Minimum investment on a descent rig for 16+ character NTLM passwords
#11
(05-08-2018, 11:52 PM)phildo Wrote: (Sorry if this post is about to go off topic- but now I'm curious!)


Wait- how? Just to make sure- a dictionary is a list of password possibilities ("MyPa55w0rd", etc...), a mask is just "piecewise brute force" ("MyPa55w0rd?d" where ?d means "replace w/ every number"), and a rule is just "character targeted brute force" ("MyPa55w0rd", but try replacing every "a" with "4", "P" with "p", etc...)?

So, you're saying you're confident that this combination (your dictionary, your masks, and your rules) casts a wide enough net (and your hardware runs through them fast enough) as to catch a majority of real-world passwords- right? To be clear- you're not claiming any workaround beyond that?

I guess I'm just incredulous that any dictionary is good enough to get 2 out of 3, and any sufficiently wide mask/ruleset is equally sufficiently impossible to run... is that just my naivety?

Results vary from list to list. Some are easier than others. In an unsalted list, as long as it is English-based (or at least not something weird like Arabic), I might get 3 out of 4 if it's easy, or I might get half if it's hard. I do have a fairly extensive script trying all sorts of combinations - straight dictionary, dictionary + masks, two dictionary words joined together, etc.


Quote:What am I misunderstanding here? How can it possibly take the same amount of time to run 700,000 vs 7,000?

With unsalted hashes, you just need to go through every password in the list, apply the hash function once, and check if the result is in the list. The act of checking is fast. Therefore it takes almost as long to do even one hash as 700,000.

With salted hashes, you need to apply the hash function to every permutation of password + salt. If you have 7,000 different hashes, each with a different salt, you need to try each password 7,000 times.
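The cost difference described above, as an added example that is not part of the original post: one pass over the wordlist with a set lookup for unsalted hashes, versus one pass per distinct salt for salted ones. SHA-256 stands in for NTLM here (an assumption, since the point is the number of hash invocations, not the algorithm), and the wordlist, user passwords and salts are constructed sample data.

```python
import hashlib

# Constructed sample data: a tiny "dictionary" and three user passwords,
# one of which is not in the dictionary and so is never recovered.
CANDIDATES = ["password", "letmein", "MyPa55w0rd", "summer2018", "qwerty", "dragon"]
USER_PASSWORDS = ["letmein", "dragon", "Tr0ub4dor&3"]
SALTS = [b"s1", b"s2", b"s3"]  # one distinct salt per user


def digest(data: bytes) -> str:
    # SHA-256 used as a stand-in for NTLM (assumption); NTLM is also unsalted.
    return hashlib.sha256(data).hexdigest()


def unsalted_attack(candidates, target_hashes):
    """Hash each candidate once and test membership in the whole target set.
    Work is proportional to the candidate count, not the number of targets."""
    targets = set(target_hashes)
    cracked, hash_ops = {}, 0
    for pw in candidates:
        h = digest(pw.encode())
        hash_ops += 1
        if h in targets:
            cracked[h] = pw
    return cracked, hash_ops


def salted_attack(candidates, salted_targets):
    """salted_targets is a list of (salt, hash). Each target has its own salt,
    so every candidate must be re-hashed for every target (worst case
    candidates x targets); stop early once a target is recovered."""
    cracked, hash_ops = {}, 0
    for salt, target in salted_targets:
        for pw in candidates:
            hash_ops += 1
            if digest(salt + pw.encode()) == target:
                cracked[target] = pw
                break
    return cracked, hash_ops


def demo():
    """Returns (unsalted cracked, unsalted hash ops, salted cracked, salted hash ops)."""
    unsalted_targets = [digest(p.encode()) for p in USER_PASSWORDS]
    salted_targets = [(s, digest(s + p.encode())) for s, p in zip(SALTS, USER_PASSWORDS)]
    u_cracked, u_ops = unsalted_attack(CANDIDATES, unsalted_targets)
    s_cracked, s_ops = salted_attack(CANDIDATES, salted_targets)
    return len(u_cracked), u_ops, len(s_cracked), s_ops
```

With three targets the salted run already needs more than twice the hash calls of the unsalted one for the same two recovered passwords; scale the target count to thousands and the gap is the one the post describes.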