And guess what, someone thought of using it to crack passwords. It seems the cut-off would be a 12 character password as even with all lower case characters it would cost USD1.5 million to crack.

It gets exponentially cheaper as you remove each character (due to the calculation using the power of the number of characters) so a 10 character password would only cost you just over USD2000!

Forget what you’ve learned about password security. A simple pass code with nothing more than lower-case letters may be all you need – provided you use 12 characters.

That’s the conclusion of security consultant David Campbell, who calculated the cost of waging a brute-force attack on various types of passwords using cloud computing services offered by Amazon.

Based on hourly fees Amazon charges for its EC2 web service, it would cost more than $1.5m to brute force a 12-character password containing nothing more than lower-case letters a through z. But user beware, an 11-character code costs less than $60,000 to crack, and a 10-letter phrase costs less than $2,300.

Adding upper-case letters and numbers to a password offers some additional security, but not as much as you might think. Such a phrase using 10 characters would cost less than $60,000 to attack, while an 11-character code would cost roughly $2.1m. Even passwords that contain an additional 32 characters such as !@#$% are relatively cheap to crack if they are short enough. An eight-character password would cost a little more than $106,000.

I’d say adding upper case letters and numbers makes quite a difference, a 10 character passwords jumps from just over USD2000 to crack all the way up to USD60,000. That’s a factor of 30!

I’d say a 10 character password containing uppercase, lowercase, numbers and specials characters should be well into the millions and keep you fairly safe.

I did write some guidelines and tips on creating a secure password a while back, you can check it out here – Good Password Guidelines – How to Make a Strong/Secure Password.

The analysis, which Campbell posted here, builds off of research fellow security consultant Haroon Meer of SensePost presented earlier this year at the Black Hat conference. In it, he showed how EC2 could provide criminals using stolen credit cards with the equivalent of a super computer to crack encryption keys and passwords.

And that, in turn, will require new ways of thinking on the part of white hats.

“As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor,” said Campbell. “Using stolen credit cards, they could create a super computer that would be faster potentially than what the three-letter agencies have and they wouldn’t be paying for the CPU cycles.”

Although Amazon takes pains to ration resources it makes available to single customers, Meer showed it was possible to get around such limitations using a single credit card. Presumably, it would be even easier to bypass those controls using hundreds or thousands of stolen credit cards, something that is trivial for criminals to get a hold of. Campbell’s assumptions are based on simple arithmetic.

It’s interesting research nevertheless, I’d say Cloud Computing is only going to get more powerful and cheaper to rent so character based passwords may become completely defunct at some point in the future.

The computing power is not at the point where you have to worry about your 1024 bit RSA encryption quite yet, but it may well be in the near future as it’s already advised to use a 2048 bit key length!

Combining this platform with the abundance of stolen credit card details the blackhats have could be quite devastating.

Source: The Register

The tool is supplied with a file containing a list of usernames and requests a TGT for each user and then waits for the response. If the KDC responds with a valid TGT or with an error message stating that pre-authentication is required, a valid username has been discovered. Several guesses can be run in parallel (currently only against a single KDC) in order to improve performance.

Be careful not to run with to many threads and low timeouts as it will bring the KDC to its knees during the time of the test. The default values have been tuned against a virtual machine, and currently eat somewhere around 80% CPU which gives me roughly 700 guesses per second. In most cases the network throughput won’t be the performance bottleneck. So far I’m seeing that 2-3MBit of queries is generating a sustained 100% CPU load against both Heimdal on Ubuntu and Windows 2003.

The tool is written in Java and does not rely on any Kerberos libraries to perform the guessing. In order to successfully run the tool against a system it needs at least the realm, dictionary and a server parameters to be set. eg.

java -jar krbguess.jar -s 192.168.56.11 -r HEMMA \ -o report.txt -d ./dic.txt

You can download KrbGuess here:

krbguess-0.21-bin.tar.gz

Or read more here.

