okiwan Posted October 30, 2010

http://www.ciozone.com/index.php/Security/...-5-Seconds.html

There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly. But there is a technology that can crack them even faster. A Swiss security company called Objectif Sécurité has created a cracking technology that uses rainbow tables on SSD drives. Apparently it is the hard drive access time and not the processor speed that slows down cracking speed. So using SSD drives can make cracking faster, but just how fast? One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode complex passwords in under 5.3 seconds.

So, how long would a long complex password hold up to the SSD based cracking technology? Sounds like we need to put this to the test. Most hackers will crack passwords by decoding the password hash dumps from a compromised computer. So, I pulled several 14 character complex password hashes from a compromised Windows XP SP3 test machine, to see how they would stand up to Objectif's free online XP hash cracker. The results were stunning.

Let's start out with an easy one. Here is the Administrator password hash from the machine:

aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

And putting this into Objectif's tool we get this response:

Password: Empty password… Time: 2 seconds

Administrator didn't set a password, that's not good… Okay, that wasn't 14 characters, let's try a hard one. How about this one:

Hash: 17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4

And the response:

Password: 72@Fee4S@mura! Time: 5 Seconds

Wow! That took only 5 seconds and that is a decent password.

Let's try a few more:

Hash: ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350
Password: (689!!!<>"QTHp Time: 8 Seconds

Hash: d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6
Password: *mZ?9%^jS743:! Time: 5 Seconds (Try typing that in every day!)

And finally:

Hash: 747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055
Password: T&p/E$v-O6,1@} Time: Okay, this one really pushed it to the limits, it took a whole 11 seconds to crack!

Very impressive, it took only five to eleven seconds in this test to crack 14 character complex passwords. I was able to create a password that Objectif's site couldn't decode; it was using characters from the extended ASCII set. But, unfortunately, I could not log into the XP system using it either.

Want to see how a password would do without having to exploit a system and dump the password hashes? Objectif allows you to put a password in and it will convert it for you. Then you can place the hash into the cracker and see how it does.

I believe that this demonstration shows that relying on passwords alone may no longer be a good security measure. Many companies and government facilities are moving away from using just passwords to dual authentication methods. Biometrics and smartcards are really becoming popular in secure facilities. And if the rumors are true, it looks like Microsoft may include facial recognition authentication in the next version of Windows. Time to dust off the old Web Cam…
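The hash pairs above are in pwdump LM:NT form, and the Administrator line shows the two well-known "empty" values: the LM half aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password (and is also what Windows stores when LM hashing is disabled), and the NT half 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The other four accounts carry a real LM half, which means that XP box was still storing LM hashes: unsalted, case-folded, split into two 7-character DES halves, which is the property that lets a precomputed table answer in seconds. The following audit script is an added example, not code from the post or from Objectif Sécurité; the usernames and RIDs other than Administrator:500 are made up to wrap the post's own hashes in pwdump syntax.

```python
import re

# Constants taken from the post's Administrator example (pwdump LM:NT format).
# EMPTY_LM is the LM hash of an empty password; Windows also stores this value
# when LM hashing is disabled. EMPTY_NT is the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: user:RID:LM:NT::: (each hash is 32 hex characters)
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)

# Constructed sample dump: the hash pairs quoted in the post, with made-up
# usernames and RIDs (only Administrator:500 is a standard value).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4:::
bob:1002:ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350:::
carol:1003:d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6:::
dave:1004:747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055:::
# lines that are not in pwdump form are ignored
"""


def audit_pwdump(text):
    """Return {user: [issues]} for every parseable line of a pwdump-style dump."""
    findings = {}
    for raw in text.splitlines():
        m = PWDUMP_RE.match(raw.strip())
        if not m:
            continue
        lm, nt = m["lm"].lower(), m["nt"].lower()
        issues = []
        if nt == EMPTY_NT:
            issues.append("empty-password")
        if lm != EMPTY_LM:
            # A real LM hash is stored: the password is at most 14 characters,
            # upper-cased and split into two 7-character DES halves with no salt.
            issues.append("lm-hash-stored")
        findings[m["user"]] = issues
    return findings


def lm_storage_enabled(findings):
    """True if any account still carries an LM hash, i.e. LM storage is not disabled."""
    return any("lm-hash-stored" in issues for issues in findings.values())


if __name__ == "__main__":
    result = audit_pwdump(SAMPLE_DUMP)
    for user, issues in result.items():
        print(f"{user:14s} {', '.join(issues) or 'ok'}")
    print("LM hashes present:", lm_storage_enabled(result))
```

On a real dump, an account flagged lm-hash-stored is the thing to fix before worrying about password length: once LM storage is turned off ("Network security: Do not store LAN Manager hash value on next password change") and the passwords are changed, only the NT hash remains, and the 14-character ceiling that made the post's test so quick no longer applies.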
digip Posted October 31, 2010

If these were in a premade lookup table, it's kind of a moot point. Brute forcing say 14 character passwords, hashes, md5's, etc on the fly is another story. The article is wrong, they aren't cracking passwords in 5-10 seconds, they are only looking up already cracked ones in a rainbow table. You would still need to generate that table(s) or have it on hand ahead of time. The whole point of GPU cracking is to do it on the fly, via brute forcing. This is one password in 5-10 seconds. Try 80,000 passwords per minute via brute forcing with multiple GPUs. Granted SSD is going to help, but would in either scenario. GPU cracking is 1,000-fold or more faster than CPU cracking in general regardless of the HDD type used. Lookup tables are only as fast as disk access, memory and CPU speed, which when used with a RAID of SSDs, would be quick to look them up from premade tables. See http://hashcat.net/oclhashcat/
Infiltrator Posted October 31, 2010

"Cryptohaze GPU rainbow table program I can find hashes in the rainbow tables within seconds thanks to the GPU/SSD combination" http://pauldotcom.com/2010/10/your-passwor...ing-system.html
barry99705 Posted November 1, 2010

"Cryptohaze GPU rainbow table program I can find hashes in the rainbow tables within seconds thanks to the GPU/SSD combination" http://pauldotcom.com/2010/10/your-passwor...ing-system.html

Which still requires the password to be in the word list used to create the hash file.

Edited November 1, 2010 by barry99705
Infiltrator Posted November 1, 2010

Which still requires the password to be in the word list used to create the hash file.

Which would be the problem, since most wordlists do not contain all the clear-text passwords. Unless you can compile one yourself, which would take a very long time and a lot of effort.

Edit: Even then it may or may not contain all the clear-text passwords, in which case I would in turn switch to traditional brute forcing, using several Nvidia graphics cards, perhaps in a clustered environment to speed up the process. But again depending on the size of the hashes it could take a long time to crack.

Edited November 6, 2010 by Infiltrator
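The two points made in this part of the thread (digip's, that a rainbow table is a lookup of work done ahead of time, and barry99705's and Infiltrator's, that the lookup only succeeds if the password was in the list the table was built from) both come down to the stored hash being unsalted, which is the case for LM and NT hashes. The script below is an added example, not code from the thread or from any of the tools it names; it uses SHA-256 as a stand-in for the unsalted Windows hashes, because whether Python's hashlib exposes MD4 depends on the OpenSSL build, and the candidate list is constructed (its first three entries are passwords quoted in the first post).

```python
import hashlib
import os

# Constructed candidate list. The first three entries are passwords quoted in the
# thread; the last two are filler so the table has more than one kind of entry.
WORDLIST = ["72@Fee4S@mura!", "*mZ?9%^jS743:!", "T&p/E$v-O6,1@}", "Password1", "letmein"]


def unsalted_hash(password):
    """Unsalted digest: the same password always maps to the same value, so the
    digest -> password mapping can be computed once and reused against any dump."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(salt, password):
    """Salted digest: a per-user random salt makes each stored value unique, so a
    table built ahead of time does not apply to it."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_table(wordlist):
    """The expensive step: hash every candidate once, ahead of time.
    This is the work a rainbow table front-loads; lookups are then one dict hit."""
    return {unsalted_hash(word): word for word in wordlist}


def table_lookup(table, digest):
    """Answer in constant time, but only for passwords that were in the list."""
    return table.get(digest)


def demo():
    table = build_table(WORDLIST)

    # 1. Unsalted digest of a password that is in the list: instant hit.
    hit = table_lookup(table, unsalted_hash("72@Fee4S@mura!"))

    # 2. Unsalted digest of a password that was never in the list: a miss,
    #    no matter how fast the disk holding the table is.
    miss = table_lookup(table, unsalted_hash("not-in-the-list-\u00e9"))

    # 3. The same in-list password, but stored with a random 16-byte salt:
    #    the precomputed table no longer matches anything, and the precomputation
    #    would have to be redone for every distinct salt.
    salt = os.urandom(16)
    salted_miss = table_lookup(table, salted_hash(salt, "72@Fee4S@mura!"))

    return hit, miss, salted_miss


if __name__ == "__main__":
    print(demo())  # ('72@Fee4S@mura!', None, None)
```

The third result is the one that matters for a defender: a salt does not make a single guess any slower, it only takes away the ability to share the precomputation across many targets, which is exactly the advantage the SSD-resident table in the first post relies on. Slowing each guess down is a separate job for a deliberately slow password hash.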
555 Posted December 1, 2010

"Cryptohaze GPU rainbow table program I can find hashes in the rainbow tables within seconds thanks to the GPU/SSD combination" http://pauldotcom.com/2010/10/your-password-cracking-system.html

Which still requires the password to be in the word list used to create the hash file.

Holy shit LOL that's a beast! And the sole purpose of that thing is for PW cracking?
lostfiringpin Posted December 25, 2010

Just noticed my office closely resembles infiltrator's avatar. And isn't the most effective method for getting a password still a glock 40cal?
Infiltrator Posted December 26, 2010

Just noticed my office closely resembles infiltrator's avatar. And isn't the most effective method for getting a password still a glock 40cal?

My office is a lot cleaner than my avatar. Back to the point, generating those rainbow tables would still take a long time. You can have the fastest system, but if the tables don't contain all the possible hashes, it's pointless.