Waraxe IT Security Portal
Login or Register
November 21, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 50
Members: 0
Total: 50
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> General discussion -> Is a Nivida Graphics Card worth it?
Post new topicReply to topic View previous topic :: View next topic
Is a Nivida Graphics Card worth it?
PostPosted: Tue Nov 18, 2008 5:02 am Reply with quote
renaker
Active user
Active user
Joined: Nov 15, 2008
Posts: 27




I am new to playing with hashes, but in the last week I've become extremely addicted. There is just something about attacking hashes that keeps me coming back to the comp. I am considering getting one of Nivida's graphics card to play with some of elcomsof's software and Extreme GPU Bruteforcer.

My real question is, does running 50 - 600 million p/s actually make a difference when truly bruteforcing? If I wanted to bruteforce a pass between 1 and 15 characters that used a full character set, something like this (regex): [a-zA-Z0-9 \!\@\#\$\%\^\&\*\(\)\_\-\=\|\+\;\:\'\"\,\.\<\.\>\/\?\`\~\\]

will I even be able to bruteforce it even with those incredible speeds? I lack the mind capacity to grasp the concept of 2^128 possible hashes. That sort of number just blows me away. I don't know if that would take 3 hours with a powerful gfx card, or 3 centuries. Your thoughts are greatly appreciated.

If there is success to be expected from one of these fine gfx cards, do any of you know what kind of results I could expect from any of the following NVIDIA gfx cards?

GeForce GTX 280,
NVIDIA GeForce 9800 GX2,
NVIDIA GeForce GTX 260,
NVIDIA GeForce 8800 Ultra,
or possibly a Quadro FX 5800 if It's available and I have the cash.

Also, if any of you know where I could find a really good wordlist I'd appreciate it. I truly thank anyone who took the time to read this.
View user's profile Send private message
PostPosted: Tue Nov 18, 2008 6:23 am Reply with quote
renaker
Active user
Active user
Joined: Nov 15, 2008
Posts: 27




Sorry for the double post, but I didn't feel like waiting. I'm no mathematician, but I think these numbers are pretty close. Please tell me if I'm wayyy off. I hope I am lol. Above, I wanted to brute a 15 character pass with a 90 character set. This is what bruting a 15 char pass looks like with those specifications. This does not include the buildup from 1 char pass to 2, then 3,4,5...etc. Just a 15 char pass, and I guestimated I could test 200 million passes per second with a decent card.

QWERTYUIOPLKJHGFDSAZXCVBNMqwertyuiopasdfghjklzxcvbnm1234567890!@#$%^&*()_-+={[}]:';"<>,.?/

----------------90^15 = all possible 15 character combos with a 90 char set.

90^15 = 2.05891132 × 10^29
205,891,132,000,000,000,000,000,000,000

----------------Total number of seconds to test all possible combos

1.02945566 × 10^21
1,029,455,660,000,000,000,000

----------------Total number of minutes

1.71575943 × 10^19
17,157,594,300,000,000,000

-----------------Total number of hours

2.85959905 × 10^17
285,959,905,000,000,000

----------------Total number of days

1.1914996 × 10^16
11,914,996,000,000,000

--------------Total number of years

3.26438247 × 10^13
32,643,824,700,000

------------------

yikes... I really hope I'm wrong. If I'm right, I don't understand the attraction to buying a nivida graphics card if these are the kind of results you get for the more complicated hashes. Even if you were bruting 1 billion combos a second, it'd still take 6,528,764,940,000 years. So if anybody has that awesome wordlist I've been looking for, I'm ready to resort to it.

EDIT: I redid the calculations for a 10 char pass at 200mil p/s with a 90 char set. Turns out that would only take 5,528 years. Now that's better than 32 trillion, but it won't satisfy me in my lifetime. I really hope I see the day of quantum computers. <3 Also, what am I missing? What are the hash wizards out there doing to get decent results? With a crap word list I've only had a 30% success rate doing simple dictionary attacks. What have you guys had the most success doing?
View user's profile Send private message
PostPosted: Tue Nov 18, 2008 10:24 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Bruteforce can't do miracles. Best option is to combine bruteforce, rainbow tables and various wordlist methods. In wich order to try them, what charsets and what length, hybrid wordlist algorithms, etc - all this come through experience. Right now i'm suggesting to buy as good GPU as you can, then get as good wordlists as you can and use hybrid dictionary method in passwordspro, this will improver your success rate.
And remember - password cracking is based mostly on human weaknesses, not on cryptographic weaknesses. You can break hashes, which are made from weak passwords. You can't break hashes of strong passwords with current (year 2008) hardware. Exception is, when cryptographic weaknesses are found in some algos Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue Nov 18, 2008 7:34 pm Reply with quote
renaker
Active user
Active user
Joined: Nov 15, 2008
Posts: 27




Thanks waraxe. Could you possibly suggest some sources for decent wordlists? So far I've used various ones from these two pages. A lot of them look the same. Any help would be appreciated, thanks again for replying to my topics. :)

http://www.md5this.com/wordlists.html
http://www.insidepro.com/eng/download.shtml
View user's profile Send private message
PostPosted: Tue Nov 18, 2008 8:26 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Lot's of wordlists are available for download and easy to find via Google. But be aware, that many wordlists are actually worthless or just very bad quality. So choose wisely. And of course, if you wanna be serious in cracking bussiness, then you must find your favorite way to compile and sort your own words database. Delete all duplicates, remove too short and too long words, maybe split by word length, etc. My personal favorite method is php/mysql and i have millions of words in my database tables. Finally i'm exporting them to txt files and then use in PasswordsPro, Cain, JTR and other pass cracking utilities. So you see - wordlists handling and collecting can be kind of art or science, or hobby Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Nov 19, 2008 6:07 pm Reply with quote
renaker
Active user
Active user
Joined: Nov 15, 2008
Posts: 27




Well, I'm glad to hear you bring up php/mysql. Php is the only language I feel relaxed using. But I'm curious, how are gathering the words? Have you created some sort of generator? Or are you simply the admin of multiple sites that saves just the passwords from registrations and pass changes?

