Showing posts from May, 2010

Carders.cc - General Observations and Updates - Part 3

Digging into this data is like watching an episode of Lost. Whenever it seems like one question gets answered, about ten other questions pop up. Before I get into details, I want to start with a comment Per Thorsheim sent me as to what other password cracking programs support salted sha1 hashes:

The sha1(lowercase_username.password_guess) is at least supported by these:
- Extreme GPU Bruteforcer (www.insidepro.com)
- hashcat and oclhashcat (cpu/gpu respectively) www.hashcat.net

I'm kicking myself for not thinking about hashcat, since it's an extremely powerful password cracker; plus it's free. Unfortunately the GPU version doesn't support the salted sha1 hash type, but even the non-gpu version is quite nice. As for InsidePro, it also is very good, though it does cost some money. I've had a license-free version of questionable origin offered to me before, but I turned that down. Legality aside, installing pirated software given to you by shady people at a hacker confe

Carders.cc - Analysis of Password Cracking Techniques - Part 2

So I figure I probably should get around to looking at the passwords in this list, since password cracking techniques are the focus of this blog... First though, a real quick definition. I needed to decide what to call the various parties involved in this whole shenanigans. For example, when I'm talking about the 'hackers', am I referring to the people collecting stolen credit card data who belonged to the board, or the people who hacked carders.cc? Likewise, if I use the term criminals, that could refer to both groups as well. Therefore, in my blog posts I'm going to use the following terms to refer to the two groups:

- Carders/Users: The people who belonged to the board. Normally I would also use the term 'victims', but I don't want to honor them with that title.
- Hackers/Attackers: The people who broke into the forum and posted the data online.

Ok, now that we have that out of the way, the rest of this post is going to be broken up into four parts: Executi

Carders.cc - Analysis of E-mail Addresses

I just wanted to point everyone over to Cedric Pernet's blog where he did an amazing job analyzing the e-mail addresses that the carders had used. You can view his work at the following link: http://bl0g.cedricpernet.net/post/2010/05/20/Fraudsters-e-mail-addresses It shouldn't come as a surprise, but just because someone is a cybercriminal doesn't mean they are smart. Also, if you or anyone you know is doing research into this, feel free to forward me the links. I only found Cedric's blog on a reference in another post on page 8 of a Google search I did (aka I stumbled on it by pure luck). Thanks!

Carders.cc Hacked - Initial Analysis of IP addresses

As the title says, Carders.cc, a German forum for the buying and selling of stolen credit cards, was hacked and a ton of information was posted publicly online. For a more detailed description, I highly recommend reading the always excellent Brian Krebs writeup on the incident. I'm going to skip right past my feelings on the subject. The short version is, while part of me is laughing inside, I tend to think such vigilante justice is often counter-productive. I just wish people like that could work with the system because by doing so you can sometimes achieve spectacular results. Instead I'm going to focus on the data itself and what it can tell us from a research perspective. So far I've managed to download the writeup of the attack, which also includes IP addresses, usernames, e-mail addresses, and password hashes. I'm also currently in the process of downloading what I think is the listing of all the private messages, though it may just turn out to be viruses and fa

They'll Let Anyone Graduate: My Password Cracking Dissertation

You've all heard me complain/stress out about writing my dissertation, so now that it's done of course I'm going to post it online. My PhD dissertation, "Using Probabilistic Techniques to Aid in Password Cracking Attacks", is available for download from my tools page here. A lot of it is going to look fairly familiar if you've seen my talks or been reading this blog, which makes sense since my dissertation is a summary of what I've been up to for the last three years. Here's a quick breakdown of what's in it:

Chapter 1: Overview + background info
- The need for password cracking
- General terms and techniques
- Obtaining the datasets, and basic statistics about the datasets
- A quick survey of common password hashes and popular password cracking tools

Chapter 2: Brute Force Attacks
- 95% of it I've talked about on this blog before
- The remaining 5%, which I really should post an entry on, is a comparison of a targeted brute force attack against a pure Ma

E-mail Address Change

Since I'm graduating, I was informed that I might not be able to keep my weir@cs.fsu.edu e-mail address. I'm trying to see what I can do to hold onto it, but for the time being I'd recommend e-mailing me at reusablesec@gmail.com.