what you actulaly said was that a 6char passwd was better than an 8char passwd:error

HAHAHA! I bet a million dollars you don't have a fucking rainbow table and you will have to wait 2 fucking years to build one.:1orglaugh

sure, but there are better ways to crack DES
I was mainly pointing that bf is not as time expensive as it used to be

lets see the money

ssuspect witness dont come OUTSIIIIDE...

no, i do agree. But like all, there are limitations.
Best to use blowfish as cipher anyways ;)

You'd be suprised how many people store password files in web accessible folders and have Options +Indexes in their httpd.conf

Options +Indexes
doesn't make .ht* files show.

no but people who have this their password file is called htpasswd :winkwink:

the standard is .htpasswd tho which is the most used.
but yea, some are that stupid.

Will you stop with the random salts shit! It doesn't fucking matter.


Here's the code to brute force any three letter password no matter how is was created or whatever "salt":



$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM NOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;
$a = 0;
foreach (@one) {
$b=0;
foreach(@two) {
$c = 0;
foreach (@three) {
$pw = "$one[$a]$two[$b]$three[$c]";
#### HTTP REQUEST LOGIN USING $pw;
#### IF RETURN CODE = 20 BAMM!!!!! I'M IN!!
$c++;}
$b++;}

$a++;}



Yeah, you can limit login tries to defeat it; but get off the random salt shit. That does fucking nothing.

Will you shut the fuck up and read the context of my post?

Yeah, but if you're smart like me you don't even use .htpassword.
You can use any file in any directory to store passwords.

You tell htaccess where the file is in the .htacces file!

AuthUserFile /usr/home/Rootdirectory/8usdn2873hs772nas723a.txt

Stupid name in the root directory...not accessible to the web even if not password protected.

I know I wasn't talking about me. If you're smart like me you store user accounts into a db on a seperate server over local lan and use sessions to
avoid lookups for every file that is loaded. :2 cents:

I will STFU if you will admit that I did as promissed!

I cracked a 3char encrypted password that was made with crypt(no matter the salt) in one fucking try!


--------------------------------
$passencrypted = "fill_it_in";

$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM NOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;

$salt = substr($passencrypted, 0, 2);
print "salt = $salt<br>";
$a = 0;
foreach (@one) {
$b=0;
foreach(@two) {
$c = 0;
foreach (@three) {
$pw = "$one[$a]$two[$b]$three[$c]";
$check = crypt($pw, $salt);
if ($check eq $passencrypted) {print "$pw - is a possible password<br>"; exit;}
$c++;}
$b++;}

$a++;}
print "Ended OK";

genius!

and btw its more than 1 try

Pulled from gooooooogle

http://www.cs.wright.edu/~pmateti/In...etc-passwd.txt

Not a real password file, but google will allow you tp find stuff.

I just realized i posted the passwd file lol

No...it took me one try to write the script and get the result needed to login.

ICQ me you cock loving thunder cunt

Why don't you post your address so I can come over and put my foot up your ass and my fist down your throat.

Hmmmm... better yet...whay don't I hack your password and post under your name.

Go ahead and challege me to do it....BITCH!

Wasn't using that to talk shit but if you want to be a crybaby keyboard warrior so be it.

"I DARE YOU TO CHALLENGE ME". Please, crack my gfy password, violate a law. You're probably the same stupid kiddy that runs around throwing out words such as "Heap Overflow" and "NOP Slides". I WILL HAX YUR INTERWEB

wats ur asn nubr

roflmao ...

I know I'm beating a dead horse, here... but is this like the first time you've seen crypt(), I mean, ever? DES is only significant to EIGHT bytes, and that's all that is guaranteed. Period.

Not to mention your proposed salt is either static, or the password itself. It doesn't work that way. Ya might want to look into ROT13. Now that will take any sized string, man.. and DAMN is it fast!

He's to busy cracking our passwords with retardo scripts from packetstormsecurity.nl to reply, so yes, beating a dead horse :thumbsup

What I'd really like to know is why you bother with

when

gets you the same thing. Then you needlessly copy the array to @two & @three... why?

would accomplish the same thing as

I just fool around with perl in my free time and even I can see you're a total novice.

Because I wanted a stupid MoFo like you to understand it.

I wasn't trying to write "secret code" to baffle webmasters who don't even write scripts. How would that illustrate anything to them?

BTW: It's really fucking lame to take a solution that you could never have done yourself and then spend 24 hours since it was posted trying to pick at it.
why didn't you post a solution yesterday and end this thread?... Because you couldn't.

Stop acting like a jealous fagot. It will not make you a better webmaster.

Now I'm done. Gotta go do something more productive than listening to stupid shit.

:1orglaugh :1orglaugh