Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-23 Thread Tonnerre Lombard
Salut, Michael, On Tue, 20 May 2008 13:41:41 -0400, Michael Holstein wrote: > Smoke Detector + Webcam = cheapo RNG We were talking about PRNGs here, which are highly complex mathematical constructs, not hardware RNGs, which are also slightly hairy though. There are a couple of books on PRNG desig

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-20 Thread Garrett M. Groff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Yep, agreed. - - G Salut, Garrett, On Mon, 19 May 2008 13:51:29 -0400, Garrett M. Groff wrote: > Generating pseudo-random numbers isn't hard given a good API, but > writing that API is non-trivial (assuming you want high entropy/low > predictabili

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-20 Thread Michael Holstein
> Generating real pseudo-random streams is a hard problem which is way > more than what people can handle. Usually, PRNGs are composed of > various periodic elements which, in the end, all combined produce a > repeating stream of pseudo-random numbers. OpenSSL uses a modified MAC > for this as a s

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-20 Thread Valdis . Kletnieks
On Mon, 19 May 2008 13:51:29 EDT, "Garrett M. Groff" said: > Generating pseudo-random numbers isn't hard given a good API, but writing > that API is non-trivial (assuming you want high entropy/low > predictability). And, apparently, screwing up that API is also very easy. Of course, if you're try

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-20 Thread Tonnerre Lombard
Salut, Garrett, On Mon, 19 May 2008 13:51:29 -0400, Garrett M. Groff wrote: > Generating pseudo-random numbers isn't hard given a good API, but > writing that API is non-trivial (assuming you want high entropy/low > predictability). And, apparently, screwing up that API is also very > easy. Gener

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-19 Thread Garrett M. Groff
And, apparently, screwing up that API is also very easy. - - G - - Original Message - From: "Skratz0r" <[EMAIL PROTECTED]> To: "nicolas vigier" <[EMAIL PROTECTED]> Cc: Sent: Monday, May 19, 2008 7:50 AM Subject: Re: [Full-disclosure] Working exploit for Debia

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-19 Thread Skratz0r
>_> #1: It cant be that hard to generate random numbers. #2: It's hardly the wheel. #3: Again, pointless arguments. On 19 May 2008, at 12:09, nicolas vigier wrote: > On Mon, 19 May 2008, Ronald van der Westen wrote: > >> Why reinvent the wheel? > > Why not ? > >

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-19 Thread nicolas vigier
On Mon, 19 May 2008, Ronald van der Westen wrote: > Why reinvent the wheel? Why not ? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-19 Thread Ronald van der Westen
Why reinvent the wheel? On Mon, May 19, 2008 at 6:20 AM, reepex <[EMAIL PROTECTED]> wrote: > why don't you code it yourself instead of being a script kiddie faggot. and > don't use ";-)" to look cool when you beg for warez. > > On Sun, May 18, 2008 at 10:13 AM, bob harley <[EMAIL PROTECTED]> wrote

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-18 Thread reepex
Could you never write perl again please? Perl underground should take a shot at your stuff but you are not worth it. On Thu, May 15, 2008 at 1:35 AM, Markus Müller <[EMAIL PROTECTED]> wrote: > Hi full-disclosure, > > the debian openssl issue leads that there are only 65.536 possible ssh > keys ge

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-18 Thread reepex
why don't you code it yourself instead of being a script kiddie faggot. and don't use ";-)" to look cool when you beg for warez. On Sun, May 18, 2008 at 10:13 AM, bob harley <[EMAIL PROTECTED]> wrote: > Anyone have a copy of > rsa.2048.tar.bzip2? > The

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-18 Thread Fredrick Diggle
Yes Fredrick Diggle will get you a copy :) On Sun, May 18, 2008 at 10:13 AM, bob harley <[EMAIL PROTECTED]> wrote: > Anyone have a copy of rsa.2048.tar.bzip2? The web server isn't playing > nicely ;-) > > On Thu, May 15, 2008 at 2:35 AM, Markus Müller <[EMAIL PROTECTED]> wrote: >> >> Hi full-disc

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-18 Thread bob harley
Anyone have a copy of rsa.2048.tar.bzip2? The web server isn't playing nicely ;-) On Thu, May 15, 2008 at 2:35 AM, Markus Müller <[EMAIL PROTECTED]> wrote: > Hi full-disclosure, > > the debian openssl issue leads that there are only 65.536 possible ssh

[Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-14 Thread Markus Müller
Hi full-disclosure, the debian openssl issue leads that there are only 65.536 possible ssh keys generated, cause the only entropy is the pid of the process generating the key. This leads to that the following perl script can be used with the precalculated ssh keys to brute force the ssh login.