SIT282/SIT703 Computer Forensics and Investigations
Workshop Session 7
In general, you need the administrative privileges of a computer in order to run powerful programs, and recovering passwords is one of the most common and effective ways to gain that access. We will continue to use our Ubuntu VM alongside an external website in this session.
In this session we practise two forensic software tools, fcrackzip and OphCrack. The knowledge acquired here will help you recover passwords for ZIP files and Windows systems.
Learning Objectives
1. Describe the challenges faced by digital forensic investigators when dealing with
password protected files.
2. Demonstrate that you can recover encryption passwords for ZIP files.
3. Practice encrypting and decrypting files using forensic tools and techniques to recover
digital evidence.
4. Identify the elements of a Windows logon password, and generate and recover Windows logon hashes.
1. Introducing fcrackzip
The tool fcrackzip is designed to recover the encryption passwords of ZIP files. Even the demo version lets you work on encrypted ZIP files, so you should be able to recover the password of a ZIP file that uses the traditional PKWARE ("ZipCrypto") encryption, which is what 7-Zip produces by default when you add "-p" to a .zip archive. Note that fcrackzip does not handle ZIP archives encrypted with AES (for example those created with 7-Zip's "-mem=AES256" switch); those need a different tool.
Note: Before we go to the next step, in case "TEXT.zip" already exists, delete the file
by navigating to the folder using the file manager on the Ubuntu desktop or from the
command line using “rm TEXT.zip” to “remove” the file.
Now, let's prepare an encrypted ZIP file. Launch the "Terminal" inside the virtual
machine, change directory to "~/Desktop/Data-files/week07”. In the folder, you will
find a file named TEXT.txt. This text file contains some random text. We use the
7zip program to encrypt this file to TEXT.zip with the password "ticket".
The command is "7z a TEXT.zip TEXT.txt -pticket", where:
7z - the 7-Zip file archiver
a - add files to an archive
TEXT.zip - the archive to create
TEXT.txt - the file to add
-pticket - set the password to "ticket" (the password follows -p with no space)
You will see output similar to this:
user@Ubuntu1804:~/Desktop/Data-files/week07$ cat TEXT.txt
ABCDEFGHIJKLMN
abcdefghijklmn
0123456789
user@Ubuntu1804:~/Desktop/Data-files/week07$ 7z a TEXT.zip TEXT.txt -pticket
7-Zip [64] 16.02: Copyright (c) 1999-2016 Igor Pavlov: 2016-05-21
p7zip Version 16.02 (locale=en_AU.UTF-8, Utf16-on, HugeFiles-on, 64 bits, 1 CPU Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz (906E9), ASM, AES-NI)
Scanning the drive:
1 file, 42 bytes (1 KiB)
Creating archive: TEXT.zip
Items to compress: 1
Files read from disk: 1
Archive size: 204 bytes (1 KiB)
Everything is ok
user@Ubuntu1804:~/Desktop/Data-files/week07$
You may verify if the newly created zip file has the correct password protection. That
is, navigate to the folder and double click the zip file. When a prompt appears asking
for the password, input “ticket”. You should see something similar to the following
screenshot. Once it is verified, you may proceed to the next step.
[Screenshot: the Archive Manager window for TEXT.zip listing TEXT.txt (42 bytes, plain text document, modified 25 June 2019, 10:14), with the dialog "Password required for "TEXT.zip"", a Password field and OK/Cancel buttons.]
Switch back to the Terminal; now we can use fcrackzip to crack the ZIP password. Let's start with a simple dictionary that covers likely passwords. Type the command "fcrackzip -u -D -p /usr/share/dict/american-english TEXT.zip", where:
fcrackzip - the ZIP password cracker
-u - use unzip to try each guessed password on the archive and weed out false positives
-D - dictionary mode, reading passwords from a file
-p - the password file (the word list)
You will see the tool recover the password. (Remember the "-u" option: without it, fcrackzip only applies its own quick 1-byte header check, which lets through wrong passwords that happen to pass it, so it may print several "possible" passwords rather than the single correct one.)
user@Ubuntu1804:~/Desktop/Data-files/week07$ fcrackzip -u -D -p /usr/share/dict/american-english TEXT.zip
PASSWORD FOUND!!!!: pw == ticket
user@Ubuntu1804:~/Desktop/Data-files/week07$
The following is an example of a brute-force attack, using the option "-b" and the password-length option "-l 6-6".
Note: "-l" (lower-case L) specifies the password length. It takes two parameters, min and max; max is optional, so "-l 6-6" means start with passwords 6 characters long and check all passwords up to 6 characters long, i.e. exactly 6 characters. The character set used for brute force is selected with "-c"; see the fcrackzip man page for the available sets.
If the password is in the dictionary, fcrackzip cracks it almost instantly. The brute-force attack applies in more general situations where you do not have a good list of candidate passwords. It will complete eventually, but takes much longer: with the 26 lower-case letters alone there are 26^6 (about 309 million) 6-character candidates, and with "-u" every candidate that passes the quick check is additionally tried with unzip.
Warning: This process may take quite some time (longer than 1 hour on one of our test machines).
user@Ubuntu1804:~/Desktop/Data-files/week07$ fcrackzip -u -b -l 6-6 TEXT.zip
Now, use 7-Zip to encrypt the same TEXT.txt file into ZIP files with the following passwords: "George", "Eindhoven", "augustina" and "anknytningsbarhet". Compare the cracking time fcrackzip needs for each one; prefixing the command with "time" (for example "time fcrackzip -u -D -p /usr/share/dict/american-english George.zip") records it for you. (Hint: for fast cracking, think about where to find a good list of passwords before resorting to the brute-force attack; not all of these words are in /usr/share/dict/american-english.)
You can use the following table to record your results.
Password            Decryption time
George
Eindhoven
augustina
anknytningsbarhet
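fcrackzip's two-stage check, why "-u" matters, and what a ZipCrypto archive actually stores, as an added example that is not part of this handout or of fcrackzip. The block re-implements the traditional PKWARE ("ZipCrypto") stream cipher that 7-Zip's default "-p" ZIP encryption uses, builds an encrypted "stored" entry in memory from the handout's TEXT.txt content and the password "ticket" (constructed here, not read from a real archive), and runs a dictionary attack with a constructed word list. The key schedule, header layout and check byte follow PKWARE's APPNOTE; make_encrypted_entry, quick_check and full_verify are this example's own names.

```python
"""ZipCrypto (traditional PKWARE encryption) and the two-stage password check.

Stage 1 decrypts only the 12-byte header and compares its last byte with the
check byte (what fcrackzip does for every candidate). Stage 2 decrypts the
whole entry and verifies the CRC-32 (what "-u" achieves by calling unzip).
Stage 1 lets roughly one wrong password in 256 through.
"""
import itertools
import os
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320), used by ZipCrypto's key update.
_CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)


class ZipCrypto:
    """PKWARE traditional encryption (APPNOTE section 6.1), same schedule as unzip."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def _stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)            # the keys advance on the PLAINTEXT byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_encrypted_entry(plaintext: bytes, password: bytes) -> dict:
    """What an archiver stores for an encrypted, uncompressed ("stored") entry."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 11 random bytes plus the check byte: the high byte of the CRC (with the
    # data-descriptor flag set, archivers use the high byte of the DOS time instead).
    header = os.urandom(11) + bytes([crc >> 24])
    return {"crc": crc, "data": ZipCrypto(password).encrypt(header + plaintext)}


def quick_check(password: bytes, entry: dict) -> bool:
    """Stage 1 (fcrackzip without -u): decrypt the header, compare the check byte."""
    header = ZipCrypto(password).decrypt(entry["data"][:12])
    return header[11] == entry["crc"] >> 24


def full_verify(password: bytes, entry: dict) -> bool:
    """Stage 2 (what -u adds): decrypt everything and verify the CRC-32 of the data."""
    plain = ZipCrypto(password).decrypt(entry["data"])[12:]
    return (zlib.crc32(plain) & 0xFFFFFFFF) == entry["crc"]


def dictionary_attack(entry: dict, wordlist) -> tuple:
    """Return (words passing the quick check, words confirmed by full verification)."""
    candidates = [w for w in wordlist if quick_check(w, entry)]
    confirmed = [w for w in candidates if full_verify(w, entry)]
    return candidates, confirmed


def three_letter_wordlist() -> list:
    """Constructed word list: every lower-case 3-letter string plus the real password."""
    words = [bytes(w) for w in itertools.product(b"abcdefghijklmnopqrstuvwxyz", repeat=3)]
    words.append(b"ticket")
    return words


if __name__ == "__main__":
    # Constructed input: the handout's TEXT.txt content and its password "ticket".
    entry = make_encrypted_entry(b"ABCDEFGHIJKLMN\nabcdefghijklmn\n0123456789\n", b"ticket")
    cands, confirmed = dictionary_attack(entry, three_letter_wordlist())
    print(f"{len(cands)} words passed the header check, confirmed: {confirmed}")
```

Run it and about 70 wrong three-letter passwords (one in 256 of 17576) pass the header check, which is exactly the "possible password" noise fcrackzip prints without "-u"; only "ticket" survives the CRC verification. The same logic shows why the brute-force run is slow: every candidate that survives the quick check costs a full decryption.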
2. Using OphCrack to Recover Windows Logon Password
Switch to the "Terminal” and type “ophcrack" to launch the program.
user@Ubuntu1804:~/Desktop/Data-files/week07$ ophcrack &
[1] 9110
user@Ubuntu1804:~/Desktop/Data-files/week07$
(The trailing "&" runs ophcrack in the background so the Terminal stays usable.)
[Screenshot: the ophcrack main window. Toolbar buttons: Load, Delete, Save, Tables, Crack, Help, Exit, About. The Progress tab has the columns User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2, NT Pwd; the Tables list shows "XP free ..." with Status "inactive" and Preload "on disk". The status bar reads "Preload: waiting, Brute force: waiting, Pwd found: 0/0, Time elapsed: 0h 0m 0s".]
We can verify that ophcrack works properly by cracking a known hash. Click the "Load" button, select "Single hash" from the drop-down list, and paste the following test value into the text box. It is an LM hash and an NT hash separated by a colon, the form ophcrack expects for a single hash; neither 8-byte half of the LM part is the empty-block value AAD3B435B51404EE, which tells you the password is at least 8 characters long:
"c6100ace80e48267b79ae2610dd89d4c:d5e9e0db50ba46b948853221be26da2b"
7.2C Generating your own Rainbow tables
Rainbow tables are very powerful for cracking Windows LM and NTLM hashes. Sometimes,
we may have to generate rainbow tables by ourselves. The most well-known tool for
generating rainbow tables is RainbowCrack.
You will find a copy of RainbowCrack in the folder
"Desktop/Linux-tools/rainbowcrack-1.7-linux64".
Some good tutorials are available on YouTube:
https://www.youtube.com/results?search_query=rainbowcrack+tutorial
The documentation of the tools is available at
http://project-rainbowcrack.com/documentation.htm
1. Charset in RainbowCrack
In the main folder of RainbowCrack, there is a file with the name "charset.txt". This is the
charset configuration file of RainbowCrack. Its content looks like this:
(charset.txt opened in the text editor from ~/Desktop/Linux-tools/rainbowcrack-1.7-linux64)
numeric                      = [0123456789]
alpha                        = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
alpha-numeric                = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
loweralpha                   = [abcdefghijklmnopqrstuvwxyz]
loweralpha-numeric           = [abcdefghijklmnopqrstuvwxyz0123456789]
mixalpha                     = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-numeric             = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
ascii-32-95                  = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
ascii-32-65-123-4            = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~]
alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
Each line contains a charset definition. To the left of the "=" is the charset name and to the right is the charset content, enclosed in "[" and "]". For example, if we want a charset of upper-case letters and space, we just add a line to the configuration file:
alpha-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ ]
Note: Don't name charsets arbitrarily; stick to the keywords alpha (loweralpha, mixalpha), numeric, "-", 32, 95 and symbol32 in charset names. Because the charset name appears in the filename of the generated rainbow table, following this convention avoids "invalid filename" problems. You don't need to modify this file unless you need a custom charset, for example one supporting non-English characters.
2. Creating Rainbow Tables
First of all, we need to estimate the resources we are going to use to create the rainbow tables. The more characters a password can contain, and the longer it can be, the larger the key space and the more disk space we need for the tables.
For instance, if we use the char set as "alpha (ABCDEFGHIJKLMNOPQRSTUVWXYZ)" and our
password is 1 to 7 letters long (so its length would be 1, 2, 3, ..., 7), then the key space is
N=26^1 +26^2 + 26^3 + 26^4 + 26^5 + 26^6 + 26^7 = 8353082582.
Type ./rtgen in the terminal window and you will see the usage of the rainbow table generator:
"rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index"
The parameters are:
hash_algorithm - the hash algorithm the table is built for (e.g. lm, ntlm, md5)
charset - the set of all possible plaintext characters, defined in the configuration file charset.txt
plaintext_len_min, plaintext_len_max - these two parameters limit the plaintext length range of the rainbow table
table_index (L) - selects the reduction function; rainbow tables with different table_index values use different reduction functions
chain_len (t) - the rainbow chain length; a longer chain stores more plaintexts and takes longer to generate
chain_num (m) - the number of rainbow chains to generate; a rainbow table is simply an array of rainbow chains, and each chain occupies 16 bytes on disk
part_index - to store a large rainbow table as many smaller files, use a different number in this parameter for each part and keep all other parameters identical
To fully understand the meaning of table_index, chain_len and chain_num and the structure of a rainbow table, it is better to first read the Wikipedia article on rainbow tables, or even the original paper by Philippe Oechslin.
By default, let us set the rainbow chain length t = 100, the chain number m = 2,000 and the number of rainbow tables L = 3. The disk space is then m*16*L = 96,000 B = 96 KB, since each rainbow chain takes 16 bytes (8 bytes for the start point and 8 bytes for the end point).
For example, for plaintexts of 1 to 3 letters, t = 100, m = 2,000 and L = 3, we can create a set of three rainbow tables with the following command, run once for each table index:
./rtgen lm alpha 1 3 n 100 2000 all
where n = 0, 1 or 2 is the table_index. (Note: these parameters are not optimised. The next section describes how to derive suitable rainbow table sizes to achieve a reasonable success rate for cracking different passwords.)
With parameters this small, rtgen finishes in seconds; tables sized for real passwords can take hours or days to generate. Before anyone can use the tables for cracking, they must be sorted by end point with the rtsort command (e.g. "./rtsort ." to sort every .rt file in the current directory), because rcrack looks up chain end points by binary search.
If you look at the files generated, you should recognise how the values of m, t and L are encoded in the file names.
Finally, we have to decide on the success rate we want. The higher the success rate, the more rainbow chains are needed and therefore the more disk space.
3. Success Rate and Configuration of Rainbow Tables
In the previous section, you notice that the size of rainbow tables is related to the following
parameters:
• N is the size of the key space
• t is the rainbow chain length
• m is the number of rainbow chains
• L is the number of rainbow tables
The disk usage is calculated by multiplying m, L and 16, which is m*16*L. However, L is
related to the success rate. If a success rate of a rainbow table is P, then L tables will give you
the success rate as 1- (1-P)^L. That is, the overall success rate can be very close to 1, but you
need many rainbow tables.
The P value, the success rate of an individual rainbow table of size m*t, is calculated with the following recursion (Oechslin's formula):
$$P_{table} = 1 - \prod_{i=1}^{t}\left(1 - \frac{m_i}{N}\right), \qquad m_1 = m, \qquad m_{n+1} = N\left(1 - e^{-m_n/N}\right)$$
Here m_i is the expected number of distinct values in column i of the table: the first column has the m start points, and each following column has fewer because chains merge.
We have implemented this algorithm in C and provided both the source code and an executable in calc.zip (see the task resource zip file; extract it to a suitable place, e.g. "~/Desktop/win-tools/hashcalc/calc"). As calc_success_probability.exe is a Windows program, we use the "wine" emulator to execute it by typing "wine path/calc/calc_success_probability N t m", as shown in the following output (here N = 26^3 + 26^2 + 26 = 18278):
user@Ubuntu1804:~$ wine ~/Desktop/win-tools/hashcalc/calc/calc_success_probability 18278 10 100
001c:err:module: import_dll Library MSVCR100_CLR0400.dll (which is needed by L"C:\\windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe") not found
001c:err:module: import_dll Library mscoree.dll (which is needed by L"C:\\windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe") not found
001c:err:module: attach_dlls Importing dlls for L"C:\\windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe" failed, status c0000135
000f:err:service: process_send_command service protocol error - failed to write pipe!
The probability of using (N=18278, t=10, m=100) is 0.046171
user@Ubuntu1804:~$
(The "err:" lines come from wine's .NET bootstrap and can be ignored; the last line is the program's output.)
Spend some time calculating the P values for the configurations you would like to use for your rainbow tables (this is a trial-and-error process). You can also use this site (https://www.tobtu.com/rtcalc.php) to estimate the size of rainbow tables.
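A miniature rtgen/rtsort/rcrack together with the success-rate recursion above, as an added example that is not part of this handout or of RainbowCrack. It uses the same key space as the handout's rtgen example (charset alpha, lengths 1 to 3, N = 18278) and the default parameters t = 100, m = 2000, L = 3, but hashes with SHA-1 in place of LM (which needs DES) and uses a simplified reduction function of its own, not rtgen's; all function names are this example's. It lets you compare the formula's prediction with the rate actually measured on the generated tables. For the calc example N = 18278, t = 10, m = 100 the recursion as printed evaluates to about 0.0527, not the 0.046171 the C program prints, so the program evidently models something the handout does not describe; treat both figures as estimates.

```python
"""Rainbow table generation, sorting, lookup and success-rate estimate in miniature."""
import hashlib
import math
import random
from bisect import bisect_left

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"                 # rtgen's "alpha"
MIN_LEN, MAX_LEN = 1, 3
_LEN_SIZES = [len(CHARSET) ** n for n in range(MIN_LEN, MAX_LEN + 1)]
N = sum(_LEN_SIZES)                                     # 26 + 26^2 + 26^3 = 18278


def index_to_plaintext(idx: int) -> str:
    """Bijection from [0, N) to the key space: length-1 words, then length-2, then length-3."""
    for length, size in zip(range(MIN_LEN, MAX_LEN + 1), _LEN_SIZES):
        if idx < size:
            chars = []
            for _ in range(length):
                idx, r = divmod(idx, len(CHARSET))
                chars.append(CHARSET[r])
            return "".join(chars)
        idx -= size
    raise ValueError("index outside the key space")


def hash_plaintext(p: str) -> bytes:
    """Stand-in for LM: SHA-1 of the ASCII plaintext."""
    return hashlib.sha1(p.encode("ascii")).digest()


def reduce_hash(h: bytes, pos: int, table_index: int) -> int:
    """Reduction R_pos: hash -> key-space index. Mixing in the column position gives a
    different function per column (the rainbow property); table_index separates tables."""
    return (int.from_bytes(h[:8], "little") + pos + (table_index << 16)) % N


def generate_table(t: int, m: int, table_index: int, seed: int = 0) -> dict:
    """rtgen + rtsort: m chains of length t, kept as (end, start) pairs sorted by end point."""
    rng = random.Random(seed * 1000 + table_index)
    chains = []
    for _ in range(m):
        start = rng.randrange(N)
        x = start
        for pos in range(t):
            x = reduce_hash(hash_plaintext(index_to_plaintext(x)), pos, table_index)
        chains.append((x, start))
    chains.sort()                                       # what rtsort does on disk
    return {"t": t, "index": table_index,
            "ends": [e for e, _ in chains], "starts": [s for _, s in chains]}


def crack(target: bytes, table: dict):
    """rcrack: for each column j, walk from R_j(target) to a chain end, binary-search the
    end points, regenerate each matching chain to column j and verify. None if not found."""
    t, ti = table["t"], table["index"]
    ends, starts = table["ends"], table["starts"]
    for j in range(t - 1, -1, -1):
        x = reduce_hash(target, j, ti)
        for pos in range(j + 1, t):
            x = reduce_hash(hash_plaintext(index_to_plaintext(x)), pos, ti)
        i = bisect_left(ends, x)
        while i < len(ends) and ends[i] == x:           # every chain with this end point
            y = starts[i]
            for pos in range(j):
                y = reduce_hash(hash_plaintext(index_to_plaintext(y)), pos, ti)
            candidate = index_to_plaintext(y)
            if hash_plaintext(candidate) == target:
                return candidate
            i += 1                                      # false alarm (merged chain)
    return None


def crack_with_tables(target: bytes, tables):
    for tb in tables:
        found = crack(target, tb)
        if found is not None:
            return found
    return None


def success_probability(n: int, t: int, m: int) -> float:
    """Per-table success rate from the handout's recursion (Oechslin):
    P = 1 - prod_{i=1..t}(1 - m_i/N), m_1 = m, m_{i+1} = N(1 - exp(-m_i/N))."""
    p_miss, mi = 1.0, float(m)
    for _ in range(t):
        p_miss *= 1.0 - mi / n
        mi = n * (1.0 - math.exp(-mi / n))
    return 1.0 - p_miss


def measured_success(tables, samples: int = 30, seed: int = 42) -> float:
    """Empirical success rate over random plaintexts drawn from the key space."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(samples)
               if crack_with_tables(hash_plaintext(index_to_plaintext(rng.randrange(N))), tables) is not None)
    return hits / samples


if __name__ == "__main__":
    T, M, L = 100, 2000, 3
    tables = [generate_table(T, M, i) for i in range(L)]
    p = success_probability(N, T, M)
    print(f"disk space m*16*L = {M * 16 * L} bytes; formula: one table {p:.4f}, "
          f"{L} tables {1 - (1 - p) ** L:.4f}; measured {measured_success(tables):.3f}")
    print("calc example (N=18278, t=10, m=100):", round(success_probability(18278, 10, 100), 6))
    print("ABC ->", crack_with_tables(hash_plaintext("ABC"), tables))
```

The design mirrors the real tools: only the 16-byte (start, end) pairs are stored, the end points are sorted so lookups are binary searches, and a lookup costs up to t*(t-1)/2 hash-and-reduce steps per table plus one chain regeneration per end-point hit, which is why false alarms from merged chains dominate the run time of heavily loaded tables.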
4. Your Tasks
Create rainbow tables for cracking 3-character LM passwords over the alpha-numeric (not alpha-only) charset, i.e. rtgen's charset alpha-numeric with plaintext length 3 to 3. (Hint: to reach a success rate P above 99.5%, the recommended sizes for the rainbow tables are t = 800 and m = 4000. rcrack is used to crack the hashes.) Note that in each LM hash below the second 16 hex digits are AAD3B435B51404EE, the LM value of an empty 7-character block, which confirms that these passwords are at most 7 characters long; only the first half needs cracking.
LM hash
E660F8899B270102AAD3B435B51404EE
8BD716FF43485CC0AAD3B435B51404EE
12B8DBE400888CC2AAD3B435B51404EE
List all the steps, especially the commands you used to create the rainbow tables and to calculate their sizes, with screenshots, as well as the passwords you cracked using your tables.
Submit your attempt (.pdf) to OnTrack.