5234627
story
Posted
by
kdawson
on Friday July 17, @12:24PM
from the all-the-colors dept.
lee writes
"After almost three years online, the admin of Free Rainbow Tables has decided to call it a day, citing a lack of time to keep it running. (I'm sure that you all know a rainbow table is essentially a giant list of precomputed hashes.) This is a shame, as the site is a useful resource for those occasions when you really need an existing password exposed, rather than simply changing it. I'm a Windows admin, and this site has come in very handy in the past. The currently computed tables weigh in at well over half a terabyte, are available as torrents from the site, or from a couple of mirrors (and alternatives are available). When the site was active, it featured a downloadable BOINC client to put your idle cycles to work computing ever-greater tables, and a space-saving format for storing the tables. The admin is willing to hand over source code if you wish to take over, though I suspect hosting is not included!"
Related Stories
You know you're hungry when (Score:5, Funny)
The headline 'Free Rainbow Tables' makes you immediately think of a table covered in Skittles
Re: (Score:2, Funny)
Re: (Score:3, Funny)
think of a table covered in Skittles
Billy Mays here for Free Rainbow Tables dotcom. Have you ever needed a giant list of pre-computed hashes? Have you ever forgotten the password to that old Linux box sitting in the corner of the accounting department's coat closet? Then have I got just the thing for you! All you need to do is, and this part's amazing, is go to freerainbowtables.com, that's freerainbowtables.com, enter your hash-string, and voila, there's your password. It's so easy, a paraplegic blind
Re: (Score:2)
You forgot to yell.
HI, BILLY MAYS HERE WITH A FANTASTIC NEW PRODUCT....
Filter fodder: "Filter error: Don't use so many caps. It's like YELLING."
Re: (Score:3, Funny)
Billy Mayes didn't yell. It seemed like it because, just like Chuck Norris, when he spoke the rest of the world knew the STFU.
Re: (Score:2)
It makes me think of smarties you insensitive clod.
Re: (Score:2)
But if you were hungry, wouldn't you think of actual *food* instead? ^^
Support is pending (Score:5, Insightful)
I am sure that plenty of groups that may "need an existing password exposed" are interested in anonymously donating hosting for this project.
Re: (Score:3, Insightful)
Or pay-for-download and/or pay-for-lookup service, and keep the site online.
Re: (Score:2)
They already accept money to buy more credits for heavier access of their service. For those that are unwilling to pay in cash, they offer credits for populating their system with hashes through the use of their client.
Somehow I think that if money were the issue, they would just say they lack money instead of saying they lack time. Considering that they've had two upsets in the last two months, a lack of time sounds like an honest reason.
Re: (Score:2)
Or pay-for-download and/or pay-for-lookup service, and keep the site online.
In such a case, they would clearly need to change their SLD name, to not have the word 'free' in it.
Re: (Score:3, Insightful)
You think? Personally, I think you'd have to be a glutton for punishment, to want to admin a site for people interested in rainbow tables.
Reading Rainbow Tables (Score:5, Funny)
Buy the domain, contact LeVar Burton to help promote it, and post video testimonials on how great they work.
LeVar: "Crack passwords now! But you don't have to take my word for it..." *dun dun dunnn!*
Salts? (Score:5, Informative)
I thought the prevelance of using salts with hashes obsoleted rainbow tables years ago.
Re: (Score:3, Informative)
Once you've reverted the hash back to salt+plaintext, it's *much* easier to remove the salt (often some string concatenated with the plaintext).
Re: (Score:2)
That would be true but with something like a 20 character salt the required rainbow tables to cut down the time to a reasonable level would take a ridiculous amount of storage. You could of course compile a set of rainbow tables for that specific salt but then you may as well give up on rainbow tables.
Re: (Score:2)
Perhaps that's why they are offering to sell the entire set of indexed hashes for just under $600? (shipped on a 1.5 TB usb disk drive). Considering their relative lack of mark-up on the 1.5 TB usb disk drive, I don't get the impression that these guys were in it for the money.
Re: (Score:2)
Lack of markup? Last I checked, a USB 1.5TB drive was around $150, tops. Not $600.
http://www.newegg.com/Product/Product.aspx?Item=N82E16822148406 [newegg.com]
Re: (Score:2)
No the tables they are selling on those disks would not cope with a 10 character password. They have a 12 character table listed but that is for pure numeric, the rest have a maximum of 9 characters. Using the calculator http://www.insidepro.com/rainbow.php [insidepro.com] you can see that to get tables for a 16 character password (which is still a lot less that a password + 20 character salt) you would need more hard disk space than you could expect to be able to buy (several orders of magnitude more). So that leaves t
Re:Salts? (Score:5, Insightful)
Once you've reverted the hash back to salt+plaintext, it's *much* easier to remove the salt (often some string concatenated with the plaintext).
Often? That's the definition of salt.
Also, rainbow tables don't revert the hash back to salt+plaintext. Rainbow Tables don't work if salt was (correctly) used. Well, I guess you could make a set of RTs for every possible salt value ... if you have an ice age or two to wait.
Parent
Re: (Score:3, Informative)
Using salts with hashes obsoleted rainbow tables years ago (if you know what you're doing).
There, corrected it for you.
Re:Salts? (Score:5, Insightful)
The site host/cracked NTLM LM MD5
NTLM is still used in the following situations:
* The client is authenticating to a server using an IP address.
* The client is authenticating to a server that belongs to a different Active Directory forest, or doesn't belong to a domain.
