md) * [policygen](../tools/policygen.md) - * [pwdump](../tools/_template.md) + * [pwdump](../tools/pwdump.md) * [pyrit](../tools/pyrit.md) * [rainbowcrack](../tools/_template.md) * [rcracki_mt](../tools/_template.md) From 07666804c2fcec3711e760a661284c238ddf0176 Mon Sep 17 00:00:00 2001 
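Review bot: tools/pwdump.md still ships the template placeholders in its Notes and Example Usage sections (`General information about the tool.`, `What would you use this tool for?`, `Actual commands can go here`), and the Help Text block is just `usage: /usr/bin/pwdump`, which is not the usage output of any pwdump. Several unrelated programs carry this name, and the only link on the page points at creddump's pwdump.py, so the Notes should say which pwdump the page documents and the Help Text should be the real usage/--help output of that program (or be left out until it has been captured). If the file has to land unfinished, as the commit message says it does, a single visible TODO line is better than placeholder text that renders as if it were content.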
From: Will Pennell Date: Tue, 23 Sep 2014 21:16:18 -0400 Subject: [PATCH 3/8] added rainbowcrack I hope the table format works! --- password/index.md | 2 +- tools/rainbowcrack.md | 213 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 214 insertions(+), 1 deletion(-) create mode 100644 tools/rainbowcrack.md diff --git a/password/index.md b/password/index.md index a2ccaa2..0114442 100644 --- a/password/index.md +++ b/password/index.md @@ -26,7 +26,7 @@ Offline Attacks * [policygen](../tools/policygen.md) * [pwdump](../tools/pwdump.md) * [pyrit](../tools/pyrit.md) - * [rainbowcrack](../tools/_template.md) + * [rainbowcrack](../tools/rainbowcrack.md) * [rcracki_mt](../tools/_template.md) * [rsmangler](../tools/_template.md) * [samdump2](../tools/_template.md) diff --git a/tools/rainbowcrack.md b/tools/rainbowcrack.md new file mode 100644 index 0000000..e8f5aae --- /dev/null +++ b/tools/rainbowcrack.md 
@@ -0,0 +1,213 @@ +# rcrack (rainbowcrack) + +Notes +------- +RainbowCrack is a general propose implementation of Philippe Oechslin's faster time-memory trade-off technique. It crack hashes with rainbow tables. + +RainbowCrack uses time-memory tradeoff algorithm to crack hashes. It differs from brute force hash crackers. + +A brute force hash cracker generate all possible plaintexts and compute the corresponding hashes on the fly, then compare the hashes with the hash to be cracked. Once a match is found, the plaintext is found. If all possible plaintexts are tested and no match is found, the plaintext is not found. With this type of hash cracking, all intermediate computation results are discarded. + +A time-memory tradeoff hash cracker need a pre-computation stage, at the time all plaintext/hash pairs within the selected hash algorithm, charset, plaintext length are computed and results are stored in files called rainbow table. It is time consuming to do this kind of computation. But once the one time pre-computation is finished, hashes stored in the table can be cracked with much better performance than a brute force cracker. + +In this project, we focus on the development of optimized time-memory tradeoff implementation. GPU acceleration is another key feature of RainbowCrack software. By offloading most runtime computation to NVIDIA/AMD GPU, overall hash cracking performance can be improved further. + + +Help Text +------- +``` +RainbowCrack 1.5 +Copyright 2003-2010 RainbowCrack Project. All rights reserved. +Official Website: http://project-rainbowcrack.com/ + +usage: rcrack rt_files [rt_files ...] -h hash + rcrack rt_files [rt_files ...] -l hash_list_file + rcrack rt_files [rt_files ...] -f pwdump_file + rcrack rt_files [rt_files ...] -n pwdump_file +rt_files: path to the rainbow table(s), wildchar(*, ?) 
supported +-h hash: load single hash +-l hash_list_file: load hashes from a file, each hash in a line +-f pwdump_file: load lanmanager hashes from pwdump file +-n pwdump_file: load ntlm hashes from pwdump file + +hash algorithms implemented in alglib0.so: + lm, plaintext_len limit: 0 - 7 + ntlm, plaintext_len limit: 0 - 15 + md5, plaintext_len limit: 0 - 15 + sha1, plaintext_len limit: 0 - 20 + mysqlsha1, plaintext_len limit: 0 - 20 + halflmchall, plaintext_len limit: 0 - 7 + ntlmchall, plaintext_len limit: 0 - 15 + oracle-SYSTEM, plaintext_len limit: 0 - 10 + md5-half, plaintext_len limit: 0 - 15 + +example: rcrack *.rt -h 5d41402abc4b2a76b9719d911017c592 + rcrack *.rt -l hash.txt + +``` + +Example Usage +------- +TThe rcrack program lookup existing rainbow tables for the plaintext of user supplied hash. + +Six similar programs are available: + +|Program |User Interface |GPU Acceleration| +|rcrack |Command Line|| +|rcrack_cuda |Command Line |NVIDIA CUDA| +|rcrack_cl |Command Line |AMD OpenCL| +|rcrack_gui |GUI || +|rcrack_cuda_gui |GUI NVIDIA CUDA| +|rcrack_cl_gui |GUI |AMD OpenCL| +Command line program is ideal for batch processing, and GUI program is easy to use. + +Rainbow tables used by rcrack program must already be sorted with rtsort program, and optionally converted to .rtc file format with rt2rtc program. + +Rainbow Table Lookup with rcrack/rcrack_cuda/rcrack_cl Program + +*General Use* + +Assume rainbow tables are in directory c:\rt. + +To crack single hash: + +``` +rcrack/rcrack_cuda/rcrack_cl c:\rt\*.* -h fcea920f7412b5da7be0cf42b8c93759 +``` +To crack multiple hashes: + +``` +rcrack/rcrack_cuda/rcrack_cl c:\rt\*.* -l hash_list_file +``` +In the example above, hash_list_file is a text file with each hash in one line. 
+ +To lookup rainbow tables in multiple directories: + +``` +rcrack/rcrack_cuda/rcrack_cl c:\rt1\*.* c:\rt2\*.* -l hash_list_file +``` +In the example above, the rcrack/rcrack_cuda/rcrack_cl program will lookup rainbow tables in c:\rt1 and c:\rt2 directories sequentially. + +*Special Consideration for LM/NTLM Hash* + +LM/NTLM hashes are usually saved in text file of pwdump format. + +Content of typical pwdump file: + +``` +Administrator:500:1c3a2b6d939a1021aad3b435b51404ee:e24106942bf38bcf57a6a4b29016eff6::: +Guest:501:a296c9e4267e9ba9aad3b435b51404ee:9d978dda95e5185bbeda9b3ae00f84b4::: +``` +To load and crack LM hashes from pwdump file: + +``` +rcrack/rcrack_cuda/rcrack_cl c:\rt\*.* -f pwdump_file +``` +To load and crack NTLM hashes from pwdump file: + +``` +rcrack/rcrack_cuda/rcrack_cl c:\rt\*.* -n pwdump_file +``` + +*Rainbow Table Generation* + +The rtgen program generate rainbow tables based on parameters specified by user, and the rtsort program post processing the rainbow tables to enable fast lookup. + +After the two steps above (rtgen and rtsort), rainbow tables can be used to crack hashes with rcrack program. + +*Generate Rainbow Table with rtgen Program* + +Command line syntax of rtgen program: + +``` +rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index +``` +An example to generate a rainbow table set with 6 rainbow tables: + +``` +rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0 +``` +Options: + +|hash_algorithm |Rainbow table is hash algorithm specific. 
Rainbow table for a certain hash algorithm only helps to crack hashes of that type.| +The rtgen program natively support lots of hash algorithms like lm, ntlm, md5, sha1, mysqlsha1, halflmchall, ntlmchall, oracle-SYSTEM and md5-half. +In the example above, we generate md5 rainbow tables that speed up cracking of md5 hashes.| +|charset |The charset includes all possible characters for the plaintext. +"loweralpha-numeric" stands for "abcdefghijklmnopqrstuvwxyz0123456789", which is defined in configuration file charset.txt. +|plaintext_len_min +plaintext_len_max| +These two parameters limit the plaintext length range of the rainbow table. +In the example above, the plaintext length range is 1 to 7. So plaintexts like "a" and "abcdefg" are likely contained in the rainbow table generated. But plaintext "abcdefgh" with length 8 will not be contained.| +|table_index1 |The table_index parameter selects the reduction function. +Rainbow table with different table_index parameter uses different reduction function.| +|chain_len1 |This is the rainbow chain length. Longer rainbow chain stores more plaintexts and requires longer time to generate.| +|chain_num1 |Number of rainbow chains to generate. +Rainbow table is simply an array of rainbow chains. Size of each rainbow chain is 16 bytes.| +part_index |To store a large rainbow table in many smaller files, use different number in this parameter for each part and keep all other parameters identical.| + +There are many rainbow table characteristics determined implicitly by table generation parameters: + +|Table Size |With .rt rainbow table format, file size of a rainbow table equals to chain_num parameter multiplied by 16.| +|Key Space |Key space is the number of possible plaintexts, calculated based on number of characters in charset and plaintext length range parameters. 
+In the example above, key space is 361 + 362 + 363 + 364 + 365 + 366 + 367 = 80603140212| +|Success Rate |The time-memory tradeoff algorithm is a probabilistic algorithm. +Whatever the parameters are selected, there always exist many plaintexts (within the selected charset and plaintext length range) missing from the rainbow table generated. +In the example above, success rate is 99.9% with all 6 rainbow tables. +Success rate is determined by all table generation parameters except the hash_algorithm parameter.| + +To start generating the first rainbow table, run following command in a command window: + +``` +rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0 +``` +CPU will be busy computing rainbow chains. On system with multi-core processor, all cores are fully utilized. + +To pause table generation, just press Ctrl+C and rtgen program will exit. Next time if the rtgen program is executed with exactly same parameters, table generation is resumed. + +This command takes hours to complete with ordinary processor. + +When finished, a file "`md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt`" sized 512 MB is in current directory. The file name stores all table generation parameters. 
+ +Now generate the remaining 5 rainbow tables: + +``` +rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0 +rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0 +``` +Finally, there are 6 rainbow tables generated: + +``` +536,870,912 md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt +536,870,912 md5_loweralpha-numeric#1-7_1_3800x33554432_0.rt +536,870,912 md5_loweralpha-numeric#1-7_2_3800x33554432_0.rt +536,870,912 md5_loweralpha-numeric#1-7_3_3800x33554432_0.rt +536,870,912 md5_loweralpha-numeric#1-7_4_3800x33554432_0.rt +536,870,912 md5_loweralpha-numeric#1-7_5_3800x33554432_0.rt +``` +Sort Rainbow Table with rtsort Program + +Rainbow table is an array of rainbow chains. Each rainbow chain has a start point and an end point. The rtsort program sorts the rainbow chains by end point to make binary search possible. + +Run following command to sort all .rt rainbow tables in current directory: + +``` +rtsort *.rt +``` +Never interrupt the rtsort program; otherwise the rainbow table being sorted may be damaged. + +If free memory size is smaller than the size of rainbow table being sorted, temporary hard disk space as large as the rainbow table size is needed to store intermediate results. + + + +Links +------- +* [rainbowcrack](http://project-rainbowcrack.com/) +* [rainbow tables](http://project-rainbowcrack.com/table.htm) \ No newline at end of file From 8503e3e9eee63b5e49c40b8bb5f794bd70391530 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Tue, 23 Sep 2014 21:36:15 -0400 Subject: [PATCH 4/8] added rcracki_mt --- password/index.md | 2 +- tools/rcracki_mt.md | 223 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 224 insertions(+), 1 deletion(-) create mode 100644 tools/rcracki_mt.md diff --git a/password/index.md b/password/index.md index 0114442..6729643 100644 --- a/password/index.md 
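Review bot: the "Six similar programs" table in tools/rainbowcrack.md is missing the separator row (`|---|---|---|`) between the header `|Program |User Interface |GPU Acceleration|` and the data rows, so it will not render as a table, and the row `|rcrack_cuda_gui |GUI NVIDIA CUDA|` is missing the pipe between `GUI` and `NVIDIA CUDA`. The Options and characteristics tables further down are a bigger problem: their cells span several lines (e.g. `|plaintext_len_min` / `plaintext_len_max|`), which Markdown tables cannot express, so those should be plain definition paragraphs or a list. While copying from the project site the superscripts were lost: `key space is 361 + 362 + 363 + 364 + 365 + 366 + 367 = 80603140212` should read 36^1 + 36^2 + ... + 36^7 (the stated total is correct for that sum), and the `1` glued onto `table_index1`, `chain_len1` and `chain_num1` is a footnote marker, not part of the parameter name. Minor: `TThe rcrack program lookup` has a doubled T, and since the Notes and Example Usage are pasted from project-rainbowcrack.com in the project's own voice ("In this project, we focus on...") say so at the top of the section rather than only in Links.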
+++ b/password/index.md @@ -27,7 +27,7 @@ Offline Attacks * [pwdump](../tools/pwdump.md) * [pyrit](../tools/pyrit.md) * [rainbowcrack](../tools/rainbowcrack.md) - * [rcracki_mt](../tools/_template.md) + * [rcracki_mt](../tools/rcracki_mt.md) * [rsmangler](../tools/_template.md) * [samdump2](../tools/_template.md) * [sipcrack](../tools/_template.md) diff --git a/tools/rcracki_mt.md b/tools/rcracki_mt.md new file mode 100644 index 0000000..f927740 --- /dev/null +++ b/tools/rcracki_mt.md 
@@ -0,0 +1,223 @@ +# rcracki_mt (rainbowcrack multi-threaded) + +Notes +------- +Rcracki_mt can be used to perform a rainbow table attack on password hashes. It is intended for indexed&perfected rainbow tables, mainly generated by the distributed project [freerainbowtables](www.freerainbowtables.com) + + +Help Text +------- +``` +RainbowCrack (improved, multi-threaded) - Making a Faster Cryptanalytic Time-Memory Trade-Off +by Martin Westergaard +multi-threaded and enhanced by neinbrucke +*nix/64-bit compatibility and co-maintainer - James Nobis +http://www.freerainbowtables.com/ +All code/binaries are under GPL2 Copyright at a minimum +original code by Zhu Shuanglei + +usage: rcracki_mt -h hash rainbow_table_pathname + rcracki_mt -l hash_list_file rainbow_table_pathname + rcracki_mt -f pwdump_file rainbow_table_pathname + rcracki_mt -c lst_file rainbow_table_pathname + +-h hash: use raw hash as input +-l hash_list_file: use hash list file as input, each hash in a line +-f pwdump_file: use pwdump file as input, handles lanmanager hash only +-c lst_file: use .lst (cain format) file as input +-r [-s session_name]: resume from previous session, optional session name +rainbow_table_pathname: pathname(s) of the rainbow table(s) + +Extra options: -t [nr] use this amount of threads/cores, default is 1 + -o [output_file] write (temporary) results to this file + -s [session_name] write session data with this name + -k keep precalculation on disk + -d run sha1 hashes against mysqlsha1 tables + -m [megabytes] limit memory usage + -v show debug information + +example: rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 [path]/MD5 + rcracki_mt -l hash.txt [path_to_specific_table]/* + rcracki_mt -f hash.txt -t 4 -o results.txt *.rti + +``` + +Example Usage +------- +stolen from the readme on source forge + +``` +USAGE +================ +example: rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 4 -o save.txt C:\md5 + +Start rcracki_mt without any arguments to view usage 
information in short. This README describes the various +options in more detail. Many options can be set to a default value by editing rcracki_mt.ini. Command line +arguments get priority over settings in the ini file. + +INPUT +---------------- +rcracki_mt takes one hash on the command line (using -h) or an input file containing the hashes. rcracki_mt supports +three formats for the input file. Use one of the following options to specify the format followed by the filename: + +-l: specify a list of hashes (one hash per line) +-f: specify a pwdump file +-c: specify a .lst file (format in which Cain stores hashes and results) + +SELECTING RAINBOW TABLES +---------------- +Any command line argument that is not an option will be interpreted as a directory to search for rainbow tables, +multiple directories can be specified. rcracki_mt recursively scans all specified directories for *.rti (indexed) +and *.rt (old/original) files. You can use .rt & .rti files at once, but this hasn't been tested thoroughly. + +You can set default locations to search for rainbow tables in rcracki_mt.ini. You need to use these in combination +with the command line argument -a [algorithm]. See the comments in the ini file for examples. + +SESSIONS & RESUMING +---------------- +Rcracki_mt has session support, which means that it stores its progress. This allows you to interrupt the session +and resume later on. This also allows sessions that stopped because of a crash (application or even system) to +resume. To use this feature, start rcracki_mt with all the options you'd like, then specify a session name with: + +-s session_name: specify a session name + +Now during cracking, all your valuable precalculations are stored to disk, as well as progress (which files have +been checked) and cracked hashes. If you decide to interrupt the session (using CTRL+C), you can resume it using +the -r option. 
For example: + +rcracki_mt -r -s my_personal_hashes + +While resuming rcracki_mt you can/have to specify the less important options again, like number of threads and +showing debug information. Usually you will have these settings set to a default value in the .ini file anyway. +Session are deleted after the run is completed. You can choose to keep the precalculation work on disk, for example +if you want to reuse your session later on. Use the '-k' option to enable this feature. + +Rcracki_mt has a default session which gets overwritten every time you start a new job without specifying a session +name. It might be interesting to always keep precalculation work by enabling this feature in rcracki_mt.ini. But +pay attention, these precalculations can become quite large on disk. Currently there is a maximum of around 500 GB +of storage for these precalculations. You can always decide to manually remove the .precalc and .precalc.index +files from disk. Always remove both at the same time, you will screw up your results if you don't. A possible +'todo' for development is to do some verification before using stored precalculations. + +OPTIONAL +---------------- +-t: Number of threads to use (for precalculation and false alarm checking) +Note: In Windows the crack threads run with lower priority. + +-o: specify an output file to store found hashes in a colon (:) separated format. + Hashes are saved immediately when found. Especially useful if you have a large list of hashes. + +-v: Show more information during cracking, for debugging purposes. Please use this flag if you want to show +output and report a bug. + + +EXTRA FEATURES +---------------- +You can pause a running rcracki_mt by using 'P'. It might not pause right away, it actually pauses after doing +precalculation or false alarm checking for one hash. Resume by pressing 'P' again. 
This pause option is different +from the session/resume feature, as this just pauses a running job, you don't stop rcracki_mt this way. + +If you are trying to crack a pwdump or Cain (.lst) file, containing both LM and NTLM hashes, rcracki_mt will try +and crack the LM hashes. The result will be an uppercase password, which rcracki_mt will then try to correct with +the right casing, using the NTLM hashes. If this fails it will try and perform Unicode correction, using a built-in +mapping. If you happen to have an LM hash coupled with the wrong NTLM hash, this attempt to perform Unicode +correction might take 'forever'. You can press 'S' to skip this step for the current hash. + + +HISTORY AND AUTHORS +================ +rcracki_mt originally started as a modification of a modification (rcracki) of the original RainbowCrack (rcrack). +These programs are all used to perform a rainbow table attack on password hashes, implementing Philippe Oechslin's +faster time-memory trade-off technique. + +Original rcrack code was written by Zhu Shuanglei . + +Martin Westergaard Jørgensen wrote rcracki (improved) to support the rainbow tables +generated by the distributed project www.freerainbowtables.com. These tables are perfected and indexed, making them +faster and smaller. Rcracki also supported hybrid tables. + +Daniël Niggebrugge further enhanced this version and made it multi threaded, creating rcracki_mt. More +features were added over time, making it less of an unofficial version with every release. + +James Nobis - improved *nix compatibility and 64-bit compatability and +continues work on the project. 
+ + +SUPPORTED HASH ALGORITHMS +================ +Hash types supported by rcracki_mt are: LM, NTLM, MD2, MD4, MD5, DoubleMD5, SHA1, RIPEMD160, MSCACHE, MySQL323, +MySQLSHA1, PIX, LMCHALL, HALFLMCHALL, NTLMCHALL, ORACLE + +Actual indexed&perfected tables that were generated by the Free Rainbow Tables project: LM, MD5, NTLM, FASTLM, HALFLMCHALL, SHA1 + + +SUPPORTED PLATFORMS +================ +Rcracki_mt is released both as win32 binary and as source package. Rcracki_mt should work on any Microsoft Windows system, but is only tested on a 32 bit Windows XP. + +The source should work on Linux distributions. It has been tested on: +32-bit Ubuntu +32-bit Debian GNU/Linux +64-bit Debian GNU/Linux + +The source should also work on other platforms and has been tested on: +32-bit MacOSX + +32-bit FreeBSD +64-bit FreeBSD +32-bit NetBSD +32-bit OpenBSD - you must install and use eg++ from ports +64-bit OpenBSD + +Only compilation has been tested on: +64-bit MacOSX + +Please note that to compile under the BSDs you must use gmake. + +OpenBSD threading is a work in progress. + +'OPTIONAL' TODO +================ +- verification of an endpoint when restoring a chainwalkset from disk. +- read multiple chainwalksets from disk at once to try and speed up this process. +- read next table (part) from disk while doing cryptanalysis + + +LINKS +================ +rcracki_mt @ SourceForge: https://sourceforge.net/projects/rcracki/ +Original rcrack: http://www.antsight.com/zsl/rainbowcrack/ +Free Rainbow Tables: http://www.freerainbowtables.com/ +My personal blog: http://blog.distracted.nl/ +Download free rainbow tables: http://tbhost.eu/ +Download free rainbow tables (mirror): http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/ + + +THANKS +================ +the_drag0n Writing part of this README + Patch to support Cain .lst files +Joao Inacio Supplying some faster algorithm implementations + + +FAQ +================ +Q: Why do I get this message all the time? 
"this table contains hashes with length 8 only" +A: You are probably trying to crack LM hashes. You have to split up the hash in 2 parts of 16 hex characters each. + +Q: rcracki_mt is so slow when I'm cracking 5000 hashes, why is that? +A: Rainbow table attacks are only useful for a certain amount of hashes, mainly because of the precalculations that +are needed for every hash you are cracking. At a certain point it is faster to brute force the same key space then +to try and use rainbow tables. Especially if you use a GPU enabled brute forcer, this limit might be reached very +soon. Play around with these to find you limits. + +Q: How can I speed up rcracki_mt? +A: This depends on quite some factors. If your jobs usually comprise of disk access time, you can try and speed up +your storage. For example by using RAID and/or by using solid state disks. If you are trying to crack many hashes +at the same time, you might be better off with buying a faster CPU. +``` + +Links +------- +* [sourceforge](http://sourceforge.net/projects/rcracki/) +* [How to use rainbow tables with rcracki_mt](https://www.freerainbowtables.com/articles/how_to_use_rainbow_tables_with_rcracki_mt/) \ No newline at end of file From e8a9f01f8fad56482dabc101634bdeaba5f52ff5 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Tue, 23 Sep 2014 21:53:28 -0400 Subject: [PATCH 5/8] added rsmangler need to develop example usage --- password/index.md | 2 +- tools/rsmangler.md | 62 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 tools/rsmangler.md diff --git a/password/index.md b/password/index.md index 6729643..82c6faf 100644 --- a/password/index.md +++ b/password/index.md 
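Review bot: in tools/rcracki_mt.md the link `[freerainbowtables](www.freerainbowtables.com)` has no scheme, so it renders as a relative link to `tools/www.freerainbowtables.com`; it needs `http://`. The Example Usage section is the whole SourceForge README inside one code fence rather than examples; the README belongs in Notes or as a link under Links, and Example Usage should hold runnable commands, which the help text already supplies (`rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 [path]/MD5`, `rcracki_mt -f hash.txt -t 4 -o results.txt *.rti`). Two points from that README are worth pulling out next to those commands because they bite first-time users: `-f` handles LM hashes only, and an LM hash passed with `-h` has to be split into two 16-hex-character halves or the tool complains that the table "contains hashes with length 8 only". Also replace "stolen from the readme on source forge" with a plain attribution and a link to the README.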
@@ -28,7 +28,7 @@ Offline Attacks * [pyrit](../tools/pyrit.md) * [rainbowcrack](../tools/rainbowcrack.md) * [rcracki_mt](../tools/rcracki_mt.md) - * [rsmangler](../tools/_template.md) + * [rsmangler](../tools/rsmangler.md) * [samdump2](../tools/_template.md) * [sipcrack](../tools/_template.md) * [sucrack](../tools/_template.md) diff --git a/tools/rsmangler.md b/tools/rsmangler.md new file mode 100644 index 0000000..6a5cc3e --- /dev/null +++ b/tools/rsmangler.md 
@@ -0,0 +1,62 @@ +# rsmangler + +Notes +------- +General information about the tool. + +What would you use this tool for? +Why would you use it? + + +Help Text +------- +``` +rsmangler v 1.4 Robin Wood (robin@digininja.org) + +To pass the initial words in on standard in do: + +cat wordlist.txt | ./rsmangler.rb --file - > new_wordlist.rb + +All options are ON by default, these parameters turn them OFF + +Usage: rsmangler.rb [OPTION] + --help, -h: show help + --file, -f: the input file, use - for STDIN + --max, -x: maximum word length + --min, -m: minimum word length + --perms, -p: permutate all the words + --double, -d: double each word + --reverse, -r: reverser the word + --leet, -t: l33t speak the word + --full-leet, -T: all posibilities l33t + --capital, -c: capitalise the word + --upper, -u: uppercase the word + --lower, -l: lowercase the word + --swap, -s: swap the case of the word + --ed, -e: add ed to the end of the word + --ing, -i: add ing to the end of the word + --punctuation: add common punctuation to the end of the word + --years, -y: add all years from 1990 to current year to start and end + --acronym, -a: create an acronym based on all the words entered in order and add to word list + --common, -C: add the following words to start and end: admin, sys, pw, pwd + --pna: add 01 - 09 to the end of the word + --pnb: add 01 - 09 to the beginning of the word + --na: add 1 - 123 to the end of the word + --nb: add 1 - 123 to the beginning of the word + --force - don't check ooutput size + --space - add spaces between words + +``` + +Example Usage +------- +Any helpful examples found around the web or from personal experience + +``` +Actual commands can go here +``` + +Links +------- +Include a link to the tools source / github / sourceforge / etc. +Include any links to helpful example such as videos, webpages, etc. From 8631096f31c97f8c9762b0a36d7431d24bbe5f1e Mon Sep 17 00:00:00 2001 
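Review bot: tools/rsmangler.md lands with the template placeholders still in place in Notes, Example Usage and Links (`General information about the tool.`, `Actual commands can go here`, `Include a link to the tools source`), which the commit message acknowledges for Example Usage. When that section is written, the one thing it must make explicit is the line in the help text `All options are ON by default, these parameters turn them OFF`: a reader skimming `--leet, -t: l33t speak the word` will assume `-t` enables leet-speak when it actually disables it. An example built from the help text's own pipeline, such as `cat words.txt | ./rsmangler.rb --file - -t -T -y > words.mangled`, with a sentence saying this drops the leet and year mangles, would make that clear; note too that the help text's `> new_wordlist.rb` writes a wordlist, not a Ruby file, so the page's own example should use a less confusing output name.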
From: Eid010n Date: Wed, 24 Sep 2014 07:07:56 -0400 Subject: [PATCH 6/8] Fixed intro --- tools/rsmangler.md | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/tools/rsmangler.md b/tools/rsmangler.md index 6a5cc3e..64fd5d4 100644 --- a/tools/rsmangler.md +++ b/tools/rsmangler.md @@ -2,10 +2,38 @@ Notes ------- -General information about the tool. +RSMangler will take a wordlist and perform various manipulations on it similar to those done by John the Ripper the main difference being that it will first take the input words and generate all permutations and the acronym of the words (in order they appear in the file) before it applies the rest of the mangles, for example given the following three input words: -What would you use this tool for? -Why would you use it? +* freds +* national +* bank + +RSMangler would generate the following initial word list: + +* freds +* national +* bank +* fredsnational +* fredsbank +* nationalfreds +* nationalbank +* bankfreds +* banknational +* fredsnationalbank +* fredsbanknational +* nationalfredsbank +* nationalbankfreds +* bankfredsnational +* banknationalfreds +* fnb + +Each of these new words is then subject to the other mangles, because of this we strongly recommend with permutations mode enabled (default) you use a very small wordlist, 3 start words create a final list containing 4245 words and 5 start words creates a list containing 91975. As a test we tried it with a few hundred words and gave up when the output file got to 3G. + +If you try to use a file with more than 5 words you will get a warning and the option to abort. + +Other mangles include adding the numbers 1 to 123 to the start and end, 01 to 09 to the start and end, various case manipulations, leet speak, word reversal, ed and ing on the end and doubling words up. + +The initial wordlist can either be specified as a file or can be piped in through STDIN. Help Text 
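Review bot: the replacement Notes text is pasted from the rsmangler project page in its author's first-person voice ("we strongly recommend", "As a test we tried it with a few hundred words and gave up when the output file got to 3G"), so lead the section with where it comes from, otherwise "we" reads as this repository's maintainers. The opening sentence runs for about sixty words; break it after "John the Ripper" and start the next sentence at "The main difference is that it first...". The warning paragraph is the part a user needs most and deserves to stand out: with permutations on by default, 5 input words already give 91975 candidates and a few hundred words produced a 3G file, so state plainly that the input is meant to be a handful of target-specific words (company name, product, location), not a general wordlist.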
@@ -58,5 +86,5 @@ Actual commands can go here Links ------- -Include a link to the tools source / github / sourceforge / etc. -Include any links to helpful example such as videos, webpages, etc. +* [digininja](http://digi.ninja/projects/rsmangler.php) +* [randomstorm](https://www.randomstorm.com/resources/free-tools/rsmangler/) From e60c43f9809d438954e79b9d8430f85694789f71 Mon Sep 17 00:00:00 2001 From: Eid010n Date: Wed, 24 Sep 2014 07:14:01 -0400 Subject: [PATCH 7/8] formatting resolving #109 --- tools/rainbowcrack.md | 38 ++++++++++++++++++++++---------------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/tools/rainbowcrack.md b/tools/rainbowcrack.md index e8f5aae..f805e91 100644 --- a/tools/rainbowcrack.md +++ b/tools/rainbowcrack.md 
@@ -134,28 +134,34 @@ rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0 ``` Options: -|hash_algorithm |Rainbow table is hash algorithm specific. Rainbow table for a certain hash algorithm only helps to crack hashes of that type.| +*hash_algorithm* Rainbow table is hash algorithm specific. Rainbow table for a certain hash algorithm only helps to crack hashes of that type. The rtgen program natively support lots of hash algorithms like lm, ntlm, md5, sha1, mysqlsha1, halflmchall, ntlmchall, oracle-SYSTEM and md5-half. -In the example above, we generate md5 rainbow tables that speed up cracking of md5 hashes.| -|charset |The charset includes all possible characters for the plaintext. +In the example above, we generate md5 rainbow tables that speed up cracking of md5 hashes. + +*charset* The charset includes all possible characters for the plaintext. "loweralpha-numeric" stands for "abcdefghijklmnopqrstuvwxyz0123456789", which is defined in configuration file charset.txt. -|plaintext_len_min -plaintext_len_max| -These two parameters limit the plaintext length range of the rainbow table. + +*plaintext_len_min* or *plaintext_len_max* These two parameters limit the plaintext length range of the rainbow table. In the example above, the plaintext length range is 1 to 7. So plaintexts like "a" and "abcdefg" are likely contained in the rainbow table generated. But plaintext "abcdefgh" with length 8 will not be contained.| -|table_index1 |The table_index parameter selects the reduction function. -Rainbow table with different table_index parameter uses different reduction function.| -|chain_len1 |This is the rainbow chain length. Longer rainbow chain stores more plaintexts and requires longer time to generate.| -|chain_num1 |Number of rainbow chains to generate. -Rainbow table is simply an array of rainbow chains. 
Size of each rainbow chain is 16 bytes.| -part_index |To store a large rainbow table in many smaller files, use different number in this parameter for each part and keep all other parameters identical.| + +*table_index1* The table_index parameter selects the reduction function. +Rainbow table with different table_index parameter uses different reduction function. + +*chain_len1* This is the rainbow chain length. Longer rainbow chain stores more plaintexts and requires longer time to generate. + +*chain_num1* Number of rainbow chains to generate. +Rainbow table is simply an array of rainbow chains. Size of each rainbow chain is 16 bytes. + +*part_index* To store a large rainbow table in many smaller files, use different number in this parameter for each part and keep all other parameters identical.| There are many rainbow table characteristics determined implicitly by table generation parameters: -|Table Size |With .rt rainbow table format, file size of a rainbow table equals to chain_num parameter multiplied by 16.| -|Key Space |Key space is the number of possible plaintexts, calculated based on number of characters in charset and plaintext length range parameters. -In the example above, key space is 361 + 362 + 363 + 364 + 365 + 366 + 367 = 80603140212| -|Success Rate |The time-memory tradeoff algorithm is a probabilistic algorithm. +*Table Size* With .rt rainbow table format, file size of a rainbow table equals to chain_num parameter multiplied by 16. + +*Key Space* Key space is the number of possible plaintexts, calculated based on number of characters in charset and plaintext length range parameters. +In the example above, key space is 361 + 362 + 363 + 364 + 365 + 366 + 367 = 80603140212 + +*Success Rate* The time-memory tradeoff algorithm is a probabilistic algorithm. Whatever the parameters are selected, there always exist many plaintexts (within the selected charset and plaintext length range) missing from the rainbow table generated. 
In the example above, success rate is 99.9% with all 6 rainbow tables. Success rate is determined by all table generation parameters except the hash_algorithm parameter.| From a59f8db760ea2b1a4e0d71da3bdd0cfc1dd045d0 Mon Sep 17 00:00:00 2001 From: Eid010n Date: Wed, 24 Sep 2014 22:37:57 -0400 Subject: [PATCH 8/8] samdump2 --- password/index.md | 2 +- tools/samdump2.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 tools/samdump2.md diff --git a/password/index.md b/password/index.md index 82c6faf..0f1f870 100644 --- a/password/index.md +++ b/password/index.md @@ -29,7 +29,7 @@ Offline Attacks * [rainbowcrack](../tools/rainbowcrack.md) * [rcracki_mt](../tools/rcracki_mt.md) * [rsmangler](../tools/rsmangler.md) - * [samdump2](../tools/_template.md) + * [samdump2](../tools/samdump2.md) * [sipcrack](../tools/_template.md) * [sucrack](../tools/_template.md) * [truecrack](../tools/_template.md) diff --git a/tools/samdump2.md b/tools/samdump2.md new file mode 100644 index 0000000..62ed05a --- /dev/null +++ b/tools/samdump2.md 
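Review bot: the table-to-bold conversion in the rainbowcrack.md hunk above leaves stray row delimiters behind: the `+` lines ending `with length 8 will not be contained.|`, `keep all other parameters identical.|` and `except the hash_algorithm parameter.|` still carry the trailing `|` from the old table format and should drop it. The labels `*table_index1*`, `*chain_len1*` and `*chain_num1*` keep a stray `1` that matches nothing in the usage line `rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0` shown in the hunk context (the positional arguments are table_index, chain_len and chain_num); rename them to `*table_index*`, `*chain_len*` and `*chain_num*`. The key-space line `361 + 362 + 363 + 364 + 365 + 366 + 367 = 80603140212` has lost its exponents; the sum of 36^1 through 36^7 is 80603140212, so write it as `36^1 + 36^2 + ... + 36^7 = 80603140212` so a reader can reproduce the figure from the 36-character charset and the length range 1 to 7. "The rtgen program natively support lots of hash algorithms" should read "supports", and "success rate is 99.9% with all 6 rainbow tables" refers to a set of tables this excerpt never lists; state which table_index values make up that set or drop the count.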
@@ -0,0 +1,94 @@ +# samdump2 + +Notes +------- +This tool is designed to dump Windows 2k/NT/XP password hashes from a SAM file, using the syskey bootkey from the system hive. + +This package also provides the functionality of bkhive, which recovers the syskey bootkey from a Windows NT/2K/XP system hive. + +Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM database. + + +Help Text +------- +``` +samdump2 1.1.1 by Objectif Securite +http://www.objectif-securite.ch +original author: ncuomo@studenti.unina.it + +Usage: +samdump2 samhive keyfile +``` + +Example Usage +------- +Stolen from epyxforensics + +We need to extract the syskey out of the SYSTEM hive. The syskey is a utility that encrypts the hashed password information in the SAM hive. We are going to use the program bkhive and we are going to point it to the SYSTEM hive so that we can extract that key. The SYSTEM hive is located in “Windows/System32/config/” In our setup, I will have to navigate to my windows partition, I will use the following command to tell bkhive to look at the SYSTEM hive and extract the syskey into a txt file appropriately named syskey.txt into our current directory (which if you remember is the Test folder, located on the Desktop). +``` +bkhive /media/8ADCBB5EDCBB42ED/Windows/System32/config/SYSTEM syskey.txt +``` + +After pressing enter, if everything worked, you should have received the following: + +``` +carlos@XPS-M1330:~/Desktop/Test$ bkhive /media/8ADCBB5EDCBB42ED/Windows/System32/config/SYSTEM syskey.txt +bkhive 1.1.1 by Objectif Securite +http://www.objectif-securite.choriginal author: ncuomo at studenti.unina.it +Root Key : CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5} +Default ControlSet: 001Bootkey: 90bb26a726a7bf1150f2edf4acb8382b +carlos@XPS-M1330:~/Desktop/Test$ +``` + +Lets see if we have a file named syskey.txt in our current directory. For that we will use the LS command, which stands for list (files). 
Type “ls” and press enter. + +``` +carlos@XPS-M1330:~/Desktop/Test$ ls +syskey.txt +carlos@XPS-M1330:~/Desktop/Test$ +``` + +Notice that we are in the Test Directory and Yes, we do have a txt file in our directory named syskey.txt. You can open the file with a text editor and you will see unreadable characters. + +Now we are going to use the program samdump2 to point it to both the SAM hive and the syskey.txt file so that it can use the syskey and extract the hashed passwords out of the SAM hive into our current directory, into a file appropriately named hashes.txt. We will accomplish this with the following command. + +``` +samdump2 /media/8ADCBB5EDCBB42ED/Windows/System32/config/SAM syskey.txt > hashes.txt +``` + +After pressing enter, if everything worked, you should have received the following: + +``` +carlos@XPS-M1330:~/Desktop/Test$ samdump2 /media/8ADCBB5EDCBB42ED/Windows/System32/config/SAM syskey.txt > hashes.txt +samdump2 1.1.1 by Objectif Securite +http://www.objectif-securite.ch +original author: ncuomo at studenti.unina.it +Root Key : CMI-CreateHive{C4E7BA2B-68E8-499C-B1A1-371AC8D717C7} +carlos@XPS-M1330:~/Desktop/Test$ +``` + +Lets see if we have a file named hashes.txt in our current directory. For that we will again use the LS command. Type ls and press enter. + +``` +carlos@XPS-M1330:~/Desktop/Test$ ls +hashes.txt syskey.txt +carlos@XPS-M1330:~/Desktop/Test$ +``` + +Notice that we are still in the Test directory and Yes, we do have a txt file in our directory named hashes.txt along with the syskey.txt. You can now open the hashes.txt file with a text editor. Once opened, you will see a password hashdump for all of the users stored inside of the SAM hive. We are only interested in the previously created user profile that we called Test. Below is Test's hashdump. 
+ +``` +Test:1003:aad3b435b51404eeaad3b435b51404ee:9b600b4e30254213f574bc7449524c12::: +``` + +The 32 character alphanumerical word, after the colon is the the hash of the Test user password (9b600b4e30254213f574bc7449524c12). To crack the hash, find one of the many websites that offer free hash decrypting. For the purposes of this article, I used www.xdecrypt dot com. Go to www.xdecrypt dot com and paste the hash into the top box. Click on the “decrypter” button, and wait for the results. Xdecrypt had this hash stored and provided us with the translation of this hash back into plain text. + +``` +9b600b4e30254213f574bc7449524c12(ntlm)=Forensics1 +``` + +Links +------- +* [irongeek video](http://www.irongeek.com/i.php?page=videos/samdump2auditor) +* [irongeek link](http://www.irongeek.com/i.php?page=security/cracking-windows-vista-xp-2000-nt-passwords-via-sam-and-syskey-with-cain-ophcrack-saminside-bkhive-etc) +* [expyforensics](http://epyxforensics.com/node/34) \ No newline at end of file
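Review bot: the Notes in the samdump2.md hunk claim the package "also provides the functionality of bkhive", but the Help Text shows samdump2 1.1.1 with the syntax `samdump2 samhive keyfile` and the Example Usage relies on a separate `bkhive` binary to produce syskey.txt; either document the samdump2 version and invocation that reads the SYSTEM hive itself or remove that sentence so the Notes, Help Text and example agree. The pasted bkhive output has lost its line breaks (`http://www.objectif-securite.choriginal author: ...` and `Default ControlSet: 001Bootkey: 90bb26a726a7bf1150f2edf4acb8382b`); restore them so the Bootkey line is readable on its own. The sentence "The 32 character alphanumerical word, after the colon is the the hash of the Test user password" is ambiguous, because the pwdump line `Test:1003:aad3b435b51404eeaad3b435b51404ee:9b600b4e30254213f574bc7449524c12:::` has two 32-character hexadecimal fields: the third field is the LM hash (the repeated `aad3b435b51404ee` halves are what Windows stores when no LM hash is kept) and the fourth, 9b600b4e30254213f574bc7449524c12, is the NT hash that the result line labels `(ntlm)`; say "hexadecimal", name the field, and fix the doubled "the the". Pasting that hash into "one of the many websites that offer free hash decrypting" discloses it to a third party; since the same patch lists rainbowcrack and rcracki_mt under Offline Attacks in password/index.md, point readers at an offline crack of hashes.txt instead and write the site as a plain URL rather than "www.xdecrypt dot com". Finally, "Stolen from epyxforensics" should become "Adapted from" with the source linked, "Lets" should be "Let's" in both places, and the Links entry `[expyforensics](http://epyxforensics.com/node/34)` misspells the site name used in the text.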