A complete brute force attack

[Nulled] » Information security » Protection and hacking » A complete brute force attack

Now let's focus on a radical way to open the encryption key or password.

Let's assume that the author avoided common implementation errors and did not provide the cracker with either the key (password) in plain text, or comparison commands and explicit conditional transitions. In addition, the password is chosen according to all the rules and cannot be selected "manually". In this case, the hacker will try to iterate through all possible passwords.

A few years ago, the power of computers made it possible for the authors of the protections to declare that a complete search of passwords / encryption keys is impossible due to the huge number of possible passwords /keys. Even now, to demonstrate the effectiveness of the protection system, the power of many keys (passwords) is cited, and the reliability is confirmed by the length of the key.

"According to Bruce Schneier, an attack on a 128-bit key requires 4.2 x 1022 processors with a capacity of 256 million encryption operations per second. In this case, the key will be hacked in 1 year. The cost of such a number of processors by 2000 is estimated at 3.5 x 1024 dollars" [25].

"The RSA method is absolutely reliable. Even when using MailSafe (a product based on RSA technology) in the lowest level of secrecy mode, it will take about 10 years of operation of the Gray-1 supercomputer to "crack" the cipher. If it is necessary to achieve a high level of secrecy, MailSafe can use a 700-bit key instead of a 400-bit one. This will slow down the encryption process by 5 times, and decryption on Gray (by trial and error) will take 36 million years" [26].

But modern computer capacities and the latest computing technologies, for example, using computer clustering, allow for a complete search of even sufficiently long passwords within an acceptable period of time[2].

Experiments with hacking the famous cryptographic standard of the USA - DES-algorithm (Data Encryption Standart) are widely known. The 56-bit key of the DES algorithm was undisclosed for about twenty years. "... it fell on June 17, 1997, 140 days after the start of the competition (about 25% of all possible keys were tested and ≈ 450 MIPS years were spent[3]"[24]. In 1998, a report appeared about the hacking of the DES algorithm in 56 hours [19].

The RSA algorithm first encountered a sharp jump in computing performance, for the opening of which it is necessary to solve the factorization problem. In March 1994, the factorization of a number of 129 digits (428 bit6), which lasted for 8 months, was completed. 600 volunteers and 1,600 machines connected via e-mail were involved in this. The machine time spent was equivalent to about 5,000 MIPS-years [24].

On January 29, 1997, RSA Labs announced a competition to open the symmetric RC5 algorithm. The 40-bit key was opened 3.5 hours after the start of the competition! (This did not even require connecting computers via the Internet - a local network of 250 machines at Berkeley University was enough). After 313 hours, the 48-bit key was also opened [ 24].

Even a novice programmer can write a program that builds all possible sequences of characters from a given sequential enumerable set. Obviously, the calculation of the author of the defense should be based on the fact that a complete search takes a period of time beyond the reasonable. And the first thing that developers use for this is to increase the length of the key (password). In their own way, they are right. But

Firstly, as already noted, the power of computers is growing, and if a full search required a long period of time yesterday, the time that the computer will need tomorrow will most likely be acceptable to remove protection.

Due to the sharp increase in computing power, brute force attacks have a much better chance of success than before. If for the UNIX system the crypt() function, which is responsible for hashing passwords, was implemented in such a way that it was performed for almost 1 second on a PDP-class machine, then in twenty years the speed of its calculation increased 10,000 times (!). Therefore, if earlier hackers (and developers who limited the password length to 8 characters) and they could not imagine a complete bust, but today such an attack will lead to success in 125 days on average [24].

Secondly, effective algorithms (usually based on formal logic and using set theory, probability theory and other areas of mathematics) have already been proposed and can be improved to increase the speed of iteration. In addition, fast search algorithms are also used. (For example, it is proposed to use self-organizing tabular search to attack RSA and similar systems.)

Moreover, special equipment has already been created that performs the functions of brute force.

It is important to note that storing the password hash function does not exclude the possibility of a complete search, but only changes the time required for hacking. Indeed, now the program that performs password brute force must be supplemented by calculating the hash function of each option and comparing the result with the hash standard.

Let's pay attention to another circumstance related to password hashing protection. Some hash functions may return a result that matches the original, and for an incorrect password. To remove the protection in this case, it is enough to find any suitable password, which obviously weakens the protection and reduces the cost of hacking. (This property is possessed by hash functions that give a result comparable in length (in bits) to a password.)

Let's focus on another type of password brute force technique - the so-called dictionary attack. This is a method by which you can open a meaningful password. The method is based on the fact that the user selects an existing (dictionary) word in some language for easier memorization. Considering that there are no more than 100,000 words in any language, it is obvious that a complete search of vocabulary words will occur within a short period of time.

There are now widespread programs that select passwords based on dictionary words. Now only an irresponsible or lazy user can choose a meaningful password. Recall that, in addition to checking the dictionary, such programs "know how" to change the case of characters, "know" punctuation marks, "guess" that the user can flip a word, glue two words using a punctuation mark or a number, etc. transformations.

It is noteworthy that modern advanced means of protection against unauthorized access, allowing the user to independently choose a password for access, are equipped with modules that verify the selected password for belonging to such dictionaries and do not allow the password to be used in this case.

Programs that carry out dictionary attacks work quite quickly, as they implement effective search and comparison algorithms. For example, they do not use slow string comparison, but checksum comparison, etc. Many of them do not even contain a database of words, but use dictionaries built into common text editors.

Let's draw conclusions and give some recommendations for strengthening protection.

