if a password is weak enough, chances are that it's "password1". Try that
Otherwise you can let me know how many permutations of letters and numbers (and symbols, but that instantly makes it "above-medium") one can come up with.
Computer Science Canada Brute forcing |
| Author: | Monduman11 [ Mon Jun 21, 2010 5:50 pm ] |
| Post subject: | Brute forcing |
Im just wondering does turing have enough power to make a bruteforcing program in it? or is it to weak? |
|
| Author: | Tony [ Mon Jun 21, 2010 5:55 pm ] |
| Post subject: | RE:Brute forcing |
obviously you would need to define "brute-forcing program" and "weak" first. |
|
| Author: | Monduman11 [ Mon Jun 21, 2010 6:10 pm ] |
| Post subject: | Re: RE:Brute forcing |
Tony @ Mon Jun 21, 2010 5:55 pm wrote: obviously you would need to define "brute-forcing program" and "weak" first.
lol what i mean by bruteforcing is, that is turing a good enough program to make a password bruteforcing program in? or does it not have enough capabilities? like i know you can make it delete files and shut down your computer and stuff, but is it good enough to make a program that can figure out weak to medium passwords? btw this is just for educational purposes and to have something that could take a while to do, or just simply to annoy my sis when im bored lol |
|
| Author: | Insectoid [ Mon Jun 21, 2010 6:25 pm ] |
| Post subject: | RE:Brute forcing |
Well it could do that, yes. Without advanced implementations though it will be very, very slow. |
|
| Author: | Tony [ Mon Jun 21, 2010 6:27 pm ] |
| Post subject: | RE:Brute forcing |
if a password is weak enough, chances are that it's "password1". Try that
Otherwise you can let me know how many permutations of letters and numbers (and symbols, but that instantly makes it "above-medium") one can come up with. |
|
| Author: | Euphoracle [ Mon Jun 21, 2010 6:57 pm ] |
| Post subject: | RE:Brute forcing |
Your question doesn't make any sense. Turing can generate lots of passwords quickly, but how can it use them? It can't really interact with anything to try them. |
|
| Author: | 2goto1 [ Mon Jun 21, 2010 7:18 pm ] | ||
| Post subject: | Re: Brute forcing | ||
When it comes to Turing you're better off with social engineering
Other than that perhaps if your password cracking program was trying to crack a user account on a certain website, and if the website exposed a RESTful or HTTP GET based API to validate user names and passwords without the use of SSL (HTTPS), you might be able to do this in Turing. Perhaps the http://compsci.ca/holtsoft/doc/net_openurlconnection.html could fit then. For example:
You could then parse the HTTP response to try to determine if the combination were successful. But the problem is that no website in the real world supports user authentication this way...if they did they definitely wouldn't have any members! As far as trying to crack username / password combinations for programs running on your desktop, I don't think that can be done with Turing. I think Sys.Exec, http://compsci.ca/holtsoft/doc/sys_exec.html, is about the only way you can interact with external processes.. If you could do HTTP posts then maybe you could attempt this on some websites that didn't require SSL (HTTPS)...but HTTP posts don't appear to be supported. There are a lot of advanced Turing gurus on this site though, maybe they know of a way to do it! |
|||
| Author: | Monduman11 [ Mon Jun 21, 2010 9:03 pm ] |
| Post subject: | RE:Brute forcing |
kk thanks guys you have actually answered my question and no i wasnt intending to use this on websites lol i just wanted to create a little program and see if i could get it to guess my pass |
|
| Author: | Monduman11 [ Mon Jun 21, 2010 9:05 pm ] |
| Post subject: | Re: RE:Brute forcing |
Euphoracle @ Mon Jun 21, 2010 6:57 pm wrote: Your question doesn't make any sense. Turing can generate lots of passwords quickly, but how can it use them? It can't really interact with anything to try them.
well thats what i was wondering if it was somehow possible to make it interact with my desktop stuff and see if it could figure out the passwords for certain things, like password encrypted files and such that i have on my pc... it is just a little experiment that im trying to do |
|
| Author: | Cezna [ Tue Jun 22, 2010 2:57 pm ] |
| Post subject: | Re: RE:Brute forcing |
Monduman11 @ Mon Jun 21, 2010 9:05 pm wrote: Euphoracle @ Mon Jun 21, 2010 6:57 pm wrote: Your question doesn't make any sense. Turing can generate lots of passwords quickly, but how can it use them? It can't really interact with anything to try them.
