Need help with Brute Force cracking.
Page 1 of 3 123 LastLast
Results 1 to 10 of 29

Thread: Need help with Brute Force cracking.

  1. #1
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61

    Need help with Brute Force cracking.

    (lots of text but please read!)

    1)
    I've been having a hard time brute forcing my own password on winxp pro using L0phtcrack 5. I made a new user name/pw on my machine and typed J!K@j1k2 as my pw. It spent 3-4days working on a P4 3.4ghz 2gb ram, using "Strong Password Audit", and enabling "Dictionary Crack" default dictionary list, "Dictionary/Brute Hybrid Crack", "Precomputed", "Brute Force Crack".
    I got terrible results. It came up with *******2 and I also did enable check for symbols, numbers, and letters. What can I do to improve my find?

    2)
    Is there a way to submit passwords via brute force in an application? software: game; user name: known; pass: not stored in hashes (server reliant); pw submit limit/lock: unknown.
    I used to pw my accounts in key patterns just like how I do that with my v-mail pw - yes, Im a visual learner. Here's are the variables "J" "K" "L" "U" "I" "O" (not in order), length is 8-11 characters.
    John the Ripper, as I know, can only brute force pw using hashes. The only thing i think i can do is find a way to submit thru the program's password box 262144-1771561 different combinations. Tell me if I'm wrong or if there's another method.

    (i know, i shoulda made two topics instead.)
    Last edited by e><ius; March 26th, 2007 at 09:57 PM.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Quote Originally Posted by e><ius
    What can I do to improve my find?
    Get a faster machine....

    Seriously...

    Calculate the total keyspace, divide it by the number of tries per second and you have the total time it takes to deplete the keyspace. The mean time is half of the total time.

    Or use the time/memory trade off and use rainbow tables.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    If you try to brute force most things they will lock you out long before you get the password. You also run the risk of them tracing your IP.

    Its not too hard to make one app control another app such as to submit user/pass. But you need the source for your password cracker. Or to write something that will take output from it and try it.

    And yes, brute force will take a while on that sort of password, thats why security experts recommend you use that kind of password.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  4. #4
    @ΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,696
    Astalavista.net has an online rainbow table cracker available Here. Only 10 LM and 10 MD5 hashes are available for the public each day, however, I believe that members ahve unlimited access. Not that I would pay to be a member.

    Todays hashes:

    Results MD5 (queries remaining today: 0)
    Hash Plain-Text
    9651A3614A30B569132600A1F753BF29 5253185
    B2DA7959DB5D0616F261721DF9DD8AE1 petru
    F66B67EE2D752A11BF81FB55946518A0 16mon
    5A25E9C15A5ED6A23234354AC30D28BF garuruga
    3AEF5FA442B3DFE1F6DD92DF21AE4D49 nwgdhdz
    D8871301C9199D775CACAE51A5303922 kad4ever
    63B855C7167D7F4E4193CE31E924D0F8 hassowu
    CDA901ECFAC787880D7C2E97C4E47F93 helmanis
    1D765AE564B53DF332C11C41449C6FC5 mash2691
    E021114CDFB17C63380116E58C26941B noche627


    Results LM (queries remaining today: 7)
    Hash Plain-Text
    C34CB7D13BA5AF1BCE0454AC64E83210 SYSADMIN$*1965
    8F57987C44197E81C81667E9D738C5D9 01121996
    DF55E9D4862EB232AAD3B435B51404EE KARLLA
    0713B60814DEC4C80B7EB37E244FE6CD JUSTIN3797
    AD91A1C396BA8A429DE8EC1F6767CE00 LIBERTY_707
    DE1F77CB6390BDC3417EAF50CFAC29C3 SERVTEST
    17C1A55196D3512417306D272A9441BB RESOURCE
    F9F4D196D0DEDFE30D33AF7ECD4340B4 `S%DN5:6#LE{7M
    F3372C5D8C780FE8CFBE51DBF75F44D5 .ONQ#43O3[N38{
    C0551CED1730A54225237362F21606D9 S1LV3RSH!FT3R


    As you may notice, they do not yet have an NT hash table available; not that it's really an issue, unless you either tell it otherwise, or intentionally (or unknowingly) invalidate the hash through either password length or invalid characters, Windows still defaults to LM hashes for backwards compatability.
    Real security doesn't come with an installer.

  5. #5
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    Quote Originally Posted by SirDice
    Get a faster machine....

    Seriously...

    Calculate the total keyspace, divide it by the number of tries per second and you have the total time it takes to deplete the keyspace. The mean time is half of the total time.

    Or use the time/memory trade off and use rainbow tables.
    the search ended and found squat. it doesnt seem like it wants to work any longer than it should have.

  6. #6
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    Quote Originally Posted by Aardpsymon
    If you try to brute force most things they will lock you out long before you get the password. You also run the risk of them tracing your IP.

    Its not too hard to make one app control another app such as to submit user/pass. But you need the source for your password cracker. Or to write something that will take output from it and try it.

    And yes, brute force will take a while on that sort of password, thats why security experts recommend you use that kind of password.
    i never got deep into programing (except web), so creating something of such an easy function would take me forever... unless PHP is able to grasp data. have you came across a cracker with an output built in?

  7. #7
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    Quote Originally Posted by Synful
    Astalavista.net has an online rainbow table cracker available Here. Only 10 LM and 10 MD5 hashes are available for the public each day, however, I believe that members ahve unlimited access. Not that I would pay to be a member.
    awesome source. that saves a lot of time. LM definately is what im looking at. funny cuz i used to used alt+0220 () as my pass for win, while LM supposedly doesnt support it. ... Astalavista.net says "LM: Supports the full keyspace "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/"." I wonder how come my password was accepted even if it shoulda been rejected.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Why should it have been rejected? LM supports languages other Than American English

    are not in that list but are accepted IIRC.

  9. #9
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    oh! i guess im ignorant. can i get a penny?

  10. #10
    Junior Member
    Join Date
    Mar 2007
    Posts
    7
    Umm... LM hashes take almost no time to crack these days using rainbow tables. If you give it to www.plain-text.info, it will probably take a few minutes; at worst a few hours.

Similar Threads

  1. brute force crack on root password using 'su'
    By pinoy in forum *nix Security Discussions
    Replies: 2
    Last Post: July 13th, 2002, 02:02 AM
  2. Brute Force
    By UnsaKreD in forum Newbie Security Questions
    Replies: 8
    Last Post: February 22nd, 2002, 09:07 AM
  3. IE patch & SQL brute force
    By VictorKaum in forum Microsoft Security Discussions
    Replies: 5
    Last Post: February 16th, 2002, 02:27 AM
  4. Java based super brute force cracker
    By antihaxor in forum Security Archives
    Replies: 10
    Last Post: January 19th, 2002, 02:00 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •