Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  
Pages: 1 [2] 3 4 ... 6

Author Topic: Password Breaker  (Read 7007 times)

Cthulhu

  • Bay Watcher
  • A squid
    • View Profile
Re: Password Breaker
« Reply #15 on: March 13, 2010, 05:52:41 pm »

More than that matters. There's also the strength of the password to consider.

If Windows is storing a legacy LM hash (old LANManager crap, it's really bad), and you can do it that way, brute-forcing is hilariously simple.

There are definitely tools to recover a Windows admin password, but I'm honestly not sure what's out there that's decent and legitimate.


So half that to a quarter.

500 million years or one billion.  Have fun.

That's not how math works. A 10-character passwords takes EXPONENTIALLY shorter time to crack than a 20-character password. Same with case-sensitive vs. all-lowercase.

Let me put it to you this way.

Say you have a 10-character password, and you want to consider all uppercase and lowercase letters.
Numbers of possibilities = (26*2)^10 = 52^10 =144,555,105,949,057,024
But what if you know they're all lowercase?
Number of possibilities = 26^10 = 141,167,095,653,376

So it's not 1/2 the possibilities, it's 1/1024 the possibilities. There's a big difference between 2 and 1024.


Now let's compare the difference between a 20-char long, case-sensitive password and a 10-char long, only-lowercase password.

(52)^20 = 20,896,178,655,943,101,411,324,274,803,736,576
(26)^10 = 141,167,095,653,376

One is 148,024,428,491,834,392,576 greater than the other.


For a 10-character-long password, only lowercase, brute-forcing still takes a hideously long time.

Probability of any given password being wrong: ((26^10) - 1)/(26^10)
Probability of you never getting it right within N tries: [((26^10) - 1)/(26^10)]^N

So for a 50% chance to have gotten it right:

[((26^10) - 1)/(26^10)]^N = 0.50
N ~= 100,000,000,000,000

At 50 tries per second, that's about 63,419 years. Still a damn long time, but certainly not 500,000,000,000.


Now, if you do 50 tries per second on 50 computers, just as an exercise... that's (50*50) = 2500 tries per second. At this rate, it's only a little over a millenium! (about 1268 years).

Of course, my numbers could be off. 50 computers trying 10000 times per second might do it in your lifetime. If you're lucky.



Again, this is just straight brute-forcing. Rainbow tables are something completely different, and one may exist, and if the computer is storing an LM hash of the password, and you can use that, then all bets are off, because those suck beyond belief.

Yeah, I know, I wasn't thinking.

You could brute force the computer with your fists.  If you punch it enough it might start working.
Logged
Shoes...

Aqizzar

  • Bay Watcher
  • There is no 'U'.
    • View Profile
Re: Password Breaker
« Reply #16 on: March 13, 2010, 05:54:14 pm »

GIANT FUCKING QUOTE BOXES

Can anyone figure out another way?

Yes.  Remember your damn password.  Have you actually tried just sitting there are thinking about it?  Try to visualize some context clues?  Because it's sounding more and more like you didn't forget any password, and just want someone to hand you a +1 Wand of Hacking.
Logged
And here is where my beef pops up like a looming awkward boner.
Please amplify your relaxed states.
Quote from: PTTG??
The ancients built these quote pyramids to forever store vast quantities of rage.

G-Flex

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #17 on: March 13, 2010, 05:55:39 pm »

Well,  I was giving times it would take to have a 50% probability of finding it.

And yeah, 8-letter passwords are going to be a lot quicker. That would still take decades, though, unless you're doing thousands of checks per second.


http://en.wikipedia.org/wiki/LAN_Manager_hash

This is what I was referring to earlier. If you're using XP or earlier, there's probably one there for your password.

The issue with LM hashes is that they're not salted (meaning a rainbow table attack is feasible; basically, look on a giant table of hashes, find yours, and you'll see a password that matches it that you can use), they're single-case alphabetical, and the password is split into 7-character segments that can be cracked individually.

Of course, I could be way off on my times. I probably am, because I'm assuming what is probably a very low number of calculations per second. With enough calculations per second, even on a single computer it could wind up just taking hours instead of days or months or what-have-you.


Seriously though, there are rainbow-table based cracking methods that can get through an LMhashed password in minutes, if that. There's an implementation of it referred to in that Wikipedia article.



[EDIT]

http://en.wikipedia.org/wiki/Ophcrack
http://ophcrack.sourceforge.net/

Here you are. Have fun.

You can burn this to a bootable CD and do what you will from there. Please use these powers for good and not evil.
« Last Edit: March 13, 2010, 06:09:07 pm by G-Flex »
Logged
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Schilcote

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #18 on: March 13, 2010, 06:15:48 pm »

http://pogostick.net/~pnh/ntpasswd/

You just write that ISO to a disc, then slip it in and boot off of it. Piece of cake. It works on everything Vista and earlier, don't know about later versions because I haven't tried it.

Umm...

There seems to be some curse upon me that makes my posts invisible on all forums that I join.
Logged
WHY DID YOU HAVE ME KICK THEM WTF I DID NOT WANT TO BE SHOT AT.
I dunno, you guys have survived Thomas the tank engine, golems, zombies, nuclear explosions, laser whales, and being on the same team as ragnarock.  I don't think something as tame as a world ending rain of lava will even slow you guys down.

G-Flex

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #19 on: March 13, 2010, 06:34:55 pm »

I think I skipped over some of the beginning of the thread. Whoops.

