rainbow table

RainbowCrack 1.4 is released - The Time-Memory Tradeoff Hash Cracker

RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. It cracks hashes with rainbow tables.

Version 1.4 of the RainbowCrack software is now available for download.

New features:
- New compact rainbow table file format (.rtc) reduces rainbow table size by 50% to 56.25%
- New rt2rtc utility converts rainbow tables from the raw file format (.rt) to the compact file format (.rtc)
- New rtc2rt utility converts rainbow tables from the compact file format (.rtc) to the raw file format (.rt)
- The rcrack/rcrack_cuda programs support both the .rt and .rtc rainbow table file formats
- Conversion from non-perfect to perfect rainbow tables is supported by the rt2rtc utility

Abusing weak PRNGs in PHP applications

It's about abusing PHP's built-in PRNG functions to attack web applications.

It starts where Stefan Esser's wonderful article "mt_srand and not so random numbers" ( http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ ) ended.

I've made some improvements to his idea. Since mt_srand()/mt_rand() are very slow (~17 hours to try all possible 2^32 seeds on my AMD Phenom 2.6 GHz machine) and lookup tables are huge (at least 32 GB), I implemented rainbow tables. With a chain length of 10000 and 512k rows, the table size is 11 MB and the average search takes only about 35 min. Rainbow table parameters can be tuned (longer chains = less space but a slower seed crack; shorter chains and more rows = more space but less time to crack the seed).

Since it's about password reset attacks, the time needed to predict the random string is crucial for the effectiveness of the attack.

I also demonstrate a real PoC against installations of PHP-Nuke and PunBB hosted on the same server with keep-alives enabled. In my example, it took 7 minutes and 4 HTTP requests to reset PunBB's admin password by predicting the "password reset" URL.


Meridian Prolog Manager Username and Plain Text Password Disclosure

Enhanced Encryption is only slightly better since it takes the Standard Encryption rotational keyed password and then sends it to the database to be stored in a binary field instead of a text/varchar field. Even using this "encryption", once the password is over four characters the first returned hash (16 HEX characters after a standard lead in) is the same no matter what follows. Making a rainbow table of the first four characters would be annoying but takes less than a day done by hand. Once you had the first four characters, making the next four would take another day for any given first four, again by hand. So cracking any one account's 1-8 character password would take 1-2 days (1-12 characters would take 1-3 days and so on). Given how

Default key algorithm in Thomson and BT Home Hub routers

bits WEP encryption by default by the way), we can narrow down the number of possible keys to about 80. In order to avoid the brute-forcing computation time required by the "stkeys" tool, I created "BTHHkeygen" which looks up the possible keys for a given SSID from a pre-generated "SSID->keys" table. Think of it as a rainbow table for cracking the BT Home Hub's default WEP encryption key. Once the list of around 80 keys is obtained, the second step in the attack is to try each of them automatically, until the valid key is identified. For this purpose I created "BTHHkeybf" which is a fancy wrapper around the "iwconfig" Linux tool. We tested three different BT Home Hubs, and the attack seems to work fine.

Re[2]: Apache web server 2.2: htpasswd predictable salt weakness

PW> providing reasonably good entropy sources, there's little reason not to
PW> "do it right". It's not the worst mistake I've seen, by far not the most
PW> dangerous. But it's sloppy of the Apache Group to have ignored it for half
PW> a decade.

It's quite easy. Precomputing a rainbow table for MD5 crypt with a known salt is somehow equivalent to MD5 crypt bruteforcing, if you don't mind the required amount of storage. So, a predictable salt and narrowed salt space will have some impact if the salt changes in a time comparable with the time required for bruteforcing. A salt changing once a second is a really good one, because bruteforcing takes much longer.

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.