Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
March 29, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 867
Members: 0
Total: 867
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> General discussion -> Brute forcing improving ideas...
Post new topic  Reply to topic View previous topic :: View next topic 
Brute forcing improving ideas...
PostPosted: Fri Oct 31, 2008 11:10 am Reply with quote
_mranderson_
Valuable expert
Valuable expert
 
Joined: Oct 30, 2008
Posts: 51




I was thinking, in the last few days, of a way to improve bruteforcing... here what came in my mind:

Let's define bruteforce improving:
we should aim at the most high probability to find the password using the less time possible.

well, assuming that most passwords are readable words plus (possibly) some numbers, we could improve our password-generating algorithm so that, instead of picking any possible password (thus even unreadable passwords like "abbbttk") it would generate just readable passwords..

one thing we must keep in mind is that the slower our password algorihm is the worst it is (I mean it's better to try more passwords but faster than less but a lot slower).

so, if we want to achieve this goal, we have to put rules to create readable words:
I think that a simple (and fast) rule to apply would be to never put more than 2 consonants or vocals one past another while generating the password (some letters like "h" should not be considered vocals nor consonants and others like "y" should be considered vocals), so that generated words would always fit the charset but never be unreadable (numbers could be considered vocals/consonants too, eg.: "1" is "i"/"l", "2" is "r", "3" is "e"...) thus reducing the keyspace, and conseguently the time needed to generate all the possible passwords. Of course this method should never be used untill the keyspace doesn't become big enough to be impossible to be completed (like passwords over 8-9 chars length with a charset length of 36 could be quite a pain to be completed).

Just let me know what you think, and I might implement an md5 bruteforcer that supports IPB md5(md5(salt).md5(pwd)) hashing algorithm and uses this method to bruteforce your hashes...
View user's profile Send private message
Re: Brute forcing improving ideas...
PostPosted: Fri Oct 31, 2008 11:30 am Reply with quote
gyan007
Advanced user
Advanced user
 
Joined: Oct 17, 2008
Posts: 106




_mranderson_ wrote:
I was thinking, in the last few days, of a way to improve bruteforcing... here what came in my mind:

Let's define bruteforce improving:
we should aim at the most high probability to find the password using the less time possible.

well, assuming that most passwords are readable words plus (possibly) some numbers, we could improve our password-generating algorithm so that, instead of picking any possible password (thus even unreadable passwords like "abbbttk") it would generate just readable passwords..

one thing we must keep in mind is that the slower our password algorihm is the worst it is (I mean it's better to try more passwords but faster than less but a lot slower).

so, if we want to achieve this goal, we have to put rules to create readable words:
I think that a simple (and fast) rule to apply would be to never put more than 2 consonants or vocals one past another while generating the password (some letters like "h" should not be considered vocals nor consonants and others like "y" should be considered vocals), so that generated words would always fit the charset but never be unreadable (numbers could be considered vocals/consonants too, eg.: "1" is "i"/"l", "2" is "r", "3" is "e"...) thus reducing the keyspace, and conseguently the time needed to generate all the possible passwords. Of course this method should never be used untill the keyspace doesn't become big enough to be impossible to be completed (like passwords over 8-9 chars length with a charset length of 36 could be quite a pain to be completed).

Just let me know what you think, and I might implement an md5 bruteforcer that supports IPB md5(md5(salt).md5(pwd)) hashing algorithm and uses this method to bruteforce your hashes...


So... You basically mean wordlists?
View user's profile Send private message
PostPosted: Fri Oct 31, 2008 12:38 pm Reply with quote
epro
Regular user
Regular user
 
Joined: Feb 11, 2008
Posts: 24




Yes, for thing like you said is wordlists! Bruteforce aim is to check all possibilities to find password! No clever algorithm! Just numbers, letters and special symbols!
View user's profile Send private message
PostPosted: Fri Oct 31, 2008 1:24 pm Reply with quote
_mranderson_
Valuable expert
Valuable expert
 
Joined: Oct 30, 2008
Posts: 51




I don't think you can find a wordlist with every possible readable password of the length you choose and with the charset you want...

I mean a wordlist contains words you use in your language, not all readable words from 1 to 8 using abcdefghijklmnopqrstuvwxyz0123456789 as charset

also this method would reduce the keyspace enourmously... try to crack a 10 chars length password with numbers and letters using the standard bruteforce method.. you will need like 1000 years, with this method maybe you need 100 (that's still a lot, but it's always 1/10 of the time) and you always have a high probability of finding the password...
View user's profile Send private message
PostPosted: Fri Nov 14, 2008 12:48 pm Reply with quote
ThoR
Regular user
Regular user
 
Joined: Nov 13, 2008
Posts: 5




And if you use a GPU enabled approach u can cut the 100 years to 1 ^^
i personally like the idea. for passlengths of over 10 chars, i would gladly forfeit the "it will sure find it" of standard bruteforce for the, let's hope it finds it of this approach ^^
View user's profile Send private message
PostPosted: Fri Nov 14, 2008 4:59 pm Reply with quote
_mranderson_
Valuable expert
Valuable expert
 
Joined: Oct 30, 2008
Posts: 51




Exactly, I mean wouldn't that be sweet if such GPU enable bruteforcers would let you choose to use this option or not? I don't think a --readable switch would be so hard to implement for those whome already implemented such programs.. that' would be really nice.

ThoR idk if you would be able to sugges this to the right ppl, but if you know any, pls do so. I think the most complex passwords would always be possible to be find.

For example:

a password like hi63624jk12 would be found.

6 = g
3 = e
2 = r
4 = a
1 = i/l

as you can see no more that 2 consonants/vocals would be put together in that password. so it's not true complex and long passwords wouldn't be found at all.
View user's profile Send private message
Brute forcing improving ideas...
  www.waraxe.us Forum Index -> General discussion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB © 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.166 Seconds