That is, however, a different tool: The one you linked to doesn't crack the password, it just resets it. This might have disadvantages.
Logged
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Fooj

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #20 on: March 13, 2010, 07:13:29 pm »

Quote
The one you linked to doesn't crack the password, it just resets it. This might have disadvantages.
I've used a linux live CD that surgically removes the password and resets it. If you've got any encrypted files that can only be viewed by the admin (If you made the admin my documents private) it will ruin them, but you'll still get into the admin account.
Logged

G-Flex

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #21 on: March 13, 2010, 08:04:41 pm »

Yeah, that's the tradeoff, really: Anything else using that admin password will have problems. Aside from that, it'll still work.

Presuming the one I linked to works, it should be fine in all cases.
Logged
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Blacken

  • Bay Watcher
  • Orange Polar Bear
    • View Profile
Re: Password Breaker
« Reply #22 on: March 13, 2010, 10:30:00 pm »

Trust me, wracking your brain for the code is going to work a Hell of a lot faster than hotboxing your way in.
Only sometimes. Ophcrack will blow open most passwords in under a couple hours. Hooray for rainbow tables.

John the Ripper's another decent choice.

(Then again, it sounds a lot like he's looking for something for remote password access or something--i.e., not his own machine.)
Logged
"There's vermin fish, which fisherdwarves catch, and animal fish, which catch fisherdwarves." - Flame11235

Jookia

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #23 on: March 13, 2010, 10:48:15 pm »

The point of a password is for it not to be crackable easily.
You can't recover this password.
Logged

Schilcote

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #24 on: March 13, 2010, 11:43:45 pm »

Yeah, that's the tradeoff, really: Anything else using that admin password will have problems. Aside from that, it'll still work.

Presuming the one I linked to works, it should be fine in all cases.

Oh... Didn't know that...

If you're using a named account though (not Administrator), you can use that to open it and reset your password. That should take care of all your other things too. If the Administrator account is the one you've locked yourself out of I guess you should use Ophcrack.
Logged
WHY DID YOU HAVE ME KICK THEM WTF I DID NOT WANT TO BE SHOT AT.
I dunno, you guys have survived Thomas the tank engine, golems, zombies, nuclear explosions, laser whales, and being on the same team as ragnarock.  I don't think something as tame as a world ending rain of lava will even slow you guys down.

Strife26

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #25 on: March 13, 2010, 11:59:09 pm »

Seriously, in the future remember your passwords.

In my case, I have about three passwords, that I just mix and match. Then I write down oblique hints to myself.

Like "BurningBayNormcap2-##fav"

Gets me a 17 digit password with letters, numbers, and symbols.



Note, I'm pretty sure that that's the password for my online banking account, so don't mess with it, okay?
Logged
Even the avatars expire eventually.

Blacken

  • Bay Watcher
  • Orange Polar Bear
    • View Profile
Re: Password Breaker
« Reply #26 on: March 14, 2010, 01:44:28 am »

The point of a password is for it not to be crackable easily.
You can't recover this password.
Provably false, in the post just above yours. Both JtR and Ophcrack are designed specifically for this purpose.
Logged
"There's vermin fish, which fisherdwarves catch, and animal fish, which catch fisherdwarves." - Flame11235

Greiger

  • Bay Watcher
  • Reptilian Illuminati member. Keep it secret.
    • View Profile
Re: Password Breaker
« Reply #27 on: March 14, 2010, 03:02:03 pm »

I heard something about booting up to something like Linux off of a USB drive allows you to access all your files.  Using that in conjunction with another program may be able to decrypt the password.

My A+ hardware and operating systems teacher claims that windows security blows horribly.  And told the class some method or another on how to bypass it.  But he was pretty much just in one of his anti-microsoft rants so I wasn't really paying attention to remember it all.

You might be able to try the stickykeys method. (Hold a key down long enough for stickykeys to activate while on the login screen and have stickykeys give you access to control panel.)  But I think that only worked with a certain version of Vista.
Logged
Disclaimer: Not responsible for dwarven deaths from the use or misuse of this post.
Quote
I don't need friends!! I've got knives!!!

G-Flex

  • Bay Watcher
    • View Profile
Re: Password Breaker
« Reply #28 on: March 14, 2010, 03:08:45 pm »

The point of a password is for it not to be crackable easily.
You can't recover this password.
Provably false, in the post just above yours. Both JtR and Ophcrack are designed specifically for this purpose.

And in at least two other posts before that.

Granted, this isn't to say that passwords should be easily recovered/cracked, but obviously in some cases they are.
Logged
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Grakelin

  • Bay Watcher
  • Stay thirsty, my friends
    • View Profile
Re: Password Breaker
« Reply #29 on: March 14, 2010, 03:18:43 pm »

How are you guys getting the probability of these figures? I'm no math student, so I can't figure it out myself (I've been trying 26*25*24*23 like I learned in Grade 11, the last year I ever touched math, but that's tedious and leaves me to flounder a lot. Also, it's incorrect).

There seems to be an assumption that the brute force script has to get through every possible password combination before finding the right one. But if it finds it, it's not going to neglect to tell you about it until it's done (unless the programmer has left you with a sick, sick joke). So, technically, it will only take you until the universe dies if you're terribly unlucky. Instead, you have a very minute chance (which builds up bit by bit over time) that you will get the correct password with every try.

Granted, you are still likely to die before it does.
Logged
I am have extensive knowledge of philosophy and a strong morality
Okay, so, today this girl I know-Lauren, just took a sudden dis-interest in talking to me. Is she just on her period or something?
Pages: 1 [2] 3 4 ... 6