------------------------------------------------
        "Introduction to Rainbow Tables"
------------------------------------------------
   C/O :: arp of DynamicHell Development Team
------------------------------------------------
  http://dynamichell.org | irc.dynamichell.org
------------------------------------------------

Rainbow Tables are a special kind of table (or database) which contain
thousands of passwords and their hash counterparts. Crackers normally
keep adding entries in the hope of creating a vast table of plain-text
values (normally passwords) with their cipher-text representation
(usually hashes). It is hoped that by calculating password and hash
combinations in advance, future hash queries will quickly result in a
password hit, thus saving considerable time compared to traditional
brute-force methods--which can themselves take days. Often this
generation and addition to the tables is also automated.

Rainbow Tables are pre-calculated password/hash records, theoretically
antiquating brute-force dictionary and permutation-based attacks and
resulting in virtually instantaneous hash/password lookup.

Tables can be created for any conceivable hash algorithm, though
traditionally--due to their widespread adoption by GNU/Linux and UNIX
distributors--MD5 Rainbow Tables are most popular.

MD5 (and other) hashes are commonly obtained by the cracker through
techniques such as SQL injection and cookie interception. Unfortunately
many programmers still use hashing functions without a salt.

There is, however, one main issue that questions the true value of
Rainbow Tables: it has been argued that Rainbow Tables are ineffective
against any hash created with a salt because of the need to maintain
completely separate tables for every possible salt. It is suggested
that Rainbow Tables are only effective against non-salted hashes.

However, as disk space is becoming ever cheaper and increasing in size
rapidly, it could be argued that maintaining multiple tables against
possible salts is possible, especially as salts are traditionally quite
short.

Example
=======

A typical /etc/shadow entry on GNU/Linux (MD5):

    eileen:$1$ZhYANsmY$0456PinTlRW0CToazuDpp1:13182:0:99999:7:::

    Plain-text      Salt        Hash
    ----------      ----        ----
    crackerjack     ZhYANsmY    0456PinTlRW0CToazuDpp1

A Rainbow Table consists of thousands of similar records which can
easily be queried. All a cracker would need to do is query his table(s)
for the following hash and salt combination:

    $1$ZhYANsmY$0456PinTlRW0CToazuDpp1

and, assuming this hash had previously been generated, the table would
return 'crackerjack', the plain-text equivalent, instantaneously.

Copyright (c) 2006. Alastair Poole.

Verbatim copying and distribution of this entire article are permitted
worldwide, without royalty, in any medium, provided this notice, and
the copyright notice, are preserved.
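
Added example (not part of the original article): a short Python sketch
of the salt argument above, using the article's /etc/shadow entry to
show why a table built without the salt misses a salted hash. The word
list is constructed, and MD5(salt + password) is a simplified stand-in
for the real md5-crypt ($1$) algorithm; the table is a plain
password/hash lookup, as the article describes it.

```python
import hashlib

# Entry quoted in the article's Example section.
SHADOW_LINE = "eileen:$1$ZhYANsmY$0456PinTlRW0CToazuDpp1:13182:0:99999:7:::"
# Constructed sample word list; a real table would hold far more records.
WORDLIST = ["letmein", "crackerjack", "password", "qwerty"]
SALT_ALPHABET = 64  # md5-crypt salts use the characters [./0-9A-Za-z]


def parse_shadow(line):
    """Split a shadow line into user, scheme id, salt and hash."""
    user, field = line.split(":")[:2]
    parts = field.split("$")  # "$1$salt$hash" -> ["", "1", salt, hash]
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash field")
    return {"user": user, "scheme": parts[1], "salt": parts[2], "hash": parts[3]}


def digest(password, salt=""):
    """MD5(salt + password): a simplified stand-in, not the md5-crypt algorithm."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def build_table(words, salt=""):
    """Precompute hash -> password records for one salt value."""
    return {digest(w, salt): w for w in words}


def salt_space(salt):
    """Number of distinct salts of this length, i.e. tables needed to cover them."""
    return SALT_ALPHABET ** len(salt)


def demo():
    entry = parse_shadow(SHADOW_LINE)
    unsalted = build_table(WORDLIST)
    # Unsalted: one table serves every account that uses the password.
    hit = unsalted.get(digest("crackerjack"))
    # Salted: the same table misses; only a table built for that salt matches.
    miss = unsalted.get(digest("crackerjack", entry["salt"]))
    per_salt = build_table(WORDLIST, entry["salt"])
    salted_hit = per_salt.get(digest("crackerjack", entry["salt"]))
    return entry, hit, miss, salted_hit, salt_space(entry["salt"])


if __name__ == "__main__":
    entry, hit, miss, salted_hit, tables = demo()
    print(entry["user"], entry["scheme"], entry["salt"])
    print("unsalted lookup:", hit, "| salted hash vs unsalted table:", miss)
    print("per-salt table lookup:", salted_hit, "| tables for all salts:", tables)
```

For the 8-character salt in the entry, covering every possible salt
would take 64^8 (about 2.8 x 10^14) separate tables, which is the cost
a salt imposes on precomputation.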