I wish there was a way to get a password dump from every facebook, myspace, and AOL account. Just the passes, not attached to any specific account. AND now I can tell I'm just fantasizing. lol.

If you don't mind telling me, and I hope I'm not intruding by asking this, but what sort of php jungle have you created? How are you accumulating these fabulous words?
View user's profile Send private message
PostPosted: Wed Nov 19, 2008 6:23 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Generator? No, no. That's pointless. What i'm collecting, is real words - char combinations - that have been used somewhere before. Wordlist generation is not better than bruteforce.
Now imagine, that you write little php script, that will fetch all flickr usernames. This information is not secret and process takes some time, maybe couple of hours. As result you have txt file. Next php script will analyze that text file, sort out useful words, sanitize them (remove and/or replace some chars). Finally script will first lookup any words presence in main database. If it's allready there, then ref counter is incremented. If it's not there, then next will be google search. Now all depends on result count. If that word is in use on many pages (treshhold can be configured), then this word will be inserted to database. Such google check will minimize spamword insertion possibilities.
And of course there are export scripts. You can write php script, that will fetch from database all words starting with "z" and with length 6-12 chars for example. Or you can write script, that makes some permutations and produces hybrid wordlist.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Thu Nov 20, 2008 12:27 am Reply with quote
renaker
Active user
Active user
Joined: Nov 15, 2008
Posts: 27




That's really is a sweet idea. My script isn't that great, but just to play around I made this:

I now understand why this won't solve life's problems, but it can help out just as much as some other decent dictionaries. (I'll weed out the bad chars later). Besides the script, I really like your idea of making word search scripts. That is really a great concept. But now, where to find the most password like words... hmmmmmm?....

( I understand this script sucks, I made it as fast as i could. I just wanted to toy with the concept. )
Code:
<?php

$url = "http://www.flickr.com/photos/";
$uid = 1;

$File = "flikr_usernames.txt";
$Handle = fopen($File, 'a');

echo "\n\n\ninitializing...\n\n";
while($uid < 10001)
{
$html = file_get_contents($url.$uid);

if(strstr($html,'type="text" class="Box" value="Search '))
{
$user = explode('type="text" class="Box" value="Search ',$html);
$user = explode('\'s photostream">', $user[1]);
$Data = "\n".$user[0];
$num = strlen($user[0]);
if ($num < 15)
{
fwrite($Handle, $Data);
echo "\n# ".$uid." - ".$user[0];
}
}
elseif(strstr($html,'<h1 align="center">'))
{
$user = explode('<h1 align="center">',$html);
$user = explode(' is no longer active on Flickr.</h1>', $user[1]);
$Data = "\n".$user[0];

$num = strlen($user[0]);
if ($num < 15)
{
fwrite($Handle, $Data);
echo "\n# ".$uid." - ".$user[0];
}

}

$uid++;
}

fclose($Handle);

?>
View user's profile Send private message
PostPosted: Thu Nov 20, 2008 12:45 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Try phpbb forum memberlists:

http://www.google.ee/search?hl=et&client=firefox-a&channel=s&rls=org.mozilla%3Aen-US%3Aofficial&hs=SBd&q=inurl%3Amemberlist.php+intitle%3Amemberlist+username+email&btnG=Otsi&lr=

It's amazing , how much info is available in web Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Thu Nov 20, 2008 1:02 am Reply with quote
renaker
Active user
Active user
Joined: Nov 15, 2008
Posts: 27




yes!!!
View user's profile Send private message
PostPosted: Thu Nov 20, 2008 7:49 am Reply with quote
renaker
Active user
Active user
Joined: Nov 15, 2008
Posts: 27




Thanks for that suggestion waraxe, would you like me to post my scripts as I go, or would you rather have me just keep them on my comp? I think there was something seriously flawed with the flickr script. The number count only goes up to 10,001(on the site) but there also appears to user titles in the urls as well. Besides the point, I have a basic php script that reads every username from a phpbb board and it converts them to lower case. Is this something I should post, or just let others figure out? Or have you already posted yours somewhere? Also, do you have any more suggestion as far as decent publicly available words go? If not, the phpbb script will keep me busy for quite some time ahhaha. Making these mini-scripts has been quite fun. Thanks for aiming me in the right direction. Smile
View user's profile Send private message
PostPosted: Thu Nov 20, 2008 10:26 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Try vbulletin members:

http://www.google.ee/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=et&q=inurl%3Amemberlist.php+intitle%3A%22members+list%22&lr=&btnG=Google+otsing

Lot's of information Smile

And you can have huge list of working vbulletin communities, with thousands of pages filled with text in each of them. This can be useful.

And of course it's good, if you share your scripts with others. I'm sure, that many people will find them useful and interesting.

As for flickr - there are better methods for usernames crawling.

For example:

http://www.flickr.com/search/people/?q=a&page=100

It states, that here's > 110 000 names Smile
View user's profile Send private message Send e-mail Visit poster's website
Is a Nivida Graphics Card worth it?
www.waraxe.us Forum Index -> General discussion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.045 Seconds