Re: [Full-disclosure] anybody know good service for cracking md5?



You can try gpu brute-force, where the c/s is bigger than a normal
quad-core processor.

But you can't use wordlist because isnt make sense compared with c/s you
try to break a hashe using something like incremental way on JTR.

Actually BT4 comes with a md5_gpu_crack you need a VGA support with CUDA
or the ATI technology ( i don't remember the name right now )

On Thu, 2010-02-04 at 12:59 +0100, Christian Sciberras wrote:
Uh, in the sense that they are finally becoming actually useful...





On Thu, Feb 4, 2010 at 12:58 PM, Anders Klixbull <akl@xxxxxxxxxxx>
wrote:
seems to be cropping in?
as far as know rainbow tables has been around for years...





______________________________________________________________
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
Of Christian Sciberras
Sent: 3. februar 2010 23:02
To: Valdis.Kletnieks@xxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] anybody know good service for
cracking md5?




Actually dictionary attacks seem to work quite well,
especially for common users which typically use dictionary
and/or well known passwords (such as the infamous "password").
Another idea which seems to be cropping in, is the use of hash
tables with a list of known passwords rather then dictionary
approach.
Personally, the hash table one is quite successful, consider
that it targets password groups rather than a load of wild
guesses.

Cheers.




On Wed, Feb 3, 2010 at 10:26 PM, <Valdis.Kletnieks@xxxxxx>
wrote:
On Wed, 03 Feb 2010 23:42:07 +0300, Alex said:

> i find some sites which says that they can brute md5
hashes and WPA dumps
> for 1 or 2 days.


Given enough hardware and a specified md5 hash, one
could at least
hypothetically find an input text that generated that
hash. However, that
may or may not be as useful as one thinks, as you
wouldn't have control over
what the text actually *was*. It would suck if you
were trying to crack
a password, and got the one that was only 14 binary
bytes long rather than
the one that was 45 printable characters long. ;)

Having said that, it would take one heck of a botnet
to brute-force an MD5 has
in 1 or 2 days. Given 1 billion keys/second, a true
brute force of MD5 would
take on the order of 10**22 years. If all 140 million
zombied computers on the
internet were trying 1 billion keys per second, that
drops it down to 10**16
years or so - or about 10,000 times the universe has
been around already.

I suspect they're actually doing a dictionary attack,
which has a good chance
of succeeding in a day or two.


_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] anybody know good service for cracking md5?
    ... Actually dictionary attacks seem to work quite well, ... list of known passwords rather then dictionary approach. ... Personally, the hash table one is quite successful, consider that it targets ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)
  • Re: MD5 vs. SHA1 hashed passwords in /etc/master.passwd: can we configure SHA1 in /etc/login.conf?
    ... Hash: SHA1 ... md5, ... hash algorithms like des, md5, sha1, blf or even sha256. ... can compromise system passwords, as cryptmd5 scheme doesn't store ...
    (FreeBSD-Security)
  • Re: Writing U3060, U0C exists for QM
    ... If these are real passwords being stored, ... I concur the U3060 hash seems to be of low quality; I tried to use it when ... as part of any migration away from d3, since you cannot generate an md5 hash ... file items so the department manager can log on to staff accounts with that ...
    (comp.databases.pick)
  • Re: [Full-disclosure] anybody know good service for cracking md5?
    ... [Full-disclosure] anybody know good service for cracking md5? ... Another idea which seems to be cropping in, is the use of hash tables ... with a list of known passwords rather then dictionary approach. ...
    (Full-Disclosure)
  • Re: [PHP] md5
    ... It is likely possible to find alternate passwords if the md5 is known - if a user can get a hold of your md5'ed passwords, they may be able to come up with another password that will create the same MD5 hash, thus would be capable of logging in to the system. ... I'd much rather have an algorithm that is well known, well analysed and *still* secure over an unknown and untested algorithm. ...
    (php.general)