well thats what i was wondering if it was somehow possible to make it interact with my desktop stuff and see if it could figure out the passwords for certain things, like password encrypted files and such that i have on my pc... it is just a little experiment that im trying to do To my knowledge, there is no way to make it interact with anything to input a password on a pc. Also: Monduman11 wrote: it is just a little experiment that im trying to do Monduman11 wrote: i wasnt intending to use this on websites lol i just wanted to create a little program and see if i could get it to guess my pass Monduman11 wrote: btw this is just for educational purposes and to have something that could take a while to do, or just simply to annoy my sis when im bored lol I think we all believe that you're not going to use it for malicious purposes, you don't need to pepper all your posts with disclaimers.  |
|
| Author: | Monduman11 [ Tue Jun 22, 2010 3:01 pm ] |
| Post subject: | RE:Brute forcing |
lol im just making sure that people understand that its just for fun... u never know there might be people out there that are so paranoid that they believe that everything is for mailcious purposes |
|
| Author: | Cezna [ Tue Jun 22, 2010 3:07 pm ] |
| Post subject: | Re: RE:Brute forcing |
Monduman11 @ Tue Jun 22, 2010 3:01 pm wrote: lol im just making sure that people understand that its just for fun... u never know there might be people out there that are so paranoid that they believe that everything is for mailcious purposes
I think saying you never know is overly optimistic, such people certainly exist, and I know far too many of them |
|
| Author: | Monduman11 [ Tue Jun 22, 2010 3:08 pm ] |
| Post subject: | RE:Brute forcing |
lol then it never hurts to state ur intentions more than once 
i know that you can make one in java and i think in python but im not skilled enough in either to make 1 yet lol, hopefully next year |
|
| Author: | chrisbrown [ Tue Jun 22, 2010 3:20 pm ] |
| Post subject: | RE:Brute forcing |
Let's do the math just for fun. Let's assume your password is 4 characters long, using only lowercase english letters. Using <a href="http://en.wikipedia.org/wiki/Permutation">permutations</a>, that's more than 350 thousand combinations. Assuming that you can interact with a website, and there is no retry limit, and that a round-trip response takes 1 second, that's about 4 days of continuous "brute-forcing." Include numbers and upper-case letters, and that grows to 155 days of computation time. Change that to a 5-character password and that grows to 24.6 years. I think you can see where this is going. |
|
| Author: | Monduman11 [ Tue Jun 22, 2010 3:25 pm ] |
| Post subject: | Re: RE:Brute forcing |
chrisbrown @ Tue Jun 22, 2010 3:20 pm wrote: Let's do the math just for fun. Let's assume your password is 4 characters long, using only lowercase english letters. Using <a href="http://en.wikipedia.org/wiki/Permutation">permutations</a>, that's more than 350 thousand combinations.
Assuming that you can interact with a website, and there is no retry limit, and that a round-trip response takes 1 second, that's about 4 days of continuous "brute-forcing." Include numbers and upper-case letters, and that grows to 155 days of computation time. Change that to a 5-character password and that grows to 24.6 years. I think you can see where this is going. umm ouch? lol guess thats a waste of time... how could you make it brute force faster though? cause arnt there some that can figure out your pass in like minutes? i think? |
|
| Author: | chrisbrown [ Tue Jun 22, 2010 3:36 pm ] |
| Post subject: | RE:Brute forcing |
By definition, a brute force attack is one where every possible combination is tried until the right one is found. There are undoubtedly advanced algorithms that perform better, but I haven't looked into much of that so I can't say too much on it. Regardless, Turing is not the language to use, and to be honest, your time would be better spent learning new concepts like efficient data structures, OO, etc... |
|
| Author: | Monduman11 [ Tue Jun 22, 2010 3:51 pm ] |
| Post subject: | RE:Brute forcing |
i just wanted to know if it could be done and what im actually aiming for it to try and teach myself as much c++ as i can over the summer |
|
| Author: | Tony [ Tue Jun 22, 2010 4:33 pm ] |
| Post subject: | RE:Brute forcing |
In many cases efficient algorithms and data structures in Turing will significantly outperform naive implementations in C++. The compiler can only do so much for you. |
|
| Author: | Monduman11 [ Tue Jun 22, 2010 4:36 pm ] |
| Post subject: | Re: RE:Brute forcing |
Tony @ Tue Jun 22, 2010 4:33 pm wrote: In many cases efficient algorithms and data structures in Turing will significantly outperform naive implementations in C++. The compiler can only do so much for you.
lol so what your saying is that it doesnt just depend on the program that your using but rather on the programmer as well |
|
| Author: | Tony [ Tue Jun 22, 2010 4:52 pm ] |
| Post subject: | RE:Brute forcing |
Right. Lets say that we are sorting 1024 (2^10) items. A bubble sort will compare each item against each other item and is said to have O(n^2) complexity. That's 1024*1024 = 1,048,576 comparisons. A QuickSort or MergeSort are on the order of O(n*lg(n)). 1024*lg(1024) = 10,240 So you'd need machine code that is ~100 times faster at this size, and the difference grows very very fast, as the size of the list increases. |
|
| Author: | DemonWasp [ Tue Jun 22, 2010 5:10 pm ] |
| Post subject: | RE:Brute forcing |
Incidentally, the speed difference between Turing and C++ (depending on a lot of factors, such as program type, design, compiler used, machine, etc) is that C++ is "around" 100 times as fast as Turing, so you only have to sort a list of 1024 numbers before (smart Turing implementation) outruns (naive C++ implementation). |
|
| Author: | Brightguy [ Tue Jun 22, 2010 9:04 pm ] |
| Post subject: | Re: Brute forcing |
2goto1 @ Mon Jun 21, 2010 7:18 pm wrote: But the problem is that no website in the real world supports user authentication this way...if they did they definitely wouldn't have any members!
