mastodontech.de ist einer von vielen unabhängigen Mastodon-Servern, mit dem du dich im Fediverse beteiligen kannst.
Offen für alle (über 16) und bereitgestellt von Markus'Blog

Serverstatistik:

1,4 Tsd.
aktive Profile

#passwordcracking

1 Beitrag1 Beteiligte*r0 Beiträge heute
Alec Muffett<p>July 15th 1991: 34 years ago I published the first “modern” password cracker…<br><a href="https://alecmuffett.com/article/113704" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">alecmuffett.com/article/113704</span><span class="invisible"></span></a><br><a href="https://mastodon.social/tags/ComputerHistory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ComputerHistory</span></a> <a href="https://mastodon.social/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a> <a href="https://mastodon.social/tags/crack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>crack</span></a></p>
Jabbercracky!<p>The monthly casual event for July will start this Friday! </p><p>1 hash list will be created with 250k hashes based on a hidden theme. The competition portion will last 7 days and the write-up will be prepared and released shortly after.</p><p><a href="https://infosec.exchange/tags/jabbercracky" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jabbercracky</span></a> <a href="https://infosec.exchange/tags/ctf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ctf</span></a> <a href="https://infosec.exchange/tags/passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwords</span></a> <a href="https://infosec.exchange/tags/passwordcracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwordcracking</span></a> <a href="https://infosec.exchange/tags/cracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cracking</span></a></p>
Pyrzout :vm:<p>16 Billion Passwords Stolen From 320 Million+ Computers Leaked Online <a href="https://gbhackers.com/16-billion-passwords-stolen-from-320-million-computers-leaked-online/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gbhackers.com/16-billion-passw</span><span class="invisible">ords-stolen-from-320-million-computers-leaked-online/</span></a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurityNews</span></a> <a href="https://social.skynetcloud.site/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a> <a href="https://social.skynetcloud.site/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://social.skynetcloud.site/tags/FACEBOOK" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FACEBOOK</span></a> <a href="https://social.skynetcloud.site/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Google</span></a> <a href="https://social.skynetcloud.site/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apple</span></a></p>
Royce Williams<p>Well, this cracking attack is going to take 5.5 days on 2x 4090s.</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a> <a href="https://infosec.exchange/tags/hashcat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hashcat</span></a></p>
Royce Williams<p>TIL if you generate and store all even <em>faintly</em> possible IPv4 IPs - 0.0.0.0 through 255.255.255.255 - as ASCII strings ... it takes about 58GB.</p><p>This is a <a href="https://infosec.exchange/tags/HaveIBeenPwned" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HaveIBeenPwned</span></a> subtoot. 😜 </p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a></p>
Royce Williams<p>Password crackers:</p><p>If you're still mashing up all of your wordlists into a single monolithic file for deduplication purposes ... let me suggest an option that scales better, simply by approaching the problem differently:</p><p>Deduplicate each new source as it arrives, and then add it to a repository, by removing all strings already in your repository ...and then <em>preserve it as a separate file</em>! (You might call this the "sort once, deduplicate often" method.)</p><p><a href="https://blog.techsolvency.com/2025/04/managing-unique-wordlists-password-cracking.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.techsolvency.com/2025/04/</span><span class="invisible">managing-unique-wordlists-password-cracking.html</span></a></p><p>The key benefit: the memory usage required is a factor of the size of the new file alone, rather than of the entire corpus.</p><p>Also useful for other medium-sized "dedupe a recurring stream of new sets of strings over time" use cases.</p><p>(And if you're not doing this anymore, now you have a reference to share with the folks who still are!)</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a></p>
Will Hunt<p>Top <a href="https://infosec.exchange/tags/hashcat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hashcat</span></a> tip:</p><p>Want per-position duplication in your rules to leverage your GPU?</p><p>It's not available in a single op, but you can emulate it by incrementally duplicating the first N chars, and then incrementally deleting the position and frequency of the redundant characters</p><p><a href="https://infosec.exchange/tags/password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>password</span></a> <a href="https://infosec.exchange/tags/passwordcracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwordcracking</span></a> <a href="https://infosec.exchange/tags/pentest" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pentest</span></a> <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>redteam</span></a></p>
postmodern<p>Should I build a password cracking rig in the year 2025 just to have around? Or should I use cloud based GPUs?</p><p><a href="https://infosec.exchange/tags/passwordcracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwordcracking</span></a></p>