NOTE – Salt function is currently only available for md5, you need to append ‘\’ infront of every $ while lookingup or cracking salted hash

General Usage and examples :
./crack.pl [sha1|md5|lookup|salt] [salt]
./crack.pl \$1\$killme\$TVUPnlxfX62j2D/fUVRqp1 bruteforce
./crack.pl 15191b869d2918ebeb0409dbee90f201 /pentest/wireless/cowpatty/dict
./crack.pl 15191b869d2918ebeb0409dbee90f201 bruteforce
./crack.pl 087e086132b9fb3b9c938ab646a4891b365c2f08 /pentest/wireless/cowpatty/dict
./carck.pl 087e086132b9fb3b9c938ab646a4891b365c2f08 bruteforce
./crack.pl table /pentest/wireless/cowpatty/dict md5 > table.md5
./crack.pl table /pentest/wireless/cowpatty/dict sha1 > table.sha1
./crack.pl table bruteforce md5 > bigtable.md5
./crack.pl table bruteforce sha1 > bigtable.sha1
./crack.pl table bruteforce md5 mysalt > table.mysalt

After generating a table you will need to remove any duplicates(if any). But there will be very little or none so this step is unnecessary and this step wll take a long time to run. Running the following will do that

sort -u <table name> -o <sorted table>

If you don’t mind some few errors in trade for space, open the source file and change $savespace=0 to $savespace=1. This will cause only the first 5 bytes of the hash to be stored and as such some two or more passwords may have the same beginning. To look up a hash,use the lookup feature.

./crack.pl <hash><table> lookup

This will find all possible passwords and compute the correct one, please note that fat32 system will store up to 4GB only. While generating a table the software will start from ‘aaaaaa’ onwards (six letters and up).
Less than six letter password is cracked within minutes (four minutes on mine;) ).

crack_salted.pl

This will crack md5 hashes of salted hash. The results are displayed within ’singe ticks’.

TIP : most applications set the salt as the username
: I made a program to generate random strings (genrandom.pl) the list there should definitely pass through sorting and there is absolutly no guarantee that the salt/pass will be included

./crack_salted.pl <hash> <salt|-f salt_file> <method>

This is still in development

Installing Crypt::PasswdMD5

(a windows copy of make may be downloaded from http://gnuwin32.sourceforge.net/packages/make.htm)
$ cd Crypt-PasswdMD5
$ perl Makefile.PL
$ make
$ make test

You can download crack BETA 6 here:

crack.zip

Or preferably use the SVN.

MultiISO LiveDVD Version 1.0 consists of:

• Backtrack 3
• Damn Small Linux (DSL) 4.2.5
• GeeXboX 1.1
• Damn Vulnerable Linux (Strychnine) 1.4 edition
• Knoppix 5.1.1, MPentoo 2006.1
• Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets)
• Puppy Linux 3.01
• Byzantine OS i586-20040404

You can download MultiISO LiveDVD here (to conserve bandwidth only a Torrent link is available, please seed after downloading):

Torrent: EmErgEs_MultiBOOT_ISO.torrent (4.03GB)

MD5SUM: 1b1f37ed6b6f958cde0529a8a1f06637
SHA1SUM: 593ffbfa3c4b665220dcd63b2e4b77bacde5237d

Or read more here.

In the current compilation state it allows to log into a Linux system as ’root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password.

It was mainly created for Ubuntu, later the author has made a few add-ons to cover some other Linux distributions.

Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

Latest Updates – Kon-Boot for Windows

Kon-Boot was moved to Windows platforms. So now it provides support for Microsoft Windows systems and also the Linux systems listed below. Kon-Boot for Windows enables logging in to any password protected machine profile without without any knowledge of the password. This tool changes the contents of Windows kernel while booting, everything is done virtually – without any interferences with physical system changes. So far following systems were tested to work correctly with Kon-Boot:

• Windows Server 2008 Standard SP2 (v.275)
• Windows Vista Business SP0
• Windows Vista Ultimate SP1
• Windows Vista Ultimate SP0
• Windows Server 2003 Enterprise
• Windows XP
• Windows XP SP1
• Windows XP SP2
• Windows XP SP3
• Windows 7

No special usage instructions are required for Windows users, just boot from Kon-Boot CD/Floppy, select your profile and put any password you want. You lost your password? Now it doesnt matter at all.

It has been tested with the following Linux distributions:

• Gentoo 2.6.24-gentoo-r5 GRUB 0.97
• Ubuntu 2.6.24.3-debug GRUB 0.97
• Debian 2.6.18-6-6861 GRUB 0.97
• Fedora 2.6.25.9-76.fc9.i6862 GRUB 0.97

You can download Kon-Boot here:

Floppy Image – FD0-konboot-v1.1-2in1.zip
CD ISO Image – CD-konboot-v1.1-2in1.zip

Or read more here.

Tested on:

• Core Duo (1st gen) Macbook Pro 15″
• Core 2 Duo Macbook Pro 15″

Technical details on how it works here.

You can download EFIPW v0.1a here:

efipw_v0.1a.zip

Or read more here.

You would have thought version 1.5 would have been released in November 2008! Looks like they missed by a few months.