* No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
* Where a firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few)
So kids getting their teeth wet on home networks, which probably explains why its not being supported. MD5 is still used by applications that arn't quite sure what they are doing/can't do much more e.g grub, im clients, etc.
Lookup tables are still useful in cracking WPA [renderlab.net]
Parent
Re: (Score:2)
Just because better security exists does not mean that people use it.
I use a properly secure passphrase on my credit card's website, but on accounts that aren't as critical (Slashdot), I use a simpler password.
P.S.: It's "hunter2".
Re:Salts? (Score:5, Informative)
I thought the prevelance of using salts with hashes obsoleted rainbow tables years ago.
True. Correctly salting your password hashes will make rainbow tables useless.
But ... Guess which system still doesn't salt passwords? Windows!
Parent
Re: (Score:2)
IIRC up to XP (which is still the most common version in buisnesses afaict) windows was still generating relatively weak lm hashes by default.
Only MD5/LM/NTLM? (Score:5, Informative)
I was expecting more tables than just MD5 and two types of Windows passwords. You can already download the Ophcrack DVD to do Windows passwords with rainbow tables.
Renderlab offer wifi WPA rainbow tables: http://www.renderlab.net/projects/WPA-tables/ [renderlab.net] . I hope whoever takes over takes note of projects like that, and tries to expand the range of tables available.
why Rainbow Tables when there is KonBoot? (Score:5, Interesting)
Re: (Score:3, Informative)
I can't imagine that a tool like this would allow you to authenticate to the domain controller. Cracking the hash cached on the local system would.
Unless windows is so insecure that the domain controller just takes the local workstation's word that you successfully logged in. I can't imagine such a design lasting this long. If it did you could get the machine's key off the local hard drive and then authenticate as anybody over the network.
Re: (Score:2, Informative)
Re: (Score:2)
Yep. As far as I understand it, Kon-Boot will only allow you to gain root to any computer to which you have *physical* access. So no domain controllers
Re: (Score:2)
Does the local machine actually cache the network credentials between sessions? I thought that it only kept a hash so that it could verify that a password is valid, but that unless the password itself were supplied it couldn't log into the domain controller.
If it did cache the actual credentials, then why would we need to crack hashes in the first place? Why not just use the stored credential?
Re: (Score:3, Informative)
Granted, EFS (Encrypted File System - the "encrypt" option on NTFS) isn't the greatest, but it's there, it's included with Windows (and thus, perceived as "free as in beer"), and people use it.
Kon-Boot will grant you access to the account, but not to anything that the user encrypted using EFS. I have just tested this today to be sure before posting.
That is one reason why people would want to know the current password rather than just bypass the password, though Kon-Boot certainly still has its uses.
Re: (Score:2)
Whoops (Score:5, Insightful)
Slashdotting the site really isn't helping to keep it online.
rainbow table? (Score:3, Informative)
Re: (Score:2)
Re:OMG is that annoying... (Score:5, Insightful)
News for Nerds.
Parent
Re: (Score:2, Funny)
Re: (Score:2)
Ok, there must be another meaning besides the literal translation.
Re: (Score:2)
3.14 [youtube.com] from Cowboy Beebop, the movie. Ed doing what Ed does best, being odd and cute.
Re: (Score:2, Informative)
.
Re: (Score:2)
Or copied from the only shitty lyrics site I could find that didn't have malware shit going on or a lame javascript protecting the lyrics they ripped off someone else. ^_^
Attribute all errors to the editor, not the author.
Re: (Score:2)
Uuum, every tried the option under "settings -> content -> extended..." in Firefox? Disable the right-click menu-hiding functionality, and you're good.
Oh, and Firebug always helps, when nothing else does.
Re: (Score:2)
Was at work, with IE 6. Even without javascript it was a pain.
Re:OMG is that annoying... (Score:4, Insightful)
Because slashdot used to be a site for geeks, however recently anytime somebody uses a simple TLA/ETLA people start bitching that they don't know what it meant and they are too lazy to google and/or wikipeida it, so instead you get a stupid thread full of people who have !RTFA commenting on a subject that is of no interest to them, if it was they would have understood the TLA in TFS, this really annoys the few geeks that actually RTFA as it dilutes the comments. As a TFS contains redundant information to prevent people going "what are rainbow tables?", lets be honest if you're the kind of geek that has ever done any 'cracking' you knew what it mean, if you're not then you don't care.
p.s irony of this post not lost on me!
Parent
Re:OMG is that annoying... (Score:5, Insightful)
Let's be honest, I'm a kind of geek that has done cracking, but I don't devote my life to it. I've never heard the term "rainbow table" applied to the lists of precomputed hashes, so it was nice to have a simple hint that said "precomputed hashes", and I do care.
Parent
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
People start bitching because it's a knee-jerk reaction at this point. We're trying to convince people that it takes less time for them to type 2-3 words explaining it than for thousands of people to Google it and figure out which of the many results are applicable based on context. Would you agree or disagree with this statement?
Also, just because I'm not familiar with it doesn't mean I won't find it interesting. Especially if I'm interested in it, and used them lots before someone invented a new name f
Re: (Score:2)
If it was nothing but precomputed hashes then indeed it would not be very interesting as it is nothing new. However, it's quite a bit different as the lookups are probabilistic, not 1:1 look ups for is the hash there yes/no.
For that matter educating people to learn how to use salts with their hash for storing passwords is no where near complete even among savy geeks.