Believe it or not, I belong to a site which uses exactly that method. An odd choice, but it does happen for casual sites. chrisbrown @ Tue Jun 22, 2010 3:20 pm wrote: Let's do the math just for fun. Let's assume your password is 4 characters long, using only lowercase english letters. Using <a href="http://en.wikipedia.org/wiki/Permutation">permutations</a>, that's more than 350 thousand combinations.
Since passwords can repeat letters, permutations are not proper here. The answer is just 26^4. Monduman11 @ Tue Jun 22, 2010 3:25 pm wrote: umm ouch? lol guess thats a waste of time... how could you make it brute force faster though? cause arnt there some that can figure out your pass in like minutes? i think?
That's easy, you just try out more likely passwords first. You can't brute force a strongly chosen password efficiently. Tony @ Tue Jun 22, 2010 4:52 pm wrote: A bubble sort will compare each item against each other item and is said to have O(n^2) complexity. That's 1024*1024 = 1,048,576 comparisons.
In the worst case, of course. Also you should say you are abusing the notation. Formally big-oh doesn't tell you anything about a finite problem size. |
|
| Author: | Tony [ Wed Jun 23, 2010 11:20 am ] |
| Post subject: | RE:Brute forcing |
Right, the Big-O notation is abused. There are no mentions of constants, and comparisons are done at an arbitrary n0, which is not what Big-O is meant for. (And Bubble-Sort is n^2 in worst case and average case.) |
|
| Author: | Srlancelot39 [ Mon Aug 02, 2010 4:25 pm ] |
| Post subject: | RE:Brute forcing |
...what if...the brute forcing program was able to check each character one by one instead of trying everything at once. eg. insted of trying: aaaa (wrong) baaa (wrong) caaa (wrong) it tried a*** (wrong) b*** (wrong) c*** (correct) ca** (wrong) cb**(correct) cba*(wrong) ... etc. this way, it is not wasting time trying all 4 characters at once. is there a way for the program to only check an individual character...I don't know; maybe there is maybe there isnt =P |
|
| Author: | Brightguy [ Mon Aug 02, 2010 6:16 pm ] |
| Post subject: | Re: RE:Brute forcing |
Srlancelot39 @ Mon Aug 02, 2010 4:25 pm wrote: ...what if...the brute forcing program was able to check each character one by one instead of trying everything at once.
Then you can determine the password in linear time. (In the real world you can quickly find the combination of an unlocked combination bike lock using this strategy.) Srlancelot39 @ Mon Aug 02, 2010 4:25 pm wrote: is there a way for the program to only check an individual character...
Depends on how cryptograpically-savvy the implementator was. For example, a password submission should not be checked with something like memcmp, since the standard implementation of memcmp will check the memory byte-by-byte and return false after the first mismatch. This makes you vulnerable to a timing attack. Tony wrote: (And Bubble-Sort is n^2 in worst case and average case.)
Though bubble sort wont always compare each item against each other item. (Nitpick.) |
|
| Author: | DtY [ Mon Aug 02, 2010 7:16 pm ] |
| Post subject: | Re: RE:Brute forcing |
Monduman11 @ Tue Jun 22, 2010 3:25 pm wrote: umm ouch? lol guess thats a waste of time... how could you make it brute force faster though? cause arnt there some that can figure out your pass in like minutes? i think? Generally, if it can run in a minute, it's not going to be brute forcing, it will probably be exploiting weaknesses in whatever was used. |
|
| Author: | jmarsiglio [ Sun Oct 17, 2010 7:15 pm ] |
| Post subject: | Re: RE:Brute forcing |
DtY @ Mon Aug 02, 2010 7:16 pm wrote: Generally, if it can run in a minute, it's not going to be brute forcing, it will probably be exploiting weaknesses in whatever was used.
Brute-forcing takes way too long for it to be efficient, so it is mainly used for website hacking, even then finding an exploit is far easier than bruteforcing the form. Rainbow tables are the way to go nowadays. |
|
| Author: | DtY [ Sun Oct 17, 2010 8:11 pm ] |
| Post subject: | Re: RE:Brute forcing |
jmarsiglio @ Sun Oct 17, 2010 7:15 pm wrote: DtY @ Mon Aug 02, 2010 7:16 pm wrote: Generally, if it can run in a minute, it's not going to be brute forcing, it will probably be exploiting weaknesses in whatever was used.
Brute-forcing takes way too long for it to be efficient, so it is mainly used for website hacking, even then finding an exploit is far easier than bruteforcing the form. Rainbow tables are the way to go nowadays. |
|
| Author: | SNIPERDUDE [ Mon Oct 18, 2010 12:22 pm ] |
| Post subject: | RE:Brute forcing |
Mmm, salted hashbrowns |
|
| Author: | Coldkick [ Tue Oct 19, 2010 9:00 pm ] |
| Post subject: | RE:Brute forcing |
Bubble sort is (n-1)^2. Ie. An 8 string check would have to run through (8-1)^2=7^2=49 checks. The last value at each run does not have a check. 1->2, 2->3, 3->4, 4->5, 5->6, 6->7, 7->8 |
|