Bugtraq mailing list archives
Re: Internet Explorer Bug #4
From: pokee () MAXWELL EE WASHINGTON EDU (Aaron Spangler)
Date: Tue, 18 Mar 1997 14:14:37 PST
To: Aaron Spangler <pokee () MAXWELL EE WASHINGTON EDU>, BUGTRAQ () NETSPACE ORG
From: Dominique Brezinski <dominique.brezinski () CyberSafe COM>
Subject: Re: Internet Explorer Bug #4
A sequential brute force attack would be akin to brute forcing DES, a nontrivial task. I have been playing the lottery by trying to brute force the RSA DES challenge on my machine; it has been running for weeks and has covered a trivial portion (hundreds of millions of keys!) of the key space. Basically the "sequential search" attack Aaron mentions (by narrowing the key space by limiting the character set) could be all alpha and numeric combinations (62 possible characters) for an eight char password and it would take about 90 days on my P133 (a P133 will do about 490,000 DES crypts a second, plus there is some overhead for the hashing, pick MD4 here!) to go through the key space. So, an average attack would take 45 days to recover a password that was only alpha (upper and lower) and numeric.
Dominique,

Regarding how difficult you make it sound above: (READ BELOW!!!!!)

I wrote a small (125 lines) program which simply uses a medium size cracker's dictionary (1,455,814 words) and runs MD4 and then DES on each word once (there is no salt permutation like in Unix crypt), and compared it to the 595 passwords I captured on my web page since Friday.

It only took 4 1/2 minutes on my Hewlett Packard C100 (120 MHz) and it CRACKED 90 ACCOUNTS! (most of which were 'administrator')

Be afraid, be very afraid!

- Aaron

--
Aaron Spangler                     EE Unix System Administrator
Electrical Engineering FT-10       pokee () ee washington edu
University of Washington           Phone (206) 543-8984
Box 352500                         or    (206) 543-2523
Seattle, WA 98195-2500             Fax   (206) 543-3842