Domain: antsight.com
Stories and comments across the archive that link to antsight.com.
Comments · 16
-
Re:BSD?
BSD is a type of oral Sex, geez dont you watch any porno?
j/k ... It think this is great, because OpenBSD is a great OS and is worth downloading an ISO of a live version.
What i dont understand is why you would make it live? this software cant be something you would use for surfing the web or something. More for breaking and entering i would think. thats what im going to use it for ... System repairs, although im not sure is BSD supports NTFS? Some quick googling shows that NTFS is not enabled by default and requires a custom kernel .. So did they include it? and do i get a copy of rainbowCrack with it? -
Re:TFA very light on details
Assuming LanMan hashing hasn't been disabled in favor of NTLanMan and that the password is 14 characters or less, it is that simple. It'll take a few hours with a complete set of rainbow tables, or L0phtCrack can do a alphanumeric password in a day or two.
-
Cracking "weak" passwords is trivially easy
Cracking passwords when you have access to the non-reversible hashed versions of the passwords (aka "/etc/shadow") can be trivially easy on modern hardware, when using a tool such as John the Ripper, or, if you have a lot of spare harddrive space (and RAM), RainbowCrack. If this box was using md5 hashes (most likely), JTR on modern hardware can easily crack 8,000+ passwords a second, which, when combined with advanced password guessing techniques, will most likely find weak passwords within an hour or two.
-
Re:Actually, that is not a secure password...Now a truly secure password is something like "h3$xF1@"
Not necessarily true - pre-computed "rainbow tables" which benefit from use of time-memory tradeoff - no password is safe, no matter how complex.RainbowCrack is available for LanMan, MD5, SHA, etc. hashes.
The only real protection from this attack is salting.
Strong authentication is the only way to go - I am very surprised that the FBI is protecting its secret and top secret stuff with passwords only...maybe not so surprised
-
Re:Since I don't remember the earlier stories...
What would be interesting is using the grid to generate rainbow tables...generating rainbow tables and selling them on DVD is a lucrative business. (well, except for LANMAN tables -- which shmoo gives away gratis)
-
Re:No such thing as "256-bit triple des"
Ok what about with rainbow tables, vast stores of precomputed hashes? They say that with a 64GB table, it'll take a few minutes to crack any Windows lanmanager password up to 14 characters in size using "all possbile characters on a standard keyboard (not including those alt+xxx characters)" on a standard 666 MHz system. Some individual table sets have been known to reach 600+GB in size. How do the likes of 3DES and AES stand up to that? I'm an encryption noob.
-
So LM hashes are out! Yay!
If this is true then LM hashes, which use DES, are on their way out finally. It's going to break some backwards compatibility, but it will go a long way in fixing some of the most obvious, http://www.antsight.com/zsl/rainbowcrack/, privelage escalation problems.
-
Re:Downloadable database form?
You can create it, actually if you asked that a few months ago I had 100GB worth of md5 0-8 alpha-ALPHA-num every combination for sale (which I later made free if you sent me DVD's) but I deleted since no one was much interested and it was much needed space for other stuff. I used rainbowcrack (http://www.antsight.com/zsl/rainbowcrack) for some reason the linux client seems to work much faster than the windows one (although it made no sense to why)
-
Rainbow TablesIf your passwords are less than 14 characters in length, periodically changing them will not improve security. It only takes 64GBs to hold every possible combination of password up to 14 characters using the following (include the space as part of the character set):
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv
Using the Rainbow Tables in a Time-Memory Trade-Off, it only takes a few minutes to crack any password up to 14 characters. http://lasecwww.epfl.ch/php_code/publications/seaw xyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"',.?/ "r ch.php?ref=Oech03You can either spend a few months creating your own Rainbow Tables http://www.antsight.com/zsl/rainbowcrack/, or you can buy the 64GB tables for $640, http://www.antsight.com/zsl/rainbowcrack/rt_price
. txt. -
Rainbow TablesIf your passwords are less than 14 characters in length, periodically changing them will not improve security. It only takes 64GBs to hold every possible combination of password up to 14 characters using the following (include the space as part of the character set):
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv
Using the Rainbow Tables in a Time-Memory Trade-Off, it only takes a few minutes to crack any password up to 14 characters. http://lasecwww.epfl.ch/php_code/publications/seaw xyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"',.?/ "r ch.php?ref=Oech03You can either spend a few months creating your own Rainbow Tables http://www.antsight.com/zsl/rainbowcrack/, or you can buy the 64GB tables for $640, http://www.antsight.com/zsl/rainbowcrack/rt_price
. txt. -
Re:Even worse...
