/rainbow

exercises in creating a Rainbow table for CS240

Primary language: Rust

A bad multi-threaded MD5 rainbow table generator and consumer with support for source password lists and JSON storage. Written as a cryptography assignment submission to Nueva School class CS240.

Usage

No binaries are shipped with this program as Rust still lacks the ability to compile universal binaries out of the box, and no cross-compiling resources are available for this project. As such, prospective users must self-compile the binary to be able to run the program.

Begin by using your favorite package manager to install Rust. Ensure that the cargo command is available.

Remember to add the rust-compiled binaries to your load path:

echo 'export PATH="$HOME/.cargo/bin:${PATH}"' >> ~/.zshrc

Then, execute:

cargo install jrainbow

with jrainbow being the package name of the distributed package. This action will fetch the source code of the project along with any dependencies, compile it from source, and link it to your current system’s load path.

Finally, to run the program and see its usage documentation, simply execute:

jrainbow --help

and follow on-screen instructions.

Implementation and Technicalities

The current version of the rainbow table is implemented in Rust 2018, relying mostly on the standard library's storage, serialization, and threading facilities. The md5 and ChaCha implementations are crates from the crates.io index, available here and here.

The rainbow table is implemented in the typical fashion. Of note, however, is the reduction function chosen. The rough algorithm of the reduction function is as follows:

For the i-th reduction function f_i in the reduction function family f: {hash, i} -> {password}, we…

  1. Seed a ChaCha random generator with i
  2. Generate a single unsigned 32-bit integer from the generator
  3. Take that integer mod 30 as the password length (to prevent overly long results)
  4. For each index j in that range, take the j-th character of the original hash's hex digest, add another random value from the same seeded generator, then take (mod 96) + 30 so the result falls within the charset
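The four steps above, written out as a self-contained Rust sketch. This is an added example, not jrainbow's own code: the ChaCha20 block function follows RFC 8439 (checked against its test vector), but the seeding scheme (index i placed in key words 0 and 1, zero nonce, counter starting at 0) and the use of the 32-character hex digest as the indexed string are assumptions about what "seed via i" and "the hash's digest" mean; the rand_chacha crate expands a 64-bit seed differently. The sample digest in main is constructed, not the hash of anything in particular.

```rust
// Added example of the README's reduction-function family f_i (not project code).
// ChaCha20 per RFC 8439; seeding and digest handling are assumptions (see lead-in).

const SIGMA: [u32; 4] = [0x6170_7865, 0x3320_646e, 0x7962_2d32, 0x6b20_6574];

fn quarter_round(s: &mut [u32; 16], a: usize, b: usize, c: usize, d: usize) {
    s[a] = s[a].wrapping_add(s[b]); s[d] ^= s[a]; s[d] = s[d].rotate_left(16);
    s[c] = s[c].wrapping_add(s[d]); s[b] ^= s[c]; s[b] = s[b].rotate_left(12);
    s[a] = s[a].wrapping_add(s[b]); s[d] ^= s[a]; s[d] = s[d].rotate_left(8);
    s[c] = s[c].wrapping_add(s[d]); s[b] ^= s[c]; s[b] = s[b].rotate_left(7);
}

/// One ChaCha20 block (RFC 8439 section 2.3): 20 rounds over the 4x4 word state.
pub fn chacha20_block(key: &[u32; 8], counter: u32, nonce: &[u32; 3]) -> [u32; 16] {
    let mut s = [0u32; 16];
    s[..4].copy_from_slice(&SIGMA);
    s[4..12].copy_from_slice(key);
    s[12] = counter;
    s[13..].copy_from_slice(nonce);
    let input = s;
    for _ in 0..10 {
        // column rounds
        quarter_round(&mut s, 0, 4, 8, 12);
        quarter_round(&mut s, 1, 5, 9, 13);
        quarter_round(&mut s, 2, 6, 10, 14);
        quarter_round(&mut s, 3, 7, 11, 15);
        // diagonal rounds
        quarter_round(&mut s, 0, 5, 10, 15);
        quarter_round(&mut s, 1, 6, 11, 12);
        quarter_round(&mut s, 2, 7, 8, 13);
        quarter_round(&mut s, 3, 4, 9, 14);
    }
    for (out, inp) in s.iter_mut().zip(input.iter()) {
        *out = out.wrapping_add(*inp);
    }
    s
}

/// Deterministic u32 stream drawn from ChaCha20 blocks, keyed only by the index i.
pub struct ChaChaRng {
    key: [u32; 8],
    nonce: [u32; 3],
    counter: u32,
    block: [u32; 16],
    pos: usize,
}

impl ChaChaRng {
    /// Assumption: i fills key words 0 and 1, everything else is zero.
    pub fn seeded(i: u64) -> Self {
        let mut key = [0u32; 8];
        key[0] = i as u32;
        key[1] = (i >> 32) as u32;
        ChaChaRng { key, nonce: [0; 3], counter: 0, block: [0; 16], pos: 16 }
    }

    pub fn next_u32(&mut self) -> u32 {
        if self.pos == 16 {
            self.block = chacha20_block(&self.key, self.counter, &self.nonce);
            self.counter = self.counter.wrapping_add(1);
            self.pos = 0;
        }
        let word = self.block[self.pos];
        self.pos += 1;
        word
    }
}

/// Reduction f_i: maps a 32-character hex MD5 digest to a candidate password,
/// following the README's four steps.
pub fn reduce(hex_digest: &str, i: u64) -> String {
    let digest = hex_digest.as_bytes();
    assert_eq!(digest.len(), 32, "expects a 32-char hex MD5 digest");
    let mut rng = ChaChaRng::seeded(i); // step 1
    let len = (rng.next_u32() % 30) as usize; // steps 2-3: length in 0..=29
    // Caveat: len depends only on i (not on the digest), and len == 0 is possible,
    // which yields an empty candidate; j < 30 < 32 keeps the digest index in range.
    (0..len)
        .map(|j| {
            let mixed = (digest[j] as u32).wrapping_add(rng.next_u32()); // step 4
            // README's charset rule: (mod 96) + 30 gives bytes 30..=125, which
            // includes two control codes; (mod 95) + 32 would cover printable ASCII.
            ((mixed % 96) + 30) as u8 as char
        })
        .collect()
}

fn main() {
    // Constructed sample digest; not the MD5 of any particular input.
    let digest = "0123456789abcdef0123456789abcdef";
    for i in 0..3u64 {
        println!("f_{}({}) = {:?}", i, digest, reduce(digest, i));
    }
}
```

Because the length is drawn before any digest byte is consumed, every hash reduced with the same f_i yields a password of the same length, which is one property to keep in mind when judging how evenly a chain of this family covers the password space.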

Ethical Considerations

Password crackers, since their inception, have demonstrated the feebleness of systems whose security rests on (weak) hash functions. Rainbow tables, while spatially efficient, are by no means an effective or efficient password cracking solution compared to more modern approaches.

Furthermore, inserting long, arbitrary salts into hashed passwords would prevent password-list based rainbow tables from working effectively, since the password chains generated by the table would have to be much longer.

However, if a rainbow table is leveraged, an unethical attacker could gain unauthorized access to third-party and/or privileged resources without the necessary permissions. Such actors would be able to export users' private data, act as or mimic legitimate sources, or even seek to gain control of resources (monetary and intellectual) without the proprietor's knowledge.

As passwords, once cracked, could be reused elsewhere, it is important to apply salts throughout all password storage systems in order to protect users who recycle passwords across systems.