ppel123
ppel123

Reputation: 93

Rainbow tables and John the Ripper

I am working on a uni project and I have to present the tool "John the Ripper" and the usage of "Rainbow tables" with it.

I played around with the different modes of "John the Ripper" and searched the concept of the "Rainbow tables".

The problem is that I cannot understand how these two are connected and how, if possible, can I use my own "Rainbow tables" in the decryption of the password hash?

Upvotes: -2

Views: 5184

Answers (1)

Royce Williams
Royce Williams

Reputation: 1639

They solve the same problem, but in opposite directions:

  • Password-cracking software like JtR dynamically performs hashing of large lists of candidate plaintexts until a plaintext is found that produces a hash that matches the target hash. If no candidate plaintext produces a match, then the original plaintext has not been discovered and the hash has not been "cracked".

  • Rainbow tables compare a given hash to a large (but finite) list of precomputed hashes. If a matching hash is not already present in the rainbow table, the plaintext cannot be discovered with that table.

This is the classic "time/memory trade-off" concept. Cracking takes more computation power and time, but less storage. Rainbow tables take less computation power and time, but much more storage (often terabytes in size).

And because modern GPUs can attempt billions of unsalted candidate passwords per second, rainbow tables are only more useful than GPU-based attacks in a very specific and constrained set of circumstances:

  • The length of the password and it composition (whether specific characters are required, etc.) are known in advance, and small enough to be generated in bulk and stored in a rainbow table (often no more than 9 or 10 characters, depending on composition)
  • The password was probably randomly generated (because most non-randomly-generated candidates, of much greater length and complexity, can be attempted on GPU)

So unless you're a pentester with specific knowledge that a high-value password was randomly generated but is also relatively short (which would be rare in practice), rainbow tables are largely outdated.

It also makes no sense to "build a rainbow table" on the fly for a new target because the speed of using a rainbow table is only achievable after it has been built. You can simply run through the equivalent GPU attack faster ... and still have your 4TB of disk space available for something else.

Upvotes: 2

Related Questions