Ophcrack and rainbow table

Ophcrack is a tool that uses rainbow tables to crack Windows passwords. Two technical articles about Ophcrack are worth reading: “A tool for security experts to understand the rainbow hash table cracking tool” (http://tech.ccidnet.com/art/237/20070913/1211093_1.html) and “Using rainbow tables and Ophcrack in combination to crack Windows passwords” (http://blog.cn-ic.org/?p=62). From these two articles we learned that Ophcrack needs rainbow tables, how rainbow tables are generated, and other related information.

1. Rainbow table principle

First, some basic concepts:

Tables

It can be said that few people who have done cryptographic research for any length of time are unaware of this. Many years ago, hackers abroad found that simply importing a dictionary and running the same algorithm as the target for every guess is actually very slow, and in terms of efficiency cannot meet practical needs. After many attempts they concluded that if a data file is built in advance which records the hash values produced by the same algorithm as the target, and that file is consulted directly when cracking, cracking efficiency can be improved enormously, even by hundreds of thousands of times. Such a pre-built file of hash values is what the security community calls a table.

Rainbow Tables

The best-known tables are the Rainbow Tables often mentioned in the security industry, which are used to crack the LM/NTLM hashes of Windows user accounts. Briefly, under Windows 2000/XP/2003 the account password is not saved in plain text; it is stored, using an algorithm defined by Microsoft, in a file that cannot be read directly, commonly referred to as the SAM file. It cannot be cracked in place because the system keeps it open while running, but the hashes can be extracted from it and imported into specialised cracking tools. Extracted password hashes look like the following:

Administrator:500:96e95ed6bad37454aad3b435b51404ee:64e2d1e9b06cb8c8b05e42f0e6605c74:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

user1:1001:732b2c9a2934e481cd0a8808b19097ef:778620d5d5de064154e689fa4790129f:::

user2:1002:a042f67a99758fd727b99b2375d829f9:6127ee12a83da34fc19953e538e4d580:::

With traditional cracking methods, whether local or online across an intranet, efficiency is not high. In actual tests on a single machine it usually takes 3 to 9 hours to crack a 14-character irregular password made of uppercase and lowercase letters and digits, and for harder passwords the time rises and can range from days to months. Although most people do not use such complex passwords, many current passwords that are complex enough and longer than 10 characters, such as “Y1a9n7g9z0h7e”, will still give hackers a headache.

In July 2003, Philippe Oechslin of the Swiss Federal Institute of Technology in Lausanne announced some experimental results. He and the Security and Cryptography Laboratory (LASEC) to which he belongs adopted a time-memory trade-off method that greatly improved the efficiency of password cracking. As an example, they reduced the time to crack a password of a common operating system from 1 minute 41 seconds to 13.6 seconds. The method uses a large lookup table to match hashed passwords against the text a person typed, which speeds up the computation needed to recover them. This method, called the “memory-time balance”, means that a hacker who is willing to spend a lot of memory can reduce the time needed to crack a password.

Therefore, some inspired hackers built in advance a dictionary containing almost every possible password and converted all of them into NTLM hash files, so that during actual cracking there is no need to convert between passwords and hashes: the Windows account password can be recovered directly by comparing hashes against the file, saving a lot of system resources and greatly improving efficiency. Of course, this is only a simple description. The method is known internationally as the Time-Memory Trade-Off, that is, the “memory-time balance” just mentioned; in some places it is also translated as the “time-memory alternating algorithm”. The principle can be understood as trading memory for time.

We analyzed and organised other people’s blogs and published articles, and obtained the following information and materials:

(1) Tool download: http://sourceforge.net/project/showfiles.php?group_id=133599

(2) Ophcrack homepage: http://ophcrack.sourceforge.net/

(3) The definition and explanation of rainbow table in English: http://en.wikipedia.org/wiki/Rainbow_table

(4) Domestic research on rainbow table: http://www.antsight.com/zsl/rainbowcrack/

(5) Current research materials on Ophcrack and rainbow tables.

Through the above three steps, I once again classified the materials, downloaded the tool software, namely the Ophcrack software and its source code, and downloaded the rainbow tables provided by Ophcrack (http://ophcrack.sourceforge.net/tables.php). By checking, we know that Ophcrack provides three free rainbow tables:

(1) XP free small (380MB)

Identifier: SSTIC04-10k

Cracking success rate: 99.9%

Alphanumeric table 10k:

In one sentence: the table is generated from uppercase and lowercase letters plus digits, is 388MB in size, and covers 99.9% of the LanManager hashes of all alphanumeric passwords, that is, passwords composed of uppercase and lowercase letters and digits (about 80 billion combinations).

Because the LanManager hash splits the password into two halves of 7 characters each, this table can be used to crack passwords of 1 to 14 characters. Because the LanManager hash is also case-insensitive, the 80 billion combinations in the table are equivalent to 12×10^11 (or 2^83) passwords, which is why it is also called the “alphanumeric table 10k”.

(2) XP free fast (703MB)

Identifier: SSTIC04-5k

Success rate: 99.9%

Alphanumeric table 5k:

The alphanumeric table 5k is 703MB in size and covers 99.9% of the LanManager hashes of all alphanumeric passwords. Because the table is twice as large, if your computer has more than 1GB of RAM its cracking speed is 4 times that of the previous table.

(3) XP special (7.5GB)

Identifier: WS-20k

Success rate: 96%

The XP special extended table is 7.5GB and covers 96% of the LanManager hashes of passwords of up to 14 characters composed of uppercase and lowercase letters, digits and the following 33 special characters (!"#$%&'()*+,-./:;<=>?@[\ ]^_`{|}~). The table holds about 7 trillion combinations, equivalent to 5×10^12 (or 2^92) passwords, and must be purchased.

(4) Rainbow tables for cracking Vista

Vista free (461MB) is free and cracks Vista password hashes; Vista special (8.0GB) must be purchased.


LM, also called LanManager, is an old and fragile password encryption method of Windows. A password longer than 7 characters is split into pieces of 7 characters; a piece shorter than 7 characters is padded with zeros up to 7, and each piece is then put through the encryption operation and the results are combined into the hash. So in practice the upper limit of LM password cracking is 7 characters, which makes it possible to brute-force an LM-encrypted password in a short time at today’s PC speeds (the upper limit is about two weeks). With rainbow tables, that time can be reduced to hours.
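The following is an added example, not code from the article or from Ophcrack. It audits pwdump-format lines (constructed copies of the four lines shown earlier on this page) for LM exposure using the fact just described: an all-padding 7-character half always encrypts to the same constant, so that constant reveals whether an LM hash is stored at all and whether the second half is empty. It also works out why the free alphanumeric table is feasible: LM upper-cases the password, so a half has only 36^7 possibilities. The `Get-LmExposure` function name and the sample lines are this example's own assumptions.

```powershell
# Added example (not from the article). Sample lines are constructed copies of the
# pwdump output shown in the article: user:RID:LM hash:NT hash:::
$pwdumpLines = @(
    'Administrator:500:96e95ed6bad37454aad3b435b51404ee:64e2d1e9b06cb8c8b05e42f0e6605c74:::',
    'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
    'user1:1001:732b2c9a2934e481cd0a8808b19097ef:778620d5d5de064154e689fa4790129f:::',
    'user2:1002:a042f67a99758fd727b99b2375d829f9:6127ee12a83da34fc19953e538e4d580:::'
)

# LM result for a 7-character half that is entirely zero padding (an empty half).
# Two copies of it mean no LM hash is stored for the account.
$EmptyHalf = 'aad3b435b51404ee'

function Get-LmExposure {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line -split ':'
        if ($f.Count -lt 4 -or $f[2].Length -ne 32) { continue }   # skip malformed lines
        $lm     = $f[2].ToLower()
        $first  = $lm.Substring(0, 16)
        $second = $lm.Substring(16, 16)
        [pscustomobject]@{
            User         = $f[0]
            Rid          = [int]$f[1]
            # LM hash present at all: the account is exposed to the LM rainbow tables
            LmHashStored = ($lm -ne ($EmptyHalf + $EmptyHalf))
            # Second half empty: the password is 7 characters or fewer (one half to crack)
            PasswordLe7  = ($first -ne $EmptyHalf -and $second -eq $EmptyHalf)
            NtHash       = $f[3]
        }
    }
}

Get-LmExposure -Lines $pwdumpLines | Format-Table -AutoSize

# Why the free table can cover LM: each half is at most 7 upper-cased characters, so the
# alphanumeric keyspace per half is 36^7, roughly the "80 billion" quoted above. Compare
# the full mixed-case 14-character space that an NT hash of the same password would need.
$lmHalfKeyspace = [math]::Pow(36, 7)    # about 7.8E+10
$ntFullKeyspace = [math]::Pow(62, 14)   # about 1.2E+25
'LM half keyspace {0:E2} vs NT 14-char keyspace {1:E2}' -f $lmHalfKeyspace, $ntFullKeyspace
```

On the article's sample lines, Guest shows LmHashStored false and Administrator shows PasswordLe7 true; the other two accounts have a full 14-character-capable LM hash stored.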

(2) Testing the downloaded tools

1. Install the Ophcrack software

Installing Ophcrack is very simple; just follow the prompts. One point needs special attention during installation: do not choose to download the rainbow tables. The installer offers three download options, WinXP (380MB), WinXP (703MB) and Vista (461MB), as shown in Figure 2. The author selected them during installation and the download took several hours. The tables can equally be downloaded after the program is installed, whereas if they are selected during installation, Ophcrack cannot be used until the download has finished.

It is recommended not to download the rainbow table during installation


2. Using the Ophcrack software

Run Ophcrack directly from the program menu, as shown in Figure 3. The software has seven main modules: “Load”, “Delete”, “Save”, “Table”, “Crack”, “Help” and “Exit”. “Load” loads hash or SAM files, “Delete” deletes cracked entries, “Save” saves cracking results or the cracking session, “Table” sets up the rainbow tables, “Crack” starts cracking, and “Help” opens the help file.

3. Download the rainbow table

You can download the rainbow tables provided by Ophcrack (http://ophcrack.sourceforge.net/tables.php). In this case the three free rainbow tables were downloaded.

4. Set up the rainbow table

Click “Table” in the main Ophcrack window and the Table Selection interface shown in Figure 4 appears. By default no tables are installed. From this interface we learn that there are 8 rainbow tables in total, three of which are free.

Choose Rainbow Table

Then click to select one of the entries, in this example “Vista free”, and click the “Install” button. The system automatically opens the Ophcrack installation directory; in this example, however, the compressed file had been extracted into a tables directory, as shown in Figure 5. Select “Tables”, then select the rainbow table you downloaded, and click install. The author chose tables_vista_free here.

Note: (1) In Ophcrack, the parent directory of the rainbow table must be named “tables”, otherwise installing the rainbow table will not succeed.

(2) After the rainbow table is installed successfully its entry turns green, and you can see how many tables there are in total, as shown in Figure 6.

5. Prepare the cracking material

The cracking material here mainly means the system password hash values obtained with the quarks pwdump software. If you do not have any, obtain some yourself.

6. Start cracking

(1) Load the sam file

Click the “Load” button and select “PWDUMP file”, as shown in Figure 7. There are 6 options in total: the first cracks a single hash, the second cracks an obtained pwdump file, the third cracks encrypted SAM files, and the fourth and fifth audit or crack local and remote password hashes.

(2) View the hash password values

In this example, select a file produced by pwdump. If the pwdump hashes of the system are correct, they are displayed in the main Ophcrack window, as shown in Figure 8, which shows “User”, “LM Hash”, “NT Hash”, “LM Pwd1”, “LM Pwd2”, “NT pwd” and other information.

(4) Perform cracking

Click the “Crack” button to start cracking. The password is quickly cracked as “www119”; the value of “LM Pwd1” is the same as “NT pwd”, and cracking took only “37s”.

Successfully cracked the system password

(5) View crack statistics

Click “statistics” in the main window to view general and detailed information about the cracking of the hash values, as shown in Figure 11.

View statistics about the cracked password

(6) Cracking parameter settings

Click “Preferences” to open the cracking parameter window, as shown in Figure 12, where you can set the number of cracking threads, the cracking method, whether to hide user names, and so on.

Set cracking parameters

(3) Strategies for defending against rainbow table cracking

Cracking a password with a rainbow table lets an intruder obtain the system password easily and log in to the system “normally”, which is hard for administrators or computer owners to notice. Research shows there are two ways to strengthen the security of the system password.

1. Strengthen password security by using a password longer than a certain length

Passwords of fewer than 14 characters are relatively easy to crack with rainbow tables. Ordinary intruders only have the three free tables, so their cracking capability is relatively weak. Therefore the security of the system password can be improved by increasing the password length. The author recommends passwords of more than 32 characters. There are many password-setting techniques, which have been covered in our research topic; for the benefit of newcomers, we repeat them here:

Build the password from a sentence. For example, take “my country hosted the Olympic Games in August 2008. I went to Beijing Bird’s Nest to watch the games. It was great!” and set “2008-8ywgjblayh,wqbjlcgklbs,gjhs!”: keep the date in full, keep all punctuation, and take the first letter (the pinyin initial) of each remaining Chinese character. The password length is 33 characters, and it can be made longer if you wish. The essence is to choose a sentence, or a passage from a poem, which is easy to remember and gives high strength.

2. Use NTLM encryption

Windows 2003 still uses the weak LM encryption method. You can change the encryption method to NTLM to improve the security of the system password. In many cases the author has found that although the hash values were obtained with the pwdump and GetHashes software, neither LC5 nor Ophcrack could crack them.

LM encryption can be disabled through registry settings and replaced with NTLM, as follows:

(1) Open the registry editor;

(2) Locate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa;

(3) Select menu “Edit”, “Add Value”;

(4) Input the value name: LMCompatibilityLevel, the value type is: DWORD, click “OK”;

(5) Double-click the newly created value and set one of the following values according to the specific situation:

0-Send LM and NTLM responses;

1-Send LM and NTLM responses;

2-Send only NTLM response;

3-Only send NTLMv2 response; (valid for Windows 2000)

4-Only send NTLMv2 response, reject LM; (valid for Windows 2000)

5-Only send NTLMv2 response, reject LM and NTLM; (valid for Windows 2000)

(6) Close the registry editor

(7) Restart the machine
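The following is an added example, not from the article, that performs the registry steps above from an elevated PowerShell prompt and adds the check a practitioner would want: LMCompatibilityLevel only controls which challenge/response the machine sends on the network, while the LM hash stored in the SAM (the value pwdump extracts and Ophcrack cracks) is controlled by the separate NoLMHash value, which only takes effect for each account at its next password change. The function name `Set-LsaHardening` is this example's own.

```powershell
# Added example (not from the article): inspect and harden the LSA settings.
# Requires an elevated prompt; reboot afterwards, then have users change passwords.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LMCompatibilityLevel meanings (Microsoft): 0 send LM and NTLM; 1 send LM and NTLM, use
# NTLMv2 session security if negotiated; 2 send NTLM only; 3 send NTLMv2 only;
# 4 send NTLMv2 only, refuse LM; 5 send NTLMv2 only, refuse LM and NTLM.
$lvl = Get-ItemProperty -Path $lsa -Name LMCompatibilityLevel -ErrorAction SilentlyContinue
if ($null -eq $lvl) { 'LMCompatibilityLevel is not set; the OS default applies' }
else { "LMCompatibilityLevel = $($lvl.LMCompatibilityLevel)" }

# NoLMHash = 1 stops the LM hash being written to the SAM. Without it, a level-5 setting
# still leaves LM hashes on disk for rainbow-table cracking of dumped hashes.
$noLm = Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue
if ($null -eq $noLm -or $noLm.NoLMHash -ne 1) {
    'WARNING: NoLMHash is not 1, LM hashes may still be stored for existing accounts'
}

function Set-LsaHardening {
    param([int]$Level = 5)   # 5 = NTLMv2 only, refuse LM and NTLM
    # -Type DWord creates the value when it is absent, matching the manual "Add Value" step
    Set-ItemProperty -Path $lsa -Name LMCompatibilityLevel -Value $Level -Type DWord
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Get-ItemProperty -Path $lsa | Select-Object LMCompatibilityLevel, NoLMHash
}

# Set-LsaHardening    # uncomment to apply, then restart and rotate passwords
```

After applying, re-run the pwdump audit from the earlier section: accounts whose passwords have been changed since the setting took effect should show the doubled aad3b435b51404ee constant in the LM field.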

NTLM encryption was introduced in Windows NT SP3, and NTLM 2.0 encryption was introduced gradually after Windows 2000. But LM encryption is still enabled by default unless it is deliberately turned off by the method above.
