Monday, February 19, 2007

You call that a game? This is a......

Firstly, sorry for the lack of updates. I've really been too busy to come up with anything interesting to write, and haven't found anything particularly interesting to write about.

Now, onto the bad title. I found the following "game" on digg: http://crackquest.ultramuffin.com/index.php and decided to see exactly how effective the SHA-1 rainbow tables (online hash lookup sites) I had found were.

Now, the first thing I tried was using http://www.shalookup.com/ since you can crack up to 50 hashes at a time (50 because that is the limit per IP). So I ran the list of hashes against shalookup.com (using a proxy for the second 50) and got quite good results; I think that at least 50 (I wasn't counting) of the hashes I cracked came from shalookup.com.

After this I ran the remaining hashes against http://www.hashreverse.com/ and http://md5.rednoize.com/ and was able to crack a further 20 hashes.

I tried running the remaining 30 against http://www.md5encryption.com/, but got no results (which doesn't really say anything, since the only ones left were the ones no one else could get). I got interrupted while running the hashes against http://hashcrack.905tech.com/cracker.php, which went down while I was away. I don't have an account on http://rainbowcrack.com/ (if anyone does, I'd really appreciate it if you got in contact with me), and http://passcrack.spb.ru/ seems to be down for maintenance.

So while this little anecdote can't testify to the usefulness of any single site (other than shalookup.com), it clearly illustrates that it doesn't matter which hashing algorithm you use: if you don't salt the data before hashing it, and your users pick poor passwords, a precomputed lookup table built once will reverse the hashes for everyone. But we already knew that, so *shrug*.
