[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] MD5 hash cracking service

To: ggilliss@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] MD5 hash cracking service
From: "Troy" <tjk@xxxxxxxxxx>
Date: Fri, 2 Jul 2004 08:12:32 -0700 (PDT)

> 
> Interesting, since MD5 hashes are supposed to be "one way", are they not?
> 
> I've often discussed setting up an "online cracking service" (think Alex
> Moffet's crack seriously networked a la Beowulf with a Web interface).
> Aside from the technical challenges of setting up and maintaining such
> a project, the obvious issue, from a security perspective, would be trust.
> For example, if I know that Alice connected from 12.3.4.5 and supplied 
> a hash/password, and I retained the unencrypted hash/password, would I
> not now (potentially) have access to "something" (maybe accessible, maybe
> privileged, maybe not) at 12.3.4.5?
> 
> Still, bravo to you for setting it up :-)



If an authentication system used an md5sum of a password, then you would have 
secret
information. Normally you would add a timestamp to the text you apply the md5 
hash to,
though. Therefore the md5sum is only same if the timestamp is the same. If the 
system
requires accurate time, then the acquired md5sum is only useful in the sense 
that
you can theoretically break it by going through all possible combinations for 
the
text.



Troy

Troy Korjuslommi                Tksoft Inc.
tjk@xxxxxxxxxx












> 
> G
> 
> On or about 2004.07.01 19:03:33 +0000, md5er (info@xxxxxxxxxxxxxxxx) said:
> 
> > I've set up a quick website and system to crack md5 hashes online using 
> > Rainbow tables. The project is using RainbowCrack and currently ~47 Gb of 
> > tables. At the moment it can crack hashes of lowercase letters and/or 
> > numbers up to 8 characters long.
> > 
> > The cracking service is free
> > 
> > If you are interested you can check out the site here: 
> > http://passcracking.com
> > 
> > 
> > 
> > Regards, 
> > 
> > staff
> > 
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> -- 
> Gregory A. Gilliss, CISSP                              E-mail: 
> greg@xxxxxxxxxxx
> Computer Security                             WWW: 
> http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C 
> A3
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] MD5 hash cracking service
  - From: Gregory A. Gilliss

Prev by Date: Re: [Full-Disclosure] Comparison of Network Security Scanners
Next by Date: RE: [Full-Disclosure] Presidential Candidates' Websites Vulnerabl e
Previous by thread: Re: [Full-Disclosure] MD5 hash cracking service
Next by thread: [Full-Disclosure] Comparison of Network Security Scanners
Index(es):
- Date
- Thread