Details forth coming..

  • minga
    Village/Contest Runner
    • Feb 2010
    • 29

    #1

    Details forth coming..

    Stay tuned for the announcement for this contest.

    The quick and dirty:

    Password cracking contest. 53000+ hashes. You have 48 hours to crack them. GO!
  • noid
    Fun Enforcement Agent
    • Oct 2001
    • 2394

    #2
    Re: Details forth coming..

    That sounds much more fun than doing stuff at the conference.

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me


    • Nikita
      Member
      • Apr 2006
      • 763

      #3
      Re: Details forth coming..

      Originally posted by minga
      Stay tuned for the announcement for this contest.

      The quick and dirty:

      Password cracking contest. 53000+ hashes. You have 48 hours to crack them. GO!
      Yeah, A lot more details need to come. A LOT. :-P
      "Haters, gonna hate"


      • HighWiz
        Death
        • Jun 2007
        • 655

        #4
        Re: Details forth coming..

        I heard minga is offering a prize of a dollar for every password cracked*.





        *This statement is a 100% fabrication of the truth.
        And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.


        • Nikita
          Member
          • Apr 2006
          • 763

          #5
          Re: Details forth coming..

          Originally posted by HighWiz
          I heard minga is offering a prize of a dollar for every password cracked*.





          *This statement is a 100% fabrication of the truth.
          Yeah, I hope this isn't an elaborate plan to get the Yahoo and Hotmail passwords of his ex-girlfriends, or something similar. Just curious... I mean I'd want to know these things. Rofl to the Copter.
          "Haters, gonna hate"


          • SHA-hi
            to my little friend
            • Mar 2010
            • 78

            #6
            Re: Details forth coming..

            Passcracking.ru

            Done.

            :)


            • eris
              Giving birth to a star
              • Aug 2005
              • 703

              #7
              Re: Details forth coming..

              Originally posted by Nikita
              Yeah, A lot more details need to come. A LOT. :-P
              Agreed. So much more detail is necessary. Use this thread as an example of what kind of details need to be added. Contests are srs bizness.

              https://forum.defcon.org/showthread....hlight=tangent
              "They-Who-Were-Google are no longer alone. Now we are all Google."


              • minga
                Village/Contest Runner
                • Feb 2010
                • 29

                #8
                Re: Details forth coming..

                Originally posted by SHA-hi
                Passcracking.ru

                Done.

                :)
                That site only has MD5 rainbow tables. How many UNIX systems store their passwords in raw-md5 format? What about Active Directory? What about LDAP servers? Not to mention that the current queue is 64752 other hashes ;) Good luck with that.

                Another thought on rainbow tables - they take a long time to complete a single lookup. How long will a lookup of xxxxx passwords take? ;)

                Details any minute now...


                • SHA-hi
                  to my little friend
                  • Mar 2010
                  • 78

                  #9
                  Re: Details forth coming..

                  Originally posted by minga
                  That site only has MD5 rainbow tables. How many UNIX systems store their passwords in raw-md5 format? What about Active Directory? What about LDAP servers? Not to mention that the current queue is 64752 other hashes ;) Good luck with that.

                  Another thought on rainbow tables - they take a long time to complete a single lookup. How long will a lookup of xxxxx passwords take? ;)

                  Details any minute now...
                  ? The text is probably out of date. I know for a fact it has more than md5 hashes. I've used it just last week to find some SHA-1s. Lookup times on the server were 597ms latency, and 1.48 seconds download (on my 180kb/s connection). Not too bad, I would estimate the lookup actually only takes 150ms on a dedicated version of this system (one that doesn't have on average 64000~ requests indicated). Of course, without an optimized guessing algorithm we're looking at 77 years for a hash_function("CaP1s2LoCk") to collide with hash_value (at the max in our 150ms/operation system). If we optimize it we're probably looking at maybe a week before we hit a real collision in a sizeable database?

                  Some passwords I've rainbow-tabled from the database my co-workers use:

                  myname200 (where 200 is their system ID)
                  Companyname1
                  banking123
                  password (I went for a two hour lunch when I saw this).

                  Folks, we REALLY need to get the word of salting your hashes out there.


                  • minga
                    Village/Contest Runner
                    • Feb 2010
                    • 29

                    #10
                    Re: Details forth coming..

                    Originally posted by SHA-hi
                    ?
                    Folks, we REALLY need to get the word of salting your hashes out there.

                    Most of the LDAP servers I have seen in the "wild" have stopped using SHA - and now use SSHA. Salted SHAs. What other Operating System / Application uses SHA to store password hashes? Just curious.

                    Comment
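Added example, not part of the original thread: the {SSHA} scheme mentioned in post #10 (base64 of SHA-1(password + salt) followed by the salt), showing that a precomputed unsalted SHA-1 table no longer matches once a salt is mixed in. The function names, the wordlist and the use of a plain dictionary as a stand-in for a real rainbow table are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password, salt=None):
    """Encode as LDAP {SSHA}: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Verify a login attempt against a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value carries no salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def precomputed_table(words):
    """Unsalted SHA-1 lookup table (simplified stand-in for a rainbow table)."""
    return {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in words}


def demo():
    # Constructed wordlist, reusing the weak passwords quoted in post #9.
    table = precomputed_table(["password", "banking123", "Companyname1"])
    unsalted = hashlib.sha1(b"password").hexdigest()
    user_a = make_ssha("password")
    user_b = make_ssha("password")
    salted_digest = base64.b64decode(user_a[len(PREFIX):])[:SHA1_LEN].hex()
    return {
        "unsalted_hit": table.get(unsalted),    # found by plain lookup
        "salted_hit": table.get(salted_digest),  # precomputation misses
        "same_password_distinct": user_a != user_b,
    }


if __name__ == "__main__":
    print(demo())
```

The salt only removes the precomputation shortcut; SHA-1 stays fast to compute, so a weak password in {SSHA} form can still be guessed one hash at a time.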