* Password protection should be used in cases where either a brute force attack will be ineffective, or an attacker will obviously not have access to sufficiently powerful computing tools to perform a complete brute force (we must not forget about the possibility of using network technologies).

* To enhance password protection, you should use any original techniques that reduce the speed of password brute force.

* You can slightly strengthen password protection by performing two (dependent) checks in the program: both the password and the result of the password hash function, while at the same time "hiding" the protective mechanism at the proper level, or, at least, abandoning direct comparison. At the same time, it is advisable to specifically select a hash function that gives a large number of passwords suitable for the hash standard. With this implementation of the security mechanism, the attacker will need to attack two parameters.

* Protection works even more effectively if the password (or better yet, the password function) serves as the encryption key for some part of the program code. In this case, the hacker will have to decrypt the code after going through all possible passwords (giving the specified hashing result).

Note that in this type of protection, that is, when checking several parameters at the same time, the hash function, which gives the desired result for a large number of passwords, significantly complicates hacking.

A complete brute force attack

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

5 0

Comments:

1. 0 0
  
  Viking56 (☘Pʀᴇᴍɪᴜᴍ)
  22 March 2024 07:15 31 comments
  
  Thank you for writing such things, They sometimes help a lot, Everything works
  
  Claim

Information the publication:

Author of the publication: SmartWeb
Date of publication: 13 February 2024 07:53
Publication category(s): Information security / Protection and hacking
Number of views of the publication: 33
Number of comments to the publication: 1

Site Search

Site Menu

☑ Scripts Software

Casinos and Sports betting

Casino Scripts

Sports betting Scripts

HTML5 Games casino

Poker Scripts

Roulettes, cases Scripts

Bitcoin casino scripts

Scripts Cryptocurrencies

Bitcoin scripts

Altcoins scripts

Mining scripts

Trading scripts

Currency exchange scripts

Exchanger script

Nulled exchanger script

PHP Scripts

Gambling Software

PHP Scripts

Scripts HYIP

Economic Games HYIP

Buks scripts

Doubler Scripts HYIP

Roulette Scripts HYIP

Advertising scripts

Rating Scripts

Scripts of social networks

Online stores Scripts

Scripts Bulletin boards

Link Shortening script

Telegram script

Web Templates

HTML Templates website

HTML Control panels

Email Templates

PSD Templates

CMS Internet shop Scripts

Magento script

Modules Magento

Templates Magento

Releases Magento

PrestaShop script

Modules PrestaShop

Templates PrestaShop

Releases PrestaShop

OpenCart script

Releases OpenCart

OpenCart templates

OpenCart modules

Shop-Script(Webasyst)

Plugins Shop-Script

Templates Shop-Script

Releases Shop-Script

SimplaCMS script

Modules SimplaCMS

Templates SimplaCMS

Releases SimplaCMS

OkayCMS script

OkayCMS Releases

Modules OkayCMS

Templates OkayCMS

CS-Cart script

Releases CS-Cart

Modules CS-Cart

Templates CS-Cart

ImageCMS script

Releases ImageCMS

ImageCMS modules

ImageCMS templates

Bulletin Board scripts

Osclass script

Plugins Osclass

Revision of the themes of Osclass

General questions of Osclass

Unisite-Board script

Themes Unisite-Board

Plugins Unisite-Board

Modification Unisite-Board

General questions Unisite-Board

Forums scripts

Discuz! script

Releases Discuz!

Modules Discuz!

Templates Discuz!

Script mybb

Releases mybb

Modules mybb

Templates mybb

VBulletin

vBulletin Skins

Mods for vBulletin

vbulletin Releases

Hacks VBulletin

Forums Invision Community

Releases Invision Community

Plugins Invision Community

Styles Invision Community

Modifications Invision Community

Transfers Invision Community

General questions

XenForo forum platform

XenForo Releases

XenForo Styles

Modules XenForo

Transfers XenForo

CMS (Site management systems)

WordPress

WordPress Themes

WordPress Plugins

Joomla

Joomla Templates

Joomla modifications

Joomla components

DataLife Engine

DLE Releases

DLE templates

DLE modules

DLE hacks

1С-Bitrix

Releases 1c-bitrix

Templates 1c-bitrix

Modules 1c-bitrix

General questions 1c-bitrix

WHMCS Web Hosting Billing

Releases WHMCS

Modules WHMCS

Templates WHMCS

Email Script

Interspire Email Script

Releases Interspire

Modules Interspire

MailWizz Email Script

Releases MailWizz

Modules MailWizz

Mumara Email Script

Releases Mumara

Modules Mumara

PowerMTA Email Script

Releases PowerMTA

Modules PowerMTA

Social Networks scripts

InstantCMS script

Components InstantCMS

Widgets InstantCMS

Templates InstantCMS

LiveStreet script

Plugins LiveStreet

Templates LiveStreet

Dating scripts

skadate Х Dating script

OXWALL Dating script

Readymade PHP Scripts

Clone Scripts

Accounting Software

Banking Software

Calculators

Classified Script

CRM Application

Cryptocurrency Script

Directory Script

Ecommerce Website

Educational Software

Enterprise Application

Hospital Software

Hotel Booking Script

Job portal Script

Marketplace Scripts

MLM Application HYPE

Mobile App Codes

Online Booking Script

Point Of Sale Software Scripts

Realestate Script

Restaurant Management

Retail Management

GPS Tracking System

Calendar

« May 2024 »
Mon	Tue	Wed	Thu	Fri	Sat	Sun
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Survey on the website

Evaluate the work of the site

Statistics

+7 Total articles 5598
+20 Comments 3088
+39 Users : 4000

Full statistics

Contacts

Moderator

Channel

Google

RSS