Generate Rainbow Table Using WinRTGen


Type : Tutorial

Level : Beginner, Medium, Advanced

In this tutorial, we will learn how to generate a rainbow table using WinRTGen. Rainbow tables are commonly used to crack many hash types, such as NTLM, MD5 and SHA1. The tool builds a large precomputed table that can be used to crack many hash types. I use these tables to crack some passwords in my next tutorials using rcrack.

One thing you must remember: be careful with your hard disk space. For this tutorial I created a simple rainbow table for 1 – 5 alphanumeric characters, and it takes about 613MB of hard disk space. If you want to create a huge table containing alphanumerics, spaces and other characters, it may well be more than 5 gigs :-). Okay, let's start the tutorial.

Must Know :  (taken from :

Hash type:
The type of hash you're going to generate tables for.

lm: classic LanManager hash. Limited by its nature to 7 chars, uppercase (you can generate tables for lowercase or for passwords of 8 or more chars, but it's a waste of time). Tables are compatible with rcrack.

fastlm: LanManager hash. Same as lm but optimized for MMX instructions; it's faster than "lm" in both generation and cryptanalysis on P4 centrino (or superior) processors. Not compatible with rcrack.

ntlm: NTLanManager hash. A newer hash for M$ authentication, and the only one you'll find in the belly of a PC that has some serious security setup. Passwords are not converted into 7-char uppercase chunks.

lmchall: used to attack the sniffed (not dumped!) LM authentication as a whole. Requires the challenge to be poisoned to a corresponding value. Inconvenient: better to use halflmchall and go brute with the remaining chars.

halflmchall: used to attack the first 7 chars of a sniffed (not dumped!) LM authentication. Requires the challenge to be poisoned to a corresponding value. Using halflmchall + brute is always better than pure lmchall.

ntlmchall: used to attack the sniffed (not dumped!) ntlm authentication. Requires the challenge to be poisoned to a corresponding value. Similar to lmchall, but there can be no "halfntlmchall" so you get to go with it.

mscache: used to attack the cached credentials of the previously logged-on users. Requires each tableset to be generated for a specific username. The proposed value, "Administrator", is possibly the most interesting in many cases.

md2: md2 hashes
md4: md4 hashes
md5: md5 hashes.
sha1: sha-1 hashes.
ripemd160: ripemd160 hashes
mysql323: mysql323 hashes
mysqlsha1: mysqlsha1 hashes
ciscopix: cisco pix firewall hashes
sha256: sha256 hashes
sha384: sha384 hashes
sha512: sha512 hashes
oracle: oracle hashes. Requires each tableset to be generated for a specific username.
wpa-psk: wpa-psk hashes. Requires each tableset to be generated for a specific ESSID. Unlike Oracle, not all wlans use the proposed ESSID ("wlan") as default.

Min len / Max len: The minimum and maximum length of the included passwords. This is the first of the two parameters that define the keyspace. Note that raising the min value usually lowers the keyspace by a negligible amount.

Index: The table's discriminator. It is very important to understand this: the table index and _not_ the file number gives you the identity of a table. Multiple files sharing the same index pertain to the same table.

Chain len (or "t" parameter): The number of hashes represented by a single chain. A chain always uses the space of two hashes (the first and the last) on disk. This is one of the parameters that define the keyspace coverage. As a rule of thumb, the longer the chains, the higher the success rate but also the per-hash cryptanalysis time of the table concerned.

Chain count (or "m"/"N° of tables"): The number of chains in a file. This is one of the parameters that define the keyspace coverage. As a rule of thumb, the more chains, the higher the keyspace coverage, but also the disk usage and so the disk-access time. Too many (and too long, see previous point) chains in a single table produce merging chains and waste.

N° of tables: A misleading title. Should be: "N° of files for current table index". It's a mere extension of the chain count: since you must keep each file below the 2 Gigs barrier, you're given the chance of creating more files. Note that the success rate displayed by winrtgen refers to DIFFERENT TABLES, not more files with the same index.

Charset: defines what characters will be used in the randomly-chosen plaintext to hash (ok, the passwords ;) ). This is the second of the two parameters that define the keyspace. You can edit the file manually or by clicking on the "edit" button. The file is also used for charset selection by the bruteforcing engine.
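
How keyspace, chain len, chain count and table index interact, as an added example (not WinRTGen's code and not part of the original article). It uses the standard coverage estimate from Oechslin's rainbow-table paper; the 36-character charset, the sample settings and the 16 bytes per chain are assumptions, and the figures need not match what WinRTGen displays.

```python
import math

def keyspace(charset_size, min_len, max_len):
    """Candidate plaintexts N for lengths min_len..max_len inclusive."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def table_success(n, chain_len, chain_count):
    """Estimated coverage of ONE table index (Oechslin's estimate).

    Column i of the table holds m_i distinct plaintexts; chains that
    merge shrink the next column:
        m_1 = m,  m_(i+1) = N * (1 - exp(-m_i / N))
        P   = 1 - product over i=1..t of (1 - m_i / N)
    """
    m_i = float(min(chain_count, n))  # no more distinct start points than N
    miss = 1.0
    for _ in range(chain_len):
        miss *= 1.0 - m_i / n
        m_i = n * (1.0 - math.exp(-m_i / n))
    return 1.0 - miss

def tableset_success(per_table, indexes):
    """Coverage of several tables with DIFFERENT indexes (independent)."""
    return 1.0 - (1.0 - per_table) ** indexes

def disk_bytes(chain_count, files, bytes_per_chain=16):
    """Disk use; 16 bytes per chain (start + end point) is an assumption."""
    return chain_count * files * bytes_per_chain

if __name__ == "__main__":
    # Toy case: digits 0-9, length 1 -> N = 10 plaintexts.
    n = keyspace(10, 1, 1)
    one = table_success(n, chain_len=10, chain_count=1)
    print(f"N={n}: 1 chain x 10 hashes covers about {one:.1%}, not 100%")
    print(f"5 such tables, different indexes: {tableset_success(one, 5):.1%}")

    # Constructed sample settings, assuming a 36-character charset.
    n = keyspace(36, 1, 5)
    t, m = 2400, 4_000_000
    print(f"N={n:,}  per-table={table_success(n, t, m):.1%}  "
          f"disk for 5 files={disk_bytes(m, 5) / 2**20:.0f} MiB")
```

Computing as many hashes as there are plaintexts does not give full coverage, because chains revisit and merge onto plaintexts already seen; that is why coverage is raised with more chains or with additional table indexes.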

1. Download WinRTGen below

2. Run WinRTGen, and then click Add Table

3. In the Rainbow table properties dialog, you can see my example for creating an ntlm table for 1-5 characters. The index starts from 0, so if I set the N° of tables value to 5, the files are named with index 0, 1, 2, 3, 4 (5 tables).

4. When you have finished setting up all of the properties, just click OK, and in the main program click OK once again to start building the tables. You can leave your computer working and go buy some tea :)

To get to 23.734% of 100% took about 2.5 hours on my laptop with a Core 2 Duo 1.5GHz and 4 gigs of memory. So maybe you can prepare yourself a lot of food :p LoL.

  • anon

    The wpa option just freezes the prog

  • dhruv

    Hi Vishnu, your blog is really very nice :)
    I have a few questions regarding winrtgen.
    Suppose I want to generate hashes (md5) of numbers from 0-9 of length 1, i.e. altogether 10 hashes.
    In winrtgen I enter the following parameters:
    min len=1
    max len=1
    chain length=10 (since there will be 10 hashes, I entered 10/chain)
    chain count=1 (i.e. 1 chain/file)
    n of tables=1 (number of files)
    Now it shows a success probab. of 53%,
    but when I increase the chain count to 20 the success probab. is 99%.
    Now my question is: with chain count 20 and chain length 10 there will be 200 hashes, but actually there are only 10.
    Why should we calculate 200 hashes when actually we have only 10??
    Waiting for your reply..

    • v4L

      Hi dhruv, actually I don't know precisely about these calculations.. if you want a more specific answer, you can refer to its forum and ask some questions there

  • dhruv

    ok problem

  • Hi, I know the password, which is: hello75Robert
    What should I set to generate it:
    min len=
    max len=
    chain length =
    chain count=
    Please, with the syntax. Thanks

    • v4L

      Sorry, I don't have this program on my PC now, but you can try it yourself… set the min len = 1 and max len = 13 (this is the character length of hello75robert),
      then you can configure the chain len, chain count, and N tables to get the success probability to more than 99%
      fyi: this table should be very huge…

  • robert

    If I have a .cap file, which means a (wpa2/handshake), how could I crack it? Find the password.
    If I use a .lst or txt file it will take too long: first because I don't know the length of the password, second I don't know how to generate a wpa2 file. Any ideas?

    • v4L

      Yep, that's the way… the longer your password, the much bigger the database resource you need…
      But for a short way, you can use a cloud cracking service here by paying $17

  • n

    How can I hack the wireless?