HellBound Hackers | Computer General | Cryptography

RE: Uncrackable encryption
Posted on 20-04-07 18:13
Yeah, what I was thinking, but he said:
not able to login for 5 mins


which makes me think you have to sign up to the website and login. In which case the ban would be on your account + IP. If so, you'd have to create several different accounts and then send the data to login, then bruteforce it. After 9 (assuming lockout is on 10) tries logout, change proxy, and re-login with someone else and continue to bruteforce that way. In which case you could keep circulating between registered users until kaksii figures out what is going on. Depending on how he set up the user tracking.


RE: Uncrackable encryption
Posted on 20-04-07 18:17
Or just get a member list and run multiple copies of the program simultaneously, effectively DOS'ing the entire community. Grin



RE: Uncrackable encryption

richohealey
Member
Posts: 1022
Location: #!/usr/local/bin/python
Joined: 01.05.06
Rank: Monster
Posted on 20-04-07 18:48
Any one of them would work, so I'll probably do most of them Grin


bitchohealey at hotmail dot com skype:richohealey www.psych0tik.net

RE: Uncrackable encryption
Posted on 20-04-07 19:27
I didn't mean to ban that account if he had 10 wrong attempts. It would be a disaster.

But I have some ideas about protecting it from bruteforcing.

Actually, lots of ideas.

They aren't related to IP address.

And I have to keep my mouth shut.

...Besides

I made an encryption system. Not some protection against cracking.
You need to tell me how my encryption is. Not how you will bruteforce the login box, because some other people will be thinking about protecting the login box. It isn't related to my encryption. It is related to hacking a website. It has nothing to do with the encryption system.



RE: Uncrackable encryption
Posted on 23-04-07 09:27
The other point worth noting is that you're assuming that the source is completely secure.

All it takes is for someone to get a hold of the source (how is irrelevant for the purposes of the post) and a list of hashed passes. They then code a bruteforcer (if they're like me, in ASM) and let it go.

I'll start working on my forcer this week. I'm guessing it should recover a 4 letter pass in a fraction of a second ('fish' Smile )

RE: Uncrackable encryption
Posted on 23-04-07 10:50
Nobody knows the latest source. And of course you can make a bruteforcer. Same thing goes with SHA, MD5 and others. But you don't know the latest source. And I am about to add some more functions to the code, so it will be hard to crack the algorithm.



RE: Uncrackable encryption
Posted on 27-04-07 16:55
Started working on the brute forcer about 10 mins ago (Richo's encryptions took most of my free time this week). Might get more time over the weekend but not sure.

Will post it when done.

RE: Uncrackable encryption
Posted on 03-05-07 19:32
A good way to defeat internet brute force or DOS attacks is by making the attacking computer do something really hard (mathematically) for each request. Normal users wouldn't much notice the delay, since they're not pounding out 100s of requests. But an attacking machine would be hard pressed to complete the tasks fast enough.

A neat way to implement this would be with an md5 hash. If your server hashes a pseudorandom 4 digit code and you require users to brute force it for every password attempt they make, anybody making sick amounts of attempts might be overwhelmed.

And..
this brings us back to the original topic. Your hash (for it is not a form of encryption) seems overly complicated. I understand that the bugs have been fixed, but is it collision free? Does entering ab provide the same hash as ba? If so, that's gonna narrow down the number of passwords a skilled attacker must go through for a successful attack.
i.e.
If my password is ragic
and somebody guesses cigar, it seems to me that your system will let them in.
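
The per-attempt puzzle described in the post above, sketched as an added example that is not part of the original thread. The HMAC tag, the 120-second lifetime, the replay set and all function names are assumptions added so the server can verify a challenge without storing the code.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-server secret, keeps challenges stateless
MAX_AGE = 120                         # assumption: seconds a challenge stays valid
_spent = set()                        # tags already redeemed (replay guard; unbounded in this sketch)

def _md5(salt, code):
    return hashlib.md5((salt + code).encode()).hexdigest()

def _tag(salt, target, issued):
    msg = f"{salt}|{target}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(now=None):
    """Server: hash a random 4-digit code under a fresh salt; the code itself is discarded."""
    issued = int(time.time() if now is None else now)
    salt = secrets.token_hex(8)
    target = _md5(salt, f"{secrets.randbelow(10_000):04d}")
    return {"salt": salt, "target": target, "issued": issued,
            "tag": _tag(salt, target, issued)}

def solve_challenge(ch):
    """Client: walk the 10,000 candidate codes until one hashes to the target."""
    for n in range(10_000):
        code = f"{n:04d}"
        if _md5(ch["salt"], code) == ch["target"]:
            return code
    return None

def verify_solution(ch, code, now=None):
    """Server: accept a login attempt only with a genuine, fresh, unspent, solved challenge."""
    now = int(time.time() if now is None else now)
    if not hmac.compare_digest(_tag(ch["salt"], ch["target"], ch["issued"]), ch["tag"]):
        return False                  # challenge forged or altered by the client
    if now - ch["issued"] > MAX_AGE or ch["tag"] in _spent:
        return False                  # stale, or already used for an earlier attempt
    if _md5(ch["salt"], str(code)) != ch["target"]:
        return False                  # work not done
    _spent.add(ch["tag"])
    return True
```

A 4-digit space costs the client at most 10,000 MD5 calls per attempt, which is a few milliseconds on current hardware; the cost per attempt grows only by widening the code space.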


RE: Uncrackable encryption
Posted on 03-05-07 19:53
digitalchameleon wrote:
And..
this brings us back to the original topic. Your hash (for it is not a form of encryption) seems overly complicated. I understand that the bugs have been fixed, but is it collision free? Does entering ab provide the same hash as ba? If so, that's gonna narrow down the number of passwords a skilled attacker must go through for a successful attack.
i.e.
If my password is ragic
and somebody guesses cigar, it seems to me that your system will let them in.


cigar=16334A154A51521714D122A531B437105101C1523k
ragic=2EF1062061A73DE1443C11C31F73315826E21D21k

ab=262E3D28C47CF524A11248A47A10485417351513k
ba=B4E88834D2B49626F1B912BC0k
_____________

They don't look the same to me. :whoa:
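
The 'ab'/'ba' and 'ragic'/'cigar' question from the two posts above, turned into a repeatable check, as an added example that is not part of the original thread. The algorithm under discussion is not on this page, so the two toy hashes are constructed stand-ins and every function name is an assumption.

```python
import hashlib
from itertools import permutations

def toy_sum_hash(s):
    """Constructed weak hash (not the thread's algorithm): adds character codes, ignoring order."""
    return format(sum(ord(c) for c in s) % 65536, "04x")

def toy_positional_hash(s):
    """Constructed variant: weights each character code by its position, so order matters."""
    return format(sum((i + 1) * ord(c) for i, c in enumerate(s)) % 65536, "04x")

def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()

def reorder_report(hash_fn, word):
    """Hash every distinct reordering of word.

    Returns (number of reorderings, number of distinct digests,
    sorted reorderings other than word that share word's digest).
    """
    if len(word) > 8:
        raise ValueError("permutation count grows factorially; keep test words short")
    variants = {"".join(p) for p in permutations(word)}
    digests = {v: hash_fn(v) for v in variants}
    same = sorted(v for v, d in digests.items() if d == digests[word] and v != word)
    return len(variants), len(set(digests.values())), same

if __name__ == "__main__":
    for fn in (toy_sum_hash, toy_positional_hash, sha256_hex):
        for word in ("ab", "ragic"):
            total, distinct, same = reorder_report(fn, word)
            print(f"{fn.__name__:20} {word:6} reorderings={total:3} "
                  f"distinct digests={distinct:3} collide with input={len(same)}")
```

The positional toy passes the 'ab'/'ba' comparison yet still maps the 120 orderings of 'ragic' onto fewer than 120 digests, so comparing two pairs by eye does not settle the question. A clean report rules out only this one class of collision.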



RE: Uncrackable encryption
Posted on 03-05-07 23:31
I'm glad to hear that the reverse string collision has been fixed. Making a working and secure hash must be very hard. I wouldn't even know where to start.

My prediction is that your 'hash' will remain secure as long as nobody puts in the time and effort to reverse engineer your algorithm.

md5 is considered a moderately secure one way hash.... No. Md5 is considered a one way hash at all because even though millions of people, thousands of respected mathematicians know how the algorithm works, none of them have been able to reverse it directly, we can only hash thousands of words and hope one of them matches.

If you want anybody to be able take a serious look at the security of your hash, you need to release the source, or at least the algorithm.

If you plan on using this on an actual site, maybe security through obscurity is what you need though. Still any attacker skilled enough to get the password file would probably get the source for the php hasher too.

Anyway, good luck.
Smile


RE: Uncrackable encryption
Posted on 04-05-07 11:32
Look. It seems that you haven't read the whole forum thread.
It is one way hash. You can't do reversing.

And as for security, the other people will find some way to make bruteforcing less possible.



RE: Uncrackable encryption
Posted on 04-05-07 18:38
Look. It seems that you haven't read the whole forum thread.
It is one way hash. You can't do reversing.

And as for security, the other people will find some way to make bruteforcing less possible.

*sighs*

>>You can't do reversing.
I wasn't saying you could. I mentioned reverse engineering, but that's not the same. And I said that I doubted its security, but that's because it's mostly unproven.

I also mentioned the bit about 'reverse string collisions' but I think everybody else here understood. The whole 'ab'='ba' thing that greyfox reported. Just wanted to know if it was still happening, without downloading the exe.

Anyway you said earlier
>>Well, you need to know the whole 30 formulas to crack my enc.
and I don't doubt that that's true. What I'm saying is that anybody involved in crypto will tell you that for a serious one way hash, that type of 'security through obscurity' is woefully inadequate.

Without analyzing your algorithm there's no way to know if it's secure, never mind uncrackable. Even if somebody manages to do something here without you releasing the source, it's only because they reverse engineered your algorithm from the exe.

I'm sure somebody here who is very skilled in ASM is already working out an algorithm. Am I right?

Anyway, best of luck.

DC


RE: Uncrackable encryption
Posted on 04-05-07 18:51
What surprises me most is that the person claiming an unbreakable encryption is ranked "God" here...

You'd think he'd realise that the only way to be sure that an encryption is to show people exactly how it works and let them try break it... You can't claim something is unbreakable just by not releasing source, and if it ever got popular you wouldn't need to release source, people would just disassemble


RE: Uncrackable encryption
Posted on 04-05-07 20:28
Happysmileman wrote:
What surprises me most is that the person claiming an unbreakable encryption is ranked "God" here...

You'd think he'd realise that the only way to be sure that an encryption is to show people exactly how it works and let them try break it... You can't claim something is unbreakable just by not releasing source, and if it ever got popular you wouldn't need to release source, people would just disassemble



You see, I gave source to 10 people I trust here.
They said what are the bugs and I fixed it.
Fatal_Pride is doing some asm bruteforcing.

So, don't think I am 'God' who didn't do things you just said.
Of course I tested it. And nobody said it is badly made. I patched everything they noticed.

Don't judge the unknown





Edited by on 05-05-07 14:35

RE: Uncrackable encryption
Posted on 08-05-07 08:55
Ok.. pretty much done.

Been going through the exe and writing some asm to bruteforce a key. This is obviously taking a while as VB being the bloated load of crap it is has compiled this to a few thousand lines of code - the asm should be a fraction of this. Okay so I have a lot of experience reversing code, but it was still a nice reversing exercise.

Having taken a detailed look at this (there are obviously some educated opinions about this above) I'll try and give some insight.

It's certainly not 'uncrackable', but that depends on your definition of uncrackable. I agree it absolutely not reversible to the initial string, but it's not beyond bruteforcing by any means.

However, that would require the attacker to have the source. Given an exe as we have here, reversing it is trivial and just takes time (kaksii isn't joking when he talks about 30+ operations/loops). However, the actual operations are very simple ones and reversing them is very easy. They are basic string/hex/mathematical operations which means that my asm bruteforcer should be quite quick to give me a key. Obviously though, this is subject to users using the basic 'strong password' rules though.

One major claim to strength on this one is that no-one knows the latest code (there is no exe etc). Fair enough, but it still means that you would need to keep the source safe. Implementing it in python/php (is that still happening?) is fine but means that there is always the possibility that the source will be compromised. A basic attack disclosing source would be all the attacker needs to build a bruteforcer and it would be much simpler than trawling through VB code.

Work is busy right now, but I'll post my code when it's finished. None of the code is optimised (it becomes apparent going through the code that a number of the loops/operations could be combined to save time - I've not bothered as this is just proof of concept).

RE: Uncrackable encryption
Posted on 08-05-07 20:24
Any luck figuring out what the algorithm is? Does it include any likely one way functions? http://en.wikiped. . .y_function
I have no experience with ASM, but I'd love to take a shot at it.
Fatal Pride, you mentioned 'I agree it absolutely not reversible to the initial string'...'However, the actual operations are very simple ones and reversing them is very easy.'
So without the source it's not possible to reverse, but if you understand the algorithm, you could?

Kaksii: The more you let people know about this, the more secure it will be in the end. Smile


RE: Uncrackable encryption
Posted on 08-05-07 20:47
FaTaL_PrIdE wrote:

It's certainly not 'uncrackable', but that depends on your definition of uncrackable. I agree it absolutely not reversible to the initial string, but it's not beyond bruteforcing by any means.


Hey. I just got an idea for my website to keep the bruteforcing the login box impossible.

-CAPTCHA

digitalchameleon wrote:
So without the source it's not possible to reverse, but if you understand the algorithm, you could?



Look. He said that it isn't reversible at all.

If you reverse the code (I can give you the source), you will get loads of errors because it is a one-way hash.

Yes, the mathematical operations are really simple, BUT it is going through like 30 functions, so you can't crack it in 5 mins.

You can't reverse it even if you know the algorithm.

And, of course it will be more secure if we share the knowledge.
I don't mind that Wink

And finally...
Thanks Fatal_Pride for helping to improve the encryption.
Thanks everybody.




Edited by on 08-05-07 20:57

RE: Uncrackable encryption
Posted on 08-05-07 21:16
Can I have the source? It's been a while since I've worked in VB, but I'd like to have it. If you want, you can pm it to me, but if it's not too large, you can just send it to digitalchameleon@gmail Thanks in advance.


RE: Uncrackable encryption
Posted on 08-05-07 21:21
I'd like to see the code ported to C/C++ and then checked for performance time and stuff

