
As part of security testing, I will receive around 150 to 200 Active Directory password hashes from Windows Server 2012 R2 (using NTLM?).

I have found NTLM rainbow tables (1.5 TB total) that cover all passwords of length less than or equal to 8 (full ASCII), length 9 (mixed alphanumeric), and length 10 (lowercase alphanumeric):

http://project-rainbowcrack.com/table.htm

Should I use these tables, or is direct brute-forcing faster, since NTLM is a fast hashing algorithm and I only have around 200 hashes to crack?

I know it depends on hardware, but some insights would be appreciated.

I am not allowed to use online services.

A J

2 Answers


Here is how I would approach this. Given that you will encounter real-life passwords, I would start with a dictionary attack; since NTLM is really fast on modern hardware, you should be able to go through this quickly.

Then, as suggested in the comments by Royce Williams, use rules, combinator and mask attacks. This may take some time to set up but should yield some results.

Brute force is next. According to a hashcat forum post, it is practical to brute-force at least up to 8-character mixed alphanumeric. You can try going above that, but you will find that the keyspace grows exponentially and brute force becomes less practical.

As a last resort, I would go with the rainbow tables. The link you posted has tables for up to 10 characters. The site also has performance data so you can estimate how long it would take to crack the rest of the hashes.

Daniel Szpisjak

If you need to "crack the hashes" you don't have hashes. You almost certainly have NTLM challenges and responses. Rainbow tables are useless against these, as they include random salt.

If you have the hash, there is almost no situation where you can't pass the hash.

markgamache
  • I will get hashes from ntds.dit; those are password hashes, aren't they? – A J Jul 28 '17 at 18:45
  • Oh! They are hashed and encrypted in the DIT. If you got the DIT, it is already game over. You win. Why are you still playing? You just want to know the passwords? – markgamache Jul 28 '17 at 21:52
  • The main goal is to crack hashes and determine password strength, because the company wants to set a password policy. They are interested in how good the passwords are now without any security policy. – A J Jul 29 '17 at 06:47
  • This is the perfect case for the rainbow tables. You have real NTLM hashes. I will say, this is very misguided. Pulling your hashes off the DC and cracking them is very risky and won't tell you anything you and a million studies don't already know. 90% of your users' passwords will be VERY close to as weak as allowed. If you lose the DIT to an attacker it's game over. This sounds like all risk and no reward. – markgamache Jul 30 '17 at 00:15
  • Well, that is not up to me, but I agree with you. I just have to crack hashes. – A J Jul 31 '17 at 14:21