Topic: Security, rainbow tables and other wonderful things.
wewillfightintheshade
July 31, 2011, 01:20:43 AM
 #1

So, I've just reinvented my online self. All HDs encrypted with TrueCrypt, double-layer Tor via a background user, every incoming & outgoing port on the system blocked but for Tor with my own personal firewall, so on, and so forth...

Now to the interesting part. I've written a rainbow table generator in OpenCL. It can generate tables in SHA2, MD5 and AES128-192-256, for passwords up to 20 characters in length with salt for each up to 128 characters. Letting it run for 24 hours it's generated 6 TB (and counting) of JSON-formatted passwords and hashes.

Would anyone be willing to pay BTC for it? (this is the 'other wonderful things' part!) I'm aware that you're all about open source, but this is a powerful tool. ;)
nmat
July 31, 2011, 03:39:20 AM
 #2

I am not a security expert, but isn't salt used to make it impossible to create rainbow tables? Well, not really impossible, but I think rainbow tables with salt take so much space that it becomes unfeasible to create/store them.

Those 6TB correspond to what exactly? How many passwords do you have? I bet that hundreds of years will pass and you will not be even close to the 20 characters + 128 salt.
JBDive
July 31, 2011, 05:17:31 AM
 #3

The problem as I understand it in using such large tables is even though you have the table and it's clearly faster than running a brute force it still takes an extremely long time to run a password against such a table that it's just not worth it. It would depend on the need for the password I guess and your objective.

I am glad I use a password that exceeds 16 characters though as it's clear in the long term GPU hashing attacks will make short passwords extremely vulnerable.
SomeoneWeird
July 31, 2011, 06:11:07 AM
 #4

The problem as I understand it in using such large tables is even though you have the table and it's clearly faster than running a brute force it still takes an extremely long time to run a password against such a table that it's just not worth it. It would depend on the need for the password I guess and your objective.

I am glad I use a password that exceeds 16 characters though as it's clear in the long term GPU hashing attacks will make short passwords extremely vulnerable.

+1. Even alphanumeric passwords longer than 9 characters are safe.
wewillfightintheshade
July 31, 2011, 06:32:04 AM
 #5

The 6 TB is all MD5 hashes, up to 8 characters in length so far, with 1-128 characters of alphanumeric salt each. Hash and salt any 7 character password with any combination of ASCII characters, with MD5, and I'll tell you your password. :)
nmat
July 31, 2011, 06:59:00 AM
 #6

Hum... I don't think you will get past the 9th or 10th character... At least in 2011 :P But good luck with that. Maybe someone is interested.
JBDive
July 31, 2011, 01:59:08 PM
 #7

Hum... I don't think you will get past the 9th or 10th character... At least in 2011 :P But good luck with that. Maybe someone is interested.

The NSA, oh nevermind they already have their own tables.

I'm very interested since it's my job to be interested but the requirement to have a 50TB device just to house the tables required to solve a 16 character password not to mention the CPU/Bandwidth requirements to still process that amount of data against a password is something only the folks with unlimited budgets are able to buy into, as in those folks in DC or just outside it in VA.

It does or should make you wonder how long it would take the NSA to actually crack those 16+ character passwords as you know they surely have their own tables, most likely stored on some form of SSD and able to cluster the attack using multiple systems polling those tables.
nmat
July 31, 2011, 08:40:18 PM
 #8

The NSA, oh nevermind they already have their own tables.

I'm very interested since it's my job to be interested but the requirement to have a 50TB device just to house the tables required to solve a 16 character password not to mention the CPU/Bandwidth requirements to still process that amount of data against a password is something only the folks with unlimited budgets are able to buy into, as in those folks in DC or just outside it in VA.

It does or should make you wonder how long it would take the NSA to actually crack those 16+ character passwords as you know they surely have their own tables, most likely stored on some form of SSD and able to cluster the attack using multiple systems polling those tables.


But aren't these tables sort of useless? I mean, if a website decides that the salt is: "websitename.com"+128 characters, your 50TB of data is completely worthless. You have to brute force it again...
SomeoneWeird
July 31, 2011, 10:07:16 PM
 #9

The NSA, oh nevermind they already have their own tables.

I'm very interested since it's my job to be interested but the requirement to have a 50TB device just to house the tables required to solve a 16 character password not to mention the CPU/Bandwidth requirements to still process that amount of data against a password is something only the folks with unlimited budgets are able to buy into, as in those folks in DC or just outside it in VA.

It does or should make you wonder how long it would take the NSA to actually crack those 16+ character passwords as you know they surely have their own tables, most likely stored on some form of SSD and able to cluster the attack using multiple systems polling those tables.


But aren't these tables sort of useless? I mean, if a website decides that the salt is: "websitename.com"+128 characters, your 50TB of data is completely worthless. You have to brute force it again...

+1
Dansko
August 01, 2011, 01:55:25 AM
 #10

You would be surprised at the amount of websites that do not salt their passwords and use a simple md5 call to encrypt the passwords.

timmey
August 01, 2011, 08:27:02 PM
 #11

Isn't generating salted rainbow tables a bit pointless?

Xephan
August 01, 2011, 08:37:11 PM
 #12

Isn't generating salted rainbow tables a bit pointless?

Well, MtGox showed that it isn't entirely pointless ;)

Despite the well established basic rules regarding storage of passwords (or more specifically storing only the salted hash), many sites (or maybe just the same irresponsible coder's code being widely used) are still doing very stupid things.

There are some sites, as recent as this year, that I came across that apparently save the password in recoverable form. If I see a link to "Send me my password" and verify they do indeed send the actual password, I very quickly stop using them.

So yeah, I suspect there are still plenty of sites that would be vulnerable to an MD5 rainbow table attack.

timmey
August 01, 2011, 09:49:38 PM
 #13

Well, MtGox showed that it isn't entirely pointless ;)
The MtGox hashes were mostly salted, the unsalted accounts were dead accounts where nobody has logged in for months. Each salted hash used a unique salt. You would need to generate a unique rainbow table for every single password(salt) in the list. And generating a rainbow table for every single salt in the list, would take just as long as "simply" brute-forcing them from the start. That's what I meant by "it's pointless to create salted rainbow tables"

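Added example (not code from any poster in this thread): the argument in replies #2, #8 and #13, that a precomputed table pays off once against unsalted hashes but must be rebuilt for every distinct salt, shown on a small scale from the point of view of someone choosing how to store passwords. The toy keyspace (lowercase strings up to 3 characters), the plain dictionary standing in for a rainbow table, the function names and the PBKDF2 settings are all assumptions made for this illustration.

```python
import hashlib
import hmac
import itertools
import os
import string

ALPHABET = string.ascii_lowercase   # constructed toy keyspace, not from the thread
MAX_LEN = 3

def candidates():
    """Every string of 1..MAX_LEN characters over ALPHABET."""
    for n in range(1, MAX_LEN + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            yield "".join(chars)

def build_table():
    """Precompute md5(password) -> password once; it matches any unsalted dump."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates()}

def md5_unsalted(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def md5_salted(pw, salt):
    return hashlib.md5(salt + pw.encode()).hexdigest()

def entries_for_salted_table(keyspace, salt_bytes):
    """One table covering every possible salt needs keyspace * 2**(8*salt_bytes) rows."""
    return keyspace * 2 ** (8 * salt_bytes)

def store_password(pw, iterations=600_000):
    """Storage side: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt, iterations, derived

def verify_password(pw, record):
    salt, iterations, derived = record
    probe = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(probe, derived)   # constant-time comparison

if __name__ == "__main__":
    table = build_table()
    print(len(table), "precomputed entries")
    print("unsalted md5 found in table:", table.get(md5_unsalted("cat")))
    print("salted md5 found in table:  ", table.get(md5_salted("cat", os.urandom(16))))
    print("rows to cover a 16-byte salt:", entries_for_salted_table(len(table), 16))
    record = store_password("cat")
    print(verify_password("cat", record), verify_password("dog", record))
```
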
nmat
August 01, 2011, 11:37:46 PM
 #14

The MtGox hashes were mostly salted, the unsalted accounts were dead accounts where nobody has logged in for months. Each salted hash used a unique salt. You would need to generate a unique rainbow table for every single password(salt) in the list. And generating a rainbow table for every single salt in the list, would take just as long as "simply" brute-forcing them from the start. That's what I meant by "it's pointless to create salted rainbow tables"

Yes, but our fellow wewillfightintheshade claims he has such tables :)

Unless your password is longer than what he has or the salt is bigger than 128.
DJStealth
August 01, 2011, 11:59:25 PM
 #15

This almost seems like far too much work. Only used for MD5 hash cracking so what's the use? Unless you're planning on hacking passwords and such from dumped tables.