# Rainbow Crackalack

## Cracking NTLM - methodology

If the database of NTLM password hashes for a Windows domain were obtained, the optimal strategy would be:

1. Use hashcat to brute-force all 1-7 character passwords (this can be done quickly).
2. Use hashcat to crack passwords based on rules (variable time).
3. Use rainbow tables to break complex 8-character passwords (a few hours).
4. Use rainbow tables to break complex 9-character passwords (a few days).

![](/files/P1x3DTR2bUeuLZRdnYUp)

While brute-forcing 8-character passwords is very much possible with hashcat, it is inefficient to do so for smaller numbers of hashes:

![](/files/DHW6Thr1Rhwuymfux2r4)

As shown in the graph above, on a machine with a single NVIDIA RTX 2070 GPU, hashcat takes roughly 75 hours to brute-force one hundred 8-character NTLM passwords, whereas the Rainbow Crackalack software (with the NTLM-8 tables) achieves a 93% success rate in an hour and a half!

The following graph shows the cracking times for 9-character NTLM hashes:

![](/files/VITXnERM6m1dEJ6tgjjx)

## Rainbow Crackalack Download

The source code for table generation and lookup [is available on Github](https://github.com/jtesta/rainbowcrackalack). Pre-compiled executables for Windows [are available as well](https://github.com/jtesta/rainbowcrackalack/releases).

NTLM 8-character tables can be downloaded for free [via BitTorrent](https://www.rainbowcrackalack.com/rainbow_crackalack_ntlm_8.torrent). These are 93% effective and are 486 GB in size.

NTLM 9-character tables can also be downloaded for free [via BitTorrent](https://www.rainbowcrackalack.com/rainbow_crackalack_ntlm_9.torrent). These are 50% effective and are 6.7 TB in size.

## Generate NTLM 8 lenght

```
 .\crackalack_gen.exe ntlm ascii-32-95 8 8 0 803000 67108864 0
```

![](/files/33X3uhJ79mPQLYUrUbUK)

{% embed url="<https://github.com/jtesta/rainbowcrackalack>" %}

## Crack NTLM

```
# .\crackalack_lookup.exe /export/ntlm8_tables/ /home/user/hashes.txt
```

## OPHCrack

It's also interesting during the cracking process passing the hashes through OPHCrack.

**Generate: LM:NT => LOAD**

```
 cat .\ntlm.txt | awk.exe -F':' '{print $2, $2}' OFS=":" | Out-File -FilePath .\hash_ophcrack.txt -Encoding utf8
```

![](/files/ZtcTJSkGwB8H4ndFKSNA)

## Sources

{% embed url="<http://project-rainbowcrack.com/table.htm>" %}

{% embed url="<https://www.rainbowcrackalack.com/#download>" %}

{% embed url="<https://ophcrack.sourceforge.io/tables.php>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook.seguranca-informatica.pt/tools/password-and-cracking/rainbow-crackalack.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.