Rainbow Crackalack

Cracking NTLM - methodology

If the database of NTLM password hashes for a Windows domain were obtained, the optimal strategy would be:

  1. Use hashcat to brute-force all 1-7 character passwords (this can be done quickly).

  2. Use hashcat to crack passwords based on rules (variable time).

  3. Use rainbow tables to break complex 8-character passwords (a few hours).

  4. Use rainbow tables to break complex 9-character passwords (a few days).
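The four steps above chain together naturally, because each later (and slower) stage should only see the hashes the earlier stages failed to crack. The bash script below is an added example, not code from the Rainbow Crackalack project or this page: it drives hashcat for steps 1 and 2 and hands the survivors to `crackalack_lookup` for step 3. It assumes `hashes.txt` holds one 32-hex NT hash per line, that `hashcat` and `crackalack_lookup` are on the PATH, that hashcat's potfile is the `<hash>:<plaintext>` file it writes by default, and placeholder wordlist, rule and table paths (the table path is the one used later on this page). The page itself shows Windows `.exe` invocations; the same flow is written here for bash.

```bash
#!/usr/bin/env bash
# Added example (not part of the Rainbow Crackalack project): drive the
# four-step NTLM methodology, feeding each stage only the hashes the previous
# stage did not crack.  Assumed: hashes.txt holds one 32-hex NT hash per line,
# hashcat and crackalack_lookup are on PATH, and the placeholder paths below.
set -euo pipefail

POTFILE="${POTFILE:-ntlm.potfile}"        # hashcat records "<hash>:<plaintext>" here
TABLES="${TABLES:-/export/ntlm8_tables/}"  # directory of NTLM-8 tables (page's example path)
WORDLIST="${WORDLIST:-rockyou.txt}"        # assumed wordlist for the rules stage
RULES="${RULES:-rules/best64.rule}"        # rule file that ships with hashcat

# hashcat exits 1 when it exhausts the keyspace with hashes still uncracked;
# that is the normal outcome here, so only abort on other (error) exit codes.
hc() { hashcat -m 1000 --potfile-path "$POTFILE" "$@" || [ $? -eq 1 ]; }

# Print the hashes in $1 that do not yet appear in potfile $2.  Whole-line,
# case-insensitive matching, because dump tools differ in hex case.
remaining_hashes() {
  local hashes=$1 potfile=$2
  if [ ! -s "$potfile" ]; then
    cat "$hashes"          # nothing cracked yet: everything remains
    return
  fi
  cut -d: -f1 "$potfile" | grep -v -i -x -F -f - "$hashes" || true
}

# Step 1: exhaustive mask attack over all 1-7 character passwords
# (?a = all 95 printable ASCII characters), growing the length with --increment.
step1_bruteforce_1_7() {
  hc -a 3 --increment --increment-min 1 --increment-max 7 "$1" '?a?a?a?a?a?a?a'
}

# Step 2: wordlist plus mangling rules (runtime depends on list and rules).
step2_rules() { hc -a 0 "$1" "$WORDLIST" -r "$RULES"; }

# Step 3: hand the survivors to the rainbow tables.  crackalack_lookup takes
# the table directory first, then the file of hashes to look up.
step3_rainbow() { crackalack_lookup "$TABLES" "$1"; }

run_pipeline() {
  local hashes=$1 after1 after2
  after1=$(mktemp) after2=$(mktemp)
  step1_bruteforce_1_7 "$hashes"
  remaining_hashes "$hashes" "$POTFILE" > "$after1"
  step2_rules "$after1"
  remaining_hashes "$after1" "$POTFILE" > "$after2"
  echo "$(wc -l < "$after2") hashes left for the rainbow tables"
  step3_rainbow "$after2"
}

# Usage: ./ntlm_pipeline.sh run hashes.txt
if [ "${1:-}" = "run" ]; then
  run_pipeline "${2:-hashes.txt}"
fi
```

The filtering step matters more than it looks: hashcat skips potfile entries on its own, but `crackalack_lookup` does not read hashcat's potfile, so without `remaining_hashes` the rainbow-table stage would spend its hours on hashes already recovered. If the dump is in `user:hash` form rather than bare hashes, add `--username` to the `hc` wrapper or strip the usernames first.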

While brute-forcing 8-character passwords is entirely possible with hashcat, it is inefficient for small numbers of hashes, because the GPU time is spent per run regardless of how many hashes are loaded:

As shown in the graph above, on a machine with a single NVIDIA RTX 2070 GPU, hashcat takes roughly 75 hours to brute-force one hundred 8-character NTLM passwords, whereas the Rainbow Crackalack software (with the NTLM-8 tables) achieves a 93% success rate in an hour and a half!

The following graph shows the cracking times for 9-character NTLM hashes:

Rainbow Crackalack Download

The source code for table generation and lookup is available on GitHub. Pre-compiled executables for Windows are available as well.

NTLM 8-character tables can be downloaded for free via BitTorrent. These are 93% effective and are 486 GB in size.

NTLM 9-character tables can also be downloaded for free via BitTorrent. These are 50% effective and are 6.7 TB in size.

Generate NTLM 8-character tables

The arguments are the hash type, the character set (ascii-32-95 is the 95 printable ASCII characters), the minimum and maximum plaintext length (fixed at 8 here), the table index, the chain length, the number of chains and the part index; this invocation produces one table part of 67,108,864 chains of length 803,000:

 .\crackalack_gen.exe ntlm ascii-32-95 8 8 0 803000 67108864 0

Crack NTLM

The lookup tool takes the directory holding the tables as its first argument and the file of NTLM hashes to look up as its second:

# .\crackalack_lookup.exe /export/ntlm8_tables/ /home/user/hashes.txt

OPHCrack

It is also worth running the same hashes through ophcrack (another rainbow-table cracker) while the other stages are in progress.

Convert the hash list to the LM:NT format that ophcrack's Load dialog accepts. For an ntlm.txt whose lines are user:NThash, the following writes NThash:NThash (the NT hash repeated in the LM position, since the dump carries no LM hash), one line per account:

 cat .\ntlm.txt | awk.exe -F':' '{print $2, $2}' OFS=":" | Out-File -FilePath .\hash_ophcrack.txt -Encoding utf8
