This feature enables password cracking using the ‘Faster Cryptanalytic time – memory trade off’ method introduced by Philippe Oechslin. This cracking technique uses a set of large tables of pre-calculated encrypted passwords, called Rainbow Tables, to improve the trade-off methods known today and to speed up the recovery of clear text passwords.
It is fully compatible with the well-known software RainbowCrack by Zhu Shuanglei, the first software implementation of the above algorithm, and supports Rainbow Tables for the following hashing/encryption algorithms: LM, FastLM, NTLM, CiscoPIX, MD2, MD4, MD5, SHA-1, SHA-2 (256), SHA-2 (384), SHA-2 (512), MySQL (323), MySQL (SHA1), RIPEMD160.
Rainbow Tables can be generated using the "rtgen.exe" program, included with RainbowCrack, or the Windows "winrtgen" utility available at www.oxid.it.
This cracking technique is pretty fast, but it is useful only against certain kinds of encrypted passwords. In challenge-response authentication protocols, for example, a variable-length array of bytes (the challenge) is encrypted using a key derived from the user's password. The challenge varies at each authentication, so even if the user inputs the same password, the two encrypted hashes are always different. The same thing happens if the encrypted password is generated using a variable "salt", which perturbs the output of the algorithm. To crack a password successfully in these situations you would have to generate different Rainbow Tables for each challenge/salt used, and this is really impractical.
Please note that the majority of modern network protocols already use the challenge-response mechanism so, generally speaking, this attack is not suitable for password hashes captured from the network; by contrast, it is really effective against the straight hashes often used to store encrypted passwords locally.
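The effect of a salt on precomputation, as an added example that is not part of Cain or RainbowCrack: it uses an exhaustive lookup table over a constructed 3-character keyspace as a stand-in for a Rainbow Table, since the dependence on the salt is the same. The `digest`, `build_table` and `demo` names, the MD5-with-prefix-salt construction and the sample password are assumptions made for illustration.

```python
import hashlib
import itertools
import os
import string

# Constructed toy keyspace: every 3-character lowercase/digit string (46,656 values).
ALPHABET = string.ascii_lowercase + string.digits


def digest(password: str, salt: bytes = b"") -> str:
    """Hash as stored: an empty salt models a 'straight' (unsalted) hash."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def build_table(salt: bytes = b"") -> dict:
    """Precompute digest -> password for the whole keyspace under ONE salt."""
    words = ("".join(c) for c in itertools.product(ALPHABET, repeat=3))
    return {digest(w, salt): w for w in words}


def demo() -> dict:
    password = "c1s"                               # constructed sample value
    salt_a, salt_b = os.urandom(8), os.urandom(8)  # random per-user salts
    straight_table = build_table()                 # built once, reused for every hash
    table_for_a = build_table(salt_a)              # only valid for records using salt_a
    return {
        # Straight hashes: two users with the same password store the same value,
        # and the single precomputed table resolves both.
        "straight_equal": digest(password) == digest(password),
        "straight_hit": straight_table.get(digest(password)),
        # Salted hashes: same password, different stored values.
        "salted_equal": digest(password, salt_a) == digest(password, salt_b),
        # The straight table does not resolve a salted record...
        "straight_vs_salted": straight_table.get(digest(password, salt_a)),
        # ...and a table built for salt_a does not transfer to salt_b.
        "table_a_vs_a": table_for_a.get(digest(password, salt_a)),
        "table_a_vs_b": table_for_a.get(digest(password, salt_b)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each distinct salt forces a full rebuild of the table, which is the per-salt cost the paragraph above calls impractical.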
The following image shows the recovery of a Cisco PIX Firewall "enable mode" password using the cryptanalysis attack:
As you can see, the above password (c1sc0pw), encrypted by the PIX using the MD5 algorithm, has been cracked in only 3.25 seconds.
From version 2.9 Cain is also compatible with Ophcrack's RainbowTable format (http://www.objectif-securite.ch/ophcrack/). Ophcrack's tables are more compact than those used by RainbowCrack and they are freely available at the following link: http://lasecwww.epfl.ch/~oechslin/projects/ophcrack.
Cain's cryptanalysis attack can be launched, where possible, using the cracker's list pop up menu as illustrated below:
The program will load all selected hashes into the cracking dialog, according to the type of attack chosen. When using RainbowCrack tables, custom charsets can be loaded from a RainbowCrack-compatible "charsets.txt" file by means of the corresponding dialog button.