illmob.org

NetSPI’s Top Cracked Passwords for 2014

March 2nd, 2015 by admin in cracking

NetSPI collected 90,977 domain hashes during their penetration tests this year. Of the collected hashes, 27,785 were duplicates, leaving 63,192 unique hashes. Of the total 90,977 hashes, they were able to crack 77,802 (85.52%). From the cracked hashes they calculated the top 10 passwords used.

Here are nine of the top passwords that they used for guessing during online brute-force attacks:

  • Password1 – 1,446
  • Spring2014 – 219
  • Spring14 – 135
  • Summer2014 – 474
  • Summer14 – 221
  • Fall2014 – 150
  • Autumn14 – 15*
  • Winter2014 – 87
  • Winter14 – 63

*Fall14 is too short for most complexity requirements
Source: https://blog.netspi.com/netspis-top-cracked-passwords-for-2014/
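A password filter that catches the pattern in the list above, as an added example (not code from NetSPI or from this post). The complexity rule (8+ characters, 3 of 4 character classes) and the substitution table are assumptions; the point is that `Password1` and season-plus-year strings satisfy such a rule and must be rejected by pattern instead.

```python
import re

SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
BASE_WORDS = SEASONS | {"password"}
# Common substitutions folded back before comparison (assumed set, extend as needed).
LEET = str.maketrans("@0$3", "aose")
# word, then up to four digits (a counter or a 2/4-digit year), then optional symbols
SHAPE = re.compile(r"^(.+?)(\d{0,4})([^A-Za-z0-9]*)$")


def meets_complexity(pw, min_len=8):
    """Assumed policy: length >= min_len and at least 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def is_predictable(pw):
    """True for <season|password> + digits + optional trailing symbols."""
    m = SHAPE.match(pw)
    if not m:
        return False
    word = m.group(1).lower().translate(LEET)
    return word in BASE_WORDS


def audit(candidates):
    """Return {password: verdict}; the pattern check runs before complexity."""
    out = {}
    for pw in candidates:
        if is_predictable(pw):
            out[pw] = "reject: predictable pattern"
        elif not meets_complexity(pw):
            out[pw] = "reject: fails complexity"
        else:
            out[pw] = "accept"
    return out
```

Run `audit()` over candidate passwords at change time; a base word followed by extra letters (for example a longer compound word) is outside this filter and needs a dictionary check.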

Researcher releases 10 million username and password combinations

February 10th, 2015 by admin in cracking, Life

Security researcher Mark Burnett has released 10,000,000 username/password combos he’s downloaded from well-publicized hacks. https://xato.net/passwords/ten-million-passwords/

 

You can quickly check here: https://rehmann.co/projects/10mil/ (limited to first 25 results)

GPU Cracking PDFs in 4 hours

November 9th, 2014 by admin in cracking

The hashcat guys have been working on code for oclHashcat that is guaranteed to crack PDFs within 4 hours. This applies to PDF versions 1.1 – 1.3, which use RC4-40 (v5 and 6 implement 128-bit RC4, v7 128-bit AES, and X and later 256-bit AES).

  • Guaranteed to crack every password protected PDF of format v1.1 – v1.3 regardless of the password used
  • All existing documents at once as there’s no more salt involved after the key is computed
  • In less than 4 hours (single GPU)

More info: hashcat forums

Older, similar code for John the Ripper runs on the CPU and would take about 2 days: https://github.com/kholia/RC4-40-brute-pdf

Unlock systems infected by CryptoLocker.

August 6th, 2014 by admin in cracking, News


Researchers have struck back at the operators of the CryptoLocker ransom trojan, which has held hundreds of thousands of hard drives hostage. They managed to recover the private encryption keys that CryptoLocker uses to lock victims’ personal computer files until they pay a $300 ransom. Thanks to the security experts, an online portal has been created where victims can get the key for free.

To use the free service, victims must upload one of the files encrypted by CryptoLocker along with the e-mail address where they want the secret key delivered. The service then emails a master decryption key along with a download link to a recovery program, which is used together with the master decryption key to repair all encrypted files on the system.

https://www.decryptcryptolocker.com/

Heartbleed SSL Bug

April 8th, 2014 by admin in Browsers, cracking, News


A massive vulnerability has been found in OpenSSL, the open-source software package broadly used to encrypt Web communications. The flaw allows attackers to steal the information that is normally protected by SSL/TLS encryption, which is used to protect Web applications, e-mail communications, instant messaging (IM) and some virtual private networks (VPNs).
Essentially, that means a lot of Internet users are affected. And potentially, passwords, private communications and even credit card information could be available to hackers courtesy of this newly-discovered bug.
A few people have been checking major websites to check if they’re vulnerable

Offline NT Password & Registry Editor

March 25th, 2014 by admin in cracking, Privilege Escalation, windows

Offline NT Password & Registry Editor finally got an update last month after a 4 yr hiatus. The new version of this awesome bootdisk includes support for Win8.1 and a working ‘promote user to admin’ feature, among other fixes and driver updates.

2 new command-line functions are:
samusrgrp: a command-line tool to add users to groups or remove users from groups. Users and groups must be local (cannot be domain / AD). It can also list the groups with their members in several forms, and the output can be used in scripts. Listing groups will also list domain users that are members of the group (if any), but it will not be able to look up the name, so each will be listed as a SID only.

sampasswd: password reset from the command line (scriptable), or list users in the SAM file in a few different formats.

More information on these new tools ::here::
The bootdisk can be run from a floppy, CD, or USB and can be downloaded from http://pogostick.net/~pnh/ntpasswd/

Top 100 Adobe Passwords

November 24th, 2013 by admin in cracking, News, Privilege Escalation


As you may already know, Adobe was breached weeks back. This breach affected roughly 152989508 users. Adobe encrypted the passwords with 3DES in ECB mode, and the passwords in this leak were all encrypted with the same key. Without that key, we cannot crack a single password. Since the key used to encrypt the passwords isn’t known (yet), researchers have been using a guessing technique based on users’ password hints. That’s right: whilst Adobe encrypted their passwords (even though done poorly), password hints had absolutely no security whatsoever. Matching this information with what we know about the ciphertext thanks to ECB mode, we are able to determine a number of passwords with a reasonable degree of certainty. This list below was compiled by Jeremi Gosney.
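Why one key plus ECB leaks so much, as an added example (not code from the post or from Adobe's system). Python's standard library has no 3DES, so `ecb_like` is a stand-in that keeps only the property that matters here: each 8-byte block is transformed independently and deterministically under one key. The rows, key and function names are constructed for illustration; the salted PBKDF2 store is shown beside it as the corrected design.

```python
import hashlib
import hmac
import os
from collections import defaultdict

BLOCK = 8  # 3DES block size in bytes


def ecb_like(key, password):
    """Stand-in for 3DES-ECB (HMAC truncation, not real 3DES): same key and
    same 8-byte block always give the same 8-byte output."""
    data = password.encode()
    data += b"\x00" * (-len(data) % BLOCK)
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(hmac.new(key, b, hashlib.sha256).digest()[:BLOCK] for b in blocks)


def salted_hash(password):
    """Corrected design: per-user random salt + PBKDF2, so equal passwords differ."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def shared_values(rows, store):
    """Group hints by stored value; return the groups shared by 2+ users."""
    groups = defaultdict(list)
    for _user, password, hint in rows:
        groups[store(password)].append(hint)
    return [hints for hints in groups.values() if len(hints) > 1]


def common_prefix_blocks(a, b):
    """Number of leading blocks two stored values have in common."""
    n = 0
    while n * BLOCK < min(len(a), len(b)) and a[n * BLOCK:(n + 1) * BLOCK] == b[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n


# Constructed sample rows: (user, password, hint)
ROWS = [
    ("u1", "sample-pass-A", "first pet"),
    ("u2", "sample-pass-A", "dog's name"),
    ("u3", "sample-pass-A", "rex"),
    ("u4", "sample-pass-B", "street"),
]
KEY = b"constructed-demo-key"
```

With the ECB-style store every user of the same password lands in one group with all of their hints pooled, and passwords that share their first 8 characters share a first block; with the salted store there are no groups at all.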

Capturing Windows Logon Credentials

November 3rd, 2013 by admin in cracking, Privilege Escalation, windows


Microsoft’s GINA technology, which stands for Graphical Identification ‘N Authentication, is responsible for graphically handling logon requests when events such as CTRL-ALT-DEL are received. Tyler Wrightson finally released his modified GINA stub that silently logs usernames and domains for XP and Win2k. You can download it ::here::. More information about how GINA works can be found in his excellent blog post.

This will not work for Vista and later operating systems, as they have switched to the Credential Provider model. Microsoft claims the reasoning behind this is to make it easier for developers to meet the demands for next-generation authentication technologies (like biometrics, two-factor and single sign-on). Have no fear, he also released a version for Vista/7 ::here::. More information can be found in his blog post.

The Bible Is Helping Crack Your Passwords

October 15th, 2013 by admin in cracking

The Bible might not be quite the good book it claims to be. It’s being employed to help crack passwords to great effect.

The article explains how security researchers Kevin Young and John Dustin have been using books acquired from the Project Gutenberg repository to help them create a massive database of words and phrases to help crack passwords. Feeding in the contents of the Bible, plenty of other books, and Wikipedia, then testing it on 344,000 passwords leaked from intelligence firm Stratfor in 2011, the pair had great success.

Src: arstechnica.com

Bypass IOS 7 Logon Screen

September 20th, 2013 by admin in Apple, cracking

Here’s how it works:

  • Swipe up on the locked phone to get to the control panel
  • Open the stopwatch app
  • Go over to alarm clock
  • Hold the power button until you get the “Power down” prompt
  • Hit the cancel button and immediately hit the home button twice, holding it down just a little longer on the second press. Like, buh-baah. It takes a try or two to get the hang of.

Then you’re in the target’s multitasking menu. If you go to the camera app, you’ll have unrestricted access to the Photo Stream, and can share the pictures from there with email, Twitter, and more.

Update:
Someone else figured out another work-around here.