Royce Williams<p>If you need to sort and dedupe a ton of strings/records, Cynosure Prime member blazer has released rlite, a 'lite' version of rling. I helped debug early versions. A nice balance of performant and simple, but with useful knobs like frequency counting, writing dupes to another file, etc.</p><p>(And heavy on the 'performant' - multi-threaded sort + dedupe time for 1.4B records in a 16GB file is 45 seconds on 48 EPYC 7642 cores, and uses 26GB of RAM)</p><p><a href="https://github.com/Cynosureprime/rlite" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/Cynosureprime/rlite</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a></p>
Royce Williams<p>Next time password cracking comes up conversationally and someone says "And can't you can just use rainbow tables" ... send them this.</p><p><a href="https://hashcat.net/faq/rainbowtables" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hashcat.net/faq/rainbowtables</span><span class="invisible"></span></a></p><p>tl;dr They are only worthwhile in a very specific (and rare) set of circumstances.</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a> <a href="https://infosec.exchange/tags/RainbowTables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RainbowTables</span></a></p>
Royce Williams<p>Today's traditional UNIX crypt / descrypt / hashcat -m 1500 trivia.</p><p>if you see a descrypt crack ending in <code>\x8a</code> ... no you didn't.</p><p>These actually end in <code>\x0a</code> -- descrypt drops all high bits, turning <code>\x8a</code> into <code>\x0a</code>!</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a></p>
Royce Williams<p>Password cracking tip: </p><p>Grow your ability to understand the math of your attack space.</p><p>One nice way to practice this: for a given attack, use Wolfram Alpha (or a calculator, etc.) to roughly confirm the math of your tool's ETA for your attack.</p><p>If they don't match, check your assumptions, your setup, or your understanding until they do.</p><p>In this example, the total number of guesses scheduled for this attack will take these two GPUs, running at the hashrate shown, a little under 46 days to complete.</p><p><a href="https://wolframalpha.com/input?i=%281408965009*47622827%29+%2F+%2816989*1000000*60*60*24%29" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">wolframalpha.com/input?i=%2814</span><span class="invisible">08965009*47622827%29+%2F+%2816989*1000000*60*60*24%29</span></a></p><p>Practicing this estimation until you can do it very "back of the napkin" / order of magnitude in your head is valuable, just as it is with any "large numbers" effort / industry / exercise.</p><p><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a> <a href="https://infosec.exchange/tags/hashcat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hashcat</span></a></p>
Royce Williams<p>So ... due to an early obsession with historical BSD hashes ... I have significantly more bcrypt hashrate-per-watt cracking capacity than most solo shops. For bcrypt cost 12, it's about 34Kh/s straight wordlist -- the equivalent of about 17 4090s -- at only 1100W (these old Bitcoin FPGAs are very efficient for bcrypt specifically). And this capacity is intermittently idle, which is kinda a shame.</p><p>I haven't really put it out there as something I can help with if needed (outside of the Hashcat team). So ... feel free to ping me if you need bcrypts cracked/audited!</p><p>(Reasonable rates, but note that I do have a pretty firmly high bar for provenance / proof of authorization)</p><p>(Rat's nest of USB has been cleaned up a bit 😅)</p><p><a href="https://infosec.exchange/tags/bcrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bcrypt</span></a> <a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a> <a href="https://infosec.exchange/tags/hashing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hashing</span></a></p>
Jeremi M Gosney :verified:<p>Team <a href="https://infosec.exchange/tags/Hashcat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hashcat</span></a> is pleased to present our much anticipated write-up for this year's <a href="https://infosec.exchange/tags/CrackMeIfYouCan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CrackMeIfYouCan</span></a> contest at <a href="https://infosec.exchange/tags/Defcon32" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Defcon32</span></a> </p><p>📕 Read it here:<br><a href="https://raw.githubusercontent.com/hashcat/team-hashcat/8a72d338660cc6d8f4f8014bd8e3236f8c59cd6e/CMIYC2024/CMIYC2024TeamHashcatWriteup.pdf" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">raw.githubusercontent.com/hash</span><span class="invisible">cat/team-hashcat/8a72d338660cc6d8f4f8014bd8e3236f8c59cd6e/CMIYC2024/CMIYC2024TeamHashcatWriteup.pdf</span></a></p><p><a href="https://infosec.exchange/tags/password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>password</span></a> <a href="https://infosec.exchange/tags/passwordcracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwordcracking</span></a> <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>redteam</span></a> <a href="https://infosec.exchange/tags/ctf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ctf</span></a> <a href="https://infosec.exchange/tags/defcon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>defcon</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
Royce Williams<p>When a target hashlist has a significantly lower percentage of cracks than expected, I've started calling the remaining/missing cracks "dark matter".</p><p>Some potential causes of cracking "dark matter":</p><ul><li><p>Site changed methodologies later: switched to a nested hash, added a pepper, HSM, true encryption layer, etc.</p></li><li><p>High number of automatically random-ish passwords: defaults, resets, bots, randomized on account lock, etc.</p></li><li><p>Complexity requirements higher than expected: high minimum length, etc.</p></li><li><p>Attacker (me) is missing key info: language, encoding, demographics, etc.</p></li></ul><p>What could other causes be?</p><p><a href="https://infosec.exchange/tags/Hashing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hashing</span></a> <a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a></p>
