by Wild King Generally speaking , a rainbow table is a lookup table which is used to recover the plain-text password that derives from a hashing or cryptographic function. Rainbow Tables offer a TIME-MEMORY trade-off for the above process. Rainbow Tables consist of a set of arrays. Each array includes data which is there for later use (lookups) . A hashing function is a very deterministic and well defined procedure which is usually a mathematical function which is used to convert a series of data ( e.g. plain text, passwords , phone numbers , file names etc.) into a datum of our liking. Reasons : •Encryption •Data Transmission Correction •Data Compression •Other Useful Terms : •Hash values, hash codes, hash sums, checksums or simply hashes. •Hashing •Collision In the field of Computer Security , hashes are widely used as a method to protect the data that is transmitted between computer systems , from outside attacks such as a “Man in the Middle Attack”. Hello I’m John Give me your pass My pass is : lamepass Now I know too! Hello, I’m E234BC59984CD Give me your pass My pass is : FF3451100C ?!?!?!?!?!?! First of all to crack the Hash back to it’s original plain text we need to know the Hashing Function ( algorithm) that was used to generate the Hash. Then we usually use the most common way of cracking , that is called “Brute Forcing”. Generally Brute Forcing a hash consists of us trying every single option of the original unknown plain text , through the hashing function. If there is a match then we have found our original text. Hashing functions most of the times consist of many , time consuming , processor hungry mathematical calculations . This is done very quickly of course for one hash. But it gets really slow when the original text: •Is long •Uses alphanumeric characters •Uses special characters (e.g. : “” $ % &) This way calculations can easily take hours, days , months , even years. And this is something not efficient. The solution to this problem are the Rainbow tables. The general idea of the Rainbow Tables is that we pre compute a great deal of the hashes , and then we store them into tables , so that we can look up the hashes later. In fact , what we really do to create a Rainbow Table , is the calculation of multiple hash chains . For the creation of the pre computed hash chain we use two Functions : •The main Hashing Function (H) •A Reduction Function (R) Then we start passing random words (that could be the original text we are looking for ) in turn through the Hash Function and the Reduction Function , thus creating a chain Example : aaaaaa —H→ 281DAF40 —R→ sgfnyd —H→ 920ECF10 —R→ kiebgt aaaaab—H→ 8676FDE1 —R→ gfirjd —H→ 6573FAC2 —R→ vhridt After the computation of each chain we store only the First and the Last Passwords into the table. The first Password is the Starting Point and the last one is the End Point. After we finish computing the whole table we sort it for faster look ups. Increasing the length of the chain decreases the size of the table. It also increases the time required to perform lookups, and this is the time-memory trade-off of the rainbow table. In a simple case of one-item chains, the lookup is very fast, but the table is very big. Once chains get longer, the lookup slows down, but the table size goes down. Now to crack the Hash we need to do the following : aaaaaa —H→ 281DAF40 —R→ sgfnyd —H→ 920ECF10 —R→ kiebgt Lets say we are given the hash : 920ECF10 First we will use the Reduction Function on this hash then the Hashing Function and so on, thus computing again a hash chain . Every time we get a product out of the Reduction Function we look it up in the End Point Array of the pre computed Rainbow tables . If we find a match then we start calculating the hash chain from the Starting Point till we get to the given Hash . Then the product prior to the given hash in the computed chain will be the password we are looking for. Back to our example : Hash = 920ECF10 —R→ kiebgt kiebgt is in our table with a Starting point of : aaaaaa Now computing the aaaaaa hash chain we get : aaaaaa —H→ 281DAF40 —R→ sgfnyd —H→ 920ECF10 So the password we are looking for is : sgfnyd While the whole idea behind the Rainbow Tables is working , and gets the desired password much much faster than a Brute Force attack it still has some problems : • • • It is quite useless against salted Hashes. Each pre computed Rainbow Table is attached to a specific Hashing Function and can’t be used for other Functions unless recomputed . It still needs quite a lot of time to compute and sort the Table (despite some faster and improved algorithms ). The first two problems come together with the way Rainbow tables are created and the logic behind their use, and we cannot do anything to solve them but to use either another cracking method (case 1), or specific Tables (case 2). What we can do, is improve the rate at which the Tables are produced. And that we can do with the help of multiprocessor or clustered computing. The general idea for creating fast an accurate Rainbow Table would be the following : The Master Server aaaaaa aaaaab aaaaac aaaaad aaaaae N Number of Workers aaaaaf aaaaag The general idea for creating fast an accurate Rainbow Table would be the following : Storage The Master Server 2FA354 7BCA72 CCCAAA 145CBD FF1903 Calculating… N Number of Workers BA5423 CF65AB The general idea for creating fast an accurate Rainbow Table would be the following : The Master Server Sorting N Number of Workers When everything is finished and the Rainbow tables are created and sorted we can access them from any computer and query the Tables for the Hash we want to crack . What is the password for : 920ECF10 ? The speed offered by the Rainbow Tables for cracking the Hashes , combined with the computing power of a multiprocessor computer , a Cuda VGA or a Computer cluster for the creation of the Rainbow Tables , can be a very powerful tool for everyone associated with Security Auditing and Computer Security in general as a science. Just imagine that passwords that are announced as “Complicated” , “Tough” or “Hard to Crack” by multiple programs , and someone trying to brute - force them would require months or years to crack, now can be broken in a matter of minutes (through pre computed Rainbow Tables) or hours (including the time we need to compute the Tables ). But don’t forget that Rainbow Tables are : Once Compute , Use Forever as long as the Hashing algorithm remains the same . http://www.ethicalhacker.net/content/view/94/24/ http://en.wikipedia.org/wiki/Rainbow_table http://en.wikipedia.org/wiki/Hash_function