What is Medusa?

Medusa is a speedy, massively parallel, modular, login brute-forcer for network services. Some of the key features of Medusa are:

• Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
• Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
• Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

It currently has modules for the following services:

• AFP
• CVS
• FTP
• HTTP
• IMAP
• MS-SQL
• MySQL
• NCP (NetWare)
• NNTP
• PcAnywhere
• POP3
• PostgreSQL
• rexec
• rlogin
• rsh
• SMB
• SMTP (AUTH/VRFY)
• SNMP
• SSHv2
• SVN
• Telnet
• VmAuthd
• VNC

It also includes a basic web form module and a generic wrapper module for external scripts.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences – you can see a brief comparison here.

It’s been over a year since version 1.4 was released and there has been a bunch of changes. This release includes multiple bug fixes, several new modules and additional module functionality. The following is a quick rundown on some of the new features, if you wish to see a detailed ChangeLog it’s here.

• AFP – new module (still marked as unstable)
• HTTP – digest auth support
• IMAP – STARTTLS, NTLM support
• POP3 – STARTTLS, LOGIN, PLAIN, NTLM support
• SMBNT – LM, LMv2, NTLMv2 support
• SMTP – NTLM support
• TELNET – AS/400 (TN5250) support
• misc. core and module bug fixes

You can download Medusa v1.5 here:

medusa-1.5.tar.gz

Or read more here.

How it works?

It is very simple, You give WMAT file with usernames, file with passwords, URL of web mail app and chose pattern for attack. Patterns are XML files that define post/get fields, http method, referer, success tag, etc … for each web mail applications.

There are currently patterns for horde, squirrelmail, kerio and mdaemon web mail.

The XML pattern files look like this:

--- horde.wmat.xml ---
<xml version='1.0' encoding='UTF-8'>
<data>
<username>horde_user</username>
<password>horde_pass</password>
<action_url>login.php</action_url>
<success>sidebar.php</success>
<method>post</method>
<useragent></useragent>
<referer></referer>
<additional_fields></additional_fields>
<author>ivan.markovic@netsec.rs</author>
</data>
-----------------------

The author of WMAT requests for help from the community with the patterns, the author of the pattern will be credited in the author field of the XML file.

There are some more options like setting timeout (time between each request), bell on success and option for writing output in file. More can be seen in the Readme file here.

For future versions the following additions are planned:

• using a proxy
• special addon for generation of usernames/passwords
• automatic recognizer of web app

You can download WMAT here:

wmat.zip
Python source.

Or read more here.

This application is more towards creating custom word lists from a specific domain by crawling it for unique words. Basically you give the application a spidering target website and it will collect unique words. The application is written in Ruby and is called CeWL, the Custom Word List generator. The app can spider a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

IF you combine the info output by CeWL and AWLG with the standard wordlists for password cracking – you should have a fairly comprehensive set.

By default, CeWL sticks to just the site you have specified and will go to a depth of 2 links, this behaviour can be changed by passing arguments. Be careful if setting a large depth and allowing it to go offsite, you could end up drifting on to a lot of other domains. All words of three characters and over are output to stdout. This length can be increased and the words can be written to a file rather than screen so the app can be automated.

Version 2 of CeWL can also create two new lists, a list of email addresses found in mailto links and a list of author/creator names collected from meta data found in documents on the site. It can currently process documents in Office pre 2007, Office 2007 and PDF formats. This user data can then be used to create the list of usernames to be used in association with the password list.

Installation

CeWL needs the rubygems package to be installed along with the following gems:

• http_configuration
• mime-types
• mini_exiftool
• rubyzip
• spider

You can download CeWL here:

cewl_2.0.tar.bz2

Or read more here.

Wyd the Password Profiling Tool also does something similar to AWLG but it’s a PERL script rather than being based online.

I’d prefer if AWLG let us download an offline version too personally.

About AWLG

The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion.

Inclusion Example: A search string including the words (without quotes): “steve carell” would give us a word list with lots of words associated with the actor Steve Carell. This includes all of the words from his MySpace page, words from the Wikipedia article on him, etc.

Exclusion Example: We know that Steve Carell is an actor for lots of things, including a show called “The Office”. A search string: “steve carell” with omissions: “office” and “michael scott” would find words from websites that mention Steve Carell, but do not mention the word “office”, “michael”, or “scott”.

Privacy policy

AWLG.org does not record any transmitted search strings or user information. AWLG.org does record statistical information such as total site usage, total number of words generated per search, etc.

You can get cracking with AWLG here:

http://awlg.org/index.gen