Announcement

Collapse
No announcement yet.

MD5 Decryption

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Originally posted by Weasel526
    eiSecure: 8 characters is nothing.

    As I mentioned in the other encryption (errr, hashing) thread, mdcrack can do 4,000,000 hashes per second.

    so (32^8 / 4,000,000) / 60 / 60 / 24 is only 3.18 days

    leadZERO: I said cracking, didn't I say cracking?

    After you load the dictionary file (which takes all of 10 seconds after the initial (one time) sorting), it will crack as many passwords as you fancy in less than a second. Well I shouldnt say that. Cracking all of vBulletin.com's passwords would probably take more than a second, but atleast it's faster than trying to brute force each one.

    The whole point is that this program gives you all or nothing. It doesnt try to spend days brute forcing hashes, it just does a simple binary search. If it can't find the password immediatly it can't find it at all. I admit my forum isn't the greatest test environment but when you have close to 100 users you can get a fairly good average percentage.
    You're claiming that your program can crack MD5 in under a week.

    If it can, then how come you're the one who came up with this, instead of the hundreds of thousands of security experts that test an algorithm from the second it comes out, until even after it's labeled 'secure', which is what MD5 is labeled.


    If you want to test it for real, how about I give you a MD5 sum, and you tell me what the contents of it are.
    :)

    Comment


    • #17
      your confusing the two programs I'm talking about. There's lots of programs that can easily crack a short password, but I havn't found any that will use a dictionary brute force on MD5. This is what I've wrote.

      Now people can use both. And the whole point is MD5 is not secure if you have a) a short password or b) an easy password.

      Now you have both tools available to you, so dont complain. If you don't want to use them, dont.

      BTW, the other program I mentioned (mdcrack) will crack any 8 character password you give me in the charset you mentioned (abcdefghijklmnopqrstuvwxyz1234567890) in no more than 3.2 days
      Last edited by Weasel; Tue 30th Jul '02, 1:30pm.
      http://www.almostsmart.com/misc/sig/sig.php

      Comment


      • #18
        Nobody said anything about using your tools.

        What I'm saying is that your program does not crack MD5. All it does is brute-force the PASSWORD -- not MD5.
        :)

        Comment


        • #19
          That makes no sense. It cracks the MD5 to reveal the password, which was hashed with the MD5 function. I sense this conversation is degenerating..
          http://www.almostsmart.com/misc/sig/sig.php

          Comment


          • #20
            Originally posted by Weasel526
            That makes no sense. It cracks the MD5 to reveal the password, which was hashed with the MD5 function. I sense this conversation is degenerating..
            Fine. Be that way.

            I can sense things as well, and I sense that you're not going to change your mind if it's just me that says this.

            Go to any, and I mean *ANY* information security forum/site and post your program there.

            Trust me when I say this -- your program does not crack MD5, not to mention do it in under a week.
            :)

            Comment


            • #21
              oh wait, I think I see what your saying. Your saying that the program doesn't guess MD5 hashes and compare them to passwords, it guesses passwords and compares them to MD5s. Isn't this what all Brute force programs do? guess the password and see if it works?

              Like another way to do the problem would go like this:

              md5(aaaaaaaa) ?= hash
              md5(aaaaaaab) ?= hash

              this is the time consuming way, which like I mentioned earlier takes 3.2 days for 8 character passwords using the 32 chars you mentioned. There's also the dictionary (my) way which only uses known passwords, instead of trying every combination. Either way works to some extent. Either get small accuracy (40% in my case) in a short ammount of time, or get 100% accuracy in a long amount of time:

              8 chars (36 chars in charset) = 3.2 days
              8 chars (62 chars in charset) = 7 days
              12 chars = 100,000 centuries, or whatever I found it to be over in the other thread.

              MD5 isn't perfect.
              Last edited by Weasel; Tue 30th Jul '02, 2:28pm.
              http://www.almostsmart.com/misc/sig/sig.php

              Comment


              • #22
                Exactly.

                What you're doing is using a dictionary attack on a small amount of MD5 hashes. That's not cracking MD5.

                Cracking MD5 would be either reversing it mathmatically (in which would turn MD5 into the world's greatest compression algorithm), or brute-forcing all combinations of hashes for a moderately long sentence.


