
[BETTING!] Brute Forcing my own server!



SilentEye
18-06-04, 01:58
Hey,

I just started Brute Forcing my own server.
Let's start betting on how long it takes!

My Brute Force options: lowercase alphabetical characters only, anything between 8 and 10 characters. (the password falls within this criteria of course).

How long do YOU think it will take?

Silent

Judge
18-06-04, 02:01
My guess, knowing a very small amount about brute forcing (apart from the fact that it takes ages, is unreliable and easily traceable), is that it will take:

10 hours

rob444
18-06-04, 02:03
8-10 characters and what encryption algorithm? Is it your Windows NT/2000/XP account that you are breaking? If so, hm maybe 5-7 hours, that is if you got a speedy cpu.

SilentEye
18-06-04, 02:05
Don't know about the encryption ;) Windows XP box on a 2.4GHz Celeron...

[EDIT]I'm going to bed now, I'll bump this in the morning and let all the betters know

rob444
18-06-04, 02:08
Hm, the fact that it broke my 6 character lowercase password in 3 minutes, I withdraw my 5-7 hours and change it to 2-4 hours.

Scikar
18-06-04, 02:11
On a Celeron?

Two days, because you'll come down in the morning to find it's overheated and shut down. :p

tomparadox
18-06-04, 03:18
what's "Brute Forcing"? O_o

Plight
18-06-04, 03:42
It's a l33t h4x0r tool. :D

It's a password breaking program. You give it parameters about the password you're trying to break, and it tries every possible combination to try to crack the password (and I think also commonly used passwords). Of course the time is dependent on the complexity of the password. Alpha-numeric passwords could/will take ages.

Of course, this was back in the day when I was a warez kiddy and played with back orifice and sub7, lol. Haven't done that in 6 years (in my mischievous 15 year old stage). So it could have changed a bit.

G.0.D.
18-06-04, 03:45
script kiddy software

jernau
18-06-04, 03:45
Assuming it's standard encryption - have you extracted the hash-file or are you macro-bashing a login prompt?

Hash-file might only take a few minutes.
Other methods vary from hours to years.

tomparadox
18-06-04, 04:52
how does this thing work on windows XP? when I type the password in wrong about 10 times it locks up and turns itself off O_o

edit: where might I get this thing?

jernau
18-06-04, 04:54
how does this thing work on windows XP? when I type the password in wrong about 10 times it locks up and turns itself off O_o

edit: where might I get this thing?
Try google. I'm pretty sure it's against forum rules to discuss it here.

G.0.D.
18-06-04, 04:54
Tom don't ask about how to get / use hacks or this thread will get closed :rolleyes:

LiL T
18-06-04, 05:46
Well if it's brute force it tries every possible password and if that's numbers and letters expect it to find the right password in about 50 years time :lol: :lol:

jernau
18-06-04, 06:00
Well if it's brute force it tries every possible password and if that's numbers and letters expect it to find the right password in about 50 years time :lol: :lol:
There are ways to substantially improve on that ;).

LiL T
18-06-04, 06:09
There are ways to substantially improve on that ;).

I only know one way to do that and that's have many machines networked doing the same job all trying to find the password. Yeah I too when aged around 15 years old used to play around with these programs and the brute force program I used stated it could take up to 1000 years depending on number of chars in the given password. If the password is all numbers 0-9 it takes seconds to find it

jernau
18-06-04, 06:23
Without posting any specifics I can't say too much but :
- Most "secure" systems use common systems and methodologies (MD4, DES, etc.)
- Many implementations of these systems contain flaws
- These systems rely on complexity to resist attacks but if during any part of the process the complexity level is lower then you have a weak-point.
- Knowing which flaws apply to the system you are working with is the trick.

Example - One system that boasted 128-bit encryption used a 16-bit key to generate its hashes. (note - this was fixed a long long time ago and was not MS before anyone starts that game).


Even assuming the system were "secure" you can do a lot of compares/second these days. Not enough to break a truly secure system but enough for most you will meet. Limiting himself to lower-case alpha and knowing the number of characters helps a lot.

Omnituens
18-06-04, 07:01
OK using my 6 in the morning maths skills (haven't been to bed yet)

there are (26^8)+(26^9)+(26^10)

= 208827064576 + 5429503678976 + 141167095653376

= 146805426396928 (1.46805426396928x 10^13)

or 146 trillion, 805 billion, 426 million, 396 thousand, 9 hundred and 28

if it could input a million attempts a second, it could try all passwords in 4.66 YEARS

Someone check my maths please, i think i broke it.

DonnyJepp
18-06-04, 07:15
probably talking about l0phtcrack 5 otherwise known as @stake LC5. It's a commercial brute-forcer that it looks like they've added quite a lot of new functionality to. If you have equipment you've locked yourself out of or been maliciously locked out of (perhaps by an ex employee or l33t hacker) it's worth every penny. You can even break the job up across distributed systems to speed things up.

It can't break an Active Directory password database last I heard but it is capable of working from network packet captures which could include single instances of domain passwords going across the wire. I ran an older version against a 10 character complex password one time on a roughly 1ghz xeon processor and it estimated somewhere around 30-40 days to crack it. Lost interest before it finished out though.

The legality of it depends on how you use it. It's not like you can just point the thing at a box across the internet and root right into it.

http://www.atstake.com/products/lc/

ichinin
18-06-04, 08:24
It's a l33t h4x0r tool. :D

No, it's a stupid time-consuming method for reversing ciphertext into plaintext.

seraphian
18-06-04, 08:31
Yeah brute force is a STUPID idea for anything illegal/suspect. It's traceable as all hell, even if you're bouncing, takes for bloody ever and doesn't give you results against a good password.

The only thing it's good for is password recovery against a system that you are authorized to have the passwords to and administrate/know the admin. on and know he's not going to think that you're trying to crack.

I've used it that way a few times to recover my friend's Windows password (typed in something on install, forgot what it was... didn't have boot disk...) and it took about 10 minutes, then again her password was "spunky", all lowercase, dictionary word, no advanced ASCII.

t-bird
18-06-04, 08:33
I think 450 days ...

Archeus
18-06-04, 08:46
Hey,

I just started Brute Forcing my own server.
Let's start betting on how long it takes!

My Brute Force options: lowercase alphabetical characters only, anything between 8 and 10 characters. (the password falls within this criteria of course).

How long do YOU think it will take?

Silent

Depends on the type of brute forcing software and what way are you doing it.

If you are attempting logins directly then most servers will (SHOULD) disable the account after the 6th attempt at the most.

If you have the password file directly on your local machine and you're using brute force with a dictionary file then a couple of minutes.

... btw about 12 years ago I had to make a program to brute force a payroll system. Basically the previous admin got fired so he changed all the passwords of everything and fecked off. It took three days before we could log in again (using a 286).
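
Added example, not part of any post in the thread: the keyspace arithmetic from Omnituens's post and the lockout point from Archeus's post, generalized to any alphabet size, length range and guess rate. The one-million-guesses-per-second rate and the six-attempt limit are the thread's figures; the 30-minute lockout window and the 36-character alphabet are assumptions chosen for illustration.

```python
# Added illustration: keyspace and exhaustive-search time estimates.
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size, min_len, max_len):
    """Count every string over the alphabet with length min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates, guesses_per_second):
    """Worst case: every candidate is tried before the right one."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def throttled_rate(attempts_per_window, window_seconds):
    """Guesses per second one account allows when it locks after
    attempts_per_window failures and stays locked for window_seconds."""
    return attempts_per_window / window_seconds


def compare(alphabet_size, min_len, max_len, rates):
    """Return (keyspace, {label: (worst_years, average_years)})."""
    total = keyspace(alphabet_size, min_len, max_len)
    rows = {}
    for label, rate in rates.items():
        worst = years_to_exhaust(total, rate)
        rows[label] = (worst, worst / 2)  # on average half the space is searched
    return total, rows


# Rates: 1e6/s is the figure from the thread; the 30-minute lockout window
# is an assumed policy value chosen for illustration.
RATES = {
    "unthrottled, 1e6 guesses/s": 1_000_000,
    "6 tries per 30 min lockout": throttled_rate(6, 30 * 60),
}

if __name__ == "__main__":
    for name, size in (("a-z", 26), ("a-z plus 0-9", 36)):
        total, rows = compare(size, 8, 10, RATES)
        print(f"{name}, length 8-10: {total:,} candidates")
        for label, (worst, avg) in rows.items():
            print(f"  {label}: worst {worst:,.2f} y, average {avg:,.2f} y")
```

For a-z at lengths 8 to 10 the total is 146,805,426,396,928 (about 1.47 x 10^14), which at one million guesses per second is about 4.66 years worst case and half that on average. With the assumed lockout policy the same search exceeds a billion years, which is why throttled logins and exposed hash files are such different situations for a defender.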

jernau
18-06-04, 09:32
Yeah brute force is a STUPID idea for anything illegal/suspect. It's traceable as all hell, even if you're bouncing, takes for bloody ever and doesn't give you results against a good password.

The only thing it's good for is password recovery against a system that you are authorized to have the passwords to and administrate/know the admin. on and know he's not going to think that you're trying to crack.

I've used it that way a few times to recover my friend's Windows password (typed in something on install, forgot what it was... didn't have boot disk...) and it took about 10 minutes, then again her password was "spunky", all lowercase, dictionary word, no advanced ASCII.
Anyone hitting a modern system in situ will get nowhere except maybe the local courthouse. Hence why I asked if he had extracted the hash-file. Without either that or a known vulnerability in the system you won't even get to step one on the script-kiddie-check-list.

winnoc
18-06-04, 09:41
Lose the password of the xp or 2000 administrator account?

Just use the ERD COMMANDER (software) bootcd use the locksmith tool on it and change the password to 1234.

Voila, you now have access to your system.

jernau
18-06-04, 10:05
Lose the password of the xp or 2000 administrator account?

Just use the ERD COMMANDER (software) bootcd use the locksmith tool on it and change the password to 1234.

Voila, you now have access to your system.
I read it that he was interested in how long it would take.

If you have physical access to the system there are hundreds of ways in.

winnoc
18-06-04, 10:22
Oh, he's trying to see if he can hack people's webservers and all?
Well, I'm pretty damn sure they'll notice with the logfiles etc being completely filled.
That's unless he is able to clear all his traces.

jernau
18-06-04, 10:27
Oh, he's trying to see if he can hack people's webservers and all?
Well, I'm pretty damn sure they'll notice with the logfiles etc being completely filled.
That's unless he is able to clear all his traces.
You read the bit about it being his own server?

Besides, once you have admin access it's not hard to scrub logs.

SilentEye
18-06-04, 12:30
Hey,

I kind of skipped through most of the posts here and I kind of read a few negative comments.

1)I am in no way using this on anything else
*I'm not sucky or silly enough
*I wouldn't use it from my own box (way too unsecure)
*I in no way need to know other people's password.

2)It Brute Forced quite a bit (5 hours long) and then I got a 'Connection rejected'. My Brute Force was owned! But then it switched to use a dictionary file and still cracked the password in 54 seconds O.o
The password wasn't really complex :-D

3)After reading more posts, I wasn't using it on my Windows account, on my FTP server O_o

4)Ugh it might also be a good idea to say that I am in no means a script kiddy, I'm no hacker, no cracker, no nothing in that way :) I just had this program and went 'hay, lets test it!'

Shujin
18-06-04, 18:06
Hey,



4)Ugh it might also be a good idea to say that I am in no means a script kiddy, I'm no hacker, no cracker, no nothing in that way :) I just had this program and went 'hay, lets test it!'
u'se a crackah boi ;O

Oath
18-06-04, 18:11
Depends how long it is, how many characters are involved, I say between 24 - 48 hours.

to take a guess I'd say 48.

naimex
18-06-04, 18:11
Brute Forcing is as was said a matter of decrypting a password..

Most brute force programs, do it by attempting every possible combination of letters and numbers, and in extreme cases symbols, after a while successfully finding the right combination.



It is a slow, and painful process, but it is a 90 % certain way of finding the right password... however it could take from 0 seconds till the end of time..


Most people would use the normal trojans, spyware, backdoors, and whatnot to obtain the password directly instead of having their computer guess at it.