
Challenge


Hug_It

Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Tue Aug 01, 2006 2:59 pm

Challenge

Have you seen this?

http://weblog.infoworld.com/securityadv ... and_b.html

The guy is offering prizes for cracking his NTLM passwords. The catch is they are long passwords, 10-15 characters, with varying complexity.

The question I have for you all is what strategy would you use to start cracking these passwords?

I was thinking the best way would be to start generating simple lowercase alpha rainbow tables with a length of exactly 15 characters. The second one just seems like it should be the easiest to tackle first. Am I way off?
CISSP

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Aug 01, 2006 3:31 pm

Re: Challenge

I actually tried this with one of my CEH classmates. He created a long and complex NTLM password and asked if I could crack it. I had 0phcrack and a set of rainbow tables that was just under 800MB. The problem ends up being that most rainbow tables don't have entries for passwords with spaces in them. So the one I used couldn't do it. So you may need to try a hybrid attack and account for spaces.

You could always use one of the password cracking services out there. You give them a hash, they will eventually crack it. Some services are free, others are not. So it may not be worth the time or the money.

Could be fun though.

Don
CISSP, MCSE, CSTA, Security+ SME

LSOChris

Post Tue Aug 01, 2006 3:47 pm

Re: Challenge

the 10 character one should be doable, especially if it's an LM hash, he doesn't say if they are LM or NTLM...

the 15 character ones would be quite a bear to crack, i doubt too many people have 15 character NTLM rainbow tables lying around...

have to hybrid/brute force them.

of course when i was doing research for my rainbow tables paper i read that you could have a 1 character password that no password cracker would ever crack. know what it was? any character made with the alt command, because password crackers don't check for those characters...

Hug_It

Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Tue Aug 01, 2006 3:49 pm

Re: Challenge

Most services, even the commercial ones, only have NTLM tables for up to 9 characters max. So basically if you want to use rainbow tables, you're going to have to create your own. I've tried a multitude of available resources and tools. It's an interesting practical exercise that's for sure.
CISSP
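
The points raised in this thread (LM versus NTLM, 10 versus 15 characters, and tables that lack spaces) can be put into numbers. The Python below is an added example, not code from any poster; the character sets and the guess rate are assumptions chosen for illustration.

```python
import string

# Constructed charsets for illustration; real table sets define their own.
LOWER = string.ascii_lowercase
MIXED = string.ascii_letters + string.digits
PRINTABLE = "".join(chr(c) for c in range(32, 127))  # 95 chars, includes space

def ntlm_keyspace(charset, length):
    """NTLM hashes the whole case-sensitive password: |charset|^length."""
    return len(set(charset)) ** length

def lm_half_keyspaces(charset, length):
    """LM upper-cases the password and hashes two 7-character halves
    independently. Returns per-half candidate counts, or None when no LM
    hash exists (Windows stores none for passwords longer than 14)."""
    if length > 14:
        return None
    n = len({c.upper() for c in charset})
    first, second = min(length, 7), max(length - 7, 0)
    return (n ** first, n ** second)

def table_covers(password, charset, min_len, max_len):
    """A precomputed table can only hit passwords inside its charset and lengths."""
    return min_len <= len(password) <= max_len and set(password) <= set(charset)

def years_at(rate_per_sec, candidates):
    """Time to enumerate every candidate at a fixed guess rate."""
    return candidates / rate_per_sec / (365 * 24 * 3600)

if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second, illustrative only
    for length in (10, 15):
        for name, cs in (("lower", LOWER), ("mixed", MIXED), ("printable", PRINTABLE)):
            full = ntlm_keyspace(cs, length)
            lm = lm_half_keyspaces(cs, length)
            lm_txt = "no LM hash" if lm is None else f"LM worst half {max(lm):.2e}"
            print(f"{length:>2} {name:<9} NTLM {full:.2e} "
                  f"({years_at(rate, full):.1e} y)  {lm_txt}")
    # Constructed sample password containing a space
    print(table_covers("blue sky at night", MIXED, 1, 20))
```

For defenders the output shows why a password of 15 or more characters, or one using characters outside common table charsets, falls outside what precomputed tables cover.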
