Penetration Testing mailing list archives
Password Brute Forcer
From: Ian Lyte <ILyte () richmondevents com>
Date: Fri, 7 Dec 2001 16:50:30 -0000
I know a lot of people consider LC3 one of the 'de facto' standards for cracking NT passwords. What I was wondering was: is there a password cracker that substitutes numbers for letters?

As an example, we all know people do tend to use words as a password, occasionally improving their strength with the use of numbers, i.e. password99. I also think that a lot of people may use p4ssw0rd. I thought of this when a recovered password came up recently as 1M4G1NE (imagine). Since neither the Hybrid (set on the default of 2) nor dictionary attacks in LC3 would recover this, I had to wait for the bruteforce to work its way up to it.

I'm not sure, but I think it would only be about 5-7 times slower than a dictionary attack; it would still be significantly faster than a hybrid attack set to 3.

I did email @stake with this suggestion but they have yet to reply (maybe it's because I asked if they used this idea could I have a free copy!), so I was wondering if anyone on the list knew of a password cracker that could do this.

Even if you had to set up your own definition file for the substitutions (which would probably be best in fact, allowing you to substitute @ and 4 for a etc) it would still IMHO be a huge improvement on the standard LC3. Maybe even run alongside?

Then again - I could be wrong. It has been known to happen!!

Ian
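The substitution idea in the message above, turned around for password auditing: a check that rejects a proposed password when it is only a dictionary word with character substitutions or a few appended digits. This is an added example, not part of the original post and not LC3 code; the substitution table, the wordlist, the variant cap and the suffix limit of 2 are constructed assumptions.

```python
from itertools import product
from math import prod

# Constructed substitution table, standing in for the user-editable
# definition file the post suggests: substitute char -> letters it may mean.
SUBSTITUTIONS = {
    "4": "a", "@": "a", "3": "e", "1": "il", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t",
}

# Constructed sample wordlist; a real audit would load a full dictionary.
WORDLIST = {"password", "imagine", "letmein", "dragon"}

MAX_VARIANTS = 4096  # assumed cap so ambiguous input cannot blow up


def base_forms(stem):
    """Yield every string the stem could be a substituted spelling of."""
    options = [c + SUBSTITUTIONS.get(c, "") for c in stem]
    if prod(len(o) for o in options) > MAX_VARIANTS:
        return iter([stem])  # too ambiguous: check the literal form only
    return ("".join(chars) for chars in product(*options))


def weak_base_word(password, wordlist=WORDLIST, max_suffix=2):
    """Return the dictionary word hiding behind a password, or None.

    Handles substituted spellings (p4ssw0rd, 1M4G1NE) and up to
    max_suffix appended digits (password99).
    """
    pw = password.lower()
    trailing = len(pw) - len(pw.rstrip("0123456789"))
    for cut in range(min(trailing, max_suffix) + 1):
        stem = pw[:len(pw) - cut]
        for form in base_forms(stem):
            if form in wordlist:
                return form
    return None


if __name__ == "__main__":
    for candidate in ["1M4G1NE", "p4ssw0rd", "password99", "Tr0ub4dor&3x"]:
        print(candidate, "->", weak_base_word(candidate))
```

Because `1` may stand for either `i` or `l`, each password is expanded into every reading rather than mapped to a single normalised form; 1M4G1NE yields 18 readings, one of which is in the wordlist.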