                A dictionary attack on a few MD5-hashed passwords is hardly cracking it.
                :)

                Comment


                • #23
                  true true. But would you must agree that if I had a hashed password, and then performed my dictionary attack as well as a small brute force (8 characters) and if I succeded, than that Particular hash would be in fact, cracked.

                  Don't get me wrong, I'm not proclaiming that I've found the magical way to reverse something impossibly. It's not an exact science obviously, but I would say with both methods combined would produce results of 50% success on the average user.
                  Last edited by Weasel; Tue 30th Jul '02, 2:49pm.
                  http://www.almostsmart.com/misc/sig/sig.php

                  Comment


                  • #24
                    I'd agree with eSecure. It just doesn't sound right to say you cracked the password when all you did was compare it against a dictionary or known hashes. It's like saying you read a book when you just skimmed the Cliff Notes.

                    If you could decrypt MD5 I don't know about the best compression. It would compress everything at a 4:1 ratio (MD5 takes a 512 bit block and turns it into a 128bit hash, I know it breaks it down and concantates it more then that but generally speaking). Most dictionary based lossless compression quality varies but some type of files (like source code) you can compress like mad. Lossy compression like MP3 or WMA compression even claims to get 12-14:1.
                    Ryan "leadZERO" Sommers
                    Gamer's Impact President
                    [email protected]
                    ICQ: 1019590
                    AIM/MSN: leadZERO

                    -= http://www.gamersimpact.com =-

                    Comment


                    • #25
                      I always assumed that a mathamatically sure way to undo an encryption was called "decryption" and a brute force attack was called "cracking".

                      In any case we are arguing over stupid defintions. The end result is the same. You stick a hash in one end and half the time the original string will come out the other. I wouldnt call that exactly "secure".

                      Can I change the subject? this is getting boring. The fact is that easy passwords (guessable or < 8 chars) are NOT secure in vB. In VB3 they should use a combination MD5 salt encryption so that the passwords would be less guessable. That way no brute force attack no matter how intensive would not be able to crack (or WHATEVER you call it) without the proper salt.

                      (see the php manual on crypt() if you dont know what a salt is)

                      it's funny: the notes for the crypt and md5 function seem to turn into a familiar looking purpose-less argument.
                      Last edited by Weasel; Tue 30th Jul '02, 3:02pm.
                      http://www.almostsmart.com/misc/sig/sig.php

                      Comment


                      • #26
                        The first two characters of a salt encryption are the salt used to encrypt it.

                        I don't think anyone will argue with you that guessable passwords are not secure. I don't know where you got the idea we were saying guessable passwords were secure. However, blaiming this on vB or MD5 hashing is way out of line. Hashing will never be stronger then the original password. It is up to the users to use strong passwords.

                        Perhaps what you should be advocating is for a certain level of password strength be required by future releases of vBulletin. Require: 1 capital and 1 lowercase alpha, 1 numeric and 1 special character. Password not under 8 characters.


                        Please stop using your 40%. You know 98% of statistics are made up on the spot?

                        Also you just increased your self-proclaimed fame from 40% to "half the time." That's a 10% increase, in the world of cryptography you will be dealing with a lot of mathematically inclined people. I don't think many of them will use 40% and half the time interchangably.

                        Also, a better reference for crypt() would be a manual page on a Linux or UNIX system since the PHP crypt() function is basically a wrapper to it.
                        Last edited by leadZERO; Tue 30th Jul '02, 3:47pm.
                        Ryan "leadZERO" Sommers
                        Gamer's Impact President
                        [email protected]
                        ICQ: 1019590
                        AIM/MSN: leadZERO

                        -= http://www.gamersimpact.com =-

                        Comment


                        • #27
                          Originally posted by leadZERO
                          Also you just increased your self-proclaimed fame from 40% to "half the time." That's a 10% increase...
                          actually, it's a 25% increase

                          <-- annoying++
                          My open eyes see everything, and you see nothing. . .
                          That forum

                          Comment


                          • #28

                            but I would say with both methods combined would produce results of 50% success on the average user.
                            I had a 38.2% success rate. If brute force were used, it is 100% success rate for passwords under 9 characters (in a resaonable time frame). I think atleast 10% of passwords are under 9 characters.

                            read.
                            Last edited by Weasel; Tue 30th Jul '02, 4:59pm.
                            http://www.almostsmart.com/misc/sig/sig.php

                            Comment

                            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                            Working...
                            X