Cryptohaze.com

Folks,

Anyone interested in trying to use the network functions across the Net, I would like to test exposing a server instance out my firewall, and having people connect to it and help brute force some hashes.

My though behind this is to prove that with a little community help and some tools found out in the public domain, can greatly help "evil" break through the hashes.

This will help me to prove my point that we should be using passwords with a length greater than 7-8 char.

My suggestion to people I work with was.. If you can type in your 7 char password in a second, then you can type it in twice in 2 seconds, and if you want to make it even more complex, type in this month's password, and then the last password from the last change you used, or put a char in between for a seperator. That would then get the length to 14 char for a 7 char password, and 16 char for an eight char password, etc...

In the end I just want to prove that if this average "joe" can wack password hashes in not time at all in my basement, then "evil" can do it with a few hundred bucks, and a few CPU's full of GPU's.

Anyone interested? Maybe in the end Bitweasil can set up a server, and we as the community can contribute to the server pool. I know I would.

Siggy

middle-siggy wrote:Anyone interested in trying to use the network functions across the Net, I would like to test exposing a server instance out my firewall, and having people connect to it and help brute force some hashes.

It works just fine. I've done this. Default port is 12410 - open this up on your firewall, and clients will connect with no trouble. I recommend using "--serveronly" for your server instance, as this will help prevent crashes from CUDA issues (it's fairly stable, but not perfect). I used this method with no problems during Defcon.

The main problem is that there is no authentication on clients, nor is there verification of work done. A client can easily lie to the server, claim the workunit was done, when it accomplished nothing. There is also no verification of returned hashes (feel free to code this up for me - I'd like to add it). Any client can say a returned hash matches a given password, and nothing verifies this. The network mode is intended to be used with a network of trusted systems, not with untrusted nodes over the internet. While it would be possible to add some support for untrusted nodes, it would rather significant reduce efficiency.

Feel free to go for it, though.

My though behind this is to prove that with a little community help and some tools found out in the public domain, can greatly help "evil" break through the hashes.

This will help me to prove my point that we should be using passwords with a length greater than 7-8 char.

Yes, we should. This is really a given to anyone playing in this realm. If a distributed cracking system is created and helps support this, go for it. However, I do not officially support the use of my tools to crack passwords that are not legally obtained. The stated purpose is to assist pentesters in matching that which is out there by other means. If you do set this up, feel free to post something here, unless you are using dumped/leaked lists. I would prefer not to draw attention by the use of those.

My suggestion to people I work with was.. If you can type in your 7 char password in a second, then you can type it in twice in 2 seconds, and if you want to make it even more complex, type in this month's password, and then the last password from the last change you used, or put a char in between for a seperator. That would then get the length to 14 char for a 7 char password, and 16 char for an eight char password, etc...

That's true, though if you simply double your password (12345671234567), my DUPMD5 hash type deals nicely with this. md5($pass.$pass) - to deal with people who are using this techniques. Using two different passwords is not vulnerable to this attack technique.

In the end I just want to prove that if this average "joe" can wack password hashes in not time at all in my basement, then "evil" can do it with a few hundred bucks, and a few CPU's full of GPU's.

Yes, this is rather well understood by people already.

Anyone interested? Maybe in the end Bitweasil can set up a server, and we as the community can contribute to the server pool. I know I would.

What would the target hashes be? As I've stated, I do not care to contribute to the cracking of leaked/dumped hashes, and I do not have any interest in setting up a "community cracking site" that allows leaked/dumped hashes to be submitted for cracking by others. My focus is on providing high quality tools for pentesters to use, not on cracking illegally obtained hashes.

I could set up a server using randomly generated passwords/hashes to allow people to demo the network capability, but I'm not sure what good this would do.

But if you wish to set something up, go for it.

That is all great to know... Thanks!

As for the lists, they are all on the up and up.. I work for a very large retailer, and I'm in the IT security side fo the house. So it's my job to educate those that just don't know the obvious... and to help with the "Can't be a profit, in your own land" I like to use real world examples of stupid ideas. But I also know a lot of secuirty is hype, and what is not hype could just be a know securet to just a few, and then there is what everone else knows, or can find out.

I'm not some super secret government contractor, we just sell stuff, and if I can make my stuff harder to get then everyone else's stuff, I call it a good day.

As for helping with the code, I already grabbed it and started looking through it... and I just might take you up on that.. I like fun projects, and this topic has always been one of those that I really enjoyed through the years.

Either way, great job, and THANKS!

Siggy

middle-siggy wrote:As for the lists, they are all on the up and up.

Ok. If you have legitimate access to them, and it's ok to spread them to the internet, go for it.