Yeah, and that's why this post is relevant because people keep fucking using them!


darksoul-logic = "Don't tell me about cigarettes causing cancer; that was discovered years ago...(begins to chain smoke)".

you damn right.
I'm already aware of the issue so I don't need to hear your preaching about.

See my point ? Everyone knows about it, move along.

Jesus christ what fucking shitstorm did i walk into.

Oh, you could here me typing this thread and had to come here to tell me to keep it down so you could concentrate.


BTW: There is no such thing as a encrytped password created by a known/accesible function that cannot be unencrypted!
There are only passwords that require too much processing to be worth anyone's time(except russians spys).

For example the 8char password could take up to 6,095,689,385,410,816 iterations of a subroutine to unencrypt. And that would requires a dedicated computer that could run for anywhere to 2 months to 2 years before giving the result. Thus the requirement of many secure sites that you change your password every 90 days. By the time the computer has figured out your encrytped password you have already changed it to something else.

:1orglaugh

shows how much you know.
http://www.antsight.com/zsl/rainbowcrack/

you can STFU now

Show how good you can read!

I said "up to" as in, the worst case scenario would require that much processing.

You must be one of those dudes who reads the want ad saying "earn up to $50,000" and you're stupid enough to think that's what YOU will make.

You should read the shit you post before posting it

It's faster only after doing all the shit I said in advance and storing the results. What a waste of fucking time for you to post such obvious bullshit.
Everything's faster when it's already done before you fucking start.

dude, shut the fuck up. You were talking about bruteforce
how much lower do you want to go ?

Here we go again:boid

The easy crack of DES is all assuming you have access to the encrypted password file to compare. If you don't, then you have to hope to god the site to hack doesn't enforce some limit on the number of tries.

And then after your 65 billion guesses, you get in. To where, an adult pay site to see some booteeee. :helpme
May have been easier to just pay the 1-month fee.


How many sites use htaccess to give free run of the server?

haha, so you finnaly read what a rainbow table is :)

I mean really. Posting shit that says the exact shit I just posted. WTF!

if you read what you wrote (lol)
you said between 2 months and 2 years
using rainbow tables with take a few minutes and nowhere near 2 months.
make up your mind

but they don't work with random salts:winkwink:

but you already have the salt.

Ahhhhh! Put a sock in it!

I had said that a 3char encrypted (using crypt() )password was bad and could be cracked in no time by someone who saw the encrypted password(like a employee of the site).

That's all I said. The you go off into space and make a big deal about it.

Did you run the last fucking code I posted?

Go ahead and try your 3char encryption in my code and it will undo that shit in less than 3 secs!

y'all need to find jesus.

if you have access to the encrypted passwd file, yeah. but then wouldn't the server be already hacked?

thats the reason this thread is useless :)

anyway, I said random salts.
rainbow tables are lookup tables. No good if the salt is random - the encrypted pass will change each time

what you actulaly said was that a 6char passwd was better than an 8char passwd:error

HAHAHA! I bet a million dollars you don't have a fucking rainbow table and you will have to wait 2 fucking years to build one.:1orglaugh

sure, but there are better ways to crack DES
I was mainly pointing that bf is not as time expensive as it used to be

lets see the money

ssuspect witness dont come OUTSIIIIDE...

no, i do agree. But like all, there are limitations.
Best to use blowfish as cipher anyways ;)

You'd be suprised how many people store password files in web accessible folders and have Options +Indexes in their httpd.conf

Options +Indexes
doesn't make .ht* files show.

no but people who have this their password file is called htpasswd :winkwink:

the standard is .htpasswd tho which is the most used.
but yea, some are that stupid.

Will you stop with the random salts shit! It doesn't fucking matter.


Here's the code to brute force any three letter password no matter how is was created or whatever "salt":



$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM NOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;
$a = 0;
foreach (@one) {
$b=0;
foreach(@two) {
$c = 0;
foreach (@three) {
$pw = "$one[$a]$two[$b]$three[$c]";
#### HTTP REQUEST LOGIN USING $pw;
#### IF RETURN CODE = 20 BAMM!!!!! I'M IN!!
$c++;}
$b++;}

$a++;}



Yeah, you can limit login tries to defeat it; but get off the random salt shit. That does fucking nothing.

Will you shut the fuck up and read the context of my post?

Yeah, but if you're smart like me you don't even use .htpassword.
You can use any file in any directory to store passwords.

You tell htaccess where the file is in the .htacces file!

AuthUserFile /usr/home/Rootdirectory/8usdn2873hs772nas723a.txt

Stupid name in the root directory...not accessible to the web even if not password protected.

I know I wasn't talking about me. If you're smart like me you store user accounts into a db on a seperate server over local lan and use sessions to
avoid lookups for every file that is loaded. :2 cents:

I will STFU if you will admit that I did as promissed!

I cracked a 3char encrypted password that was made with crypt(no matter the salt) in one fucking try!


--------------------------------
$passencrypted = "fill_it_in";

$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM NOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;

$salt = substr($passencrypted, 0, 2);
print "salt = $salt<br>";
$a = 0;
foreach (@one) {
$b=0;
foreach(@two) {
$c = 0;
foreach (@three) {
$pw = "$one[$a]$two[$b]$three[$c]";
$check = crypt($pw, $salt);
if ($check eq $passencrypted) {print "$pw - is a possible password<br>"; exit;}
$c++;}
$b++;}

$a++;}
print "Ended OK";

genius!

and btw its more than 1 try

Pulled from gooooooogle

http://www.cs.wright.edu/~pmateti/In...etc-passwd.txt

Not a real password file, but google will allow you tp find stuff.

I just realized i posted the passwd file lol

No...it took me one try to write the script and get the result needed to login.

ICQ me you cock loving thunder cunt