------------------------------------------------
         "Introduction to Rainbow Tables"
------------------------------------------------
  C/O :: arp of DynamicHell Development Team
------------------------------------------------
  http://dynamichell.org | irc.dynamichell.org
------------------------------------------------


Rainbow Tables are a special kind of table (or database) which contains
thousands of passwords and their hash counterparts.  Crackers typically
keep adding entries in the hope of creating a vast table of plain-text
values (normally passwords) with their cipher-text representation
(usually hashes).  It is hoped that by calculating password and hash
combinations in advance, future hash queries will quickly result in a
password hit, thus saving considerable time compared to traditional brute-force
methods--which can themselves take days.  Often this generation and addition
to the tables is also automated.

Rainbow Tables are pre-calculated password/hash records, theoretically
antiquating brute-force, dictionary and permutation-based attacks and
resulting in virtually instantaneous hash/password lookup.

Tables can be created for any conceivable hash algorithm, though 
traditionally--due to their widespread adoption by GNU/Linux and UNIX 
distributors--MD5 Rainbow Tables are most popular.

MD5 (and other) hashes are commonly obtained by the cracker through techniques
such as SQL injection and cookie interception.  Unfortunately many programmers
still use hashing functions without a salt.

There is, however, one main issue that calls the true value of
Rainbow Tables into question:

It has been argued that Rainbow Tables are ineffective against any
hash created with a salt because of the need to maintain completely separate
tables for every possible salt.  It is suggested that Rainbow Tables are only
effective against non-salted hashes.  However, as disk space is becoming ever
cheaper and increasing in size rapidly, it could be argued that maintaining
multiple tables against possible salts is possible, especially as salts
are traditionally quite short.


Example
=======

A typical /etc/shadow entry on GNU/Linux (MD5):

eileen:$1$ZhYANsmY$0456PinTlRW0CToazuDpp1:13182:0:99999:7:::

Plain-text	Salt		Hash
----------	----		----
crackerjack	ZhYANsmY	0456PinTlRW0CToazuDpp1

A Rainbow Table consists of thousands of similar records which can easily be
queried.  All a cracker would need to do is query his table(s) for the
following hash and salt combination: $1$ZhYANsmY$0456PinTlRW0CToazuDpp1 and,
assuming this hash had previously been generated, the table would return
'crackerjack', the plain-text equivalent, instantaneously.
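
Added example (not part of the original article): a Python sketch of the
salt argument above, using the /etc/shadow entry from this section.  The
word list is constructed, the function names are hypothetical, and
MD5(salt + password) is an assumed stand-in for the real MD5-crypt algorithm.

```python
import hashlib

SALT_ALPHABET = 64  # md5-crypt salts use the characters [./0-9A-Za-z]

def parse_shadow(line):
    """Split a shadow line into (user, scheme id, salt, hash)."""
    user, field = line.split(":")[:2]
    parts = field.split("$")          # "$1$salt$hash" -> ["", "1", salt, hash]
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash field")
    return user, parts[1], parts[2], parts[3]

def salt_space(salt):
    """Number of distinct salts of this length, i.e. tables needed to cover all."""
    return SALT_ALPHABET ** len(salt)

def digest(password, salt=""):
    # Simplified stand-in (assumption): MD5(salt + password), NOT real md5-crypt.
    return hashlib.md5((salt + password).encode()).hexdigest()

def build_table(words, salt=""):
    """Precompute hash -> plain-text records for one fixed salt."""
    return {digest(w, salt): w for w in words}

# Constructed sample data; ENTRY is the shadow line shown in this section.
WORDS = ["letmein", "crackerjack", "password1"]
ENTRY = "eileen:$1$ZhYANsmY$0456PinTlRW0CToazuDpp1:13182:0:99999:7:::"

if __name__ == "__main__":
    user, scheme, salt, _ = parse_shadow(ENTRY)
    unsalted = build_table(WORDS)
    # An unsalted hash is found in the precomputed table.
    print("unsalted hit :", unsalted.get(digest("crackerjack")))
    # The same password stored with a salt misses that table entirely.
    print("salted lookup:", unsalted.get(digest("crackerjack", salt)))
    # Only a table built for this exact salt produces a hit.
    print("same salt    :", build_table(WORDS, salt).get(digest("crackerjack", salt)))
    print(f"tables needed for {len(salt)}-char salts: {salt_space(salt):,} (2^48)")
```

With an 8-character salt, covering every salt means one complete table per
salt value, 2^48 tables in all, which is the storage cost the salt
argument above turns on.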



Copyright (c) 2006.  Alastair Poole.

Verbatim copying and distribution of this entire article are permitted
worldwide, without royalty, in any medium, provided this notice, and the
copyright notice, are preserved.
