> For the complete documentation index, see [llms.txt](https://gitbook.seguranca-informatica.pt/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://gitbook.seguranca-informatica.pt/tools/password-and-cracking/rainbow-crackalack.md). # Rainbow Crackalack ## Cracking NTLM - methodology If the database of NTLM password hashes for a Windows domain were obtained, the optimal strategy would be: 1. Use hashcat to brute-force all 1-7 character passwords (this can be done quickly). 2. Use hashcat to crack passwords based on rules (variable time). 3. Use rainbow tables to break complex 8-character passwords (a few hours). 4. Use rainbow tables to break complex 9-character passwords (a few days). ![](/files/P1x3DTR2bUeuLZRdnYUp) While brute-forcing 8-character passwords is very much possible with hashcat, it is inefficient to do so for smaller numbers of hashes: ![](/files/DHW6Thr1Rhwuymfux2r4) As shown in the graph above, on a machine with a single NVIDIA RTX 2070 GPU, hashcat takes roughly 75 hours to brute-force one hundred 8-character NTLM passwords, whereas the Rainbow Crackalack software (with the NTLM-8 tables) achieves a 93% success rate in an hour and a half! The following graph shows the cracking times for 9-character NTLM hashes: ![](/files/VITXnERM6m1dEJ6tgjjx) ## Rainbow Crackalack Download The source code for table generation and lookup [is available on Github](https://github.com/jtesta/rainbowcrackalack). Pre-compiled executables for Windows [are available as well](https://github.com/jtesta/rainbowcrackalack/releases). NTLM 8-character tables can be downloaded for free [via BitTorrent](https://www.rainbowcrackalack.com/rainbow_crackalack_ntlm_8.torrent). These are 93% effective and are 486 GB in size. NTLM 9-character tables can also be downloaded for free [via BitTorrent](https://www.rainbowcrackalack.com/rainbow_crackalack_ntlm_9.torrent). These are 50% effective and are 6.7 TB in size. ## Generate NTLM 8 lenght ``` .\crackalack_gen.exe ntlm ascii-32-95 8 8 0 803000 67108864 0 ``` ![](/files/33X3uhJ79mPQLYUrUbUK) {% embed url="" %} ## Crack NTLM ``` # .\crackalack_lookup.exe /export/ntlm8_tables/ /home/user/hashes.txt ``` ## OPHCrack It's also interesting during the cracking process passing the hashes through OPHCrack. **Generate: LM:NT => LOAD** ``` cat .\ntlm.txt | awk.exe -F':' '{print $2, $2}' OFS=":" | Out-File -FilePath .\hash_ophcrack.txt -Encoding utf8 ``` ![](/files/ZtcTJSkGwB8H4ndFKSNA) ## Sources {% embed url="" %} {% embed url="" %} {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://gitbook.seguranca-informatica.pt/tools/password-and-cracking/rainbow-crackalack.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.