
1) Rainbow tables general

1.1) What are rainbow tables used for?
Rainbow tables are used to find the original plaintext for a hashed password. The password can be hashed using different hash routines, of which the most common are MD5, LM and NTLM.

1.2) Why use rainbow tables?
With rainbow tables, you spend some time to precompute the hashes and store specific data in a file. This file is later used to speed up the cracking process. That's the time-memory tradeoff of rainbow tables.

1.3) Time-memory tradeoff?
Cracking password hashes with brute-force methods takes longer, but it doesn't require much memory and requires no disk space. Rainbow tables require time to generate, take up disk space and use more memory in the cracking process, but they crack the hash much faster.

2) Freerainbowtables.com

2.1) What is freerainbowtables.com?
freerainbowtables.com is a project dedicated to generating these rainbow tables and distributing them for free (hence the name).
Using a distributed approach, we have hundreds of clients helping us to generate rainbow tables. This makes it faster to generate better and larger rainbow tables.

2.2) What services does freerainbowtables.com provide?
Everyone can download all of the tables we have, free of charge. If you want all of them, they can consume a lot of disk space.
That is the reason we also provide an online cracker (which, again, is free).
Create a user account at freerainbowtables.com and submit your hashes (remember to select the correct hash routine). They should be processed within minutes.
To prevent misuse, we have to limit the number of hashes you can queue in our online cracker to 10 hashes / day.
If you want to be able to process more hashes, you either have to download the tables yourself, contribute to the project by downloading and running the client, or give a donation to keep the project running.

2.2.2) How does the online cracker work?
The hashes queued for cracking are distributed to the connected clients. The clients preprocess the hashes so that they can be looked up in the rainbow tables. The clients' results are received by the server, which performs the lookups in the rainbow tables.
The matching chains are then distributed to the clients for further processing. If there is a hit, the client reports it to the server, which verifies the result. By using this distributed approach we can process thousands of hashes every hour.

2.2.3) In my hashlist, the hash is shown as "not cracked". What does that mean?
That means the server has scanned through all of the rainbow tables and didn't find a result. When more tables become available, the hash will be scanned against these new tables. So you do NOT need to resubmit a hash at a later time.

3) DistrRTgen

3.1) What is the DistrRTgen application used for?
DistrRTgen is a DISTRibuted RainbowTable GENerator. It's what makes it possible for us to generate huge rainbow tables and release them for free.
When installed and logged in, it retrieves a few pieces of work and starts crunching on them. The result is sent back to the server. All the pieces are then combined on the server into the rainbow tables we make available on the website.

3.2) Why should I run DistrRTgen?
By installing and running DistrRTgen, you help us to make even better (larger) rainbow tables which we can provide for FREE on our site. You will also be rewarded accordingly with cracking credits, which can be used if you want to test the security of your own hashes.

4) Rainbow tables in depth

4.1) Why do rainbow tables have these weird names?
The name is used to describe the abilities of the rainbow table.
Let's take an example name: md5_loweralpha-numeric-symbol32-space#1-7_0_10000x67108864_file01.rt
The first part of the name, md5, is the hash routine used to generate the rainbow table. In this case it's md5. This means it can only be used to crack md5-hashed passwords.
The next part, loweralpha-numeric-symbol32-space, is the character set used. These are the characters that have been used to generate the tables. A quick look in charset.txt shows us it's the following characters: [abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]. The rainbow table can only crack hashes of passwords made up of the characters used in the generation process. In this case, if the password is "pasS", it can NOT be cracked by this rainbow table because of the uppercase letter. For that password, you need a table with the mixalpha charset.
The third part, #1-7, means it can crack passwords with length 1-7 only. In this case, "password" cannot be cracked because it's 8 characters long.
The fourth part, _0_, is an identifier of the table. In this case it's table 0. (More about this later: see section 4.11 for an explanation of table index.)
The fifth part, 10000, is the chain length of the table. See section 4.11 for an explanation of chain length.
The sixth part, 67108864, is the number of chains the table contains. Together with the chain length, it tells how many plaintext passwords the table will contain in theory. In this case 10000x67108864 = 671088640000 (671.08864 billion). However, there will be duplicate plaintexts in the table, so don't rely too much on it.
The seventh part, file01, is a file descriptor. It's the only part of the filename that can be changed to whatever you like.

4.2) So what do the filenames used on freerainbowtables.com mean?
We improved the rainbow tables and added a bunch of new features. Let's take an example: md5_hybrid(loweralpha#7-7,numeric#1-3)#0-0_1_13000x67108864_distrrtgen[p][i]_00.rt
The new part here is: hybrid(loweralpha#7-7,numeric#1-3). This means it's a hybrid table and is, so far, only compatible with rcracki. Research into real-world cases shows that a lot of passwords end in one or more digits, just like password123. This hybrid table is able to crack passwords that start with 7 characters from a-z and end in 1-3 digits. An example of this is a password like "rainbow123".
For the file descriptor, we use distrrtgen to advertise that it's generated using our distributed clients, and [p] means it's perfected (see section 4.9). [i] means it's indexed to reduce the file size and speed up lookups (see section 4.10).

4.3) What is the "keyspace"?
The keyspace is the number of words needed to cover a given character set with the specific password length. For a rainbow table with the character set loweralpha-numeric and the password length 1-7 the math is 36^1 + 36^2 + 36^3 + 36^4 + 36^5 + 36^6 + 36^7 = 80603140212 (80.6 billion words). 36 is the number of characters in the character set: a-z = 26 characters and 0-9 = 10 characters.
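The naming scheme from section 4.1 and the keyspace math from section 4.3, combined in an added example (not code from freerainbowtables.com or rcracki). It parses only the classic name format, the CHARSETS dictionary holds just the two character sets quoted on this page, and all function and class names are made up for illustration. The covers() check answers the practical question of whether a given password falls inside a table's character set and length range.

```python
import re
from dataclasses import dataclass

# Only the character sets quoted on this page; a real charset.txt defines more.
CHARSETS = {
    "loweralpha-numeric": "abcdefghijklmnopqrstuvwxyz0123456789",
    "loweralpha-numeric-symbol32-space":
        "abcdefghijklmnopqrstuvwxyz0123456789"
        "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}

# hash _ charset # min-max _ tableindex _ chainlength x chaincount _ descriptor .rt
NAME_RE = re.compile(
    r"^(?P<hash>[A-Za-z0-9]+)_(?P<charset>[^#_]+)#(?P<min>\d+)-(?P<max>\d+)"
    r"_(?P<index>\d+)_(?P<chain_len>\d+)x(?P<chain_count>\d+)_(?P<desc>.+)\.rt$"
)

@dataclass
class TableName:
    hash_routine: str
    charset: str
    min_len: int
    max_len: int
    table_index: int
    chain_len: int
    chain_count: int
    descriptor: str

    def keyspace(self):
        # Section 4.3: sum of charset_size^length over every allowed length.
        n = len(CHARSETS[self.charset])
        return sum(n ** k for k in range(self.min_len, self.max_len + 1))

    def theoretical_plaintexts(self):
        # Section 4.1: chain length x chain count (duplicates not subtracted).
        return self.chain_len * self.chain_count

    def covers(self, password):
        # A table can only contain passwords inside its charset and length range.
        return (self.min_len <= len(password) <= self.max_len
                and set(password) <= set(CHARSETS[self.charset]))

def parse_table_name(filename):
    m = NAME_RE.match(filename)
    if m is None:  # e.g. the hybrid(...) names from section 4.2
        raise ValueError(f"not a classic rainbow table name: {filename!r}")
    g = m.groupdict()
    return TableName(g["hash"], g["charset"], int(g["min"]), int(g["max"]),
                     int(g["index"]), int(g["chain_len"]),
                     int(g["chain_count"]), g["desc"])
```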

4.4) What is the "success rate" of rainbow tables?
It is a way to measure the probability that a given hash which fits within the character set and password length of the table will be found in the rainbow table. It's calculated based on the keyspace, chain length and the number of rainbow chains. Normally the aim is to get a success rate of 99.9%.

4.5) What is a rainbow chain?
Rainbow chains are the spine of rainbow tables. Each table contains millions of rainbow chains.
A rainbow chain is basically two 64-bit integers. The first integer is the starting point, and the last integer is the ending point. No matter how long the chain is (chain length), the size is always the same: 16 bytes.

4.6) How is a rainbow chain generated?
As a start, the machine generates a random 64-bit number to be used as a seed for the chain. This number is then reduced to fit within the keyspace (see section 4.3 for an explanation of keyspace). The resulting number is the starting point of the chain, and is stored in the table. Using a special function (called IndexToPlain), the starting point is mapped to a plaintext password. This plaintext password is hashed using the hash routine specified (MD5, NTLM, LM etc.); this step is called PlainToHash.
The resulting hash is then processed by a reduction function that converts the hash to a 64-bit integer which fits within the keyspace (called HashToIndex).

This process is repeated L times, where the resulting 64-bit integer from HashToIndex() is used as the seed in the IndexToPlain function. L is the chain length of the table. The result of the last HashToIndex is the ending point of the chain.

4.7) What is a rainbow table then?
A rainbow table is simply a collection of rainbow chains. Stored within these chains are many plaintexts, one of which might be the plaintext of your target hash.

4.8) How are these numbers (rainbow chains) used to recover passwords?
When a hash is requested to be cracked, the cracker uses the HashToIndex() function to convert the hash into a 64-bit integer. It then has to generate a 64-bit index for each position, P, in the chain. This results in L indices, where L is the chain length of the table.
It then performs a search for each of these indices in the table. If any of the endpoints in the table matches an index number, there may be a hit. To find out if it got a hit, it has to regenerate that chain. Using the starting point as the seed, it regenerates the chain to the current position P. The resulting index number is converted to a plaintext using IndexToPlain. To verify we got a hit, it uses PlainToHash and compares the two hashes. If they match, we recovered the password and the cracking stops. If they do not match, it was a false alarm and we have to try the next match.
When all endpoints have been searched for, the process is complete.
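Sections 4.6 and 4.8 as a runnable toy, added here as an example and not taken from rcracki or DistrRTgen. The keyspace (a-z, length 1-3), the chain length of 40, the ordering used by index_to_plain and the exact form of the reduction in hash_to_index are all assumptions chosen for illustration; only the roles of IndexToPlain, PlainToHash and HashToIndex come from the text.

```python
import hashlib
import random

CHARSET = "abcdefghijklmnopqrstuvwxyz"   # constructed toy parameters
MIN_LEN, MAX_LEN, CHAIN_LEN = 1, 3, 40
KEYSPACE = sum(len(CHARSET) ** n for n in range(MIN_LEN, MAX_LEN + 1))

def index_to_plain(index):
    # Assumed mapping: all 1-char plaintexts first, then 2-char, then 3-char.
    for length in range(MIN_LEN, MAX_LEN + 1):
        block = len(CHARSET) ** length
        if index < block:
            chars = []
            for _ in range(length):
                index, r = divmod(index, len(CHARSET))
                chars.append(CHARSET[r])
            return "".join(chars)
        index -= block
    raise ValueError("index outside keyspace")

def plain_to_hash(plain):
    return hashlib.md5(plain.encode()).digest()

def hash_to_index(digest, pos):
    # Assumed reduction: mixing in the position makes each column differ.
    return (int.from_bytes(digest[:8], "little") + pos) % KEYSPACE

def walk(index, start_pos, end_pos):
    # Apply IndexToPlain -> PlainToHash -> HashToIndex for each position.
    for pos in range(start_pos, end_pos):
        index = hash_to_index(plain_to_hash(index_to_plain(index)), pos)
    return index

def build_table(chain_count, seed=0):
    rng, table = random.Random(seed), {}  # endpoint -> list of start points
    for _ in range(chain_count):
        start = rng.getrandbits(64) % KEYSPACE
        table.setdefault(walk(start, 0, CHAIN_LEN), []).append(start)
    return table

def lookup(table, digest):
    for p in range(CHAIN_LEN - 1, -1, -1):      # candidate position P
        end = walk(hash_to_index(digest, p), p + 1, CHAIN_LEN)
        for start in table.get(end, []):        # endpoint match: maybe a hit
            plain = index_to_plain(walk(start, 0, p))
            if plain_to_hash(plain) == digest:  # verify, else false alarm
                return plain
    return None
```

Only the start and end of each chain are stored; every intermediate plaintext is recomputed at lookup time, which is the time-memory tradeoff from section 1.3.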

4.9) Perfected rainbow table you say? What does that mean?
During the process of rainbow table generation the reduction function reduces the start and endpoints to fit within the keyspace. This can cause duplicate and merging chains (See section 4.12 and 4.13 for an explanation of duplicate and merging chains), increasing the file size and slowing down the cracking process.
A perfect rainbow table has NO duplicate or merging chains.

4.10) What's the benefit of indexing a rainbow table?
Indexing tables allows us to put redundant data in a separate file. By doing this, we can reduce the size of rainbow tables by 50%, while still maintaining the full success %. Indexed tables are NOT compatible with older rainbow table programs. If you want to use an indexed table with a program other than rcracki, download rti2rto from our download page and convert the table to the original rainbowcrack format.
NOTE: Hybrid tables are not supported by programs other than rcracki.

4.11) How do I set all the parameters when I want to generate a table?
It can be confusing to find the correct parameters for a table you want to generate. The possible parameters are hash routine, character set, min letters, max letters, table index, chain length and chain count.

The first few parameters are easy to find out.
Hash routine depends on the type of hash you want to crack. If it's an md5 hash, use md5.
Character set tells the rainbow table generator what kind of passwords there should be in the rainbow table. If you choose "loweralpha-numeric" it will contain passwords like "pa12ss". Usually you want a lot of rainbow tables with different character sets.
Min and Max letters are the minimum and maximum length of the plaintexts contained in the table.
The table index is used to create multiple tables with the same character set and password length. If you're generating a table with a small keyspace, there will quickly be a lot of merging and duplicate chains. If you switch table index often you will have fewer duplicate/merging chains (giving a higher success % on a smaller disk space), but the time to crack a hash will rise dramatically.
Chain length is the size of each chain. A higher chain length will require fewer chains (thus less disk space) to reach 99.9% success rate, but the cracking time will increase with the square of the chain length. So cracking time with a chain length of 20000 will take 4 times longer than with chain length 10000.
Chain count is the number of chains you want to generate in the file. The max number of chains in a file is 134217728, which will produce a 2 GB file.
To find out which parameters to use, find a rainbow table calculator and calculate the number of chains per table, number of tables and chain length you need to reach the success % you want. It requires a bit of tweaking to find the balance between disk space used and the time to crack a hash (thus the time-memory tradeoff).

4.12) What is a duplicate chain?
A duplicate chain is when 2 or more chains have the same starting point and ending point. As described in section 4.6, a random number is used as a seed for the chain generation. If the reduction function produces the same number twice in a table, it will become a duplicate chain. Duplicate chains can be safely removed with no impact on success rate.

4.13) What is a merging chain?
A merging chain is where only the endpoints of 2 rainbow chains are the same. It happens if the reduction function produces the same index number at the same position in 2 or more chains. All indexes after this position will be duplicates. These chains are semi-useful, depending on where in the chain the merging occurs. Two chains can produce the same output at different positions in the chain, and they will NOT merge.






