How to Double Dutch (PHP)



Moonbat
08-28-2007, 01:57 PM
This tutorial was NOT written by me, it was written by a person with the handle "bouncer" (no quotes) from http://www.hellboundhackers.org


Most of the people use md5() or sha1() encryption these days and that is good because it's safe.... unless.... someone else got your hash and tries to bruteforce it.

Well I love to secure passwords very much so I always use my Double Dutch method ;)

We will now encrypt the word: "cookie" in md5 + sha1 with php:

<?php
echo md5("cookie"), "\n";
echo sha1("cookie"), "\n";
?>
You'll see the encryption of "cookie" in md5:
2dccd*ab*e0***0aea77*5*8**c85ca2
and the encryption of "cookie" in sha1:
5*c826fc854**7cbd4d*08*bce8fc00d076*e8b*

Now people can bruteforce this really easy so when encrypting your password you can do:


<?php
echo md5(sha1("cookie"));
?>
Encryption of the Double Dutch method is:
aca8*f6e****e*f7dae00**2fd*8fca*

This encryption includes the sha1 encryption! So even when trying to bruteforce it, it will be like almost impossible to crack it (Nothing is impossible, only difficult).

So happy securing!

You can take this Double Dutch method to extremes, like doing md5(sha1(md5(sha1("hashhere")))) or even bigger!

SyntaXmasteR
08-28-2007, 02:21 PM
Unfortunately this is untrue. Take a look at my wordlist generator (http://www.all-nettools.com/forum/showthread.php?t=6**4) in C++. You can remove the line that creates the data, and replace it with a comparison operator:

if (md5(sha1(currentword)) == hash) { /* PASSWORD WOULD BE FOUND */ }

If you compute the MD5 & SHA1 functions to the current word and compare it to the hash, you could crack it just as easily.

~SyntaX

Moonbat
08-28-2007, 03:16 PM
This is more centered around 'security by obscurity' i.e., you wouldn't go telling everyone that you are using this method. Double Dutching is good for the 'naughty admin' scenario.

Suppose you're running a phpBB forum (which you modify to use Double Dutching, which I wouldn't recommend doing if you're a PHP newbie), and you decide to make a good buddy of yours an admin. He acts all good for a week, but then suddenly downloads a copy of your phpBB database, removes you as admin, deletes the whole board, and tells you he will release the DB (which happens to be *000+ users) unless you pay him $*00 bucks.

Now, what he doesn't know is that the passwords are Double Dutched, so even if he does release the DB to people, you're the only one that knows they are Double Dutched (and hence gonna take a long while to crack, especially if you went md5-sha1-md5-sha1, which looks like a normal md5 hash in the end, and nobody will suspect a thing), and so all you have to worry about is the last time you backed up your forum's DB. :D

SyntaXmasteR
08-28-2007, 04:15 PM
This is the way I look at the situation:

If you obtained one hash, you can get another. You create your own account with a password you know. Once you have your own password's hash you can easily figure out what method is used to encrypt the password and start your brute force.

I believe the best way to avoid brute force is to attach a 20(random number I just made up) character string onto each password before md5 hashing it. This will eliminate any chance that a brute forcer will ever crack the password. So you would actually:


$password="PlainTextPassword";
$password .= "PrimaryTextStringAttachedToPassword!";
$password = md5($password);


Of course the question arises "What about the Log In Validation?"

Since the database will have the encrypted version of the password stored, you would reapply the same process to compare for validation.

Moonbat
08-28-2007, 04:23 PM
I see where you're coming from, but if you pull a huge Double Dutch (I'm talking md5-sha1-md5-md5-md5-sha1-sha1-md5), the sheer amount of time it would take to bruteforce each and every hash's hash to get to the actual pass would not be worth wasting time and CPU power for. And notice I threw in a few md5's in a row, and two sha1's in a row, that way just when the person thinks they've got the pattern, they hit a road block.

Also, combining your suggestion with Double Dutching would be virtually unstoppable (or should I say, uncrackable).

SyntaXmasteR
08-28-2007, 04:59 PM
I would like to demonstrate how easy it is to find a hash process & crack a password if your choices are only MD5 & SHA1. Again, I will use my random combination script for this.

Let's set up the scenario I gave in the previous message.

I need these two things from you:

1. Your password hash
2. My password hash

Rules you must follow for time purposes

1. Your password must contain the following character set a-z,A-Z,0-9 and no other characters.
2. Your password must be 5 or less characters in length
3. You must hash my password using the same method as you hash your password.
4. You can apply up to twenty hashes in a row. Ex: md5(sha1(md5(sha1( etc... up to 20

My password: aa

If you can give me this information I will crack your password and display it in the next post.

Theory
The total possible combination for 20 hashes (using MD5 & SHA1) = 20*7*5* Possible Combinations. If my theory of cracking this works, I should be able to figure out your password hash method in less than * hour. Once I figure this out, I can crack your password (*-5 characters a-zA-Z0-9 in less than an hour) The variable here is "Time" I'm not sure how much time will be added for each power of possible hashing but I guess we will find out.

Moonbat
08-28-2007, 05:22 PM
Well then, I'll take you up on that challenge! :p

I used my own custom Double Dutch (made it up on the spot), and here are the hashes:


My Hash - *6d2f2fd***a6*0e6767b*bd4b*f72e6c25c8dce
Your Hash - 4fe04d0bd**ab*0***045*a50776c25c***b75cf

I followed all of your rules, using nothing but numbers and letters. Didn't go past twenty hashing sequences, and followed the same method for both passwords.

Anyways, crack this by this same time tomorrow (the time I've posted this message) and I'll declare Double Dutch a piece of crap. If you can't however, you will have to post the words "PWNT" (no quotes), and then a link to a picture of a dead animal of your choice in this thread.

I will be waiting (and praying that I'm right :D)

SyntaXmasteR
08-28-2007, 05:28 PM
Offer accepted.

I will need to locate my PHP version of my C++ code for the SHA1 hashing. Then I will need to tweak the code for MD5 & SHA1. Once this is completed I will run the combination script once to figure out your hash method. After I get your hash method I will run the combination script once again to crack your password. I will be running this on a P4 with little RAM so it will take longer than usual, but I will have it cracked by tomorrow, promised!

~SyntaX

Once I give you your password you must post a sticky for one week saying you were Pwned by Syntax******! And post a link to http://Moonbat.justgotowned.com/ showing everyone on the forum you were pwned.

Moonbat
08-28-2007, 05:34 PM
For some reason, justgotowned isn't working anymore, or else I would've made you do the same :p

But, you wanted it, so I'll do it anyway, even though the link won't do anything

SyntaXmasteR
08-28-2007, 06:28 PM
I just finished tweaking the script for md5 and sha1. The first script is running at 6500 combinations a second. The second one at *00,000. You will soon be PWNED!

SyntaXmasteR
08-28-2007, 06:36 PM
You have broken the rules! Every possible combination of MD5 SHA1 (Up to twenty) has been tried and none work. You have not followed the rules!

My password is lowercase aa

No combination of MD5 SHA1 will output the string you provided.

Moonbat
08-28-2007, 06:39 PM
Err.. what are you talking about? I did follow the rules, But I didn't do md5-sha1-md5-sha1.. etc., I did some switcheroos, like md5-md5-md5-sha1-md5-sha1, etc. I didn't just pick a pattern and stick with it. You assumed that I just did it normally.

I did a few md5s and sha1s in a row, or I could have done ** md5's and * sha1, or all sha1's, or any other possible combination that puts a few of the encryptions in a row, so unless you want to find every combination of sha1 and md5 figuring in every single instance of repeatability of md5 or sha1, then j00 my friend, have lost.

SyntaXmasteR
08-28-2007, 06:43 PM
You're not understanding what has been tried. EVERY SINGLE POSSIBLE combination has been tried and none output the string 4fe04d0bd**ab*0***045*a50776c25c***b75cf for the password aa

I'm running 21 just in case you miscounted but this will take about a half hour...

UPDATE: Nope finished running in 21 places and no match. Make sure your code is correct. Do this combination and tell me what you get: sha1(md5(sha1(sha1(md5(md5(sha1("aa")))))));

Moonbat
08-28-2007, 06:48 PM
Lemme get this straight:

You tried EVERY SINGLE COMBINATION EVER IN THE HISTORY OF THE UNIVERSE OF TWENTY MD5 AND SHA1?

Like...


md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-sha1
md5-md5-md5-md5-md5-md5-md5-md5-sha1-md5-md5-md5-sha1-md5-md5-md5-md5-md5-md5-md5-sha1
sha1-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-sha1

etc..?

Also, just to let you know, I didn't use 20 hash sequences. I find it hard to believe you found every single combo of sha1 and md5 from 2 hash sequences all the way to 20 hash sequences, figuring in repeatability in each and every one.

EDIT: I didn't use PHP's hashing system (too lazy to set up a free hosting account somewhere to try), I used Yellowpipe Encrypter Decrypter tool.

Also, if you are telling the truth, tell me the exact hash sequence used when I hashed your password 'aa' After all, you should be able to mod your prog to tell me which sequence out of all the combos you used is the one used to hash aa

SyntaXmasteR
08-28-2007, 06:59 PM
YES EVERY POSSIBLE COMBINATION IN THE UNIVERSE (BUT THERE ARE ONLY 2097152 combinations) for 21 spaces.

You're still not getting the point. I DID try every single possible combination of SHA1 and MD5 UP TO 21 and ZERO match. I will show you my code, but not until you fix your error. Use PHP not some online crap that doesn't encrypt correctly or this will not work.

Moonbat
08-28-2007, 07:03 PM
Dude, Yellowpipe decrypter does work, I've used it before. If you want, I can give you the sequence I used, and we'll see if you can get the password after that, cus if you can't, then your theory fails.

SyntaXmasteR
08-28-2007, 07:10 PM
In case you are wondering how many possible combinations for the total number of sets use simple math. 2^21 = 2097152

I do not want you to give me the sequence of hashes. That is for my script to figure out and it is 100% accurate because I programmed it precisely for that purpose.

If you give me the sequence I would have your password cracked in less than *0 seconds, but I do not want the sequence.

If encrypted wrong by your website, it will decrypt wrong but still output your original text. You never gave me an answer for this:

sha1(md5(sha1(sha1(md5(md5(sha1("aa")))))));

This will test your site's accuracy.

Moonbat
08-28-2007, 07:13 PM
b42*60e2c667d**5*2ac*e0aeab20260**d6*f00

That's the hash that comes out of it.

It should be correct to yours. There is a slight possibility that your coding is wrong *waits for SyntaX to murder me for insulting his coding skillz*

SyntaXmasteR
08-28-2007, 07:35 PM
That is the correct hash. The reason it cannot be an error in my code is because I have tested many different combinations to crack and it has cracked them all. Try to re-encrypt aa and see if you get the same answer. If you do, post your sequence so we can find the problem. There is a very tiny, I mean really 0.00*% chance that something is wrong on one of my comparison operators in the code but highly unlikely. EDITED: NOPE, no chance I made an error.

Moonbat
08-28-2007, 07:37 PM
Sure thing, tomorrow. I gotta go for now, but we can figure this out tomorrow.

But mark my words SyntaX, you will be posting PWNT and dead animal pics, very very soon :D

SyntaXmasteR
08-28-2007, 07:42 PM
You underestimate mathematics. Math is a science not an art. You are forced to calculate human error into your hash. My code will never make an error. Do NOT post your sequence tomorrow. Give your sequence to Mike and let him get the correct hash using PHP. Then give me the hash.

Get ready to post a STICKY!

Moonbat
08-28-2007, 09:04 PM
Yellowpipe decrypter (being a PHP page) is obviously using the md5() and sha1() functions, so there is no doubt in my mind that it is accurate.. But I will PM mike with the details and such, and I'll recalculate both hashes myself.

Might I suggest a dead cow as your pic? :p

SyntaXmasteR
08-28-2007, 09:09 PM
I would focus more of your time writing your sticky. :cool:

Want me to really make you nervous? Post the hash of a shorter sequence that you won't make a mistake copying and pasting from one hash to another like you did on the last one. I will have it cracked in 5 minutes.

Oh yeah, you must also post a video on ************ exclaiming that syntax****** pwned joo! and explaining why he pwns joo!

Ezekiel
08-29-2007, 07:34 AM
I believe the best way to avoid brute force is to attach a 20 character string onto each password before md5 hashing it. This will eliminate any chance that a brute forcer will ever crack the password. So you would actually:

This is what I do with my site. It's called a salt.

Every user password is appended with a 2 character salt, hashed, then stored in the database on registration. Then this salt is appended to their password when they login, hashed, then checked against the database copy.

It prevents bruteforce/dictionary attacks.

I guess 2 characters is pretty poor as a salt, but I couldn't be bothered to make it ultra-secure. I'm not going to reveal the 2 character system, but they are generated individually based on registration info.

Response to thread: too busy to get involved, but Moonbat can run some PHP on my site if he wants, or tell me what to make and I'll make it.

I read a couple of posts, and I believe Syntax is correct. You can apply as many hash functions as you want, but if the attacker knows the whole procedure, they can do exactly the same to brute force the password. You hash once with sha1()? They apply the SHA1 hash to common words to find the password. You hash ten times with sha1(md5(sha1(md5(sha1(md5(sha1(md5(sha1(md5("lol"))))))))))? They apply the same to common words to discover your password.

It's security by obscurity, but I believe salting works equally as well as this -- you have to never reveal the salt string, just as here you have to never reveal the whole hashing procedure. However, if you salt with random information (or smartly-generated information), that is stronger than this.

So in conclusion, salting owns all, but security-by-obscurity usually is fine. My salting method is weaker than most, but still effective.
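
The salting approach discussed in the posts above, written for current PHP as an added example (it is not code from any poster in this thread): password_hash() draws a random salt for every user and applies a deliberately slow hash, and rows still holding an unsalted md5(sha1()) value are replaced at the next successful login. The function names, the row layout and the sample users are assumptions made up for the illustration.

```php
<?php
// Added example, not code from the thread. Function names, the row layout and
// the sample users are assumptions; md5(sha1($pw)) stands in for the legacy scheme.

const BCRYPT_OPTIONS = ['cost' => 12];

/** The old unsalted nested hash, kept only so existing rows can still be checked. */
function legacy_hash(string $password): string
{
    return md5(sha1($password));
}

/**
 * New storage format: password_hash() picks a random salt on every call and
 * stores algorithm, cost and salt inside the returned string.
 */
function new_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

/** True when a stored value is a bare 32-hex-digit MD5 output (legacy row). */
function is_legacy(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

/**
 * Check a login attempt against a stored hash.
 * Returns [bool $ok, ?string $replacement]; $replacement is a new hash to
 * write back to the user's row, or null when the row is already current.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy($stored)) {
        // hash_equals() compares in constant time
        if (!hash_equals($stored, legacy_hash($password))) {
            return [false, null];
        }
        // The plaintext is only available during login, so upgrade now
        return [true, new_hash($password)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Also re-hash when the configured cost has been raised since the row was written
    $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    return [true, $stale ? new_hash($password) : null];
}

// --- Constructed sample data: two users who picked the same password ---
$users = [
    'alice' => legacy_hash('cookie'),
    'bob'   => legacy_hash('cookie'),
];

// Unsalted: equal passwords give equal rows, so one cracked hash opens both
echo "legacy rows identical:   ", var_export($users['alice'] === $users['bob'], true), "\n";

// Both users log in once; each row is replaced by a salted bcrypt hash
foreach (array_keys($users) as $name) {
    [$ok, $replacement] = verify_and_upgrade('cookie', $users[$name]);
    if ($ok && $replacement !== null) {
        $users[$name] = $replacement;
    }
}

echo "upgraded rows identical: ", var_export($users['alice'] === $users['bob'], true), "\n";
echo "correct password accepted: ", var_export(verify_and_upgrade('cookie', $users['alice'])[0], true), "\n";
echo "wrong password accepted:   ", var_export(verify_and_upgrade('cookle', $users['alice'])[0], true), "\n";
```

Rows belonging to users who never log in again stay in the old format, so the legacy check has to remain for as long as such rows exist.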

SyntaXmasteR
08-29-2007, 07:43 AM
Awesome. Just post the real hash once he gives you his hash sequence. He really doesn't believe I will crack it.


They generate a wordlist of SHA1-hashed common words.
I do not have a common word list. I try every single possible combination. If it does not find one, it does not exist. Yes there is a time trade off, but time is not a factor in this case. Once you allow passes over 5 letters the run times get a little crazy. I've come up with my own formulas & theories to fight time though. I just don't have the extra computers to implement them.

Ezekiel
08-29-2007, 07:50 AM
He hasn't PMed me yet, so we'll have to wait.

In other news, it looks like some bastard has been using my account! The rules thread was deleted by 'mike*5*', but I never remember doing that.

Memory loss could be explained by a certain thing, but I'd never be moderating at such a time.

Who has been using my god damn account?

SyntaXmasteR
08-29-2007, 08:03 AM
Can you tell in the admin logs? I really doubt anyone hacked the database.

Ezekiel
08-29-2007, 08:17 AM
I looked at the deletion IP address, and it seems to be mine (at least the first two octets, I think).

My bad. I have no idea why I deleted it then, or when I deleted it.

I should stop coming on here at *AM in no state to manage anything.

Moonbat
08-29-2007, 08:20 AM
Saudi Arabia has some good hackers, one of them could be targeting us. After this whole Saudi thing, I changed my pw up big time.

Anyway, now that I've had a night to think about it, I think SyntaX will win this no matter what. With those password restrictions (5 chars, A-Z, a-z, and 0-9), all he has to do is generate every possible combination of those 62 alphanumeric characters in groups of *-5. That shouldn't take too long at all.

Then he sees how long my hash is, and brutes it accordingly (SHA1 is longer than MD5 in terms of characters).

So no matter what I do, SyntaX (nay, the power of t*h ub4r cod*r) will find it out anyway, after all, we have rules, and in a real life situation, I would never make 5-char passwords.

Here's what I'll do: SyntaX, if you release your source code (all of it) publicly, then I'll admit defeat, post a sticky with PWNED by SyntaX******, and some dead animals and a justgotowned.com link.

SyntaXmasteR
08-29-2007, 08:28 AM
Are you giving up before posting the hash? :rolleyes:

You're making it sound like it's an easy crack. Want to switch roles in the challenge? I give you the two hashes and you give me my password.

Ezekiel
08-29-2007, 09:10 AM
Saudi Arabia has some good hackers, one of them could be targeting us. After this whole Saudi thing, I changed my pw up big time.

I just changed mine to be secure. Now, it's related to one of my favourite quotes, so I shouldn't need to look at passwords.txt every time I log in.

Just for the record though, we could own all mid-eastern hackers. The most I've seen coming from there are the Turkish kiddies defacing sites proclaiming their patriotism and that they rule us all. That's pretty far from Saudi Arabia though.

The other sort of 'hacking' communities I've seen are the wannabe terrorist groups. These probably produce such successes as the recent 'attacks' here in England/Scotland. Self-pwnage.

Ha, no.

It's sad that they kill themselves in the name of their delusions, but it's hard to feel pity for someone who may hijack your next flight and turn it into a raging inferno.

We should seriously boot these terrorist bastards off our internet. Maybe that'll be my next project: internet vigilantism.

Moonbat
08-29-2007, 10:12 AM
Are you giving up before posting the hash? :rolleyes:

You're making it sound like it's an easy crack. Want to switch roles in the challenge? I give you the two hashes and you give me my password.

Actually, I'm too lazy to rehash. :rolleyes: And I suck at coding.

I really just want to see the code.

I think I need a big vacation from forums like SyntaX took to learn more...

SyntaXmasteR
08-29-2007, 11:22 AM
This entire thread was to demonstrate that using the Double Dutch method does not further help secure a password. :mad:

Someone, anyone, follow the rules and throw two hashes at me.

Moonbat
08-29-2007, 11:23 AM
The rules themselves are the undoing of this test. No #, (, @, or anything else, only 5 char passwords. Ideally, the attack has no idea of the length or composition of a password.

SyntaXmasteR
08-29-2007, 11:32 AM
The rules were created to lessen the actual crack time

The password could be *0,20,50 characters long but it would take longer to crack. If you add more possible characters combinations this only adds to the cracking time.

These two variables have nothing to do with Double Dutch. Again, this post is to prove that the Double Dutch method does not further secure a password. There is no correlation between what you are saying and double dutch.

Moonbat
08-29-2007, 02:28 PM
Aight well, I did a totally new method, so these hashes will be different from the ones I posted earlier. But rest assured, they are still following your rules.


My Hash - *e0*fb4**70da6adb7a*2a*d54e48ac2
Your Hash - bd*de5d78f*ecf75*0f885edf7a7f*ef

But after you prove me wrong, please release your code, I needz0r it! :p

SyntaXmasteR
08-29-2007, 04:27 PM
Ok. Found your hashing method: Proof (http://www.syntax******.info/img/proof_*.jpg)

It took me *0 seconds to find your hashing method as you can see in the image I provided. You may ask what the hell 0:1:1:0:0:1 is right?

0=MD5
1=SHA1

So your method of hashing the password is as follows:

md5(sha1(sha1(md5(md5(sha1("aa"))))))

On to cracking the password... :cool:

Moonbat
08-29-2007, 04:43 PM
It was pretty easy, only 6 times, *0 less than my previous hashing method. But no matter what, you would've found out how many times and in what order I hashed the password. After all, if it took you *0 secs to find that, you easily could've found my original one in less than * minute.

SyntaXmasteR
08-29-2007, 07:48 PM
It will take a maximum of 27 hours to crack the password using 6 hash over hashes, so I will post back once my CPU catches fire, or the password is cracked. I have the computer opened up with fans blowing directly on the processor so hopefully it will make it through the night running at 100% CPU.

Moonbat
08-29-2007, 07:49 PM
You should turn off some of your unnecessary processes, if you have any running.

SyntaXmasteR
08-29-2007, 08:01 PM
Nope, just php at 100% - It's an older AMD processor but will eventually get the job done.

Ezekiel
08-29-2007, 08:27 PM
It will take a maximum of 27 hours to crack the password using 6 hash over hashes, so I will post back once my CPU catches fire, or the password is cracked. I have the computer opened up with fans blowing directly on the processor so hopefully it will make it through the night running at 100% CPU.

Are you sure that you will make it through the night? It's an obvious fire risk.

What if you had a cat/dog in your house, and it licked the open computer motherboard? What if it spilled the [copious amounts of] coffee on your desk onto the open computer?

Well, don't say we didn't warn you. You might want to write out a will though.

I have to say, when someone challenges you, you never seem to give up.

Moonbat
08-29-2007, 08:50 PM
SyntaX is stubborn :rolleyes:

I told him I'd admit defeat if he just gave out the code for generating every possible Double Dutch combo (from 2 times to 20) of an ASCII string, cus after all I just wanna learn in the end, but he insists on winning fair and square.

But by some miracle he doesn't win, he'll have wasted all his time, wasted electricity, and I'll be seeing a nice little sticky from him named "PWNED BY MOONBAT" and dead animals

P.S. - The reason I <* dead animal pics so much is because the first time I ever defaced a site (milw0rm 'sploit, PHP-Fusion CMS site for some Counter-Strike clan) I posted a pic of a dead dog hanging from a tree. Yes, it's morbid. No, I don't care how sick you think I am. :)

SyntaXmasteR
08-29-2007, 09:31 PM
I would consider myself more persistent. Stubborn hangs on to a negative connotation. The only reason I'm really being "persistent" with this case is because I have never actually tried to crack a password. I have no reason to, nor will ever have any reason to. In theory, it works out in my head so I not only am proving it to you, but also to myself. I have lots of theories that should work, but have never been tested.

Well, never mind, that's a bunch of BS. I just can't wait to see Moonbat's version of justgotowned.com posted on youtube. I can't let him get out of this one!

Ezekiel
08-29-2007, 09:46 PM
P.S. - The reason I <* dead animal pics so much is because the first time I ever defaced a site (milw0rm 'sploit, PHP-Fusion CMS site for some Counter-Strike clan) I posted a pic of a dead dog hanging from a tree. Yes, it's morbid. No, I don't care how sick you think I am. :)

I've just realised that I've never defaced a site. Perhaps that's a good thing, or perhaps a bad thing.

See here:

http://tinyurl.com/yvsxh























If you looked at that pic and thought "there's ol' goatse again" without being offended at all, or even admired the great feat of anus-stretching, you are desensitised to the internet.

I'm desensitised, but I don't think I'm 'sick'.

I don't know what qualifies as sick. Perhaps you are sick.

I'm in such a weird mood that I feel like posting some Youtube videos:

My favourite music video (serious):

http://*****************/watch?v=ABqh*N-Mw5E

My favourite 'spot the difference' video (non-serious):

http://*****************/watch?v=xCvhDPq6mBI

Meme *:

http://*****************/watch?v=upvweQDrd5c

Meme 2:

http://*****************/watch?v=oHg5SJYRHA0

Meme *:

http://*****************/watch?v=EwTZ2xpQwpA
http://*****************/watch?v=caIBKOztlAo
http://*****************/watch?v=*oFS-q8BIps
http://*****************/watch?v=JNEgr6ua6VQ

Welcome to the internet.

By the way, if it's time to concede defeat (actual purpose of thread):

http://moonbat.justgotowned.com/

Edit: justgotowned is down.

SyntaXmasteR
08-29-2007, 11:29 PM
I have never defaced a site either.

I did however find an exploit in Microsoft Windows 2000 (2002 Pre-Service pack 2) that allowed me to access any computer that was not behind a firewall. I logged onto Goodyear's server, some hotel chain in Florida, a lawyer's office in Arkansas, etc... I did however contact them and let them know that their computers needed to be *******. It kinda freaks them out when you read their entire employee roster to them from across the country.

Ezekiel
08-30-2007, 05:36 AM
I did however find an exploit in Microsoft Windows 2000 (2002 Pre-Service pack 2) that allowed me to access any computer that was not behind a firewall. I logged onto Goodyear's server, some hotel chain in Florida, a lawyer's office in Arkansas, etc... I did however contact them and let them know that their computers needed to be *******. It kinda freaks them out when you read their entire employee roster to them from across the country.

You must have sounded totally badass revealing all their private information and internal network details from hundreds of miles away. Like in Bourne when he's looking at Landy through his sniper scope and says "get some rest, Pam, you look tired", but in electronic form.

You should have remote desktoped in and opened up a notepad window on their computer to talk to them, adding to the awesomeness.


Mike, that entire post is made of win and pwn.

Sleep deprivation leads to weird posts like that, for me.

Attention: this thread has officially been hijacked. Stay in your seats and no one will get hurt! (http://www.divshare.com/img/*7*0*4*-cb7.jpg)

SyntaXmasteR
08-30-2007, 07:50 AM
* hour and counting down. Either my office building will be toasted or I will have a password cracked!

Moonbat
08-30-2007, 08:17 AM
Well, I'll be waiting... :D

SyntaXmasteR
08-30-2007, 09:21 AM
Well... I have some news

SyntaXmasteR
08-30-2007, 09:52 AM
Unfortunately, when I arrived at the office building this morning there was nothing left to it. Ash & rubble covered what was left of the **000 ft^2 building's floor. It was evident that I lost the competition. I burned down the office in an attempt to prove a simple point, that I could pwn moonbat. Well everyone, there is a very important lesson to be learned here! When you get so obsessed over things that matter so little, people can get hurt, lives can be lost, forever changed. But there is an even deeper moral to this story! View Below ...













Syntax****** is a crazy liar, Proof I own Moonbat (http://www.syntax******.info/img/proof_2.jpg). Ha!

Well that was fun, and I've only had my first cup of coffee today. I know I know you want to see the code. Well here is the first script I used to crack his hashing sequence. I let 0's represent MD5 hash and 1's represent SHA1 hash.


<?php
// Finds the order of md5()/sha1() calls that turns the known password "aa"
// into the target hash. In a candidate sequence '0' means md5 and '1' means sha1.
function combinations($maxlength,$word,$a)
{
    $wordlength=$maxlength;
    $combinations=$a;
    $combinations_length=strlen($combinations);
    $pointer=($wordlength-1);
    settype($word,"string");
    settype($combinations,"string");
    //COUNTER FOR TOTAL COMBINATION TRIES
    $counter=0;
    ///////////////////////////////////////////////////

    // One index into $combinations per position, all starting at 0
    $custom_array=array();
    for($i=0;$i<$wordlength;$i++)
    {
        $custom_array[$i]=0;
    }

    while($pointer>=0)
    {
        $pointer=($wordlength-1);
        while($custom_array[$pointer]<$combinations_length)
        {
            $counter++;
            // Build the candidate sequence from the current indexes
            $testword=$combinations[$custom_array[0]];
            for($i=1;$i<$wordlength;$i++)
            {
                $testword=$testword . $combinations[$custom_array[$i]];
            }

            $hashedword="aa";

            // Apply the hashes from the last character to the first, so the
            // last character is the innermost call. The loop tests $z>=0
            // rather than isset($testword[$z]) because PHP 7.1+ accepts
            // negative string offsets.
            $z=strlen($testword)-1;
            while($z>=0){
                if($testword[$z]==="0"){
                    $hashedword=md5($hashedword);
                }else{
                    $hashedword=sha1($hashedword);
                }
                $z--;
            }

            // Strict comparison: == would compare "0e..." hex strings as numbers
            if($hashedword===$word)
            {
                echo "Checking: " . $testword . "=" . $word . "\n\n";
                echo "Location: " . implode(":",$custom_array);
                return($counter);
            }

            $custom_array[$pointer]=(($custom_array[$pointer])+1);
        }
        // Last position overflowed: reset it and carry to the left
        $custom_array[$pointer]=0;
        $pointer--;
        while($pointer>=0 && $custom_array[$pointer]==($combinations_length-1))
        {
            $custom_array[$pointer]=0;
            $pointer--;
        }
        // $pointer<0 means every sequence of this length has been tried
        if($pointer>=0)
        {
            $custom_array[$pointer]=(($custom_array[$pointer])+1);
        }
    }
    return(0);
}


///////////////////////////////////////////////
///////////////////////////////////////////////
/* BEGINNING OF SCRIPT */
$maxlength=20;
// Target hash as posted in the thread (digits shown as * are masked in this copy)
$word="bd*de5d78f*ecf75*0f885edf7a7f*ef";
$possible_characters="01";
$stats=0;
$statcounter=0;

// Start TIMER
// SCRIPT FOUND HERE: http://www.desilva.biz/php/timer.html
// -----------
$stimer = explode( ' ', microtime() );
$stimer = $stimer[1] + $stimer[0];
////////////////////////////////////////

// Try the longest sequences first, then shorter ones, until a match is found
for($i=$maxlength;$i>0 && $stats==0;$i--)
{
    $stats=combinations($i,$word,$possible_characters);
    if($stats==0)
    {
        $statcounter=$statcounter+pow(strlen($possible_characters),$i);
    }
}
$statcounter=$statcounter+$stats;

// End TIMER
// ---------
$etimer = explode( ' ', microtime() );
$etimer = $etimer[1] + $etimer[0];
printf( "\n\nTime: %f seconds.", ($etimer-$stimer) );
printf( "\n\nCombinations: $statcounter" );
// ---------

?>


That wasn't so difficult to understand was it? What made this script so easy to work with is the floating array pointer I created. Anyways, here is the second part of the script that I used to crack Moonbat's passwords after I found his hashing sequence:



<?php
// Tries every string of the given length over the character set and compares
// its hash, computed with the sequence found by the first script, to the target.
function combinations($maxlength,$word,$a)
{
    $wordlength=$maxlength;
    $combinations=$a;
    $combinations_length=strlen($combinations);
    $pointer=($wordlength-1);
    settype($combinations,"string");
    settype($word,"string");
    //COUNTER FOR TOTAL COMBINATION TRIES
    $counter=0;
    ///////////////////////////////////////////////////

    // One index into $combinations per position, all starting at 0
    $custom_array=array();
    for($i=0;$i<$wordlength;$i++)
    {
        $custom_array[$i]=0;
    }

    while($pointer>=0)
    {
        $pointer=($wordlength-1);
        while($custom_array[$pointer]<$combinations_length)
        {
            $counter++;
            // Build the candidate word from the current indexes
            $testword=$combinations[$custom_array[0]];
            for($i=1;$i<$wordlength;$i++)
            {
                $testword=$testword . $combinations[$custom_array[$i]];
            }

            $hashedword=md5(sha1(sha1(md5(md5(sha1($testword))))));

            // Strict comparison: == would compare "0e..." hex strings as numbers
            if($hashedword===$word)
            {
                echo "Checking: " . $testword . "=" . $word . "\n\n";
                echo "Location: " . implode(":",$custom_array);
                return($counter);
            }/*else{
                echo "\nHASHWORD: " . $hashedword;
            }*/
            $custom_array[$pointer]=(($custom_array[$pointer])+1);
        }
        // Last position overflowed: reset it and carry to the left
        $custom_array[$pointer]=0;
        $pointer--;
        while($pointer>=0 && $custom_array[$pointer]==($combinations_length-1))
        {
            $custom_array[$pointer]=0;
            $pointer--;
        }
        // $pointer<0 means every word of this length has been tried
        if($pointer>=0)
        {
            $custom_array[$pointer]=(($custom_array[$pointer])+1);
        }
    }
    return(0);
}


///////////////////////////////////////////////
///////////////////////////////////////////////
/* BEGINNING OF SCRIPT */
$maxlength=5;
// Target hash as posted in the thread (digits shown as * are masked in this copy)
$word="*e0*fb4**70da6adb7a*2a*d54e48ac2";
$possible_characters="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$stats=0;
$statcounter=0;

// Start TIMER
// SCRIPT FOUND HERE: http://www.desilva.biz/php/timer.html
// -----------
$stimer = explode( ' ', microtime() );
$stimer = $stimer[1] + $stimer[0];
////////////////////////////////////////

// Try the longest words first, then shorter ones, until a match is found
for($i=$maxlength;$i>0 && $stats==0;$i--)
{
    $stats=combinations($i,$word,$possible_characters);
    if($stats==0)
    {
        $statcounter=$statcounter+pow(strlen($possible_characters),$i);
    }
}
$statcounter=$statcounter+$stats;

// End TIMER
// ---------
$etimer = explode( ' ', microtime() );
$etimer = $etimer[1] + $etimer[0];
printf( "\n\nTime: %f seconds.", ($etimer-$stimer) );
printf( "\n\nCombinations: $statcounter" );
// ---------

?>


Enjoy~ and Moonbat! Your password is stfuk. I win. :cool: Start making your youtube video! Can't wait to see it. If anyone has any questions about the script, post them here and I'll explain. (except the timer - I added that in just to see how long it takes to run.)

Moonbat
08-30-2007, 10:04 AM
I hate you....

J/k, you won fair and square, time for dead animals and a YouTube vid...:(

SyntaXmasteR
08-30-2007, 11:40 AM
For some odd reason I removed the comments to post it. I'll add more than enough comments and repost.

SyntaXmasteR
08-30-2007, 12:43 PM
OK, first take a good look at this picture, in which I tried to explain how everything is actually working. VIEW IMAGE (http://www.syntax******.info/img/explaination.jpg)

After you view the image look at the code again with the comments I added. Hopefully it will help. It REALLY HURT my brain to write this. I have lost several childhood memories because of this, so please do not feel lost if you can not fully understand it the first time you look at it. I think I will recode it using better variable names so everyone can better understand it. The first time I wrote it, it was hard enough to keep the theory in my head so I wasn't worried about making the code user friendly.



<?php
function combinations($maxlength,$word,$a)
{
    $wordlength=$maxlength;
    $combinations=$a;
    $combinations_length=strlen($combinations); // GETS THE LENGTH OF COMBINATIONS - IF $combinations="01" $combinations_length WILL EQUAL 2
    $pointer=($wordlength-1); // IN THIS CASE THE WORDLENGTH=20 SO IT WILL SET $pointer TO 19 BECAUSE IN 00000000000000000000 THE LOCATION OF THE RIGHT MOST ZERO IS 19
    $counter=0; // BASIC COUNTER FOR EACH COMBINATION TRY
    settype($word,"string");
    settype($combinations,"string");
    //COUNTER FOR TOTAL COMBINATION TRIES

    ///////////////////////////////////////////////////

    for($i=0;$i<$wordlength;$i++) // THIS BUILDS MY COUNTER ARRAY - THIS IS THE PART YOU REALLY NEED TO UNDERSTAND
    { // $wordlength=20 because there are a MAX of 20 possible hash tries for the sequence
        $custom_array[$i]=0; // IT WILL SET AN ARRAY 00000000000000000000 WHICH ACTUALLY REPRESENTS md5(md5(md5(md5( etc 20 times
    }

    while($pointer>=0) // HERE IS THE TRICK TO THE SCRIPT - THIS IS THE POINTER FOR THE CUSTOM ARRAY AND WILL BE LESS THAN ZERO ONLY WHEN IT HAS TRIED EVERY POSSIBLE COMBINATION
    {
        $pointer=($wordlength-1); // THIS RESETS THE ARRAY POINTER TO THE FARMOST ZERO TO RESTART THE INCREMENT PROCESS
        while($custom_array[$pointer]<$combinations_length)
        {
            $counter++;
            $testword=$combinations[$custom_array[0]];
            for($i=1;$i<$wordlength;$i++)
            {
                $testword=$testword . $combinations[$custom_array[$i]];
            }

            echo "\n$testword";

            $hashedword="aa";

            $z=strlen($testword)-1;
            while(isset($testword[$z])){
                if($testword[$z]==0){
                    $hashedword=md5($hashedword);
                }else{
                    $hashedword=sha1($hashedword);
                }
                $z--;
            }

            // STRICT COMPARISON: "==" TREATS NUMERIC-LOOKING HEX STRINGS AS NUMBERS
            if($hashedword===$word)
            {
                // End TIMER
                // ---------
                echo "Checking: " . $testword . "=" . $word . "\n\n";
                echo "Location: " . implode(":",$custom_array);
                return($counter);
                // ---------
            }

            $custom_array[$pointer]=(($custom_array[$pointer])+1);
        }
        $custom_array[$pointer]=0;
        $pointer--;
        if($custom_array[$pointer]==($combinations_length-1))
        {
            while($custom_array[abs($pointer)]==($combinations_length-1))
            {
                $custom_array[$pointer]=0;
                $pointer--;
            }
        }
        $custom_array[$pointer]=(($custom_array[abs($pointer)])+1);
    }
    return(0);
}


///////////////////////////////////////////////
///////////////////////////////////////////////
/* BEGINNING OF SCRIPT */
$maxlength=20; // MAXIMUM POSSIBLE LENGTH OF HASH SEQUENCES (EX: md5(sha1(sha1(md5( ... up to twenty)
$word="bd*de5d78f*ecf75*0f885edf7a7f*ef"; // THIS IS THE HASH I WILL BE TRYING TO FIND THE "HASH SEQUENCE" FOR.
$possible_characters="01"; // THE TWO POSSIBLE CHARACTERS ARE 0 and 1. 0 WILL REPRESENT MD5, 1 WILL REPRESENT SHA1
$stats=0;
$statcounter=0;

// Start TIMER - SCRIPT FOUND HERE: http://www.desilva.biz/php/timer.html
$stimer = explode( ' ', microtime() );
$stimer = $stimer[1] + $stimer[0];
////////////////////////////////////////


for($i=$maxlength;$i>0 && $stats==0;$i--) // BASICALLY THIS IS SETTING THE LOOP TO RUN UNTIL (STATS!=0 which means password is found) OR UNTIL ALL POSSIBLE COMBINATIONS HAVE BEEN TRIED
{
    $stats=combinations($i,$word,$possible_characters); // STATS WILL EQUAL ZERO UNLESS PASSWORD MATCH IS FOUND IN FUNCTION combinations() IF PASSWORD IS FOUND THE VARIABLE COUNTER IS RETURNED
    if($stats==0)
    {
        $statcounter=$statcounter+pow(strlen($possible_characters),$i); // I SHOULD HAVE SIMPLY MADE $statcounter A GLOBAL, BUT I USED THIS TO CONTINUOUSLY ADD TO THE TOTAL COUNT OF TRIES IF PASSWORD IS NOT FOUND FOR THE CURRENT LOOP. THIS IS A BASIC COUNTER OF THE NUMBER OF TRIES.
    }
}
$statcounter=$statcounter+$stats; // AFTER LOOP IS FINISHED - THE TOTAL OF TRIES IS CALCULATED

// End TIMER // PRINTS THE TIMER AT THE END OF SCRIPT
$etimer = explode( ' ', microtime() );
$etimer = $etimer[1] + $etimer[0];
printf( "\n\nTime: %f seconds.", ($etimer-$stimer) );
printf( "\n\nCombinations: $statcounter" );
// ---------

?>

Ezekiel
08-30-2007, 02:07 PM
Are you gonna give me a problem? You just said you're gonna give me a fucking problem! (http://www.divshare.com/img/*7*6670-*f7.png)

Serious response: good work Syntax, although this entire exercise was kind of pointless.

SyntaXmasteR
08-30-2007, 04:07 PM
Serious response: good work Syntax, although this entire exercise was kind of pointless.
Pointless! We get to see Moonbat on Youtube raping dead animals.



I kind of get where you're going with the script, but the problem is I don't know what was going through your mind when you wrote it, which is the real roadblock.
If I made a video step by step coding this, would it help? I will need to put myself in the same state of mind I was in when I wrote it, but I can do it again. I've done it twice, thrice will not kill me. I'll record my desktop while I rewrite it.

Moonbat
08-30-2007, 04:12 PM
Lol, don't expect too much from the vid, I gave up enough of my dignity already :p

Ezekiel
08-30-2007, 05:28 PM
Are you kidding? I'm sure this got us to think a good amount. I'd say this was one of the best threads we've had here.

It was an interesting thread, but the only point to the crack challenge was for Syntax****** and Moonbat to try to beat each other. Not that I disapprove of that -- we need more stuff like this in the forum.

Moonbat
08-30-2007, 06:25 PM
Yep, this has been the most interesting thing (on this forum) since that time that guy (trinoid) came and asked us to pentest his site, which led to us getting his email, ebay acct, paypal, etc. Of course, we didn't do anything bad, and we told him to change his pass for all his stuff (his password was 'puppies' for everything).

Ezekiel
08-31-2007, 05:48 AM
Yep, this has been the most interesting thing (on this forum) since that time that guy (trinoid) came and asked us to pentest his site, which led to us getting his email, ebay acct, paypal, etc. Of course, we didn't do anything bad, and we told him to change his pass for all his stuff (his password was 'puppies' for everything).

I think we've had more interesting threads than that, but they don't come often.

teknicalissue
04-22-2008, 11:53 PM
This thread owns in so many levels... haha I read it from post * through now lol haha this is great

Moonbat
04-23-2008, 10:22 PM
Hehe, this thread does bring back memories. I thought I actually had a chance against the powers of SyntaX******. They don't call him that just for fun, you know :D

EDIT: Just read through SyntaX's code again, and realized that I could actually 'read' most of the code, not just stare at it in amazement like I did the last time I opened this thread. :)

SyntaXmasteR
04-24-2008, 12:10 PM
Just read through SyntaX's code again, and realized that I could actually 'read' most of the code, not just stare at it in amazement like I did the last time I opened this thread.

Well I never had any formal programming training. I just do it for the challenge when I have some extra time. Thanks to JayT I actually have started commenting all of my code. Now others can actually Read/Use the code I write. Wow, no more headaches. Go figure!

Moonbat
04-24-2008, 08:04 PM
Well I never had any formal programming training. I just do it for the challenge when I have some extra time. Thanks to JayT I actually have started commenting all of my code. Now others can actually Read/Use the code I write. Wow, no more headaches. Go figure!
I didn't mean my last post in this sense.

What I meant was, before I really didn't know a lot of PHP so it was just a bunch of code, but now after learning a good deal of PHP I can actually understand most of the code. :)

JayT
04-25-2008, 02:06 PM
Security by obscurity is OK sometimes.

Securing login data by using SHA* or MD5 is good.
If done carefully, brute force guessing can be essentially neutralized.

For example, code like


md5(sha1(sha1(md5(md5(sha1("aa"))))))

seems excessive.

A simpler way is simply to use an arbitrary, but consistent, rule to modify the hash in a way known ONLY to you and no other. Without this secret info, no amount of ordinary brute force will crack the hash in any practical time period. Mission accomplished.




$hash = md5("John");

When I execute this, it returns

$hash = "6*40*aa*fd47d4a5**2de2*cbf5*a*6f"



Instead of leaving it that way, you could apply a 'private rule', such as swapping the **th character with the final character of the hash string before storing it.

In the above example

$hash = "6*40*aa*fd47d4a5**2de2*cbf5*a*6f"

would become:

"6*40*aa*fd47f4a5**2de2*cbf5*a*6d"

Brute force will NOT find 'John' from this hash.

The **th character 'f' was swapped with the final character 'd' to break the brute force method.

Before comparing, we repeat the swap, to restore the hash to normal.


ANY SIMPLE RULE WILL DO
It can be ANY simple convenient rule that transparently alters the hash from its original sequence but can be easily undone to restore the original hash.

To use the hash, simply reverse the process before comparing it. If someone stole your password list encrypted in this manner, would it simply occur to them to swap the **th and the final characters prior to attempting to crack it by brute force? Not likely.

The change is essentially invisible and without that special prior knowledge of the required minor change, nobody is likely to crack the hash. It's like the secret ingredient your mum uses in a recipe. Even if Russian spies steal her recipe, they still don't know about the secret ingredient not mentioned and will not get exactly the same result without it.

This is a case where security by obscurity is OK, very simple and quite effective.

The programming of this method is not difficult and its power and effectiveness lies in making sure that ONLY YOU know the secret of the hash.

I do the same with PGP encryption too. I have to change * characters before PGP can be decrypted. Knowing the pass phrase is not enough in itself if you don't know which * characters to change first prior to decryption.

Knowledge is power, and secret knowledge is even greater power.

Moonbat
04-25-2008, 08:03 PM
While this is a good idea JayT, applying a salt to a password is just as effective, and IMO easier to implement. But nevertheless, it's a cool idea and it's original as far as I know.
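
The salt suggestion above and the nested md5/sha1 scheme cracked earlier in the thread, as an added example that is not part of the original posts: one way to move stored values from the nested scheme to PHP's built-in password_hash() (random per-user salt, tunable cost) at login time, with a measurement of what one guess costs under each scheme. The function names and the sample password are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Names and sample data are constructed.

// The nested scheme from the thread: six fast, unsalted hash calls.
function legacy_hash(string $password): string
{
    return md5(sha1(sha1(md5(md5(sha1($password))))));
}

// Check a login against a stored value. Returns [accepted, replacement hash or null].
function verify_and_upgrade(string $password, string $stored): array
{
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Legacy row (32 hex chars); hash_equals() is constant-time and type-strict.
        if (!hash_equals($stored, legacy_hash($password))) {
            return [false, null];
        }
        // Password is correct: store a salted, deliberately slow hash instead.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [true, $new];
}

// Average wall-clock seconds for one guess, over $n calls of $check.
function seconds_per_guess(callable $check, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $check("guess$i");
    }
    return (microtime(true) - $start) / $n;
}

// Constructed sample: one legacy row, upgraded on its first successful login.
$legacyRow = legacy_hash('cookie');
[$ok, $upgraded] = verify_and_upgrade('cookie', $legacyRow);
$second = password_hash('cookie', PASSWORD_DEFAULT); // another user, same password
printf("legacy login ok: %s\n", var_export($ok, true));
printf("same password, different stored values: %s\n", var_export($upgraded !== $second, true));
printf("wrong password rejected: %s\n", var_export(!verify_and_upgrade('wrong', $upgraded)[0], true));
$fast = seconds_per_guess(fn($g) => legacy_hash($g) === $legacyRow, 10000);
$slow = seconds_per_guess(fn($g) => password_verify($g, $upgraded), 5);
printf("per guess: nested %.2e s, password_hash %.2e s\n", $fast, $slow);
```

The caller writes the returned replacement hash back to the user's row, so legacy values disappear as users log in. Requires PHP 7.4 or later for the arrow functions.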

JayT
04-26-2008, 02:47 AM
While this is a good idea JayT, applying a salt to a password is just as effective, and IMO easier to implement. But nevertheless, it's a cool idea and it's original as far as I know.

The doctor told me to cut down on salt.
LOL

However, I don't think that salting a hash is any simpler to program than simply swapping 2 characters within a hash string.

That was a simple method I used with PGP before I heard of salting. One or two secretly altered characters and PGP and several other kinds of text-based encryptions are effectively immunized against brute force.

So simple, a Geico Salesman can do it!

Yadayadayada

:)