Time to Crack Chart
Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: Time to Crack Chart

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Time to Crack Chart

    Time to Crack Chart

    Hi folks, Iím looking for some data and so far Google ainít cutting it.

    Iím looking for a chart that lists the amount of time it takes for a tool like john or L0phtcrack to run thought a keyspace (example: all alphanumerical, all type able characters, etc) given a certain system. Iíve found some of this kind of data for RainbowCrack, but not the other two.

    By the way, I assume johnís notation of ďc/s:Ē is the number of keys tried per sec, but if thatís the case L0phtcrack would be around 6 times faster which I find hard to believe.

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    there are too many factors to consider to make a table like this I believe, or atleast to make one that is remotley accurate.

    for one, it would depend completly on the password it self, in comparison ot the charaters used. and in which order it plugged in the characters. It would also depend on the system running the crack, and what it was running it against. (a pop server, a sam file, etc) Legnth of the password, difficutly of the password, type of attack. you can use modified workdlists that include "leet speak" in them that way you dont have to use a pure brute for attack, or ones that add ! to the begining, end, or both of a word.

    cracking passwords has way to many factors to even attempt to make a table even semi accurate, I think.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I don't think you'll find any kind of sensible comparison of the password cracking products against the entire keyspace simply because of resources.

    You also have to remember that in their default config there isn't a publicly available cracker that even considers extended ASCII which factorizes the issue by 128(?) and therefore extends the crack time to near impossible under current technology.

    There's also the issue, as mentioned by XTC, where a dictionary can be "massaged" with common substitutions to help find the more difficult passwords where people use the easy "leetspeak" substitutions but this adds time to the crack time, (dog = |)0g)....

    If I want a secure password I like to throw in the extended ASCII somewhere simply because most of the common cracking tools don't even bother to go there. After the kiddie has been going for a week or more he'll most likely get bored.... after a month or so he'll probably have forgotten that it's even running....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I know I canít get the utmost accuracy, just ball park figures for certain keyspaces when done with L0phtcrack and John. Just ballpark figures that other folks got on their system. Kind of like how the RainbowCrack project tells you a little about the system they ran it on (processor and RAM) and the amount of time to load and run the keyspace.

    By the way, two other questions:

    Anyone know for sure that ďc/sĒ in John is the same as Keys per sec?

    Iím looking at L0phtcrack 5 and I cant seem where to set it to bruteforce with a certain key length. Iím sure it only goes up to 7 if you have the LM hashes, but if it has the NT hashes only then it would seem to me like you should be able to set it. Anyone know where the setting is?

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    If I remember correctly there should be a config section for theattackes. its in the part where you select your dictionaries too. I dont have my "security auditing" box with em so I cant confirm, but you should be able to set a minimum and maxam character legnth.

    as far as the tables go the best you could do would be have a hcart of how long it would take to rn every combination. This can take YEARS decadeson the average computer. I remember running a program (not LC5 or John the ripper) but its estimated time was like 13 years becasue it was on a slow box and i had it set for brute force with every characteron the kyeboard, and running a range from 8-13 characters.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  6. #6
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Thanks XTC46, but I looked in that section first and I can's seem to find the password length part.

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    As far as I know the c/s stands for characters per second, which is also the number of keys tried per second.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  8. #8
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    That would make sense.

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Irongeek,

    Please forgive me if I am being stupid, as I would hardly class myself as an expert here.............this is more like what I have understood from things I have read

    I believe that with rainbow tables, depending on the encryption, character set used and the password length it is possible to calculate a pretty accurate figure of the probability of cracking a password. Given the factors of computational speed available, it is also possible to calculate the probable MAXIMUM time that this might take.

    My simplistic understanding is that Rainbow Tables are effectively pre-computed cracks, that have taken masses of computing power to develop in advance of the crack.

    Now, (and please correct me if I am wrong) first generation brute forcing tools like john the ripper have to start from scratch. This is a completely different scenario is it not? You are actually trying to crack the pass "on the fly". With the Rainbow Tables, assuming that they are perfect (totally comprehensive) you know that you CAN crack it, it is just a matter of how long, which should be relatively easy to calculate.

    With first generation tools you are generating and testing/comparing each cycle, rather than just doing a straight comparison?

    I seem to recall that someone posted a link to a site a while back where there was a tool that asked you things like password length, complexity, encryption algorithm and the number of cycles per second. It would then estimate how long it would take to crack.

    There was an emphatic statement on the laws of probability............like it could crack on the very first or very last attempt.

    You would also need to know how the cracking tool works?............if it starts 123.........abc........ABC etc then a reasonably complex password would take a very long time. On the other hand I am sure you are familiar with the concept of "bubble searching"?

    Just a few thoughts, or hopefully some food for them
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    There was an emphatic statement on the laws of probability............like it could crack on the very first or very last attempt.
    this was the point I was trying to make. The guess could be off by YEARS depepnding on the passowrd. I mean if somone made their password. ABCDEFG and the scanner did that compbo right away bag, your cracked in less then a second, but if they made it !AbCdEfG! it might take a while longer.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides