
Thread: How to Double Dutch (PHP)


  1. #1
    Join Date
    Sep 2006
    Posts
    1,649

    How to Double Dutch (PHP)

    This tutorial was NOT written by me, it was written by a person with the handle "bouncer" (no quotes) from [url]http://www.hellboundhackers.org[/url]

    Most of the people use md5() or sha*() encryption these days and that is good because it's safe.... unless.... someone else got your hash and tries to bruteforce it.

    Well, I love to secure passwords very much, so I always use my Double Dutch method

    We will now encrypt the word: "cookie" in md5 + sha* with php:
    [PHP]<?php
    md5("cookie");
    sha*("cookie");
    ?>[/PHP]
    You'll see the encryption of "cookie" in md5:
    2dccd*ab*e0***0aea77*5*8**c85ca2
    and the encryption of "cookie" in sha*:
    5*c826fc854**7cbd4d*08*bce8fc00d076*e8b*

    Now people can bruteforce this really easy so when encrypting your password you can do:

    [PHP]<?php
    md5(sha*("cookie"));
    ?>[/PHP]
    Encryption of the Double Dutch method is:
    aca8*f6e****e*f7dae00**2fd*8fca*

    This encryption includes the sha* encryption! So even when trying to bruteforce it, it will be like almost impossible to crack it (Nothing is impossible, only difficult).

    So happy securing!
    You can take this Double Dutch method to extremes, like doing md5(sha*(md5(sha*("hashhere")))) or even bigger!

  2. #2
    Join Date
    Jan 2005
    Posts
    623
    Unfortunately this is untrue. Take a look at my [url=http://www.all-nettools.com/forum/showthread.php?t=6**4]wordlist generator[/url] in C++. You can remove the line that creates the data, and replace it with a comparison operator:

    if(md5(sha*(currentword))==hash){ PASSWORD WOULD BE FOUND }

    If you compute the MD5 & SHA* functions to the current word and compare it to the hash, you could crack it just as easily.

    ~SyntaX
    [url=http://www.syntax******.info/tools/services.php]Speed Up Windows XP[/url]
    [url=http://www.syntax******.info/tools/ip.php]Get An Ip Address[/url]
    [url=http://www.syntax******.info/tools/base_converter.php]Base Converter[/url]
    --------------------------------
    [URL=http://www.boninroad.com/syntax******/]Old Site[/URL]
    [URL=http://www.syntax******.info]Coming Soon[/URL]

  3. #3
    Join Date
    Sep 2006
    Posts
    1,649
    This is more centered around 'security by obscurity' i.e., you wouldn't go telling everyone that you are using this method. Double Dutching is good for the 'naughty admin' scenario.

    Suppose you're running a phpBB forum (which you modify to use Double Dutching, which I wouldn't recommend doing if you're a PHP newbie), and you decide to make a good buddy of yours an admin. He acts all good for a week, but then suddenly downloads a copy of your phpBB database, removes you as admin, deletes the whole board, and tells you he will release the DB (which happens to be *000+ users) unless you pay him $*00 bucks.

    Now, what he doesn't know is that the passwords are Double Dutched, so even if he does release the DB to people, you're the only one that knows they are Double Dutched (and hence gonna take a long while to crack, especially if you went md5-sha*-md5-sha*, which looks like a normal md5 hash in the end, and nobody will suspect a thing), and so all you have to worry about is the last time you backed up your forum's DB.

  4. #4
    Join Date
    Jan 2005
    Posts
    623
    This is the way I look at the situation:

    If you obtained one hash, you can get another. You create your own account with a password you know. Once you have your own password's hash you can easily figure out what method is used to encrypt the password and start your brute force.

    I believe the best way to avoid brute force is to attach a 20(random number I just made up) character string onto each password before md5 hashing it. This will eliminate any chance that a brute forcer will ever crack the password. So you would actually:
    Code:
    $password="PlainTextPassword";
    $password .= "PrimaryTextStringAttachedToPassword!";
    $password = md5($password);
    Of course the question arises "What about the Log In Validation?"

    Since the database will have the encrypted version of the password stored, you would reapply the same process to compare for validation.
    Last edited by SyntaXmasteR; 08-29-2007 at 11:24 AM.
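
    Added example, not part of the original posts: login validation for the salting approach discussed above, using a random per-account salt and PBKDF2 in place of a fixed suffix and a single md5. The function names, the iteration count and the two sample accounts are assumptions made for illustration.

```php
<?php
// Added example: per-account random salt with a slow KDF, next to the
// fixed-suffix md5 scheme from the post above. Sample data is constructed.

const FIXED_SUFFIX = 'PrimaryTextStringAttachedToPassword!'; // string from the post
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for your hardware

// Scheme from the post: the same password always yields the same stored value.
function fixed_suffix_hash(string $password): string
{
    return md5($password . FIXED_SUFFIX);
}

// Registration: generate a fresh salt per account and store it with the hash.
function make_record(string $password): array
{
    $salt = random_bytes(16);
    $hash = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 64);
    return ['salt' => bin2hex($salt), 'iter' => PBKDF2_ITERATIONS, 'hash' => $hash];
}

// Login validation: recompute with the stored salt, compare in constant time.
function verify_record(string $password, array $record): bool
{
    $salt = hex2bin($record['salt']);
    $candidate = hash_pbkdf2('sha256', $password, $salt, $record['iter'], 64);
    return hash_equals($record['hash'], $candidate);
}

// Constructed sample data: two accounts that happen to share a password.
$alice = make_record('cookie');
$bob   = make_record('cookie');

// Fixed suffix: both accounts would store the identical value.
var_dump(fixed_suffix_hash('cookie') === fixed_suffix_hash('cookie'));
// Per-account salt: the stored hashes differ although the password is the same.
var_dump($alice['hash'] === $bob['hash']);
// Validation reapplies the process with the salt stored for that account.
var_dump(verify_record('cookie', $alice));
var_dump(verify_record('Cookie', $alice));
```

    PHP's built-in password_hash() and password_verify() handle the salt and work factor internally and are the usual choice in new code.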

  5. #5
    Join Date
    Sep 2006
    Posts
    1,649
    I see where you're coming from, but if you pull a huge Double Dutch (I'm talking md5-sha*-md5-md5-md5-sha*-sha*-md5), the sheer amount of time it would take to bruteforce each and every hash's hash to get to the actual pass would not be worth wasting time and CPU power for. And notice I threw in a few md5's in a row, and two sha*'s in a row, that way just when the person thinks they've got the pattern, they hit a road block.

    Also, combining your suggestion with Double Dutching would be virtually unstoppable (or should I say, uncrackable).

  6. #6
    Join Date
    Jan 2005
    Posts
    623
    I would like to demonstrate how easy it is to find a hash process & crack a password if your choices are only MD5 & SHA*. Again, I will use my random combination script for this.

    Let's set up the scenario I gave in the previous message.

    I need these two things from you:

    *. Your password hash
    2. My password hash

    Rules you must follow for time purposes

    *. Your password must contain the following character set a-z,A-Z,0-* and no other characters.
    2. Your password must be 5 or less characters in length
    *. You must hash my password using the same method as you hash your password.
    4. You can apply up to twenty hashes in a row. Ex: md5(sha*(md5(sha*( etc... up to 20

    My password: aa

    If you can give me this information I will crack your password and display it in the next post.

    Theory
    The total possible combination for 20 hashes (using MD5 & SHA*) = 20*7*5* Possible Combinations. If my theory of cracking this works, I should be able to figure out your password hash method in less than * hour. Once I figure this out, I can crack your password (*-5 characters a-zA-Z0-* in less than an hour) The variable here is "Time" I'm not sure how much time will be added for each power of possible hashing but I guess we will find out.
    Last edited by SyntaXmasteR; 08-28-2007 at 05:10 PM.

  7. #7
    Join Date
    Sep 2006
    Posts
    1,649
    Well then, I'll take you up on that challenge!

    I used my own custom Double Dutch (made it up on the spot), and here are the hashes:

    Code:
    My Hash - *6d2f2fd***a6*0e6767b*bd4b*f72e6c25c8dce
    Your Hash - 4fe04d0bd**ab*0***045*a50776c25c***b75cf
    I followed all of your rules, using nothing but numbers and letters. Didn't go past twenty hashing sequences, and followed the same method for both passwords.

    Anyways, crack this by this same time tomorrow (the time I've posted this message) and I'll declare Double Dutch a piece of crap. If you can't however, you will have to post the words "PWNT" (no quotes), and then a link to a picture of a dead animal of your choice in this thread.

    I will be waiting (and praying that I'm right)

  8. #8
    Join Date
    Jan 2005
    Posts
    623
    Offer accepted.

    I will need to locate my PHP version of my C++ code for the SHA* hashing. Then I will need to tweak the code for MD5 & SHA*. Once this is completed I will run the combination script once to figure out your hash method. After I get your hash method I will run the combination script once again to crack your password. I will be running this on a P4 with little RAM so it will take longer than usual, but I will have it cracked by tomorrow, promised!

    ~SyntaX

    Once I give you your password you must post a sticky for one week saying you were Pwned by Syntax******! And post a link to [url]http://Moonbat.justgotowned.com/[/url] showing everyone on the forum you were pwned.
    Last edited by SyntaXmasteR; 08-28-2007 at 05:32 PM.

  9. #9
    Join Date
    Sep 2006
    Posts
    1,649
    For some reason, justgotowned isn't working anymore, or else I would've made you do the same

    But, you wanted it, so I'll do it anyway, even though the link won't do anything

  10. #10
    Join Date
    Aug 2007
    Posts
    122

    Homemade Hash Recipe

    Security by obscurity is OK sometimes.

    Securing login data by using SHA* or MD5 is good.
    If done carefully, brute force guessing can be essentially neutralized.

    For example, code like
    Code:
    md5(sha*(sha*(md5(md5(sha*("aa"))))))
    seems excessive.

    A simpler way is simply to use an arbitrary, but consistent, rule to modify the hash in a way known ONLY to you and no other. Without this secret info, no amount of ordinary brute force will crack the hash in any practical time period. Mission accomplished.


    Code:
    $hash =  md5("John");
    When I execute this, it returns

    $hash = "6*40*aa*fd47d4a5**2de2*cbf5*a*6f"



    Instead of leaving it that way, you could apply a 'private rule', such as swapping the **th character with the final character of the hash string before storing it.

    In the above example

    $hash = "6*40*aa*fd47d4a5**2de2*cbf5*a*6f"

    would become:

    "6*40*aa*fd47f4a5**2de2*cbf5*a*6d"

    Brute force will NOT find 'John' from this hash.

    The **th character 'f' was swapped with the final character 'd' to break the brute force method.

    Before comparing, we repeat the swap, to restore the hash to normal.


    ANY SIMPLE RULE WILL DO
    It can be ANY simple convenient rule that transparently alters the hash from its original sequence but can be easily undone to restore the original hash.

    To use the hash, simply reverse the process before comparing it. If someone stole your password list encrypted in this manner, would it simply occur to them to swap the **th and the final characters prior to attempting to crack it by brute force? Not likely.

    The change is essentially invisible and without that special prior knowledge of the required minor change, nobody is likely to crack the hash. It's like the secret ingredient your mum uses in a recipe. Even if Russian spies steal her recipe, they still don't know about the secret ingredient not mentioned and will not get exactly the same result without it.

    This is a case where security by obscurity is OK, very simple and quite effective.

    The programming of this method is not difficult and its power and effectiveness lies in making sure that ONLY YOU know the secret of the hash.

    I do the same with PGP encryption too. I have to change * characters before PGP can be decrypted. Knowing the pass phrase is not enough in itself if you don't know which * characters to change first prior to decryption.

    Knowledge is power, and secret knowledge is even greater power.
    Last edited by JayT; 04-25-2008 at 02:23 PM.
    Oh to be free, so blissfully free, of the ravages of intelligence, there is no greater joy! - The Cweationist's Cweed

    All that is necessary for evil to triumph is a good PR firm.
    Very funny, Scotty. Now beam down my clothes!

  11. #11
    Join Date
    Sep 2006
    Posts
    1,649
    While this is a good idea JayT, applying a salt to a password is just as effective, and IMO easier to implement. But nevertheless, it's a cool idea and it's original as far as I know.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  12. #12
    Join Date
    Aug 2007
    Posts
    122

    Salt

    Quote Originally Posted by Moonbat View Post
    While this is a good idea JayT, applying a salt to a password is just as effective, and IMO easier to implement. But nevertheless, it's a cool idea and it's original as far as I know.
    The doctor told me to cut down on salt.
    LOL

    However, I don't think that salting a hash is any simpler to program than simply swapping 2 characters within a hash string.

    That was a simple method I used with PGP before I heard of salting. One or two secretly altered characters and PGP and several other kinds of text-based encryptions are effectively immunized against brute force.

    So simple, a Geico Salesman can do it!

    Yadayadayada

