Rainbow Tables User Guide (1)


AccessData Portable Office Rainbow Tables

User Guide


AccessData Legal and Contact Information

Document date: April 3, 2012

Legal Information

©2012 AccessData Group, LLC All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. AccessData Group, LLC makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, LLC reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, AccessData Group, LLC makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, LLC reserves the right to make changes to any and all parts of AccessData software, at any time, without any obligation to notify any person or entity of such changes. You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

AccessData Group, LLC. 384 South 400 West Suite 200 Lindon, Utah 84042 U.S.A. www.accessdata.com

AccessData Trademarks and Copyright Information

AccessData® is a registered trademark of AccessData Group, LLC.
Distributed Network Attack® is a registered trademark of AccessData Group, LLC.
DNA® is a registered trademark of AccessData Group, LLC.
Forensic Toolkit® is a registered trademark of AccessData Group, LLC.
FTK® is a registered trademark of AccessData Group, LLC.
Password Recovery Toolkit® is a registered trademark of AccessData Group, LLC.
PRTK® is a registered trademark of AccessData Group, LLC.
Registry Viewer® is a registered trademark of AccessData Group, LLC.


A trademark symbol (®, ™, etc.) denotes an AccessData Group, LLC. trademark. With few exceptions, and unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products.

Third party acknowledgements:
FreeBSD® Copyright 1992-2011. The FreeBSD Project.
AFF® and AFFLIB® Copyright © 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.
Copyright © 2005 - 2009 Ayende Rahien

Documentation Conventions

In AccessData documentation, a number of text variations are used to indicate meanings or actions. For example, a greater-than symbol (>) is used to separate actions within a step. Where an entry must be typed in using the keyboard, the variable data is set apart using [variable_data] format. Steps that require the user to click on a button or icon are indicated by Bolded text. This Italic font indicates a label or non-interactive item in the user interface. A trademark symbol (®, ™, etc.) denotes an AccessData Group, LLC. trademark. Unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products.

Registration

The AccessData product registration is done at AccessData after a purchase is made, and before the product is shipped. The licenses are bound to either a USB security device, or a Virtual CmStick, according to your purchase.

Subscriptions

AccessData provides a one-year licensing subscription with all new product purchases. The subscription allows you to access technical support, and to download and install the latest releases for your licensed products during the active license period. Following the initial licensing period, a subscription renewal is required annually for continued support and for updating your products. You can renew your subscriptions through your AccessData Sales Representative. Use LicenseManager to view your current registration information, to check for product updates and to download the latest product versions, where they are available for download. You can also visit our web site, www.accessdata.com anytime to find the latest releases of our products. For more information, see Managing Licenses in your product manual or on the AccessData web site.

AccessData Contact Information

Your AccessData Sales Representative is your main contact with AccessData Group, LLC. Also, listed below are the general AccessData telephone number and mailing address, and telephone numbers for contacting individual departments.


Mailing Address and General Phone Numbers

You can contact AccessData in the following ways:

TABLE 1-1 AD Mailing Address, Hours, and Department Phone Numbers

Corporate Headquarters: AccessData Group, LLC., 384 South 400 West, Suite 200, Lindon, UT 84042 USA. Voice: 801.377.5410. Fax: 801.377.5426
General Corporate Hours: Monday through Friday, 8:00 AM – 5:00 PM (MST). AccessData is closed on US Federal Holidays.
State and Local Law Enforcement Sales: Voice: 800.574.5199, option 1. Fax: 801.765.4370. Email: [email protected]
Federal Sales: Voice: 800.574.5199, option 2. Fax: 801.765.4370. Email: [email protected]
Corporate Sales: Voice: 801.377.5410, option 3. Fax: 801.765.4370. Email: [email protected]
Training: Voice: 801.377.5410, option 6. Fax: 801.765.4370. Email: [email protected]
Accounting: Voice: 801.377.5410, option 4

Technical Support

Free technical support is available on all currently licensed AccessData products. You can contact AccessData Customer and Technical Support in the following ways:

TABLE 1-2 AD Customer & Technical Support Contact Information

Domestic Support (Americas/Asia-Pacific)
Standard Support: Monday through Friday, 5:00 AM – 6:00 PM (MST), except corporate holidays. Voice: 801.377.5410, option 5. Voice: 800.658.5199 (Toll-free North America). Email: [email protected]
After Hours Phone Support: Monday through Friday, 6:00 PM to 1:00 AM (MST), except corporate holidays. Voice: 801.377.5410, option 5
After Hours Email-only Support: Monday through Friday, 1:00 AM to 5:00 AM (MST), except corporate holidays. Email: [email protected]

International Support (Europe/Middle East/Africa)
Standard Support: Monday through Friday, 8:00 AM – 5:00 PM (UK/London), except corporate holidays. Voice: +44 207 160 2017 (United Kingdom). Email: [email protected]
After Hours Support: Monday through Friday, 5:00 PM to 1:00 AM (UK/London), except corporate holidays. Voice: 801.377.5410, option 5*.
After Hours Email-only Support: Monday through Friday, 1:00 AM to 5:00 AM (UK/London), except corporate holidays. Email: [email protected]

Other
Web Site: http://www.AccessData.com/Support The Support web site allows access to Discussion Forums, Downloads, Previous Releases, our Knowledgebase, a way to submit and track your "trouble tickets", and in-depth contact information.

AD Summation
Americas/Asia-Pacific: 800.786.2778 (North America). 415.659.0105. Email: [email protected]
Standard Support: Monday through Friday, 6:00 AM – 6:00 PM (PST), except corporate holidays.
After Hours Support: Monday through Friday by calling 415.659.0105.
After Hours Email-only Support: Between 12 AM and 4 AM (PST), Product Support is available only by email at [email protected].

AD Summation CaseVault
866.278.2858. Email: [email protected]. Monday through Friday, 8:00 AM – 6:00 PM (EST), except corporate holidays.

AD Summation Discovery Cracker
866.833.5377. Email: [email protected]
Support Hours: Monday through Friday, 7:00 AM – 7:00 PM (EST), except corporate holidays.

Note: All support inquiries are typically responded to within one business day. If there is an urgent need for support, contact AccessData by phone during normal business hours.

Documentation

Please email AccessData regarding any typos, inaccuracies, or other problems you find with the documentation: [email protected]

Professional Services

The AccessData Professional Services staff comes with a varied and extensive background in digital investigations including law enforcement, counter-intelligence, and corporate security. Their collective experience in working with both government and commercial entities, as well as in providing expert testimony, enables them to provide a full range of computer forensic and eDiscovery services. At this time, Professional Services provides support for sales, installation, training, and utilization of FTK, FTK Pro, Enterprise, eDiscovery, and Lab. They can help you resolve any questions or problems you may have regarding these products.

Contact Information for Professional Services

Contact AccessData Professional Services in the following ways:

TABLE 1-3 AccessData Professional Services Contact Information

Phone: Washington DC: 410.703.9237. North America: 801.377.5410. North America Toll Free: 800-489-5199, option 7. International: +1.801.377.5410
Email: [email protected]

Table of Contents

AccessData Legal and Contact Information .... 2
    Legal Information .... 2
    AccessData Trademarks and Copyright Information .... 2
    Documentation Conventions .... 3
    Registration .... 3
    Subscriptions .... 3
    AccessData Contact Information .... 3
        Mailing Address and General Phone Numbers .... 4
        Technical Support .... 4
        Documentation .... 5
    Professional Services .... 5
        Contact Information for Professional Services .... 6
Table of Contents .... 7
Chapter 1: Introduction .... 9
    Introduction to AccessData Rainbow Tables .... 9
        Three types of AccessData Hash tables .... 9
        One Type of AccessData Portable Tables .... 9
    How AccessData Hash Tables Work .... 9
        MS Office .... 10
        Adobe PDF .... 10
        Windows LAN Hash (Windows Login Password) .... 10
    System Requirements .... 11
Chapter 2: Installing and Configuring AccessData RainbowTables .... 12
    Installing AccessData Hash Tables .... 12
    Configuring Hardware for Hash Tables .... 12
    Configuring Software for Hash Tables .... 13
        LanRainbow.exe .... 13
        RainbowTables.exe .... 14
    Configuring Hash Tables For PRTK or DNA .... 15
        MS Word and Excel .... 16
        Adobe PDF files .... 16
        LAN Hash files .... 16
    Installing Portable Office Rainbow Tables .... 17
        To install PORT manually .... 17
    Configuring PORT To Use RainbowTables.exe .... 17
Chapter 3: Using Rainbow Tables .... 20
    Processing Files in RainbowTables.exe .... 20
    Using PORT Tables in PRTK or DNA .... 21
        MS Word and Excel .... 21
    Viewing the Statistics .... 21
    Viewing the Log .... 22
    Uninstalling PORT .... 22
Chapter 4: Troubleshooting .... 23
    Troubleshooting PORT .... 23
        Troubleshooting Steps .... 23
        Status Errors .... 23
        Log File Errors .... 24

Chapter 1

Introduction

Introduction to AccessData Rainbow Tables

AccessData® Rainbow Tables™ is actually an executable User Interface program designed to manage both the AccessData Hash Tables for Microsoft Office, Microsoft LANHash, and Adobe PDF, and the AccessData Portable Office Rainbow Tables (PORT) for Microsoft Office Word and Excel files. The Hash Tables are a set of pre-computed lookup tables used to significantly accelerate a brute-force attack on specific cryptosystems. The PORT tables are also pre-computed lookup tables, but they are built so that only part of the keyspace is pre-computed in advance, and the remainder is computed as the program works. This saves a significant amount of disk space and money, but the tradeoff is that it is not as fast as the Hash Tables lookup.

In cryptography, a brute-force attack is the process of deriving a cryptographic key by trying every possible combination within a specific key space until the correct one is found. How quickly the key can be found depends on the size of the key space and the computing resources applied. A 40-bit cryptosystem has slightly more than one trillion keys (2^40 = 1.099 trillion). If a single computer can test 500,000 keys per second, it would need approximately 25 days to exhaust the possibilities. AccessData's Hash Tables improve the efficiency of the brute-force attack by having all possibilities precomputed and saved, available from the start. As a result, a single computer can break a 40-bit encrypted file in seconds or minutes, rather than in hours, days, weeks, or even months.

Three types of AccessData Hash tables

The AccessData Hash Tables include sets for MS Office, Adobe PDF, and Windows LAN hash. The MS Office and Adobe PDF tables provide a key which decrypts and opens MS Office and Adobe PDF files. The Windows LAN hash provides the actual user password needed to log in. Since 40-bit Hash Tables must store up to one trillion entries, each uses just under three (2.7) terabytes.

One Type of AccessData Portable Tables

As indicated in its name, the Portable Office Rainbow Tables are designed to work only with Microsoft Office files, specifically Word and Excel files. There are currently no plans to release Portable Tables for LANHash or PDF.

How AccessData Hash Tables Work

Suppose you are trying to find a number that will unlock a safe. The safe has numeric dials on it, and each numeric dial can be set between 0 and 9 (similar to a bicycle lock). There are a total of 12 dials (since the key space is 2^40, roughly 1.1 trillion, which is a 12-digit number), and to open the safe you need to set the dials to the correct numbers.

If the key to open the safe were the number 254,365,476,587, you could sit down in front of the safe and try every possible number until you found the key that opens the safe. You might get it right on the first try, but more likely you would make billions of attempts first. Suppose, however, you had a process that would allow you to quickly determine five of the twelve dials. In this case, you would need to search only the remaining seven dials to open the safe. All possible combinations of these seven dials could be tried in much less time. This reduction of the search space is the difference between the Office and PDF Hash Tables and the LAN Hash Tables.
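The guide contrasts Hash Tables, which store every precomputed key, with PORT, which stores only part of the keyspace and computes the rest at run time. The Python below is an added illustration, not AccessData's code or table format: it builds a toy time-memory tradeoff table over a 16-bit keyspace (the keyspace size, chain parameters and the truncated SHA-256 stand-in for the cipher are all assumptions) and shows that keeping only chain endpoints still recovers keys, at the cost of recomputing chain segments during each lookup.

```python
import hashlib
import random
from typing import Optional

# Constructed toy parameters (assumptions for this illustration): a 16-bit
# keyspace stands in for the 40-bit keys the guide discusses.
KEYSPACE = 2 ** 16     # 65,536 keys instead of 2^40
CHAIN_LEN = 64         # steps per chain: work done at lookup instead of stored
NUM_CHAINS = 2048      # rows kept: only (endpoint -> start point) pairs are stored


def toy_cipher(key: int) -> bytes:
    """Stand-in for the one-way step from a key to what an attacker observes."""
    return hashlib.sha256(key.to_bytes(4, "big")).digest()[:8]


def reduce_to_key(digest: bytes, col: int) -> int:
    """Map a digest back into the keyspace; column-dependent, as in a rainbow table."""
    return (int.from_bytes(digest, "big") + col) % KEYSPACE


def chain_key(start: int, col: int) -> int:
    """Key at position `col` of the chain beginning at `start` (col 0 is start)."""
    k = start
    for c in range(col):
        k = reduce_to_key(toy_cipher(k), c)
    return k


def build_table() -> dict:
    """Precompute NUM_CHAINS chains but keep only endpoint -> start point.

    This is the 'partial precomputation' idea: NUM_CHAINS rows instead of one
    row per key, with the intermediate keys thrown away after precomputation.
    """
    table = {}
    for i in range(NUM_CHAINS):
        start = (i * 7919) % KEYSPACE                     # spread start points
        table.setdefault(chain_key(start, CHAIN_LEN), start)  # first chain wins on merge
    return table


def lookup(table: dict, target: bytes) -> Optional[int]:
    """Recover the key k with toy_cipher(k) == target, or None if not covered."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the key sits at column `col` and advance to where its chain ends.
        k = reduce_to_key(target, col)
        for c in range(col + 1, CHAIN_LEN):
            k = reduce_to_key(toy_cipher(k), c)
        if k in table:
            # Recompute the chain from its stored start point to column `col`
            # and verify; chain merges produce false alarms that fail this check.
            candidate = chain_key(table[k], col)
            if toy_cipher(candidate) == target:
                return candidate
    return None


def coverage(table: dict, samples: int = 200, seed: int = 1) -> float:
    """Fraction of randomly chosen keys the partial table can recover."""
    rng = random.Random(seed)
    hits = sum(
        lookup(table, toy_cipher(rng.randrange(KEYSPACE))) is not None
        for _ in range(samples)
    )
    return hits / samples


if __name__ == "__main__":
    t = build_table()
    print(f"stored rows: {len(t)} of {KEYSPACE} keys; "
          f"sample coverage: {coverage(t):.0%}")
```

Raising CHAIN_LEN buys coverage with more lookup work, while raising NUM_CHAINS buys it with more storage; a full Hash Table is the CHAIN_LEN = 1 extreme of the same tradeoff.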

MS Office

MS Office 97 and 2000 derive a 40-bit encryption key from a user-supplied password. AccessData Hash Tables recover that 40-bit key typically in less than one minute. AccessData PORT would recover that same 40-bit key in one to several minutes. The key, not the password, is recovered. Once the key has been recovered, the document is decrypted.

Note: Rainbow Tables, whether Hash or PORT, recover only the decryption key. They do not find the original password.

Even though MS Office XP and MS Office 2003 use a 40-bit encryption scheme by default, both programs have the capability to use 128-bit encryption keys. The Rainbow Tables are not effective against 128-bit encryption. DNA is the most effective way to attack 128-bit encrypted MS Office files because it performs a password attack, and you can utilize the power of many computers to distribute the task.

Adobe PDF

Older PDF versions derive a 40-bit key from the user-supplied password. AccessData Hash Tables contain that key, and recover it, usually in less than a minute. Once the key has been recovered, the document can be decrypted. Again, the key, not the password, is recovered. Newer Adobe PDF versions can use 128-bit keys and cannot be attacked with Hash Tables.

Windows LAN Hash (Windows Login Password)

Windows LAN Hash Tables are different from the MS Office or PDF Hash Tables. First, LAN hash tables recover passwords, not keys. Second, the number of possible LAN passwords is actually closer to 64 trillion keys. Because of this size, the AccessData LAN Hash Table does not hold a complete set of all possible LAN passwords. Rather, the LAN Hash Table represents all the possible passwords containing letters, numbers, and about 16 other symbols. This smaller set fits in about the same three terabytes of disk space as the Office and PDF Hash Tables do individually.

The SAM file stores two different hashes of a user's password: the LAN Manager hash, and the NT hash. LAN hash passwords are limited to 14 characters, which must come from the ASCII or Extended ASCII character sets. (If the password is longer than 14 characters or has characters from outside those ranges, then only the NT hash is generated.) Unlike the NT hash, the LAN Manager hash is computed independently over the first seven characters (the left half) and the last seven characters (the right half) of the password, so the LAN Hash Tables attack each half on its own. Both a SAM file and a system key file are needed to attack the Windows login password. FTK and FTK Imager are both useful tools for obtaining these registry files.

Note: The LAN Hash Table is effective only against Romance-language passwords. If the user logs into the computer using any Unicode password (Japanese, Korean, Chinese, etc.), a LAN hash value is never generated. The only way to break into these is by using a DNA network to perform a traditional MS Windows Login password attack.

System Requirements

You must have a system that meets these minimum requirements to run AccessData Hash Tables or Portable Office Rainbow Tables (PORT):

Table 1: PORT System Requirements

Hardware (minimum): 512 MB RAM; 10 GB free drive space; DVD-ROM or DVD-RW
Hardware (recommended): 1 GB RAM; 10 GB or more free drive space; DVD-ROM or DVD-RW
Operating System (minimum): Windows 2000
Operating System (recommended): Windows XP or higher

Chapter 2

Installing and Configuring AccessData RainbowTables

Installing AccessData Hash Tables

This information applies to PRTK and DNA versions 6.2/3.2 and later. To use the Rainbow Tables in PRTK or DNA, the Hash Table drives need to be connected to the PRTK machine, or a DNA worker machine, and the drives must be recognized as drive letters by the operating system. The version of the RainbowTables.exe program must be the one supplied with the Hash Tables, and it must be installed on the machine where PRTK or the DNA Supervisor is installed.

To use the RainbowTables program, the latest version of RainbowTables.exe must be installed on the computer connected to the Hash Tables. RainbowTables.exe is downloadable from the AccessData website, but it does not include either the Hash Tables or the PORT Tables. It is merely the user interface for both.

To use the Hash Tables with DNA, you must create a group for each set of hash tables you use. Add files to that group to send them for processing to the hash tables. Check the progress of the jobs from the DNA User Interface by double-clicking a job, or by clicking View > File Properties to see status and results with live updates.

Important: Beginning with the April 2010 release, both Rainbow Hash Tables and PORT support the CodeMeter Runtime software and CmStick from WIBU-SYSTEMS. This includes both 32- and 64-bit systems.

Configuring Hardware for Hash Tables

Connect the Hash Tables as indicated in the figure below:

FIGURE 2-1 Hash Tables Hardware Configurations

Configuring Software for Hash Tables

There are two versions of the user interface for Hash Tables. There is one for LAN Hash Tables, and a different one for Office and PDF Hash Tables.

LanRainbow.exe

The following figure depicts the proper configuration of the LanRainbow.exe User Interface when utilizing the AccessData LAN Hash Tables. Run the UI, then click Options > Settings to access this configuration dialog.

FIGURE 2-2 Configuring LAN Hash Tables in the LanRainbow.exe User Interface

To configure the LanRainbow.exe settings, do the following:

1. Browse to the various locations for the In, Out, and Fail folders.
2. Specify or browse to a path and filename for the Log file.
3. Under Rainbow Tables directories, click Add to open the Windows Explorer dialog.
4. Browse to the locations and select the Hash Tables files to be read when a job is added.
5. Click OK to accept and save changes and close the dialog.

RainbowTables.exe

The following figure depicts the proper configuration of the RainbowTables.exe User Interface when utilizing Hash Tables for PDF or Office. To configure the RainbowTables.exe settings, for PDF or Office Word or Excel, do the following:

1. Click Window > Settings to access this configuration dialog box.

FIGURE 2-3 Configuring Hash Tables in the RainbowTables.exe User Interface

2. Browse to the various locations for the In, Out, and Fail folders.
3. Specify or browse to a path and filename for the Log file.
4. Under Rainbow Tables directories, click Add to open the Windows Explorer dialog.
5. Browse to the locations and select the PDF or Office Hash Tables files to be read when a job is added.
6. Click OK to accept and save changes and close the dialog.

Configuring Hash Tables For PRTK or DNA

Before adding files to PRTK or DNA to be processed with the Hash Tables, you must set up groups for the Hash Tables you have connected to your system(s). If you want to have only one group to process Office, PDF, or LAN Hash files, and all are connected to one worker, create only one Hash Tables group. If instead you have each set of tables connected to different workers, create three separate groups, so each type of file will have a dedicated worker to route the different Hash Table jobs through. The following sections describe how to add files to PRTK or DNA and process them using the Hash Tables. Use the following table for reference as you add Hash Tables jobs in PRTK or DNA.

Table 1: Hash Tables Attack Types and User Selections

File Type: Attack Settings
MS Office: Uncheck all boxes except Decryption Key Attack
PDF: Uncheck all boxes except PDF User Key Attack
LAN Hash: Check only boxes that choose a LAN Hash attack for the desired user account. Note: Do not check any options for NT Type attacks.

MS Word and Excel

Open PRTK or DNA and go to File > Add Files and add a Word or Excel file. You can also drag and drop a Word or Excel file into the PRTK or DNA main screen. Once the job has been identified, the job wizard page will come up requesting which type of attack to do. Mark only Decryption Key Attack. Ensure that all other choices are unmarked. Any profile can be used as the attack type does not require any specific profile. PRTK or DNA will generate levels and then add the job to the main screen. PRTK or DNA will use the correct module and send the job to the Hash Tables drives for decrypting.

Adobe PDF files

Open PRTK or DNA and go to File > Add Files and add a PDF file. You can also drag and drop a PDF file into the PRTK or DNA main screen. Once the job has been identified, the job wizard page will come up requesting which type of attack to do. Please uncheck all boxes except the 2nd item: PDF User Key Attack. Any profile can be used as the attack type does not require any specific profile. PRTK will generate levels and then add the job to the main screen. PRTK will use the correct module and send the job to the rainbow tables for decrypting.

LAN Hash files

LAN Hash Tables find the password of a user's computer account and provide the password for each user listed in the SAM file. Both a SAM file and a system key file are needed for this type of attack. FTK Imager is a useful tool for obtaining both these registry files.

Open PRTK. Click Options > Settings to add a LAN Hash file. You can also drag and drop a SAM/System file into the PRTK or DNA main screen. Once the job has been identified, a page will come up requesting which type of attack to do on which user account. Please check only boxes that choose a LAN Hash attack for the desired user account. Do NOT choose any options for NT-Type attacks. Any profile can be used as the attack type does not require any specific profile. PRTK or DNA will generate levels and then add the job to the main screen. PRTK or DNA will assign the job to the rainbow group and the correct modules will be sent to the rainbow workers for decrypting. You must also provide the system key file. Browse to its location and select it under the User Key entry box when prompted.

Installing Portable Office Rainbow Tables

AccessData Portable Office Rainbow Tables (PORT) takes less space than the Hash Tables for Office. You can now easily transport and run AccessData PORT for Microsoft Office on one workstation or another via a DVD rather than be confined to running it on one system with thousands of dollars worth of heavy and cumbersome hardware.

Important: The Installation Wizard will overwrite older versions of AccessData PORT. It is a good idea to back up the table files themselves to a separate location prior to reinstalling.

To install PORT using the wizard:

1. Start the Installation Wizard.
2. Read and accept the End-user's License Agreement.
3. Choose a destination folder for the program, and then click Next.
4. AccessData recommends you accept the default location. Use the Browse button to select a different location.
5. Click Finish to run PORT. You may uncheck the box and click Finish to complete the installation without running the program.
6. Click File > Settings to verify that the installation has populated all necessary fields.
7. If you chose a destination folder other than the default, you will need to adjust your settings.

To install PORT manually

To install PORT manually, perform the following steps:

1. Create a folder anywhere on the workstation.
2. Insert the AccessData PORT DVD, and copy the contents to the new folder.
3. In the Rainbow Tables folder, create the following folders: In, Out, and Fail.
4. Double-click Rainbow Tables.exe to start the program. Note: You can create a shortcut to this executable file, and place it on your desktop for easier access.
5. In the Rainbow Tables User Interface, click Windows > Settings and browse to each folder location as specified.
6. Browse to the .RB2 files and add each of them to the Rainbow Tables files list.
7. There are six files for the Portable Office product; three for Word, and three for Excel. If all six do not appear in this list, verify that all were successfully copied from the DVD to the hard drive.
8. Click OK.

Configuring PORT To Use RainbowTables.exe

There is only one user interface for PORT, separate from PRTK or DNA. It is RainbowTables.exe. AccessData PORT uses folders to organize the files on which it is working. During setup, the autorun specifies these folders to manage new files, processed files, and logs. If you don't want to use the default folders, you can change them at any time.

To manually configure PORT: 1.

In the RainbowTables.exe User Interface, click Windows > Settings to open the Configuration window.

FIGURE 2-4 Configuring PORT Office Tables to Work With RainbowTables.exe

2. In the Input Directory field, browse to or specify the folder from which you want the program to take unprocessed files. This will be your In folder. You can also browse to an existing folder, such as the one provided by AccessData.

3. To better manage the decryption process, mark the Monitor Sub-directories check box. This causes Rainbow Tables to duplicate the folder structure of the sub-folders added to the In folder into the Out folder, for easy identification when a job is completed.

Note: If the Monitor Sub-directories box is not checked and you add a folder containing encrypted files to the In folder, those files will not be processed. The same files, if added directly to the In folder, will process automatically.

Note: This is a useful feature if multiple users are adding files to Rainbow Tables on a network drive, if one user is adding files from various clients and wants to keep the decrypted files together by client, or both.

4. In the Output Directory field, browse to or specify the folder for successfully processed files. This will be your Out folder. You can also browse to an existing folder, such as the one provided by AccessData Rainbow Tables. The Out folder contains a duplicate of the file structure added to the In folder, for easy identification of the files in the Out folder when those jobs are complete.

5. Specify a Failed directory for files that cannot be processed for whatever reason. Click Windows > Log to check the log file for more information when a file fails to process.

6. If you want a record of the process, mark the Log Results to File check box. In the Log field, specify the file where the processing events are to be recorded. You can also browse to an existing file, such as the one provided by AccessData.


7. Manage the list of Portable Rainbow Tables data files by clicking Add Table and browsing to the table you want to add. To remove a table file, select the table file you wish to remove and click Remove Table. For more information, see Status Errors (page 23).

8. Manage the Hash Tables in much the same way as you do the Portable Table files. To add a Hash Table directory, click Add Hash Table directory, browse to a directory containing the Hash Table files, then click Add. To remove a Hash Table directory, select the Hash Table directory you wish to remove, then click Remove Hash Table directory.


Chapter 3

Using Rainbow Tables

Processing Files in RainbowTables.exe

The PORT interface processes files automatically while you wait. Files are processed one job, or file, at a time, in the order in which they appear on the Main window.

To process a job:

1. Copy a file, set of files, or folder to the In folder you specified in Setup, or drag and drop them onto the Rainbow Tables main window. The program processes the files automatically. You can control a job by clicking these buttons:

Table 1: Rainbow Tables Buttons

Button (toolbar icon) | Function
(icon) | Restarts a job that has been stopped or paused.
(icon) | Pauses a running job.
(icon) | Stops a running job.
(icon) | Deletes a job from the Main window.

2. Check your Out folder for the decrypted file and its key. You must have the source program installed on your system before you can double-click the file to open and view it.

Note: Failed files are moved to the Fail folder. If you do not find the file in the Out folder, check the Fail folder and refer to your log file.


Important: If you copied the files to the In folder, both files (encrypted and decrypted) will appear in the Out folder. If you dragged the file to the main window, only the decrypted files and their keys will appear. The encrypted file remains on the main window.

Using PORT Tables in PRTK or DNA

Before adding files to PRTK or DNA to be processed with the Hash Tables, you must set up groups for the Hash Tables you have connected to your system(s). You must create a group to process PORT files in PRTK or DNA. The following sections describe how to add files to PRTK or DNA and process them using the Hash Tables. Use the following table for reference as you add Hash Tables jobs in PRTK or DNA.

Table 2: Hash Tables Attack Types and User Selections

File Type | Attack Settings
MS Office Excel | Uncheck all boxes except Decryption Key Attack
MS Office Word | Uncheck all boxes except Decryption Key Attack

MS Word and Excel

Open PRTK or DNA, go to File > Add Files, and add a Word or Excel file. You can also drag and drop a Word or Excel file onto the PRTK or DNA main screen. Once the job has been identified, the job wizard page opens and asks which type of attack to run. Mark only Decryption Key Attack and ensure that all other choices are unmarked. Any profile can be used, as this attack type does not require a specific profile. PRTK or DNA generates levels and then adds the job to the main screen. PRTK or DNA uses the correct module and sends the job to the Hash Tables drives for decrypting.

Viewing the Statistics

AccessData PORT provides information about each job's progress in the Statistics window. You can see:

• The types of files being processed

• The number of these files processed

• The time it takes to decrypt each file

• The percentage of successful decryption


Note: You can judge the effectiveness of PORT by the Percent of Total column: if the statistics are too low, you may need to extend your libraries to the AccessData Hash Tables instead. To view the Statistics window, click Windows > Statistics.

Viewing the Log

AccessData PORT tracks each job's progress in the Event Log window. The log feature keeps track of:

• Dongle and license errors

• Whether the tables loaded correctly

• Parsing errors

• Unrecognized files

• Whether the decrypted files were written correctly

• Whether the files moved between folders

For more information on the Event Log and Troubleshooting, see Troubleshooting (page 23).

Uninstalling PORT

If you did an automated install from the PORT DVD, you can use either the Add or Remove Programs feature in the Windows Control Panel or the Installation Wizard on the DVD to uninstall PORT.

To uninstall PORT with the wizard:

1. Close the Rainbow Tables User Interface.

2. Browse the DVD to find the setup.exe file.

3. Double-click Setup.exe.

4. The setup program runs. It recognizes that Rainbow Tables is already installed, and lets you choose to Reinstall or to Uninstall.

5. Select Uninstall Rainbow Tables.

6. Click Next.

The Rainbow Tables uninstaller runs and, when finished, the dialog closes. The Rainbow Tables User Interface and all data files are removed.


Chapter 4

Troubleshooting

Troubleshooting PORT

This chapter covers some of the errors you may see when using AccessData Hash Tables (Rainbow Tables) and AccessData Portable Office Rainbow Tables (PORT).

Troubleshooting Steps

1. Verify that you are using the latest rainbowtables.exe. The latest file date as of Feb 2009 is 7/25/07. Go to www.accessdata.com > Support > Downloads to find and download the latest version. This download is the User Interface only and does not include the data files.

2. In the Rainbow Tables User Interface, verify that all Windows > Settings information is valid.

If you cannot resolve the problem using the information in this chapter, please send us an email. Copy and attach the log file and any screen shots that you feel would be helpful. Include in your message a description of the problem and the best way to contact you other than email, should it become necessary. The email address is: [email protected].

Status Errors

The following errors display in the Status field for a job and are added to the log.

Error: Dongle check failed.
Solution: Verify that the Keylok drivers and dongle are installed correctly.

Error: No tables loaded
Solution: Verify that the PORT data files are correctly installed under a correct, existing folder. The PORT data files should all be located in the same folder, and the RainbowTables.exe User Interface Windows > Settings > RainbowTables menu should point to that folder. The data files are listed in the following table:

Table 1: PORT Data Files

Filename | Filename
Excel0.rb2 | Word0.rb2
Excel1.rb2 | Word1.rb2
Excel2.rb2 | Word2.rb2


Error: Decryption failed.
Log File Entry: [filename].doc' cannot be decrypted because 'C:\Program Files\AccessData\Out\test_A7z1q2R-decrypted.doc' already exists. Unable to save key for 'C:\Documents and Settings\brad\Desktop\test_A7z1q2R.doc' : The file exists. (80).
Solution: Verify that the decrypted file does not already exist in the Out folder.

Error: Parsing C:\TEMP\rainbow\In\[Filename].xls
Unable to proceed without known plaintext in C:\TEMP\rainbow\In\[Filename].xls
Solution: This message means that the Excel file is not encrypted at the offset where the Rainbow Tables (actually Hash Tables) application looks for ciphertext. The Hash Tables application therefore has no way of indexing the key used on the file, and so no way of finding the key.

Log File Errors

The following errors do not display any text in the Status field, but are added to the log.

Error: Unable to monitor input directory.
Solution: Verify the In folder setting under Windows > Settings and verify that the input folder actually exists in the specified location.

Error: Parsing C:\TEMP\rainbow\In\[filename.xls]. Unable to proceed without known plaintext in C:\TEMP\rainbow\In\"
Solution: This means that the Excel file is not encrypted at the offset where the Rainbow Tables (actually Hash Tables) application looks for ciphertext. The Hash Tables application therefore has no way of indexing the key used on the file, and so no way of finding the key.

Error: “Parsing C:\TEMP\rainbow\In\Profit and Loss.xls: “Unable to proceed without known plaintext in C:\TEMP\rainbow\In\Profit and Loss.xls”” OR “Parsing C:\TEMP\rainbow\In\Sales Breakdown 04.xls: “Unable to proceed without known plaintext in C:\TEMP\rainbow\In\Sales Breakdown 04.xls””
Explanation: This message means that the Excel file is not encrypted at the offset where the Rainbow Hash Tables application looks for ciphertext. The Hash Tables application therefore has no way of indexing the key used on the file, and so no way of finding the key.
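As an added example (not part of the AccessData guide and not the product's own code), the following Python script classifies PORT log lines against the error messages documented in this chapter and reports the documented check for each. The error-code names, the sample log lines and the helper functions are constructed for illustration.

```python
import re
from typing import Optional

# Documented PORT error messages (this chapter) mapped to a constructed error code and the documented check.
KNOWN_ERRORS = [
    ("dongle_check_failed", r"dongle check failed",
     "Verify that the Keylok drivers and dongle are installed correctly."),
    ("no_tables_loaded", r"no tables loaded",
     "Check that all six .rb2 files are in one folder and Windows > Settings points to it."),
    ("output_exists", r"cannot be decrypted because '(?P<path>[^']+)' already exists",
     "Remove or rename the existing decrypted file in the Out folder, then re-run the job."),
    ("no_known_plaintext", r"unable to proceed without known plaintext in (?P<path>.+?)\"?$",
     "File is not encrypted at the offset the Hash Tables inspect; the key cannot be indexed."),
    ("input_dir_missing", r"unable to monitor input directory",
     "Verify the In folder setting under Windows > Settings and that the folder exists."),
]

def classify_line(line: str) -> Optional[dict]:
    """Return {'code', 'path', 'action'} for a documented error line, else None."""
    for code, pattern, action in KNOWN_ERRORS:
        m = re.search(pattern, line, re.IGNORECASE)
        if m:
            return {"code": code, "path": m.groupdict().get("path"), "action": action}
    return None

def summarize_log(text: str) -> dict:
    """Count each documented error over a whole log and collect the affected file paths."""
    summary = {}
    for line in text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue  # progress lines and undocumented messages are ignored
        entry = summary.setdefault(hit["code"], {"count": 0, "paths": [], "action": hit["action"]})
        entry["count"] += 1
        if hit["path"]:
            entry["paths"].append(hit["path"])
    return summary

# Constructed sample log, modelled on the entries quoted in the Troubleshooting chapter.
SAMPLE_LOG = """\
Dongle check failed.
Parsing C:\\TEMP\\rainbow\\In\\Profit and Loss.xls: "Unable to proceed without known plaintext in C:\\TEMP\\rainbow\\In\\Profit and Loss.xls"
'test_A7z1q2R.doc' cannot be decrypted because 'C:\\Program Files\\AccessData\\Out\\test_A7z1q2R-decrypted.doc' already exists.
Unable to monitor input directory.
Job completed.
"""

if __name__ == "__main__":
    for code, entry in summarize_log(SAMPLE_LOG).items():
        print(f"{code} x{entry['count']}: {entry['action']}")
```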
