Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 08-30-2006, 10:18 AM   #101
borked
Totally Borked
 
borked's Avatar
 
Industry Role:
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by interracialtoons
Ahhhhh! Put a sock in it!

I had said that a 3char encrypted (using crypt()) password was bad and could be cracked in no time by someone who saw the encrypted password (like an employee of the site).

That's all I said. Then you go off into space and make a big deal about it.

Did you run the last fucking code I posted?

Go ahead and try your 3char encryption in my code and it will undo that shit in less than 3 secs!
what you actually said was that a 6char passwd was better than an 8char passwd
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202
Old 08-30-2006, 10:19 AM   #102
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by darksoul
haha, so you finally read what a rainbow table is

HAHAHA! I bet a million dollars you don't have a fucking rainbow table and you will have to wait 2 fucking years to build one.
Old 08-30-2006, 10:21 AM   #103
darksoul
Confirmed User
 
darksoul's Avatar
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by borked
anyway, I said random salts.
rainbow tables are lookup tables. No good if the salt is random - the encrypted pass will change each time
sure, but there are better ways to crack DES
I was mainly pointing out that bf is not as time expensive as it used to be
__________________
1337 5y54|)m1n: 157717888
BM-2cUBw4B2fgiYAfjkE7JvWaJMiUXD96n9tN
Cambooth
Old 08-30-2006, 10:22 AM   #104
darksoul
Confirmed User
 
darksoul's Avatar
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by interracialtoons
HAHAHA! I bet a million dollars you don't have a fucking rainbow table and you will have to wait 2 fucking years to build one.
lets see the money
Old 08-30-2006, 10:23 AM   #105
MaddCaz
Confirmed User
 
Join Date: Mar 2006
Location: Illinois
Posts: 9,483
ssuspect witness dont come OUTSIIIIDE...
Old 08-30-2006, 10:23 AM   #106
borked
Totally Borked
 
borked's Avatar
 
Industry Role:
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by darksoul
sure, but there are better ways to crack DES
I was mainly pointing out that bf is not as time expensive as it used to be
no, i do agree. But like all, there are limitations.
Best to use blowfish as cipher anyways ;)
Old 08-30-2006, 10:23 AM   #107
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally Posted by borked
if you have access to the encrypted passwd file, yeah. but then wouldn't the server be already hacked?
You'd be surprised how many people store password files in web accessible folders and have Options +Indexes in their httpd.conf
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 08-30-2006, 10:26 AM   #108
darksoul
Confirmed User
 
darksoul's Avatar
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by ServerGenius
You'd be surprised how many people store password files in web accessible folders and have Options +Indexes in their httpd.conf
Options +Indexes
doesn't make .ht* files show.
Old 08-30-2006, 10:29 AM   #109
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally Posted by darksoul
Options +Indexes
doesn't make .ht* files show.
no but people who have this their password file is called htpasswd
Old 08-30-2006, 10:32 AM   #110
darksoul
Confirmed User
 
darksoul's Avatar
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by ServerGenius
no but people who have this their password file is called htpasswd
the standard is .htpasswd tho which is the most used.
but yea, some are that stupid.
Old 08-30-2006, 10:39 AM   #111
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by borked
anyway, I said random salts.
rainbow tables are lookup tables. No good if the salt is random - the encrypted pass will change each time

Will you stop with the random salts shit! It doesn't fucking matter.


Here's the code to brute force any three letter password no matter how it was created or whatever "salt":



$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;
$a = 0;
foreach (@one) {
    $b = 0;
    foreach (@two) {
        $c = 0;
        foreach (@three) {
            $pw = "$one[$a]$two[$b]$three[$c]";
            #### HTTP REQUEST LOGIN USING $pw;
            #### IF RETURN CODE = 20 BAMM!!!!! I'M IN!!
            $c++;
        }
        $b++;
    }
    $a++;
}



Yeah, you can limit login tries to defeat it; but get off the random salt shit. That does fucking nothing.
Old 08-30-2006, 10:41 AM   #112
borked
Totally Borked
 
borked's Avatar
 
Industry Role:
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by interracialtoons
Will you stop with the random salts shit! It doesn't fucking matter.


Here's the code to brute force any three letter password no matter how it was created or whatever "salt":



$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;
$a = 0;
foreach (@one) {
    $b = 0;
    foreach (@two) {
        $c = 0;
        foreach (@three) {
            $pw = "$one[$a]$two[$b]$three[$c]";
            #### HTTP REQUEST LOGIN USING $pw;
            #### IF RETURN CODE = 20 BAMM!!!!! I'M IN!!
            $c++;
        }
        $b++;
    }
    $a++;
}



Yeah, you can limit login tries to defeat it; but get off the random salt shit. That does fucking nothing.
Will you shut the fuck up and read the context of my post?
Old 08-30-2006, 10:46 AM   #113
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by ServerGenius
no but people who have this their password file is called htpasswd
Yeah, but if you're smart like me you don't even use .htpassword.
You can use any file in any directory to store passwords.

You tell htaccess where the file is in the .htaccess file!

AuthUserFile /usr/home/Rootdirectory/8usdn2873hs772nas723a.txt

Stupid name in the root directory...not accessible to the web even if not password protected.
interracialtoons is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
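Added example (not part of any post in this thread): a Python check for the point argued in posts #107 to #113, whether an AuthUserFile path can be fetched by URL. DOCROOT, SERVER_ROOT and the sample .htaccess bodies are assumptions made up for the example; only the first AuthUserFile path comes from the thread.

```python
import posixpath
import re

# Constructed inputs: DOCROOT, SERVER_ROOT and the .htaccess bodies are assumptions.
# Only the first AuthUserFile path is the one quoted in the thread.
DOCROOT = "/usr/home/Rootdirectory/public_html"
SERVER_ROOT = "/usr/local/apache"
HTACCESS_FILES = {
    "members/.htaccess":
        "AuthType Basic\nAuthUserFile /usr/home/Rootdirectory/8usdn2873hs772nas723a.txt\n",
    "vip/.htaccess":
        "AuthUserFile /usr/home/Rootdirectory/public_html/vip/htpasswd\n",
    "old/.htaccess":
        "AuthUserFile /usr/home/Rootdirectory/public_html/old/.htpasswd\n",
    "tmp/.htaccess":
        "AuthUserFile /usr/home/Rootdirectory/private/../public_html/tmp/pw.txt\n",
}

AUTH_USER_FILE = re.compile(r'^\s*AuthUserFile\s+"?([^"\s]+)"?',
                            re.IGNORECASE | re.MULTILINE)


def resolve(path, server_root=SERVER_ROOT):
    """A relative AuthUserFile is relative to ServerRoot; '..' segments are folded.
    Pure string handling: symlinks on a real host are not followed here."""
    return posixpath.normpath(posixpath.join(server_root, path))


def check_path(path, docroot=DOCROOT):
    """Classify one AuthUserFile path as 'outside', 'dot-ht' or 'exposed'."""
    full = resolve(path)
    root = posixpath.normpath(docroot)
    if not (full == root or full.startswith(root + "/")):
        return "outside"   # no URL maps to it, whatever the file is called
    if posixpath.basename(full).startswith(".ht"):
        return "dot-ht"    # in the docroot; protected only by the server's .ht* deny rule
    return "exposed"       # in the docroot under an ordinary name: fetchable by URL


def audit_htaccess(files):
    """Return {htaccess name: (AuthUserFile path, verdict)} for files that set one."""
    report = {}
    for name, body in files.items():
        match = AUTH_USER_FILE.search(body)
        if match:
            report[name] = (match.group(1), check_path(match.group(1)))
    return report


if __name__ == "__main__":
    for name, (path, verdict) in audit_htaccess(HTACCESS_FILES).items():
        print(f"{verdict:<8} {name:<18} {path}")
```
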
Old 08-30-2006, 10:56 AM   #114
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally Posted by interracialtoons
Yeah, but if you're smart like me you don't even use .htpassword.
You can use any file in any directory to store passwords.

You tell htaccess where the file is in the .htaccess file!

AuthUserFile /usr/home/Rootdirectory/8usdn2873hs772nas723a.txt

Stupid name in the root directory...not accessible to the web even if not password protected.
I know I wasn't talking about me. If you're smart like me you store user accounts into a db on a separate server over local lan and use sessions to avoid lookups for every file that is loaded.
Old 08-30-2006, 10:57 AM   #115
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by borked
Will you shut the fuck up and read the context of my post?
I will STFU if you will admit that I did as promised!

I cracked a 3char encrypted password that was made with crypt(no matter the salt) in one fucking try!


--------------------------------
$passencrypted = "fill_it_in";

$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;

# crypt() stores the salt as the first two characters of its output
$salt = substr($passencrypted, 0, 2);
print "salt = $salt<br>";
$a = 0;
foreach (@one) {
    $b = 0;
    foreach (@two) {
        $c = 0;
        foreach (@three) {
            $pw = "$one[$a]$two[$b]$three[$c]";
            # hash the candidate with the same salt and compare to the stored value
            $check = crypt($pw, $salt);
            if ($check eq $passencrypted) { print "$pw - is a possible password<br>"; exit; }
            $c++;
        }
        $b++;
    }
    $a++;
}
print "Ended OK";
Old 08-30-2006, 11:04 AM   #116
darksoul
Confirmed User
 
darksoul's Avatar
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by interracialtoons
I will STFU if you will admit that I did as promised!

I cracked a 3char encrypted password that was made with crypt(no matter the salt) in one fucking try!

genius!

and btw its more than 1 try
Old 08-30-2006, 11:13 AM   #117
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
Quote:
Originally Posted by borked
if you have access to the encrypted passwd file, yeah. but then wouldn't the server be already hacked?
Pulled from gooooooogle

http://www.cs.wright.edu/~pmateti/In...etc-passwd.txt

Not a real password file, but google will allow you to find stuff.
__________________

PHP-MySQL-Rails | ICQ: 342500546
Old 08-30-2006, 11:18 AM   #118
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
Quote:
Originally Posted by mrkris
Pulled from gooooooogle

http://www.cs.wright.edu/~pmateti/In...etc-passwd.txt

Not a real password file, but google will allow you to find stuff.
I just realized i posted the passwd file lol
Old 08-30-2006, 11:21 AM   #119
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by darksoul
genius!

and btw its more than 1 try
No...it took me one try to write the script and get the result needed to login.
Old 08-30-2006, 11:29 AM   #120
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
Quote:
Originally Posted by interracialtoons
No...it took me one try to write the script and get the result needed to login.
ICQ me you cock loving thunder cunt
Old 08-30-2006, 11:38 AM   #121
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by mrkris
ICQ me you cock loving thunder cunt
Why don't you post your address so I can come over and put my foot up your ass and my fist down your throat.
Old 08-30-2006, 11:40 AM   #122
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Hmmmm... better yet...why don't I hack your password and post under your name.

Go ahead and challenge me to do it....BITCH!
Old 08-30-2006, 11:40 AM   #123
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
Quote:
Originally Posted by interracialtoons
Why don't you post your address so I can come over and put my foot up your ass and my fist down your throat.
Wasn't using that to talk shit but if you want to be a crybaby keyboard warrior so be it.
Old 08-30-2006, 11:50 AM   #124
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
Quote:
Originally Posted by interracialtoons
Hmmmm... better yet...why don't I hack your password and post under your name.

Go ahead and challenge me to do it....BITCH!
"I DARE YOU TO CHALLENGE ME". Please, crack my gfy password, violate a law. You're probably the same stupid kiddy that runs around throwing out words such as "Heap Overflow" and "NOP Slides". I WILL HAX YUR INTERWEB
Old 08-30-2006, 12:08 PM   #125
GrouchyAdmin
Now choke yourself!
 
GrouchyAdmin's Avatar
 
Industry Role:
Join Date: Apr 2006
Posts: 12,085
wats ur asn nubr
Old 08-30-2006, 12:08 PM   #126
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
Quote:
Originally Posted by toonpornblog
wats ur asn nubr
roflmao ...
Old 08-30-2006, 12:17 PM   #127
GrouchyAdmin
Now choke yourself!
 
GrouchyAdmin's Avatar
 
Industry Role:
Join Date: Apr 2006
Posts: 12,085
I know I'm beating a dead horse, here... but is this like the first time you've seen crypt(), I mean, ever? DES is only significant to EIGHT bytes, and that's all that is guaranteed. Period.

Not to mention your proposed salt is either static, or the password itself. It doesn't work that way. Ya might want to look into ROT13. Now that will take any sized string, man.. and DAMN is it fast!
GrouchyAdmin is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
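Added example (not part of any post in this thread): a Python audit of htpasswd-style entries that flags the weaknesses raised above, DES crypt()'s visible two-character salt and 8-character limit, against the blowfish-based scheme recommended in post #106. The sample entries are constructed, and the pass/fail policy is this example's assumption.

```python
import re

# Constructed sample file: user names and hash strings are made up for this example.
SAMPLE_HTPASSWD = """\
alice:Zx4fGh1kLm9Qw
bob:$apr1$Qd8xK2pL$0aBcDeFgHiJkLmNoPqRsT1
carol:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
dave:{SHA}AAECAwQFBgcICQoLDA0ODxAREhM=
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash, no prefix
ALPHABET = 62                                   # 0-9, a-z, A-Z as in the thread's scripts


def keyspace(length, alphabet=ALPHABET):
    """Number of candidates an exhaustive search must cover for one hash."""
    return alphabet ** length


def classify(hash_field):
    """Return (scheme, acceptable, note) for one htpasswd hash field."""
    if re.match(r"^\$2[abxy]\$\d\d\$", hash_field):
        cost = int(hash_field.split("$")[2])
        return ("bcrypt", True, f"blowfish-based, cost {cost}")
    if hash_field.startswith("$apr1$"):
        return ("apr1-md5", False, "salted but fast to compute; migrate to bcrypt")
    if hash_field.startswith("{SHA}"):
        return ("sha1", False, "unsalted; identical passwords share a hash")
    if DES_CRYPT.match(hash_field):
        salt = hash_field[:2]  # stored in the clear, so it hides nothing from a guesser
        return ("des-crypt", False,
                f"salt '{salt}' visible; only the first 8 password chars are used")
    return ("unknown", False, "unrecognised format (possibly plaintext)")


def audit(text):
    """Parse htpasswd-style 'user:hash' lines and classify each entry."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, ok, note = classify(hash_field)
        findings.append({"user": user, "scheme": scheme, "ok": ok, "note": note})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HTPASSWD):
        print(f"{'OK  ' if f['ok'] else 'WEAK'} {f['user']:<6} {f['scheme']:<10} {f['note']}")
    print("3-char keyspace:", keyspace(3), "| 8-char keyspace:", keyspace(8))
```
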
Old 08-30-2006, 12:23 PM   #128
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
Quote:
Originally Posted by toonpornblog
I know I'm beating a dead horse, here... but is this like the first time you've seen crypt(), I mean, ever? DES is only significant to EIGHT bytes, and that's all that is guaranteed. Period.

Not to mention your proposed salt is either static, or the password itself. It doesn't work that way. Ya might want to look into ROT13. Now that will take any sized string, man.. and DAMN is it fast!
He's too busy cracking our passwords with retardo scripts from packetstormsecurity.nl to reply, so yes, beating a dead horse
Old 08-30-2006, 01:04 PM   #129
AgentCash
Confirmed User
 
Join Date: Feb 2002
Posts: 720
What I'd really like to know is why you bother with

Quote:
$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;
when

Quote:
@one = (A..Z, a..z, 0..9);
gets you the same thing. Then you needlessly copy the array to @two & @three... why?

Quote:
$pw = "$one[$a]$one[$b]$one[$c]";
would accomplish the same thing as

Quote:
$pw = "$one[$a]$two[$b]$three[$c]";
I just fool around with perl in my free time and even I can see you're a total novice.
Old 08-30-2006, 01:29 PM   #130
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by AgentCash
What I'd really like to know is why you bother with



when



gets you the same thing. Then you needlessly copy the array to @two & @three... why?



would accomplish the same thing as



I just fool around with perl in my free time and even I can see you're a total novice.
Because I wanted a stupid MoFo like you to understand it.

I wasn't trying to write "secret code" to baffle webmasters who don't even write scripts. How would that illustrate anything to them?

BTW: It's really fucking lame to take a solution that you could never have done yourself and then spend 24 hours since it was posted trying to pick at it.
why didn't you post a solution yesterday and end this thread?... Because you couldn't.

Stop acting like a jealous fagot. It will not make you a better webmaster.

Now I'm done. Gotta go do something more productive than listening to stupid shit.
Old 08-30-2006, 01:31 PM   #131
AgentCash
Confirmed User
 
Join Date: Feb 2002
Posts: 720