Free Rainbow Tables Looking For New Admin 95
lee writes "After almost three years online, the admin of Free Rainbow Tables has decided to call it a day, citing a lack of time to keep it running. (I'm sure that you all know a rainbow table is essentially a giant list of precomputed hashes.) This is a shame, as the site is a useful resource for those occasions when you really need an existing password exposed, rather than simply changing it. I'm a Windows admin, and this site has come in very handy in the past. The currently computed tables weigh in at well over half a terabyte, are available as torrents from the site, or from a couple of mirrors (and alternatives are available). When the site was active, it featured a downloadable BOINC client to put your idle cycles to work computing ever-greater tables, and a space-saving format for storing the tables. The admin is willing to hand over source code if you wish to take over, though I suspect hosting is not included!"
Salts? (Score:5, Informative)
I thought the prevelance of using salts with hashes obsoleted rainbow tables years ago.
Only MD5/LM/NTLM? (Score:5, Informative)
I was expecting more tables than just MD5 and two types of Windows passwords. You can already download the Ophcrack DVD to do Windows passwords with rainbow tables.
Renderlab offer wifi WPA rainbow tables: http://www.renderlab.net/projects/WPA-tables/ [renderlab.net] . I hope whoever takes over takes note of projects like that, and tries to expand the range of tables available.
Re:Salts? (Score:3, Informative)
Once you've reverted the hash back to salt+plaintext, it's *much* easier to remove the salt (often some string concatenated with the plaintext).
Re:Salts? (Score:3, Informative)
Using salts with hashes obsoleted rainbow tables years ago (if you know what you're doing).
There, corrected it for you.
Re:Salts? (Score:5, Informative)
I thought the prevelance of using salts with hashes obsoleted rainbow tables years ago.
True. Correctly salting your password hashes will make rainbow tables useless.
But ... Guess which system still doesn't salt passwords? Windows!
Re:OMG is that annoying... (Score:2, Informative)
.
Re:why Rainbow Tables when there is KonBoot? (Score:3, Informative)
I can't imagine that a tool like this would allow you to authenticate to the domain controller. Cracking the hash cached on the local system would.
Unless windows is so insecure that the domain controller just takes the local workstation's word that you successfully logged in. I can't imagine such a design lasting this long. If it did you could get the machine's key off the local hard drive and then authenticate as anybody over the network.
rainbow table? (Score:3, Informative)
Re:Salts? (Score:1, Informative)
NTLMv1 maybe, but NTLMv2 closed that hole and doesn't use LM hashes.
It took a few years for the default to be *not* to send the v1 hash, but it has been now since 2003 server (which is why you used to get the problem that early samba implementations don't work with newer windows domains.. the 'workaround' given was to shaft the security of the network, although these days I'd just upgrade samba).
Not exactly (Score:1, Informative)
(I'm sure that you all know a rainbow table is essentially a giant list of precomputed hashes.)
The whole point of a rainbow table is that it's not a giant list of pre-computed hashes, though those do exist also. It is a large table, but it's not simply a one-to-one dictionary of plaintext and hashes.
Anyhoo, though RTs are still valid, they are becoming much less useful as an attack method.
Re:why Rainbow Tables when there is KonBoot? (Score:2, Informative)
Re:why Rainbow Tables when there is KonBoot? (Score:3, Informative)
Granted, EFS (Encrypted File System - the "encrypt" option on NTFS) isn't the greatest, but it's there, it's included with Windows (and thus, perceived as "free as in beer"), and people use it.
Kon-Boot will grant you access to the account, but not to anything that the user encrypted using EFS. I have just tested this today to be sure before posting.
That is one reason why people would want to know the current password rather than just bypass the password, though Kon-Boot certainly still has its uses.