| Author | Thread |
|
|
01/24/2013 02:42:08 PM · #26 |
Originally posted by Ann:
It took 11 days to build the multi-terabyte rainbow table that it took to crack the password. Once the rainbow table was built, I think he cracked the password in less than 10 minutes. |
Translation:
Originally posted by wiki:
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a practical example of a space-time tradeoff, using more computer processing time at the cost of less storage when calculating a hash on every attempt, or less processing time and more storage when compared to a simple lookup table with one entry per hash. Use of a key derivation function that employ a salt makes this attack infeasible. Rainbow tables are a refinement of an earlier, simpler algorithm by Martin Hellman.
Any computer system that requires password authentication must contain a database of passwords, encrypted or in plaintext. While various methods of password storage exist, most databases store a cryptographic hash of a user's password in the database. In such a system, it is not possible to determine what a user's password is, simply by looking at the value stored in the database. Instead, in order to determine what a user's password is, there must be some way to reverse the hash.
Rainbow tables are one tool people have developed in an effort to figure out what a password is by looking only at a hashed value.
Rainbow tables are not always needed, for there are simpler methods of hash reversal available. Brute-force attacks and dictionary attacks are the simplest methods available, however these are not adequate for systems that use large passwords, because of the difficulty of both storing all the options available, and searching through such a large database to perform a reverse-lookup of a hash.
To address this issue of scale, reverse lookup tables were generated that only stored a smaller selection of hashes that when reversed could generate long chains of passwords. Although the reverse lookup of a hash in a chained table takes more computational time, the lookup table itself can be much smaller, so hashes of longer passwords can be stored. Rainbow tables are a refinement of this chaining technique and provide a solution to a problem called chain collisions. |
Fascinating stuff :-) |
|
|
|
01/24/2013 02:55:38 PM · #27 |
Originally posted by Ann:
Originally posted by IAmEliKatz:
Originally posted by Ann:
One of my coworkers spent an entire Christmas break trying to break into some neighbor's wifi that had the SSID "Get your own wifi, b*tch!" He eventually got in, but it took 11 days on a 128 core blade server to break the password. Once he got in, he changed the SSID to something else that was even more unprintable, changed the password, and went back to using his own wifi. |
11 days??? He needs some new software. |
It took 11 days to build the multi-terabyte rainbow table that it took to crack the password. Once the rainbow table was built, I think he cracked the password in less than 10 minutes. |
That is a hilarious prank, I love this guy ! :-D
|
|
|
|
01/24/2013 03:08:36 PM · #28 |
Originally posted by Bear_Music:
[quote=Ann] It took 11 days to build the multi-terabyte rainbow table that it took to crack the password. Once the rainbow table was built, I think he cracked the password in less than 10 minutes. |
Translation:
Originally posted by wiki:
A rainbow table is ....
Fascinating stuff :-) |
Thanks, Bear. I figured if anyone cared, they'd look it up.
Essentially, there are two different ways of cracking passwords. The first way is to just try a bunch of passwords. If the password is something easy, then this is the easiest and fastest way to crack the password. If, like the guy with the wifi, the password is strong, then the easier way is to build a table that maps what is essentially every possible password to its hash value. Then, for wifi, you send a command to the guy's wifi to cause his computer have to login again (his computer handles the login, the person doesn't know anything happened), and then grab the hash value out of the air when he logs in again. Once you have the hash value, you look it up in the rainbow table, and get the original password.
The trouble with using rainbow tables on wifi is that the wifi hashes are "salted" with the SSID. This means that the SSID is used as part of the calculation of the hashed value. So the 5 terabyte rainbow table that my friend spent two weeks creating will only work if the SSID is set to "Get your own wifi, b*tch!"
In dollars and cents, it would cost about $5000 in computing resources to use the Amazon cloud to crack this one guy's wifi.
Message edited by author 2013-01-24 15:11:10. |
|
|
|
01/24/2013 03:33:26 PM · #29 |
| Sounds a hell of a lot easier to sneak into their house and plug in your own wifi access point. |
|
|
|
01/24/2013 04:13:37 PM · #30 |
Originally posted by Ann:
The trouble with using rainbow tables on wifi is that the wifi hashes are "salted" with the SSID... |
I do like salt with my hash!
|
|
|
|
01/24/2013 06:03:10 PM · #31 |
Originally posted by kirbic:
Originally posted by Ann:
The trouble with using rainbow tables on wifi is that the wifi hashes are "salted" with the SSID... |
I do like salt with my hash! |
OMG...If I had a nickel for every time I've heard that joke....security humor. Gotta love it! |
|
|
|
01/24/2013 06:17:24 PM · #32 |
Originally posted by bhuge:
Sounds a hell of a lot easier to sneak into their house and plug in your own wifi access point. |
Ahhh....now you're getting the picture! You're absolutely right. Having physical access makes everything so much easier....
edit to add...this is why all of the big computer security conferences have classes on things like lock picking and breaking anti-tamper defenses (ungluing and regluing tamper evident seals).
Message edited by author 2013-01-24 18:21:39. |
|
|
|
01/24/2013 06:23:46 PM · #33 |
Originally posted by Ann:
Originally posted by bhuge:
Sounds a hell of a lot easier to sneak into their house and plug in your own wifi access point. |
Ahhh....now you're getting the picture! You're absolutely right. Having physical access makes everything so much easier....
edit to add...this is why all of the big computer security conferences have classes on things like lock picking and breaking anti-tamper defenses (ungluing and regluing tamper evident seals). |
...yep, just make certain there are no guns in the house and something called the "Castle" doctrine. :O)
Ray |
|
|
|
01/24/2013 08:31:34 PM · #34 |
There is only one problem, but it may not be for all routers. I know mine easily lists the DHCP users, but does not easily list the static users. For example, I have 2 devices in my house that are connected via a static IP. The only way to view static is to go through the MAC address filter (linksys). Even then, it shows a MAC address, but no IP.
Originally posted by kirbic:
Yes, absolutely. Your router has a web interface that is accessible from within your network. For most routers,, type in address 192.168.1.1 in your browser's address bar. You will get a prompt to enter the admin password for the router. Once you enter this, you will be presented with the router's administration "website." You can go to your DHCP table, and see every device that is connected to the network, either wired or wireless.
Note that for a few routers, specifically ATT Uverse equipment, the address is 192.168.1.254 |
|
|
|
|
01/24/2013 09:07:00 PM · #35 |
Originally posted by RayEthier:
...yep, just make certain there are no guns in the house and something called the "Castle" doctrine. :O)
Ray |
But, Lunchbox Joe says you should have a shotgun..."preferably one with two barrels. They work much better cus you don't have to be as accurate."
Message edited by author 2013-01-25 09:11:22.
|
|
|
|
01/24/2013 09:16:21 PM · #36 |
| And there's always Reaver for those access points that allow WPS. |
|
|
|
01/25/2013 12:20:14 PM · #37 |
Originally posted by IAmEliKatz:
And there's always Reaver for those access points that allow WPS. |
He's right. I forgot about that. Turn off WPS. |
|
|
|
01/25/2013 02:41:57 PM · #38 |
Originally posted by PGerst:
There is only one problem, but it may not be for all routers. I know mine easily lists the DHCP users, but does not easily list the static users. For example, I have 2 devices in my house that are connected via a static IP. The only way to view static is to go through the MAC address filter (linksys). Even then, it shows a MAC address, but no IP.
|
Are you not able to still use DHCP to allocate them a specific IP? I have 15 network devices and have my router (Netgear) set to ensure each device is always allocated the same IP. That way they are sort of static in that I always know which IP is which device but they are still dished out via DHCP and always appear on the connected devices list.
I can't remember why I shied away from static IPs on the devices (I think I was having a problem with VMs or something - or maybe it was because I got fed up changing the settings on each device when I changed my IP numbering scheme and it was easier to just hit the router page and remap all the IPs)
It certainly is easier to administer now if I want to insert a new device into my numbering scheme. I used to have a bunch more than 15 devices but have consolidated various PCs into one machine now that hardware has got better and VMs are a lot easier to mess about with.
|
|
Home -
Challenges -
Community -
League -
Photos -
Cameras -
Lenses -
Learn -
Help -
Terms of Use -
Privacy -
Top ^
DPChallenge, and website content and design, Copyright © 2001-2025 Challenging Technologies, LLC.
All digital photo copyrights belong to the photographers and may not be used without permission.
Current Server Time: 08/01/2025 05:03:58 AM EDT.