MalwareLab<p>One example why to use strong <a href="https://infosec.exchange/tags/passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwords</span></a> for users who use file sharing over <a href="https://infosec.exchange/tags/SMB" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMB</span></a> even when the file transfers are <a href="https://infosec.exchange/tags/encrypted" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>encrypted</span></a>. <br>If the SMB traffic is captured/eavesdropped, then the attacker can try to crack the user password. <br>The attacker is able to extract challenge/response values from the Session Setup and then use <a href="https://infosec.exchange/tags/passwordcracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwordcracking</span></a> tools such as <a href="https://infosec.exchange/tags/hashcat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hashcat</span></a></p><p>If the attack is successful, the attacker will gain not only the access to the user account, but it is also possible to decrypt the captured SMB file transfers. There is lack of perfect forward secrecy in this encryption. </p><p>For more details and practical examples, see this blog post:</p><p><a href="https://malwarelab.eu/posts/tryhackme-smb-decryption/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">malwarelab.eu/posts/tryhackme-</span><span class="invisible">smb-decryption/</span></a></p><p><a href="https://infosec.exchange/tags/networktrafficanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networktrafficanalysis</span></a> <a href="https://infosec.exchange/tags/networktraffic" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networktraffic</span></a> <a href="https://infosec.exchange/tags/encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>encryption</span></a> <a href="https://infosec.exchange/tags/netntlmv2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>netntlmv2</span></a> <a href="https://infosec.exchange/tags/netntlm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>netntlm</span></a> <a href="https://infosec.exchange/tags/ntlm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ntlm</span></a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>windows</span></a> <a href="https://infosec.exchange/tags/fileshare" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fileshare</span></a> <a href="https://infosec.exchange/tags/pentesting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pentesting</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/hardening" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hardening</span></a> <a href="https://infosec.exchange/tags/password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>password</span></a> <a href="https://infosec.exchange/tags/cracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cracking</span></a> <a href="https://infosec.exchange/tags/offensivesecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>offensivesecurity</span></a> <a href="https://infosec.exchange/tags/offsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>offsec</span></a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blueteam</span></a> <a href="https://infosec.exchange/tags/purpleteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>purpleteam</span></a></p>
Will Hunt<p><span class="h-card" translate="no"><a href="https://mastodon.online/@tomshardware" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>tomshardware</span></a></span> The only RTX A6000 hashcat benchmark I could find was from v6.1.1 @ 121.5GH/s, but still, that's enough poke to exhaust a full key space 10-char NTLM in 38 days.</p><p><a href="https://infosec.exchange/tags/passwordcracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwordcracking</span></a></p>
Royce WilliamsThe RockYou2024 compilation (9.95B strings) is so junky that most password crackers are better off just using Hashmob's founds list instead.
Royce Williams<p>No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user <em>knows</em> that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.</p><p>1025 combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.</p><p>¹<a href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">ncsc.gov.uk/collection/top-tip</span><span class="invisible">s-for-staying-secure-online/three-random-words</span></a></p><p><a href="https://infosec.exchange/tags/Passphrases" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passphrases</span></a><br><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a></p>
Royce Williams<p>So <span class="h-card" translate="no"><a href="https://bird.makeup/users/solardiz" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>solardiz</span></a></span> presented a talk on "Password cracking: past, present, future" at OffensiveCon last week. Definitely worth a read - bringing his usual disciplined thinking to a topic he knows very well.</p><p>He includes both historical and taxonomical perspectives, both of which I appreciate. Apparently, one of the first <del>password-cracking</del> contests was in 1982? (This was a password <em>cracker</em> contest - seeking the best <em>cracking software</em>!)</p><p><a href="https://www.openwall.com/presentations/OffensiveCon2024-Password-Cracking/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">openwall.com/presentations/Off</span><span class="invisible">ensiveCon2024-Password-Cracking/</span></a></p><p>[Will update post if video of the talk itself appears.]</p><p><a href="https://infosec.exchange/tags/passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwords</span></a> <a href="https://infosec.exchange/tags/hashing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hashing</span></a> <br><a href="https://infosec.exchange/tags/PasswordCracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordCracking</span></a></p>