#1
|
|||
|
|||
An instant NT password cracker
While searchin the net for some information on hash algorithms i came accross a paper by Dr Philippe Oechslin titled Advances in Time-Memory Trade-Offs claimed to crack the hash passwords in matter of seconds albeit at a cost of large hard disk space.
This is what he had to say. Quote:
I feel this could have far reaching consequences in cracking. how about trying this strategy out on a crypto crackme. any ideas or any contribution. |
#2
|
|||
|
|||
I've heard of people using this approach before for NTLM password hashes - usually they can store all the precalculated hashes on a CD. Precaluclation isn't all that new of an idea in the codebreaking world, but the fact that it can be done so easily on NTLM underscores how weak that system is. This type of attack is only useful because of the small keyspace for NTLM. NTLMv2 increased it to 128 bits, which still isn't really strong encryption by most modern standards, but it at least ups the ante when it comes to how much space it takes to store precalculated hashes.
At some point this approach becomes downright impossible. RSA is a great example. There's a powerpoint lecture on this at hxxp://www.cs.uno.edu/~golden/4621sl2/4621sl2.ppt, but powerpoint slides piss me off. Feel free to use google's HTML translation of it instead. To paraphrase: Assuming you even had the computing power to precaluclate the factors of all 200 digit numbers, you would need approximately (9 * 10^200) * 665 bits to store them all. If you had some kind of medium that could store 100GB of data in one millionth of a gram, you would have 6.75 * 10^177 tons of storage. The Chandrasekhar limit is approximately 10^27 tons. Ergo your precalculated tables would collapse into a black hole long before you got the chance to use them Edit: Crikey, my spelling and typing goes to hell after midnight! Last edited by tbone; 07-01-2004 at 13:31. |
#3
|
|||
|
|||
Yeah, I am aware of the file sizes that one would have to encounter and this link that i had mentioed earlier, has plugins for various other hash algorithm too.
Also the precomputation time is just too large. even for a seven character alphanumeric password is 200+ days and file size of around 20gb. But what i wanted to ask is that, is it worth the effort for even 7 char password. the reason why i am asking this is that often people have observed collisions in these hash algorithms (reference hxxp://www.cryptool.de/). Keeping these too in mind, would it be helpful while patching codes, in which the files itself are checked for modifications while using these algorithms, like it was done for crc ? |
#4
|
|||
|
|||
a seven character password would be pie to bruteforce, on my machine it takes about 30min with alpha-num. Getting up into 8+ is where it gets long tho.
I think you should recheck your information, because here is a person that has actually accomplished it and you can submit ones for cracking : http://sarcaprj.wayreth.eu.org/ his NTLM hashes use upper/lower alpha-num-15 symbols and are only 18gb (and for sale!) Quote:
I really wish someone would overhaul the rainbow crack app, like adding more algorithms, compression, and optimizations. |
#5
|
|||
|
|||
No such thing as 8 char passwords in NT. They are divided into two 7 char parts, which will be cracked individually.
|
#6
|
|||
|
|||
but dont Rainbow crack also offer plugins from MD2, MD4 and RIPEMD160 in addition to NTLM.
Maybe we could have a independant developement for more hash algorithms. |
#7
|
|||
|
|||
Rainbow crack algorithm
Quote:
hxxp://www.antsight.com/zsl/rainbowcrack/ search the page for 'Download' Enjoy |
#8
|
|||
|
|||
tbone, I don't know if you accounted for this in your calculations.
Also, this explanation might be useful for the casual reader: Not all hashes are actually stored in the precomputed tables. For each "initial password", its hash is computed. Then the hash itself is taken as a new password (I think it's adjusted for the valid input chars) and a new hash calculated. This process repeats a number of times until you have a final hash. The only thing you store in the table files is the initial and final hash for each of these "chains", which reduces most of the space required. Still you'll end up with 20Gb of data; just imagine all hashes being stored When cracking, the known hash is transformed with the above process to obtain a list of hashes to form a new chain of the same length as the others. If one of these hashes matches the final hash of any of the stored tables, you have found the chain where it belongs. Then you just have to find the previous hash that chain - that is the password you're seeking |
#9
|
|||
|
|||
Thankfully to crack passwords on a windows computer you only have to generate tables with 7 max length characters otherwise it would take forever.
Also there is also a mod for it to allow for computation of MySQL and Cisco PIX Hashes on oxit.it. You can also download a graphical interface if you care to. There I managed to contribute something |
#10
|
|||
|
|||
Kennus:
I've deleted your post in the Announcements and News Forum, because you obviously are not reading such posts as the one titled: "where is FTP info?" http://www.exetools.com/forum/showthread.php?t=4619 or you would already know "why" you can't access the ftp yet. Regards,
__________________
JMI |
#11
|
|||
|
|||
There are two real good apps I found. You can take the easy way out and boot with this floppy and reset the administrator password to blank and from there total control. You could also use a sam dump app and with LC4 and it will pretty much crack any password. LophtCrack 4, the name of the floppy i can't remember, but I can post an image of it if needed.
|
Thread Tools | |
Display Modes | |
|
|