RainbowCrack is a password recovery and cryptanalysis tool that uses rainbow tables—pre-computed lookup tables of password hashes—to rapidly crack password hashes. It’s significantly faster than brute-force approaches for dictionary-based attacks and works with multiple hash algorithms including MD5, SHA1, NTLM, and others. Used by security professionals for authorized password audits and penetration testing.
- Rainbow Table Lookup: Ultra-fast hash cracking using pre-computed tables
- Multi-Algorithm Support: MD5, SHA1, NTLM, SHA256, SHA512, and more
- GPU Acceleration: CUDA and OpenCL support for parallel processing
- Time-Memory Tradeoff: Balance between speed and storage
- Rainbow Table Generation: Create custom tables for specific charsets
- Batch Processing: Crack multiple hashes efficiently
- Distributed Cracking: Network-based rainbow table sharing
- Cross-Platform: Windows, Linux, macOS support
- Hash Validation: Verify hash integrity before processing
```bash
# Linux dependencies
sudo apt-get install libssl-dev
# macOS
brew install openssl
# Windows
# Download from official site or use WSL

# Download from official repository
wget https://project-rainbowcrack.com/rainbowcrack-linux-1.8.tar.gz
# Extract
tar xzf rainbowcrack-linux-1.8.tar.gz
cd rainbowcrack-1.8
# Make executable
chmod +x rcrack*
chmod +x rt_gen*

# Clone repository
git clone https://github.com/zerbeus/RainbowCrack
cd RainbowCrack
# Build
make
# Verify
./rcrack --version

# Pull pre-built image
docker pull rainbowcrack:latest
# Run in container
docker run -it rainbowcrack /bin/bash

# Check version
./rcrack --version
# List supported algorithms
./rcrack --help
```
Rainbow tables are pre-computed hash-to-password lookup tables:
```text
Password      Hash (MD5)
password  --> 5f4dcc3b5aa765d61d8327deb882cf99
123       --> 202cb962ac59075b964b07152d234b70
admin     --> 21232f297a57a5a743894a0e4a801fc3
letmein   --> 0d107d09f5bbe40cade3de5c71e9e9b7
```
RainbowCrack implements a compromise between computation time and memory:
```text
┌─────────────────────────────────────┐
│ Computation Time vs Storage Trade   │
├─────────────────────────────────────┤
│ Large tables: Fast lookup (seconds) │
│ Medium tables: Moderate (minutes)   │
│ Small tables: Slow (hours)          │
│ No tables: Brute force (days)       │
└─────────────────────────────────────┘
```
| Algorithm | Hash Size | Charset | Common Use |
|---|---|---|---|
| MD5 | 128-bit | ASCII | Legacy web apps |
| SHA1 | 160-bit | ASCII | Git, legacy systems |
| NTLM | 128-bit | Unicode | Windows passwords |
| SHA256 | 256-bit | ASCII | Modern systems |
| MD4 | 128-bit | Unicode | NetNTLMv2 |
| LM | 56-bit | ASCII | Very old Windows |
```bash
# Simple hash cracking
./rcrack *.rt -h 5f4dcc3b5aa765d61d8327deb882cf99
# Crack multiple hashes from file
./rcrack *.rt -f hashes.txt
# Specify output file
./rcrack *.rt -f hashes.txt -o results.txt
# Verbose output
./rcrack *.rt -h 5f4dcc3b5aa765d61d8327deb882cf99 -v

# Successful cracking output:
# Hash                              Algorithm  Plain Text  Charset      Time
# 5f4dcc3b5aa765d61d8327deb882cf99  MD5        password    alpha,digit  0.156s
# 202cb962ac59075b964b07152d234b70  MD5        123         digit        0.234s
```
| Option | Description | Example |
|---|---|---|
| `-h HASH` | Crack single hash | `rcrack *.rt -h abc123...` |
| `-f FILE` | Crack hashes from file | `rcrack *.rt -f hashes.txt` |
| `-o FILE` | Output results to file | `rcrack *.rt -f in.txt -o out.txt` |
| `-v` | Verbose output | `rcrack *.rt -h hash -v` |
| `-l` | List available tables | `rcrack -l` |
| `*.rt` | Rainbow table files | `rcrack table1.rt table2.rt` |
| `-t NUM` | Thread count | `rcrack *.rt -h hash -t 8` |
| `-g` | GPU acceleration | `rcrack *.rt -h hash -g` |
```bash
# Basic table generation
./rt_gen md5 loweralpha 1 7 0 100 100 0
# Syntax: rt_gen <algorithm> <charset> <plaintext_len_min> <plaintext_len_max>
#                <table_index> <chain_length> <chain_count> <part_index>
```
- Algorithm: md5, sha1, ntlm, sha256, sha512, lm, md4
- Charset: loweralpha, uppercase, digit, loweralpha-digit, loweralpha-uppercase, loweralpha-uppercase-digit, loweralpha-digit-special, etc.
- Length Min: Minimum password length
- Length Max: Maximum password length
- Table Index: Rainbow table index number
- Chain Length: Length of reduction chains
- Chain Count: Number of chains to generate
- Part Index: Table partition number
```bash
# MD5 lowercase alphabet 1-7 chars, 100M chains
./rt_gen md5 loweralpha 1 7 0 100000000 100000000 0
# NTLM 8-8 chars mixed case, 1B chains
./rt_gen ntlm loweralpha-uppercase-digit 8 8 0 1000000000 1000000000 0
# SHA256 6-6 digits only (small table)
./rt_gen sha256 digit 6 6 0 100000000 100000000 0
# Multiple partitions (parallel generation)
./rt_gen md5 loweralpha 1 7 0 100000000 100000000 0
./rt_gen md5 loweralpha 1 7 0 100000000 100000000 1
./rt_gen md5 loweralpha 1 7 0 100000000 100000000 2
```
```bash
# Create hashes file
cat > hashes.txt << 'EOF'
5f4dcc3b5aa765d61d8327deb882cf99
202cb962ac59075b964b07152d234b70
21232f297a57a5a743894a0e4a801fc3
EOF
# Crack with rainbow tables (assumes tables downloaded) and write results to a file
./rcrack md5_*.rt -f hashes.txt -o results.txt
# Check results
cat results.txt

# Extract NTLM hashes from Windows
# Example: from SAM database or captured ntlmv2 hashes
cat > ntlm_hashes.txt << 'EOF'
c23413a8a1e7665faad3b435b51404ee
5f4dcc3b5aa765d61d8327deb882cf99
EOF
# Crack NTLM
./rcrack ntlm_*.rt -f ntlm_hashes.txt -v
```
```bash
#!/bin/bash
# Process multiple hash files
for hashfile in /path/to/hashes/*.txt; do
    echo "Processing $hashfile..."
    output="${hashfile%.txt}_cracked.txt"
    ./rcrack /path/to/tables/*.rt -f "$hashfile" -o "$output"
    # Count successful cracks (grep -c already prints 0 when nothing matches)
    cracked=$(grep -c "cracked" "$output" 2>/dev/null)
    cracked=${cracked:-0}   # empty only when the output file is missing
    total=$(wc -l < "$hashfile")
    echo "Cracked $cracked/$total passwords"
    echo "---"
done
```
```bash
#!/bin/bash
# Generate small table for testing
echo "Generating rainbow table..."
./rt_gen md5 digit 4 4 0 100000 100000 0
# Create test hash (MD5 of "1234")
TEST_HASH="81dc9bdb52d04dc20036dbd8313ed055"
# Crack
echo "Testing crack with generated table..."
./rcrack md5_*.rt -h "$TEST_HASH"
# Verify result
echo "Expected: 1234"
```
```bash
# Check GPU support
./rcrack -g
# Crack with GPU acceleration
./rcrack -f hashes.txt -g -t 8
# Monitor GPU usage (refresh every second)
watch -n 1 nvidia-smi
```
```bash
# Tables available from:
# - Project Rainbow Crack official site
# - Free Rainbow tables repositories
# - Academic resources
# Example download (MD5 lowercase 1-7)
wget http://example.com/md5_loweralpha_1-7_0.rt
# Extract if compressed
tar xzf tables.tar.gz
# Organize
mkdir -p ./tables/md5
mv md5_*.rt ./tables/md5/
```
```text
rainbow_tables/
├── md5/
│   ├── md5_loweralpha_1-7_*.rt
│   ├── md5_loweralpha_digit_1-8_*.rt
│   └── md5_loweralpha-uppercase_1-8_*.rt
├── sha1/
│   ├── sha1_loweralpha_1-7_*.rt
│   └── sha1_digit_1-6_*.rt
├── ntlm/
│   └── ntlm_*.rt
└── sha256/
    └── sha256_*.rt
```
```bash
# Check table file size
ls -lah *.rt
# Estimate lookup performance
# Smaller chains = faster but less accurate
# Larger chains = slower but better coverage
# File size formula: chains × chain_length × hash_size
# Lookup time: milliseconds to seconds typically

# Use only necessary tables
./rcrack /path/to/tables/md5_lowercase*.rt -f hashes.txt
# Sort tables by usage frequency
# Try most comprehensive tables first
# Monitor memory usage (comma-separated PID list in case several rcrack processes run)
top -p "$(pgrep -d, -f rcrack)"
```
```bash
#!/bin/bash
# Distribute hashes across processors
split -n l/4 hashes.txt hash_split_
# Process in parallel
for file in hash_split_*; do
    ./rcrack *.rt -f "$file" -o "${file}_results.txt" &
done
wait
# Combine results
cat hash_split_*_results.txt > combined_results.txt
```
```bash
# Measure performance
time ./rcrack *.rt -f test_hashes.txt
# Expected speeds:
# - Small tables (10GB): seconds
# - Medium tables (100GB): minutes
# - Large tables (500GB+): hours
```
```bash
# Using impacket (offline parsing of saved SAM and SYSTEM hive files)
python3 secretsdump.py -sam SAM -system SYSTEM local
# Output: NTLM hashes
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863448ca45ef6e9fbac68f37e73:::

# Extract hashes (requires root)
cat /etc/shadow | cut -d: -f1,2 | grep -v '!' | grep -v '*'
# Convert to hashcat/rainbowcrack format
cut -d: -f2 /etc/shadow | grep '\$' > hashes.txt

# MySQL
mysql -u user -p database -e "SELECT password FROM users;" > mysql_hashes.txt
# PostgreSQL
psql -U user -d database -c "SELECT password FROM users;" > pg_hashes.txt

# Network capture (Wireshark)
# Filter: http.request.method == "POST"
# Extract HTTP Basic Auth or form submissions
# Burp Suite export
# Right-click request → Copy to file
# Extract Authorization headers
```
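For an authorized audit, the first thing to establish about values collected as above is which ones are unsalted digests that a precomputed table can match at all. The triage below is an added example, not part of the original page or of the RainbowCrack project; the function names and the prefix list are assumptions for illustration, and the sample input is constructed apart from the two values quoted from this page.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
# Bare hex digests carry no salt; length is the only hint of the algorithm.
RAW_HEX = {32: "MD5/NTLM/MD4/LM", 40: "SHA1", 64: "SHA256", 128: "SHA512"}
# Modular-crypt style prefixes embed a per-record salt.
SALTED = {"$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$argon2": "argon2",
          "$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt", "$y$": "yescrypt"}
PWDUMP = re.compile(r"^[^:]+:\d+:([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def classify(record):
    """Return (scheme, exposed); exposed=True means an unsalted digest that a
    precomputed table can match, None means the format was not recognised."""
    record = record.strip()
    m = PWDUMP.match(record)
    if m:  # user:rid:LM:NT::: as printed by secretsdump
        lm_in_use = m.group(1).lower() != EMPTY_LM
        return ("LM+NTLM" if lm_in_use else "NTLM"), True
    for prefix, scheme in SALTED.items():
        if record.startswith(prefix):
            return scheme, False
    if re.fullmatch(r"[0-9a-fA-F]+", record) and len(record) in RAW_HEX:
        return RAW_HEX[len(record)], True
    return "unknown", None

def audit(records):
    """Group 1-based record numbers by exposure so migrations can be prioritised."""
    report = {"exposed": [], "salted": [], "unknown": []}
    for number, record in enumerate(records, start=1):
        scheme, exposed = classify(record)
        bucket = "unknown" if exposed is None else "exposed" if exposed else "salted"
        report[bucket].append((number, scheme))
    return report

# Constructed sample input; the first two values are quoted from this page,
# the rest are format-shaped placeholders, not real hashes.
SAMPLE = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863448ca45ef6e9fbac68f37e73:::",
    "$2b$12$" + "A" * 53,
    "$6$constructedsalt$" + "B" * 86,
    "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
    "not-a-hash",
]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE).items():
        print(bucket, items)
```

A `salted` result only rules out precomputed tables; md5crypt and low-cost settings still warrant migration on brute-force grounds.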
```bash
# Verify table location
ls -la *.rt
# Check table integrity
file *.rt
# Verify correct algorithm
# Table filename must match hash algorithm
# Verify hash format
echo "hash: 5f4dcc3b5aa765d61d8327deb882cf99"

# Hash not in table coverage
# - Password too long for table
# - Password uses unsupported character set
# - Table doesn't cover this hash algorithm
# Solution: Generate custom table or use brute-force
./rt_gen md5 loweralpha-special 1 10 0 100000000 100000000 0
```
```bash
# Load fewer tables at once
./rcrack table1.rt -f hashes.txt
./rcrack table2.rt -f uncracked.txt
# Monitor RAM
free -h
# Use smaller tables
ls -lh *.rt | sort -k5 -h | head -10

# Check CPU usage (comma-separated PID list in case several rcrack processes run)
top -p "$(pgrep -d, rcrack)"
# Use appropriate table size
# Too small = multiple passes
# Too large = I/O bottleneck
# Enable GPU if available
./rcrack *.rt -g
# Use SSD for table storage (faster I/O)
```
```bash
# Combine multiple table sets
cat rainbow_table_part1.rt rainbow_table_part2.rt > merged.rt
# Reindex after merge
./rcrack_utils --rebuild merged.rt

# Setup network sharing
# NFS or Samba for table distribution
# Each node processes subset
./rcrack /mnt/shared_tables/*.rt -f node1_hashes.txt &
./rcrack /mnt/shared_tables/*.rt -f node2_hashes.txt &
# Combine results after processing

# Create custom charset for known patterns
# Example: Passwords with month+year
# Define in generation
./rt_gen md5 custom_charset 6 8 0 100000000 100000000 0
# Where custom_charset = digits + specific characters
```
| Tool | Method | Speed | Accuracy | Setup |
|---|---|---|---|---|
| RainbowCrack | Tables | Ultra-fast | Dictionary | High |
| Hashcat | GPU brute-force | Fast | Complete | Medium |
| John the Ripper | Hybrid | Moderate | Good | Low |
| Hydra | Online | Slow | Good | Low |
| Crunch | Brute-force | Slow | Complete | Low |
- Testing: Only crack hashes from systems you own or have written permission to test
- Incident Response: Use during authorized incident investigations
- Security Audits: Employ in contracted security assessments
- Research: Academic and security research with proper authorization
Example Authorization Documentation:
```text
─────────────────────────────────
Scope: Password audit of legacy system
Target: Windows Server 2012 SAM database
Authorization: Email from IT Director (2024-01-15)
Duration: 2024-01-15 to 2024-01-30
Tester: Security Team
Purpose: Compliance verification
```
- Report cracked credentials securely
- Document findings with risk assessment
- Provide remediation recommendations
- Maintain confidentiality of results
- Use Salt: Add random salt to passwords before hashing
- Use Strong KDF: PBKDF2, bcrypt, scrypt, argon2
- Key Stretching: Increase iteration count
- Strong Passwords: Enforce length and complexity
- Hash Modern Algorithms: SHA-256 with salt (minimum)
```python
# Python example: Proper password hashing
import bcrypt

password = "user_password".encode('utf-8')
salt = bcrypt.gensalt(rounds=12)
hashed = bcrypt.hashpw(password, salt)
# Result cannot be cracked via rainbow tables
# Each hash unique due to per-password salt
```
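Why a per-password salt removes the benefit of precomputation, as an added example that is not part of the original page: a table built for one salt matches only records that share that salt, so the work cannot be reused across accounts. It uses the standard library's PBKDF2 instead of bcrypt so it runs without extra packages; the function names, the word list and the iteration counts are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune per hardware

def derive(password, salt, iterations=ITERATIONS):
    """Stretch the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def enroll(password, iterations=ITERATIONS):
    """Create a stored record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": derive(password, salt, iterations)}

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def build_table(candidates, salt, iterations):
    """Precompute digest -> plaintext for ONE salt value; this is the work
    a precomputed table amortises when every record shares the same salt."""
    return {derive(c, salt, iterations): c for c in candidates}

def lookup(record, table):
    """Return the plaintext if the record's digest is in the table, else None."""
    return table.get(record["digest"])

def demo(iterations=1_000):  # low count only to keep the demonstration quick
    candidates = ["password", "admin", "letmein", "1234"]  # constructed word list
    alice = enroll("password", iterations)
    bob = enroll("password", iterations)  # same password, different salt
    table_for_alice = build_table(candidates, alice["salt"], iterations)
    return {
        "same_password_same_digest": alice["digest"] == bob["digest"],
        "alice_hit": lookup(alice, table_for_alice),
        "bob_hit": lookup(bob, table_for_alice),
        "bob_verifies": verify("password", bob),
    }

if __name__ == "__main__":
    print(demo())
```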
| Hash Type | Table Size | Avg Lookup Time | Coverage |
|---|---|---|---|
| MD5 6-char | 10GB | <1 second | 99%+ |
| MD5 8-char | 500GB | 10-30 sec | 90%+ |
| SHA-256 6 | 100GB | 5-15 sec | 95%+ |
| NTLM 8-char | 600GB | 30-60 sec | 85%+ |
- Official Site: http://project-rainbowcrack.com/
- Table Downloads: Various free and paid repositories
- Documentation: Official manual and guides
- Community: Forums and GitHub discussions
- Academic: Research papers on time-memory tradeoffs
| Version | Release | Key Features |
|---|---|---|
| 1.8 | 2024 | GPU support, SHA256/512 |
| 1.7 | 2022 | Performance optimization |
| 1.6 | 2020 | Cross-platform improvements |
| 1.5 | 2018 | Large table support |