2017-03-25 at 2:45 AM UTC
A new dump was just released that I'm interested in; there are several correlation attacks possible with it, but it would be interesting to do a targeted attack on specific UPs. I know mass decryption of bcrypt dumps is damn near impossible, but what about targeted attacks?
2017-03-25 at 3:35 AM UTC
Get a render farm and rainbow tables. That should do the trick. Also, most people use weak ass shit passwords, so pre-computing a dictionary of the top 100,000 or so passwords will probably give you reasonable results if you test them against your hashes.
2017-03-25 at 1:11 PM UTC
aldra
JIDF Controlled Opposition
It's based on Blowfish; it should be feasible to crack individual passwords. I'll see if I can find benchmarks.
2017-03-25 at 1:14 PM UTC
aldra
JIDF Controlled Opposition
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
This guy rigged up 8x GPUs for hash cracking; he was able to generate hashes around twice as fast for MD5 vs. bcrypt. Mileage may vary depending on processor architecture, but that's probably a good yardstick.
2017-03-25 at 1:16 PM UTC
aldra
JIDF Controlled Opposition
In terms of methodology I think you should still go the route Sophie mentioned: grab a bunch of password lists (the RockYou and PSN hacks are a good place to start) and try running through those before you bother with a brute-force run.
2017-03-25 at 6:06 PM UTC
I found some render farms in Thailand that have fairly cheap server time; let's see how far I get starting from there. Thanks my niggas.
2017-03-30 at 6:37 AM UTC
If the passwords are properly salted, rainbow table attacks should be infeasible. Password lists will help in targeted attacks because you can grab the salt for your targeted user, but you'll have to repeat the process for each target. And the attack obviously assumes the user's password is actually in the password lists you use. How long the attack is going to take/how much it will cost is linear in the product of the length of the password lists you use and the work factor used during encryption. The adjustable work factor is bcrypt's big selling point.
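The post above makes two points a defender can check directly on a hash store: whether every record carries its own salt (so no precomputation can serve more than one user) and whether the cost factor is high enough that wordlist-size × 2^cost is expensive. The following is an added example, not code from anyone in this thread; it parses the bcrypt modular-crypt string format (`$2b$12$` + 22-char salt + 31-char digest), flags records below a chosen minimum cost and records that share a salt, and computes the linear work relation the post describes. The sample records and the `min_cost` threshold of 12 are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
# (salt and digest use bcrypt's own base64 alphabet ./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    variant: str   # "2a", "2b", ...
    cost: int      # log2 of the key-schedule iteration count
    salt: str      # 128-bit salt, bcrypt-base64 encoded
    digest: str    # 184-bit digest, bcrypt-base64 encoded


def parse_bcrypt(s: str) -> BcryptHash:
    """Split a bcrypt string into its fields; raises on anything else."""
    m = BCRYPT_RE.match(s)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    return BcryptHash(m.group(1), int(m.group(2)), m.group(3), m.group(4))


def guesses_work(cost: int, wordlist_size: int) -> int:
    """Key-schedule expansions needed to test every wordlist entry against
    ONE salted hash: each guess costs 2**cost expansions, so the total is
    linear in wordlist_size and doubles with every +1 to cost."""
    return wordlist_size * (2 ** cost)


def audit(hashes, min_cost: int = 12) -> dict:
    """Flag records whose cost is below min_cost and salts shared by more
    than one record (a reused salt lets one precomputation serve several
    users, which per-record salting is meant to prevent)."""
    weak = []
    by_salt = defaultdict(list)
    for i, s in enumerate(hashes):
        h = parse_bcrypt(s)
        if h.cost < min_cost:
            weak.append(i)
        by_salt[h.salt].append(i)
    reused = {salt: idx for salt, idx in by_salt.items() if len(idx) > 1}
    return {"weak_cost": weak, "reused_salts": reused}


# Constructed sample records: placeholder salt/digest bodies of the right
# length, NOT hashes of any real password and not from any real dump.
SAMPLE_HASHES = [
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # fine
    "$2b$05$vutsrqponmlkjihgfedcba43210ZYXWVUTSRQPONMLKJIHGFEDCBA",  # cost too low
    "$2a$12$abcdefghijklmnopqrstuv0123456789abcdefghijklmnopqrstu",  # reuses salt of #0
]

if __name__ == "__main__":
    print(audit(SAMPLE_HASHES))
    # Work to exhaust a 100,000-entry wordlist against one hash at each cost.
    for cost in (5, 10, 12, 13):
        print(cost, guesses_work(cost, 100_000))
```

Run it against an exported hash column and the two findings map straight onto the post's reasoning: a shared salt collapses the per-target repetition into one precomputation, and each +1 to the cost doubles the attacker's total for a given wordlist, so raising the cost is the knob that makes a wordlist-sized targeted run expensive.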
2017-03-30 at 9:53 AM UTC
Thanks Lanny.
It's all irrelevant at this point anyway, the fucking gooks scammed me. I knew that server time couldn't be that cheap.
2017-03-30 at 9:59 AM UTC
Never mind, I'm retarded. I'm going to find some password lists.