Bugtraq mailing list archives

Re: Internet Explorer Bug #4


From: pokee () MAXWELL EE WASHINGTON EDU (Aaron Spangler)
Date: Tue, 18 Mar 1997 14:14:37 PST


To: Aaron Spangler <pokee () MAXWELL EE WASHINGTON EDU>, BUGTRAQ () NETSPACE ORG
From: Dominique Brezinski <dominique.brezinski () CyberSafe COM>
Subject: Re: Internet Explorer Bug #4

A sequential brute force attack would be akin to brute forcing DES, a
non-trivial task. I have been playing the lottery by trying to brute force the
RSA DES challenge on my machine; it has been running for weeks and has
covered a trivial portion (hundreds of millions of keys!) of the key space.

Basically the "sequential search" attack Aaron mentions (by narrowing the
key space by limiting the character set) could be all alpha and numeric
combinations (62 possible characters) for an eight char password and it
would take about 90 days on my P133 (a P133 will do about 490,000 DES crypts
a second, plus there is some overhead for the hashing, pick MD4 here!) to
go through the key space.  So, an average attack would take 45 days to
recover a password that was only alpha (upper and lower) and numeric.

Dominique,

Regarding how difficult you make it sound above:  (READ BELOW!!!!!)

I wrote a small (125 lines) program which simply uses a medium-size
cracker's dictionary (1,455,814 words) and runs MD4 and then DES on each
word once (there is no salt permutation like in Unix crypt) and compared
it to the 595 passwords I captured on my web page since Friday.  It only
took 4 1/2 minutes on my Hewlett Packard C100 (120 MHz) and it CRACKED 90
ACCOUNTS!  (most of which were 'administrator')

Be afraid, be very afraid!

 - Aaron

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10        pokee () ee washington edu
University of Washington            Phone    (206) 543-8984
Box 352500                             or    (206) 543-2523
Seattle, WA 98195-2500              Fax      (206) 543-3842


