Saturday 10 December 2011


Theory basic of password hashing
Hashing passwords is a defense against a specific attack. The attack is: stealing a copy of the entire password file (users table, ldap db, etc), downloading it to one's computer, and attempting to retrieve the users' passwords. The goal of the attack is: to find users who reuse their usernames and passwords across websites, and log into those users' email, bank, social-network, and other accounts.
The hashing-passwords defense works like this: the passwords are not stored directly, and any attempt to retrieve the original passwords requires the attacker to perform an extremely large amount of work, at least compared with the work required to check whether a password the user enters when logging in matches the password on file. There are multiple variations on this defense, including choosing better hashes, salting the hashes, iterating the hashes, etc., the purpose of them being to make the defense better than otherwise and to defend against variants of the attack which are capable of getting around the simpler defenses.
The hashing-passwords defense is not a defense against just any attack. For example, it doesn't help against an attack where the attacker gains arbitrary write access to the database, rewrites all users' passwords to his own, and logs in to all the users' accounts on that website. The defense only defends against the offline password-stealing attack.
So you need to be aware of the different types of attacks, and to defend against each of them using a defense which works against that type of attack.


Crack password using Graphics card


WEP encryption takes like 2-5 min to crack even on any mini-laptop, you don't need much computing power for that.


However, using the GPU when cracking WPA/WPA2-PSK can reduce the time drastically. 
Here's some software


that does just that. 

Also, a lot of 2Wire routers are vulnerable to more things than I can think of. 
Hkm did a lot of research on them, you should check out his defcon presentation http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-pedro-hkm-joaquin-attacks_against_2wire.pdf 

might help.



No comments:

Post a Comment