Follow us on Twitter!
Few are those who can see with their own eyes and hear with their own hearts. - Albert Einstein
Tuesday, April 28, 2015
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Members Online
Total Online: 14
Guests Online: 13
TeamSpeak Online : 5 Members Online: 1

Registered Members: 88100
Newest Member: simrat
Latest Articles
Our sponsor needs your help!

One of our sponsors needs your help,
Go check out their video and Don't forget to vote !

~ Thanks for your help
View Thread

HellBound Hackers | Computer General | Web hacking


DES Cracking


Your avatar

Joined: 01.01.70
Posted on 01-10-05 16:53
Hey, I don't know if this belongs in cryptography but given it's affiliation with web hacking, I thought i'd put it here. I've recently run into some of what I believe to be DES hashes of web admin passwords. I tried using JtR to crack them, but after literally 10 hours, it had yielded nothing. DES isn't uncrackable is it? Help?


RE: DES Cracking


Your avatar

Posts: 358
Location: USA
Joined: 19.03.05
Posted on 01-10-05 23:53
DES is far from uncrackable. in fact, by modern standards it is quite weak and coinsidered to be insecure.

it all depends on the strength of the password. consider the following examples:

First, make a hash:

[n3w7yp3@localhost crypto]$ ./
enter the plaintext: test
enter that salt value: n3
your DES hash is n3w2HfYqv8H4.

The cracker's usage blurb:

[n3w7yp3@localhost crypto]$ ./
        -d <wordlist> : do a dictionary attack.
        -b <mode> : do a bruteforce. current supported modes are "c".
        -l <number> : max password length. use with -b.
        -h <hash> : Hash to crack.
Written by n3w7yp3.

Just a little info on the dictionary:

[n3w7yp3@localhost crypto]$ ls -lh words
-rw-rw-r--    1 n3w7yp3  n3w7yp3       11M Jul 19 12:28 words
[n3w7yp3@localhost crypto]$

A dictionary attack:

[n3w7yp3@localhost crypto]$ ./ -d words -h n3w2HfYqv8H4.
Starting DES Cracker, written by n3w7yp3.
Hash: n3w2HfYqv8H4. (DES, n3).
Cracking n3w2HfYqv8H4..
Cracking session started at Sat Oct  1 18:49:35 2005.
Starting dictionary attack..
Trying: testytirashpoolhedrononverdrosse
Password cracked!!
Password is: test
Password was cracked in 994172 tries.
Session ended at Sat Oct  1 18:50:03 2005.

Now, a bruteforce attack on the same hash:

[n3w7yp3@localhost crypto]$ ./ -b c -l 8 -h n3w2HfYqv8H4.
Starting DES Cracker, written by n3w7yp3.
Hash: n3w2HfYqv8H4. (DES, n3).
Cracking n3w2HfYqv8H4..
Cracking session started at Sat Oct  1 18:51:44 2005.
Starting bruteforce...
Trying: test
Password cracked!!!
Password is: test
Password was cracked in 355414 tries.
Session ended at Sat Oct  1 18:51:52 2005.

as you can see the bruteforce was faster. however, this was a weak hash. for a good password, (one that contains lowercase, uppercase symbols and numbers and is at least 10 characters long), it can eaisly tkae over 60 days to crack.

you may try to use a larger dictionary (for example, once i was cracking a DES hash with john, and it was taking a *very* long time. i ran it through my DES cracker using the dictionry that i used in the example, and it cracked. the password was 'powerful' ).

But, computationally, its a losing battle. as the user adds more characters to the password the crack time increases exponentially. you may try generating a DES pre-computated hash table (the salt is the first 2 characters), or, if you're feeling ambitious, try and code a Pasword Probability Matrix (PPM)

"Root is a state of mind" -- K0resh

Edited by n3w7yp3 on 01-10-05 23:53