Aircrack-ng and rainbowtables

DenKain
Sargeant at Arms
Posts: 162
Joined: Sun Sep 28, 2003 4:04 pm
Location: The eye of the storm

Aircrack-ng and rainbowtables

Post by DenKain » Wed May 21, 2008 1:44 am

I was playing around with my two laptops and my AP the other day. I set one to capture packets from my AP while the other one generated the 80,000 packets I needed to crack it. The only option for WPA is using a dictionary file, so it hit me: "I wonder if I could find a rainbowtable (my understanding is that it has every possible keyboard combo), dump it into a text file and have aircrack-ng use that?"

So the question becomes: has anyone ever tried this before? When I searched Google for rainbowtable generators, they all seemed to be for the Windows platform. Has anyone seen one that will work in Linux? The tables I have seen for download all seem to be designed for "ntlm, lm, md5 and sha"; is there such a table that just has every possible keyboard combination in it?

I just thought that this would be an interesting idea for testing/cracking WPA.
Peace. Or Else.

stasik
Guru
Posts: 525
Joined: Thu Oct 12, 2006 8:38 am
Location: dublin

Re: Aircrack-ng and rainbowtables

Post by stasik » Wed May 21, 2008 2:50 am

You are right, for cracking WPA you need a dictionary to compare against it. A rainbow table is the mechanism of transforming the plain text into a hash based on a particular algorithm (ntlm, sha, md5, etc.). A rainbow table is based on the character set you input: more letters = bigger tables (up to 500 GB or even more). The idea: you generate the table when you have time (because generating takes time), but once generated it can be used/reused, reducing time. Hashing is one way: text -> hash, so even when you log in to Windows, the password you enter is hashed and then the hash is compared to the hash stored in the SAM (it's not the other way around). So in case of brute force every attempt is hashed and then compared to the hash stored. With rainbow tables you hash it once and then just compare the hashes until a match is found.
If you want to use the same idea for WPA you have to use SQLite. You need to know the name of the router (as it is used as an algorithm for hashing) and a wordlist. So it will hash all the words from the wordlist only for the given wifi router name and store them in a database. It drastically reduces the time for cracking, but if the password is not in the wordlist it will not be cracked. Also it creates hashes only for the particular router (name), so you can't use the database generated for other wifi routers unless they have the same name.
Check the wordlist generator on: http://hackerthreads.org/viewtopic.php? ... e2dbe24b72

spectre
n00b
Posts: 22
Joined: Sun Sep 28, 2008 7:17 pm

Re: Aircrack-ng and rainbowtables

Post by spectre » Sun Oct 05, 2008 4:11 am

So basically what you're saying is that if one of us generates a rainbow table for cracking a WPA password it would greatly reduce our time? If someone generates or has generated such a rainbow table PLEASE SHARE!!!

Pleo
Guru
Posts: 587
Joined: Thu Aug 28, 2003 5:24 am
Location: eax

Re: Aircrack-ng and rainbowtables

Post by Pleo » Tue Oct 07, 2008 5:02 pm

Spectre, I think that there is a misunderstanding here in that you don't realise how specific the circumstances where you can apply rainbow tables are - what Stasik and DenKain seem to be talking about is not a rainbow table but a word list, or dictionary file.

When a password is hashed, using md5, ntlm, etc., that hash is then stored for future reference. Traditionally these hashes were publicly viewable, because only the original user could generate them using their password. The reason that only the original user could generate the hash is because when a hashing algorithm is used the original password is unrecoverable - this is called one way encryption. The only way to emulate that hash was to guess the original user's password; two methods of doing this being dictionary attacks (http://en.wikipedia.org/wiki/Dictionary_attack) and brute force attacks (http://en.wikipedia.org/wiki/Brute_force_attack).

Unfortunately, for the nefarious individuals trying to guess the password, though a brute force attack is guaranteed to work - in that if it is given enough time it will always find the password - most people don't have a significant enough amount of time to sit and wait for the brute force algorithm to find the solution. Fortunately, for the nefarious individuals trying to guess the password, some bright spark came up with the idea of calculating all possible hash values and associating them with a password which would generate that hash; these hash/pass combinations would be found specifically for each hashing algorithm and significantly cut down on the amount of time to figure out a password. These tables are, generally, very large and becoming increasingly more limited in use.

The reason rainbow tables work is because it doesn't matter what character combination you put into a hashing algorithm, it only matters what you take out of it. A rainbow table does not need to contain the exact same password as the original user used because there may be a different set of characters which the hashing algorithm will turn into the same hash; therefore, there can be no guarantee that the password the rainbow table has given you is the original one. This is fine when you are only interested in getting the hashing algorithm to generate a specific hash, such as when you are attempting to log on to a system, but does not work when you aren't interested in that hash but in the information that has actually been encrypted, such as the information travelling across an encrypted network.

Where a rainbow table would be useful would be in obtaining the original passphrase to connect to the network. Generally it is impossible to use rainbow tables with WPA-PSK because it enforces a password salt (http://en.wikipedia.org/wiki/Salt_(cryptography)) - password salts are one of the defences against using rainbow tables - which is generally the SSID of the network; however, because the salt is known ahead of time, being the SSID of the network, you can actually create a rainbow table which factors in the salt. An example of this is at http://www.renderlab.net/projects/WPA-tables/ where there is a rainbow table that has been pre-computed using a number of popular SSIDs and a large dictionary.
There once was a lawyer named Rex
Who was small in the organs of sex.
When charged with exposure
He replied with composure,
De minimus non curat lex.
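Added example, not code from any poster in this thread: the per-SSID table stasik describes and the salt point in Pleo's reply, written in Python against the standard WPA-PSK key derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte PMK). The wordlist and the SSIDs "IEEE" and "MyHomeNet" are constructed sample values; the last check shows why a table built for one SSID misses the same passphrase on a network with a different name, which is also why an uncommon SSID defeats the public precomputed tables.

```python
import hashlib
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 4096   # fixed by the WPA-PSK specification
PMK_LENGTH = 32            # 256-bit Pairwise Master Key

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK key derivation. The SSID is the salt, so the same passphrase
    yields a different PMK on every differently named network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)

def build_pmk_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """The 'database' from the thread: PMK -> passphrase, valid for one SSID only.
    Each entry costs 4096 HMAC-SHA1 rounds; that is the work the table front-loads."""
    return {wpa_pmk(word, ssid): word for word in wordlist}

def lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """A hash-table lookup replaces the 4096 rounds that each guess would otherwise cost."""
    return table.get(pmk)

def table_applies_to(table_ssid: str, network_ssid: str, passphrase: str) -> bool:
    """True only when a table built for table_ssid would recover this passphrase on a
    network named network_ssid, i.e. only when the two salts coincide."""
    return wpa_pmk(passphrase, table_ssid) == wpa_pmk(passphrase, network_ssid)

# Constructed sample wordlist for the demonstration below.
SAMPLE_WORDLIST = ["password", "letmein", "dragon", "qwerty123"]

if __name__ == "__main__":
    table = build_pmk_table("IEEE", SAMPLE_WORDLIST)
    print("table for SSID 'IEEE' holds", len(table), "entries")
    # A network named IEEE using 'password': found with one lookup.
    print("IEEE / password ->", lookup(table, wpa_pmk("password", "IEEE")))
    # Same passphrase, different SSID: the salt changed, so the table misses.
    print("MyHomeNet / password ->", lookup(table, wpa_pmk("password", "MyHomeNet")))
    print("table reusable across SSIDs?", table_applies_to("IEEE", "MyHomeNet", "password"))
```

The "IEEE"/"password" pair is the published test vector for this derivation, so the PMK the block computes can be checked against the specification.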

stasik
Guru
Posts: 525
Joined: Thu Oct 12, 2006 8:38 am
Location: dublin

Re: Aircrack-ng and rainbowtables

Post by stasik » Thu Oct 09, 2008 8:41 am

What I said is that it is possible to create a database with hashes, but this database will be useful only for 1 particular network, as to create these hashes the name of the network is required. These hashes are obtained from the plain text/dictionary which you must have. So the idea is the same as in rainbowtables: spend time now and create hashes, and reduce time when cracking!!!
This is a video tutorial: http://s32.photobucket.com/player.swf?r ... &os=1&ap=1...
