Rainbow Crackalack

Cracking NTLM - methodology

If the database of NTLM password hashes for a Windows domain were obtained, the optimal strategy would be:

1. Use hashcat to brute-force all 1-7 character passwords (this can be done quickly).

2. Use hashcat to crack passwords based on rules (variable time).

3. Use rainbow tables to break complex 8-character passwords (a few hours).

4. Use rainbow tables to break complex 9-character passwords (a few days).

While brute-forcing 8-character passwords is very much possible with hashcat, it is inefficient to do so for smaller numbers of hashes:

As shown in the graph above, on a machine with a single NVIDIA RTX 2070 GPU, hashcat takes roughly 75 hours to brute-force one hundred 8-character NTLM passwords, whereas the Rainbow Crackalack software (with the NTLM-8 tables) achieves a 93% success rate in an hour and a half!

The following graph shows the cracking times for 9-character NTLM hashes:

Rainbow Crackalack Download

Generate NTLM 8 lenght

 .\crackalack_gen.exe ntlm ascii-32-95 8 8 0 803000 67108864 0

Crack NTLM

# .\crackalack_lookup.exe /export/ntlm8_tables/ /home/user/hashes.txt

OPHCrack

It's also interesting during the cracking process passing the hashes through OPHCrack.

Generate: LM:NT => LOAD

 cat .\ntlm.txt | awk.exe -F':' '{print $2, $2}' OFS=":" | Out-File -FilePath .\hash_ophcrack.txt -Encoding utf8

Sources