 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Heya, few questions - md5(md5($salt).md5($pass)) |
 |
 Posted: Sun Oct 05, 2008 7:19 pm |
 |
|
| tnok85 |
| Regular user |
 |
|
| Joined: Oct 05, 2008 |
| Posts: 6 |
|
|
|
 |
|
 |
|
Hey all,
I used waraxe's great program to find the salt and hash from an IPB. (Yes, I used a proxy  )
Hash: 9cab354cb10c4c3961232f51f8363a07
Salt: ZGyB6
It was a great learning experience, learned how to set up Apache, PHP, and get Curl running.
So, I read up some more, and found PasswordsPro. Great. Now, the problem is that for the forums, there's no minimum password length (as short as 1) and very long (I entered up to 15 chars without getting a warning that it was too long) so, to brute force 1-15 using caps, lower case, and numbers, it'd take.. umm.. >10000 days. Obviously, that's way too long.
So I set it length 1-8, and it came out to about 1700 days. Heh. Still unacceptable.
Finally, I set it to only use lower case letters and numbers, and it's down to 22 days. Really, that's still a bit too long from what I'm reading - on the requests page, I see passwords cracked in a matter of hours or a day after it's posted.
So does anybody have any tips for cracking a md5(md5($salt).md5($pass))? I checked out Extreme GPU Bruteforcer, and I have a GeForce8800 Ultra, so that was running in the hundreds of millions of passwords per second (so it said) but it's only 3 minutes long.
Am I going to have to shell out for Extreme GPU Bruteforce to have a reasonable chance at cracking this password?
Thanks in advance! Great info here.
Edit: After reading more, it looks like people say that these types of salted hashes are too much to brute force crack. So I'm downloading the 28gb wordlist that's in the wordlist section, and I'm going to give that a shot.
Edit #2: Just came back and found that the 28gb didn't find a password. That's kind of disheartening, hehe. Any advice on what I should do to crack this sucker?
I'd really like to learn this stuff rather than just have somebody crack it - but if somebody does want to crack it and post it, feel free. I would rather learn though. "Give a man a fish, and he eats for a day... teach a man to fish, and he eats for a lifetime" or something along those lines. |
|
|
|
|
|
|
|
|
| Posted: Mon Oct 06, 2008 5:06 am |
|
|
| SnIpEr |
| Active user |
 |
|
| Joined: Sep 25, 2008 |
| Posts: 37 |
|
|
|
|
|
|
|
| We usually dont use brute Force. Hybrid Dictionary is the way to go in this case |
|
|
|
|
| Posted: Mon Oct 06, 2008 6:15 am |
|
|
| tnok85 |
| Regular user |
|
|
| Joined: Oct 05, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
| SnIpEr wrote: | | We usually dont use brute Force. Hybrid Dictionary is the way to go in this case |
Alright, thanks. I'll read up on Hybrid Dictionary and how to use it effectively and give that a go. |
|
|
|
|
| Posted: Thu Oct 09, 2008 7:31 pm |
|
|
| PoisonedV |
| Regular user |
|
|
| Joined: Jan 19, 2008 |
| Posts: 18 |
|
|
|
|
|
|
|
| I'm trying to the the same ATM, so if anyone can help me out setting up my rainbow tables on PasswordsPro? I've only used Cain & Abel and a small cli unix program. |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 63
Members: 0
Total: 63
