Network Security Web-App-Sec

Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Pro

Subject: Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)
Date: Tue, 23 Aug 2005 18:12:25 +0300
i don't think 12 millions is a big number, especially when the database contains only a hash (32 chars) and plain text passwd (eg max 10-12 chars).
if you run a simple bruteforce text + md5(text) function on a sql database on an average computer and insert the results, you get in a couple of hours over half a billion results. but it's still no big deal because you only have passwords up to maybe 6-7 characters and with a simple charset of alphanumeric [0-9][a-z] (without uppercase), and without special characters including space.


as a paragraph here: i tested to see what is more efficient (besides the rainbow crack) method to find a hash, and tried both SQL like databases and flat text. Flat text records require less space, but have high search times/results.

my opinions were based on real tests, if you want i can publish more details if you are interested.

Serban Gh. Ghita
coordonator
Departament Web
VERASYS Intl.
serban@verasys.ro
zamolxe@php.net
http://web.verasys.ro
phone: +40-21-201.67.62
cell:     +40-788.28.29.10

----- Original Message -----
From: "Jean-Jacques Halans" <halans@gmail.com>
To: "Gary Gwin" <ggwin@cafesoft.com>
Cc: <webappsec@securityfocus.com>
Sent: Monday, August 22, 2005 11:57 AM
Subject: Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)



Still on the topic of MD5 hashes..., here's an online (multilingual) database with md5 hashes, containing "12,289,330 unique entries". http://gdataonline.com/

--
Halans
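
Added example, not part of the original messages: a Python sketch of why a precomputed md5(text) table over the [0-9][a-z] charset mentioned above reverses bare MD5 password hashes, and why a per-user salt with a slow KDF makes that same table useless. The function names, the PBKDF2 work factor and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import itertools
import os
import string

CHARSET = string.digits + string.ascii_lowercase  # [0-9][a-z], the charset named in the post
ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch

def keyspace(max_len, charset=CHARSET):
    """Number of candidate strings of length 1..max_len, i.e. table rows."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))

def build_table(max_len, charset=CHARSET):
    """Precompute md5(text) -> text for every string up to max_len."""
    table = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            text = "".join(combo)
            table[hashlib.md5(text.encode()).hexdigest()] = text
    return table

def store_unsalted(password):
    """Weak scheme discussed in the thread: bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def store_salted(password):
    """Hardened scheme: random per-user salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest.hex()

def verify_salted(password, salt, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(digest.hex(), stored)

if __name__ == "__main__":
    table = build_table(3)      # small table so the demo runs in well under a second
    sample = "a1z"              # constructed sample password
    print(len(table), keyspace(7))              # rows built vs rows needed for length 7
    print(table.get(store_unsalted(sample)))    # recovered by a single lookup
    salt, stored = store_salted(sample)
    print(table.get(stored))                    # None: the table does not cover salted records
    print(verify_salted(sample, salt, stored))  # the legitimate check still works
```

The table only answers for the exact function it was built with, so a random salt per account forces the work to be redone for every record, and the KDF iteration count multiplies the cost of each guess.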