Yes, because knowing the password means that you automatically know the IP address too, right?
Um, YES. You obviously have never admin'ed an apache web server. By default, it logs every IP, every request,
Yeah, a 47GB app. That'd be a snap to download.
Its not a 47GB app. The source is 44k, and the compiled binary is well under 1mb. If you bothered to check you would know that. That has nothing to do with the resources it uses when it is cranking. -
Stop yammering about your passwords, folksFrom the rainbbow crack FAQ site: http://www.antsight.com/zsl/rainbowcrack/faq.htm:
1. Is it possible to crack
Emphasis added. /etc/shadow file in linux with time-memory trade-off technique? No, you can't. Linux use salt to randomize the hash, which is originally designed to defend this kind of attack. However, any hash with salt is resistant to time-memory trade-off attack, while hashes without salt aren't. -
Interesting...From the passcracking.com page:
This project is using RainbowCrack technologyHeading on over to the RainbowCrack page, we find (at the bottom):
Contact Information
Zhu Shuanglei shuanglei[at]hotmail.com
Member of Kingnet Security, Inc.
Shanghai, China
-
Interesting...From the passcracking.com page:
This project is using RainbowCrack technologyHeading on over to the RainbowCrack page, we find (at the bottom):
Contact Information
Zhu Shuanglei shuanglei[at]hotmail.com
Member of Kingnet Security, Inc.
Shanghai, China
-
Re:Password auditing
I am unaware of open source software that meets the functionality of PWSEX or LC5.
Then you're gonna love this. Why brute LM hashes when you can precompute password/hash pairs then look them up from a database? Initial db generation takes a while, but you can customize the keyspace to whatever you want. When you're done, query a hash, get a password. This stuff works extremely well... -
Passwords? More like words.Let me give you some insight into how a 'cracker' looks at this since I just cracked an alpha-symbol-numeric Windows NT LM hash about an hour ago in about 5 minutes time. Your password isn't enough. You, as an administrator, have to get in there and modify the authentication scheme.
Or use SHA2. Cause I don't have rainbow tables to crack that. Yet. For those of you who don't or cannot follow security, the new buzz is creating your own crack tables in a couple of weeks or months. There is more info at the project rainbowcrack page.
The misconception that everyone has about passwords now (because we as sysadmins pushed it so hard in the late 90s, early 00s) is that alphanumeric is the way to go. With the advent of generating your own cracking tables, that is no longer the case anymore.
An alphanumeric md5 set of rainbow tables can be generated in about a weeks time with a 2.4 ghz processor. That's my rough estimate based on the couple days it took me to make the alphanumeric one for LM hashes.
I would highly suggest that if you want your users to come up with good passwords you have them make a "one-time" password, seed with a 20-character salt that looks like someone pounded the keyboard, and store it inside a SHA2 hash.
A good administrator is going to salt their passwords with a string of characters that already satisfies the "alpha-numeric-symbol" requirement. If there is any reason to do something other than the first name of your child it is to stop coworkers or friends or people that already know about you.
When using brute-force/guess method this is what I try first and my guess is that at least 1% of Slashdot fathers use this or a form of it as their pass. It's okay to be proud of your kid, but don't think you're honoring them by including them in your password.