# Rainbow Crackalack

## Cracking NTLM - methodology

If the database of NTLM password hashes for a Windows domain were obtained, the optimal strategy would be:

1. Use hashcat to brute-force all 1-7 character passwords (this can be done quickly).
2. Use hashcat to crack passwords based on rules (variable time).
3. Use rainbow tables to break complex 8-character passwords (a few hours).
4. Use rainbow tables to break complex 9-character passwords (a few days).

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FmQ4OHu5PuWMNS6Whp19U%2Fimage.png?alt=media\&token=4e49247f-d895-438f-b6c8-684ce1534fa8)

Brute-forcing the full 8-character keyspace with hashcat is certainly possible, but hashcat pays the whole keyspace cost on every run, whereas a rainbow table pays it once, at generation time, and each lookup then costs only a bounded amount of work per hash. For a small number of hashes the tables win; with enough hashes the balance tips back towards hashcat, since its single pass over the keyspace checks every hash at once:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FqJLUo24O4mTFAr2Hee5l%2Fimage.png?alt=media\&token=b7476814-0904-4346-9ef4-1669af5e5060)

As shown in the graph above, on a machine with a single NVIDIA RTX 2070 GPU, hashcat takes roughly 75 hours to brute-force one hundred 8-character NTLM hashes, whereas Rainbow Crackalack with the NTLM-8 tables recovers 93% of them in about an hour and a half.

The following graph shows the cracking times for 9-character NTLM hashes:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FtcSgZQczInDxCBqZ4UY6%2Fimage.png?alt=media\&token=9e158bea-34e6-4ee1-8cbe-fbbfab64f451)

## Rainbow Crackalack Download

The source code for table generation and lookup [is available on Github](https://github.com/jtesta/rainbowcrackalack). Pre-compiled executables for Windows [are available as well](https://github.com/jtesta/rainbowcrackalack/releases).

NTLM 8-character tables can be downloaded for free [via BitTorrent](https://www.rainbowcrackalack.com/rainbow_crackalack_ntlm_8.torrent). They are 93% effective (the success rate against 8-character passwords drawn from the 95 printable ASCII characters) and total 486 GB.

NTLM 9-character tables can also be downloaded for free [via BitTorrent](https://www.rainbowcrackalack.com/rainbow_crackalack_ntlm_9.torrent). They are 50% effective and total 6.7 TB.

## Generate NTLM 8-character tables

```
# crackalack_gen.exe <hash algorithm> <charset> <min length> <max length> <table index> <chain length> <number of chains> <part index>
# Below: NTLM, the 95 printable ASCII characters (0x20-0x7e), plaintexts of exactly 8 characters,
# table index 0, chains of 803,000 links, 67,108,864 (2^26) chains, part 0 of the table.
.\crackalack_gen.exe ntlm ascii-32-95 8 8 0 803000 67108864 0
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FG9kIdzPABDk8jYW2QKO2%2Fimage.png?alt=media\&token=c31afb9e-0b17-4f83-bae8-871681c8607b)

{% embed url="https://github.com/jtesta/rainbowcrackalack" %}

## Crack NTLM

```
# crackalack_lookup.exe <directory containing the downloaded tables> <file with the hashes to look up>
# The two paths are placeholders: point the first at the directory the NTLM-8 tables were extracted into.
.\crackalack_lookup.exe /export/ntlm8_tables/ /home/user/hashes.txt
```

## OPHCrack

It is also worth passing the same hashes through OPHCrack while the rainbow-table lookup runs. OPHCrack loads hashes in `LM:NT` form; the command below builds that file from a list whose second colon-separated field is the NT hash, putting the NT hash in both positions because no LM hash is available.

**Generate: LM:NT => LOAD**

```
# Input (assumed): one entry per line with the NT hash as the second colon-separated field, e.g. user:NThash.
# Output: NThash:NThash, i.e. the NT hash in both the LM and NT positions.
# awk.exe is any Windows build of awk. Hex hashes are plain ASCII, so -Encoding ascii is used instead of
# utf8: Windows PowerShell 5.1 writes a UTF-8 BOM with -Encoding utf8, which some tools read as part of the first hash.
cat .\ntlm.txt | awk.exe -F':' '{print $2, $2}' OFS=":" | Out-File -FilePath .\hash_ophcrack.txt -Encoding ascii
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2F0I7hsPl3swOfyglzRX6Q%2Fimage.png?alt=media\&token=17fd14f3-cec5-48b4-9a23-fdf62dc2c8ad)

## Sources

{% embed url="http://project-rainbowcrack.com/table.htm" %}

{% embed url="https://www.rainbowcrackalack.com/#download" %}

{% embed url="https://ophcrack.sourceforge.io/tables.php" %}
