Waraxe IT Security Portal
Login or Register
July 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 225
Members: 0
Total: 225
Full disclosure
CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus
[KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability
[KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability
CVE-2024-33326
CVE-2024-33327
CVE-2024-33328
CVE-2024-33329
CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100
SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice
SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products
Novel DoS Vulnerability Affecting WebRTC Media Servers
APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8
40 vulnerabilities in Toshiba Multi-Function Printers
17 vulnerabilities in Sharp Multi-Function Printers
SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise)
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> General discussion -> Brute forcing improving ideas...
Post new topicReply to topic View previous topic :: View next topic
Brute forcing improving ideas...
PostPosted: Fri Oct 31, 2008 11:10 am Reply with quote
_mranderson_
Valuable expert
Valuable expert
Joined: Oct 30, 2008
Posts: 51




I was thinking, in the last few days, of a way to improve bruteforcing... here what came in my mind:

Let's define bruteforce improving:
we should aim at the most high probability to find the password using the less time possible.

well, assuming that most passwords are readable words plus (possibly) some numbers, we could improve our password-generating algorithm so that, instead of picking any possible password (thus even unreadable passwords like "abbbttk") it would generate just readable passwords..

one thing we must keep in mind is that the slower our password algorihm is the worst it is (I mean it's better to try more passwords but faster than less but a lot slower).

so, if we want to achieve this goal, we have to put rules to create readable words:
I think that a simple (and fast) rule to apply would be to never put more than 2 consonants or vocals one past another while generating the password (some letters like "h" should not be considered vocals nor consonants and others like "y" should be considered vocals), so that generated words would always fit the charset but never be unreadable (numbers could be considered vocals/consonants too, eg.: "1" is "i"/"l", "2" is "r", "3" is "e"...) thus reducing the keyspace, and conseguently the time needed to generate all the possible passwords. Of course this method should never be used untill the keyspace doesn't become big enough to be impossible to be completed (like passwords over 8-9 chars length with a charset length of 36 could be quite a pain to be completed).

Just let me know what you think, and I might implement an md5 bruteforcer that supports IPB md5(md5(salt).md5(pwd)) hashing algorithm and uses this method to bruteforce your hashes...
View user's profile Send private message
Re: Brute forcing improving ideas...
PostPosted: Fri Oct 31, 2008 11:30 am Reply with quote
gyan007
Advanced user
Advanced user
Joined: Oct 17, 2008
Posts: 106




_mranderson_ wrote:
I was thinking, in the last few days, of a way to improve bruteforcing... here what came in my mind:

Let's define bruteforce improving:
we should aim at the most high probability to find the password using the less time possible.

well, assuming that most passwords are readable words plus (possibly) some numbers, we could improve our password-generating algorithm so that, instead of picking any possible password (thus even unreadable passwords like "abbbttk") it would generate just readable passwords..

one thing we must keep in mind is that the slower our password algorihm is the worst it is (I mean it's better to try more passwords but faster than less but a lot slower).

so, if we want to achieve this goal, we have to put rules to create readable words:
I think that a simple (and fast) rule to apply would be to never put more than 2 consonants or vocals one past another while generating the password (some letters like "h" should not be considered vocals nor consonants and others like "y" should be considered vocals), so that generated words would always fit the charset but never be unreadable (numbers could be considered vocals/consonants too, eg.: "1" is "i"/"l", "2" is "r", "3" is "e"...) thus reducing the keyspace, and conseguently the time needed to generate all the possible passwords. Of course this method should never be used untill the keyspace doesn't become big enough to be impossible to be completed (like passwords over 8-9 chars length with a charset length of 36 could be quite a pain to be completed).

Just let me know what you think, and I might implement an md5 bruteforcer that supports IPB md5(md5(salt).md5(pwd)) hashing algorithm and uses this method to bruteforce your hashes...


So... You basically mean wordlists?
View user's profile Send private message
PostPosted: Fri Oct 31, 2008 12:38 pm Reply with quote
epro
Regular user
Regular user
Joined: Feb 11, 2008
Posts: 24




Yes, for thing like you said is wordlists! Bruteforce aim is to check all possibilities to find password! No clever algorithm! Just numbers, letters and special symbols!
View user's profile Send private message
PostPosted: Fri Oct 31, 2008 1:24 pm Reply with quote
_mranderson_
Valuable expert
Valuable expert
Joined: Oct 30, 2008
Posts: 51




I don't think you can find a wordlist with every possible readable password of the length you choose and with the charset you want...

I mean a wordlist contains words you use in your language, not all readable words from 1 to 8 using abcdefghijklmnopqrstuvwxyz0123456789 as charset

also this method would reduce the keyspace enourmously... try to crack a 10 chars length password with numbers and letters using the standard bruteforce method.. you will need like 1000 years, with this method maybe you need 100 (that's still a lot, but it's always 1/10 of the time) and you always have a high probability of finding the password...
View user's profile Send private message
PostPosted: Fri Nov 14, 2008 12:48 pm Reply with quote
ThoR
Regular user
Regular user
Joined: Nov 13, 2008
Posts: 5




And if you use a GPU enabled approach u can cut the 100 years to 1 ^^
i personally like the idea. for passlengths of over 10 chars, i would gladly forfeit the "it will sure find it" of standard bruteforce for the, let's hope it finds it of this approach ^^
View user's profile Send private message
PostPosted: Fri Nov 14, 2008 4:59 pm Reply with quote
_mranderson_
Valuable expert
Valuable expert
Joined: Oct 30, 2008
Posts: 51




Exactly, I mean wouldn't that be sweet if such GPU enable bruteforcers would let you choose to use this option or not? I don't think a --readable switch would be so hard to implement for those whome already implemented such programs.. that' would be really nice.

ThoR idk if you would be able to sugges this to the right ppl, but if you know any, pls do so. I think the most complex passwords would always be possible to be find.

For example:

a password like hi63624jk12 would be found.

6 = g
3 = e
2 = r
4 = a
1 = i/l

as you can see no more that 2 consonants/vocals would be put together in that password. so it's not true complex and long passwords wouldn't be found at all.
View user's profile Send private message
Brute forcing improving ideas...
www.waraxe.us Forum Index -> General discussion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.126 Seconds