[Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
Let's imagine there is someone out there able to crack any hash of the entire set of DES-based crypt(3) hashes in a reasonable amount of time, say 5-10 days. Let's imagine that no matter how many hashes are submitted to the system, 1 or 1000, all of them are guaranteed to be cracked in this constant amount of time. Let's also imagine this service becomes commercially available. Even though DES-based crypt(3) is outdated and obsolete, its use is still widespread in typical large heterogeneous IT environments. So I guess this service would interest lots of legitimate clients such as pentesters, government agencies, IT departments in large companies or universities, and the likes. How much would you value this service ? Would you pay $100, $10, $1 per hash to crack ? Would you require anonymity to use the service ? -XRR ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
Le Mon, Jul 30, 2007 at 12:09:18AM -0700, n/a n/a ecrivait : How much would you value this service ? Would you pay $100, $10, $1 per hash to crack ? Would you require anonymity to use the service ? $10 sounds reasonnable for a hash. Of course, I would require anonymity to use that service. -- Frank Denis - j [at] pureftpd.org - NSI / Young Nails / CND nail tech http://forum.manucure.info - http://www.manucure-pro.com - http://00f.net ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 $1-10/hash, and I'd actively seek/support an open source option. - --- Tremaine Lea Network Security Consultant Intrepid ACL Paranoia for hire On 30-Jul-07, at 1:09 AM, n/a n/a wrote: snip Let's also imagine this service becomes commercially available. Even though DES-based crypt(3) is outdated and obsolete, its use is still widespread in typical large heterogeneous IT environments. So I guess this service would interest lots of legitimate clients such as pentesters, government agencies, IT departments in large companies or universities, and the likes. How much would you value this service ? Would you pay $100, $10, $1 per hash to crack ? Would you require anonymity to use the service ? -XRR -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (Darwin) iQEcBAEBAgAGBQJGrdUSAAoJEKGa22zRy9WCRDYIAIZgq4FjxYJzeJ9vTyZqKuKk jX+m9wKyWwLeJ429Qd5XYOA+U5TPr6IVPKI4/3Wi2vzKDaZTKdXn7nZQsVSWWk/R qpbmrWMXtSteKTXqilk78tQmuYjWmvqXQ7uiR3NvXTPGJtJB/HWJpt0W14rvuzB9 6/y7e0f9YeUkj/ZEtDiv4O607uZtueqyIL8izUBezRcDUPNAB+0ZMV+uMAApdZrq et2gCcO7vO03l7f9IBlQjWPExlaWLCYYIy6cqdVaNB9GljG4peY/KqdAILKqPw86 24Qz+UdYc8e20LzDsmUeXAMhxI2NQG3dJajsgCIIWkf6Ao5fvaLjNxAt+gS4nyM= =hb88 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
Dear Tremaine Lea, --Monday, July 30, 2007, 4:09:53 PM, you wrote to [EMAIL PROTECTED]: TL -BEGIN PGP SIGNED MESSAGE- TL Hash: SHA1 TL $1-10/hash, and I'd actively seek/support an open source option. 5-10 days for full bruteforce? John-the-ripper on modern multi-core PC. -- ~/ZARAZA http://securityvulns.com/ Итак, я буду краток. (Твен) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
Quoting n/a n/a [EMAIL PROTECTED]: How much would you value this service ? Would you pay $100, $10, $1 per hash to crack ? Would you require anonymity to use the service ? I would pay $1 each for md5 cracks of this type, $5 for DES crypt. Anonymity hosted outside the US would be an expected criteria. t.r. - Email solutions, MS Exchange alternatives and extrication, security services, systems integration. Contact:[EMAIL PROTECTED] ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
On 7/30/07, 3APA3A [EMAIL PROTECTED] wrote: 5-10 days for full bruteforce? John-the-ripper on modern multi-core PC. Let's be clear here. JtR will only succeed if the password is based on frequently used characters. If it is truly random and 8 characters long, JtR will not be able to crack it. I am talking about cracking the *entire* set of DES-based crypt hashes. -XRR ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
On 7/30/07, XRR . [EMAIL PROTECTED] wrote: On 7/30/07, 3APA3A [EMAIL PROTECTED] wrote: 5-10 days for full bruteforce? John-the-ripper on modern multi-core PC. ... JtR will only succeed if the password is based on frequently used characters. If it is truly random and 8 characters long, JtR will not be able to crack it. I am talking about cracking the *entire* set of DES-based crypt hashes. gotta pay off that copacobana? 10,000 hashes for breakeven @ $1, not bad... ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
On 7/30/07, coderman [EMAIL PROTECTED] wrote: gotta pay off that copacobana? 10,000 hashes for breakeven @ $1, not bad... yes, a joke. you'd need to charge at least $100 hash to make this profitable, maybe down to $40-50 if you could leverage bulk pricing for components. cmon XRR, spill the beans. a bunch of PS3's? FPGA array? quantum search? :P ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
Dear coderman, Whhooo! We will not see SPAM any more, because all botnets will be overloaded with hash hacking! --Monday, July 30, 2007, 11:30:51 PM, you wrote to [EMAIL PROTECTED]: c On 7/30/07, coderman [EMAIL PROTECTED] wrote: gotta pay off that copacobana? 10,000 hashes for breakeven @ $1, not bad... c yes, a joke. you'd need to charge at least $100 hash to make this c profitable, maybe down to $40-50 if you could leverage bulk pricing c for components. c cmon XRR, spill the beans. a bunch of PS3's? FPGA array? quantum search? :P -- ~/ZARAZA http://securityvulns.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
JtR will only succeed if the password is based on frequently used characters. If it is truly random and 8 characters long, JtR will not be able to crack it. Sure it will, it just takes adjustments to john.conf and a *lot* longer. djohn (distributed JtR) was written to address this : http://ktulu.com.ar/blog/software/djohn I am talking about cracking the *entire* set of DES-based crypt hashes. The EFF built a gizmo (in 1998 no less) that could to it in 4.5 days on average : http://www.schneier.com/crypto-gram-9808.html I'd bet a good VHDL programmer with the cash to cough up for top-notch Xlinix gear could do it cheaper and faster. Is this what you're planning on doing? ~Mike. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
On Mon, 30 Jul 2007 12:30:51 PDT, coderman said: cmon XRR, spill the beans. a bunch of PS3's? FPGA array? quantum search? :P There's probably more CPU cycles available in all the botnets of the world than there are total in the top500 list. If you want to do it a bit more legally, the EFF did a one-off box with lots of FPGA that could do it in a few days, it cost them like $250K in late-90s dollars, and they estimated building a second one would cost about half as much. Now apply Moore's Law and estimate what 2007 FPGA's could do. ;) pgpRPASdyUrPu.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
On 7/30/07, Michael Holstein [EMAIL PROTECTED] wrote: Sure it will, it just takes adjustments to john.conf and a *lot* longer. djohn (distributed JtR) was written to address this. Exactly. And my point is that it is only doable in a reasonable amount of time if you have on the order of 1e5 cpu cores in the cluster. I can do it for $4M, lower estimate. Not cheap enough. The EFF built a gizmo (in 1998 no less) that could to it in 4.5 days on average : Correct. But multiply this by the 25 iterations of DES required by crypt(). So one EFF DES cracker, or better, one copacobana box has a cracking throughput of 1 hash every 100 days or so. Not good enough. -XRR ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
