Comments on Distracted: Cacheebr, the MS Cache password brute forcer
Daniel Niggebrugge (http://www.blogger.com/profile/02053201958307619797)
Feed updated 2022-12-05T19:28:18.502+01:00

Daniel (https://www.blogger.com/profile/08895008646675050525), 2013-12-25T16:50:53.127+01:00
Hi there, looks like tbhost.eu is down, could you please upload the Cacheebr files somewhere else?

Thanks and regards :)

BoboTiG (http://www.bobotig.fr), 2010-08-22T15:33:57.558+02:00
Sources for GNU/Linux users: http://bobotig.fr/contenu/programmes/Cacheebr_0.1_src_gnulinux.7z

Great job and good continuation ;)

Station, 2010-08-21T16:26:30.460+02:00
It has been removed from depositfiles. I have uploaded it to http://sourceforge.net/projects/mscashe/.

Anonymous, 2010-08-13T17:08:01.708+02:00
A restore point like rcracki would be nice :D
But anyway, thanks for the tool

Station, 2010-07-16T16:42:28.922+02:00
I have written an MSCashe brute forcer for GPU.
Some of it is certainly crookedly written, but it works. It gives 215 Mp/s for one hash on my 8800GT.
But the CPU code still has to be added.
http://depositfiles.com/files/3t8w5dzlf

Anonymous, 2009-12-25T22:32:24.935+01:00
hello daniel, the speed of this tool is great. can u please implement functions like: remember the last password, so that after one attack there is no need to start again from the beginning? i'm interested in the question: does this tool already use gpu-power? there are some nice projects about this like pyrit - a python-app or the cuda-multiforcer. it would be great if u can transfer ur knowledge to these tools. is it also possible to implement dict-attacks? there is a lot of potential. with the best regards. do u have knowledge about reverse engineering? and do u know how to organize a gpu-farm?

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-11-19T17:05:28.682+01:00
i didn't port Cacheebr to Linux... it shouldn't be too hard to fix it yourself. I have no plans to fix this stuff anytime soon, sorry.

xkill (http://www.locolandia.net), 2009-11-19T16:35:57.666+01:00
I tried to compile it on Linux, but:

    $ g++ *.cpp
    Cacheebr.cpp: In function 'int main(int, char**)':
    Cacheebr.cpp:185: error: 'memcpy' was not declared in this scope
    Cacheebr.cpp:270: error: 'ETIMEDOUT' was not declared in this scope
    crackThread.cpp: In member function 'void crackThread::run()':
    crackThread.cpp:96: error: 'align' was not declared in this scope
    crackThread.cpp:96: error: '__declspec' was not declared in this scope
    crackThread.cpp:96: error: expected `;' before 'unsigned'
    crackThread.cpp:98: error: 'pMuteMe1' was not declared in this scope
    crackThread.cpp:98: error: 'memset' was not declared in this scope

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-10-27T19:17:51.061+01:00
(links back)

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-10-25T13:56:57.280+01:00
hi Daxter, i'll be moving tbhost, so it'll be back.

Anonymous (https://www.blogger.com/profile/07993406812008303549), 2009-10-25T06:22:23.973+01:00
Daniel, is your code still around? The link you provided is dead.

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-07-17T15:29:06.150+02:00
check out this code by jci:
http://freerainbowtables.com/phpBB3/viewtopic.php?p=8454#p8454

dzhugashvili (http://www.cerberusgate.com), 2009-07-17T15:16:52.226+02:00
Ah. I see. Yeah, the MD4_NEW actually only supports input lengths <32 bytes :( I will try to modify this - unless you already have another reference implementation that supports 56 bytes or more? I used MD4_NEW because I could not find the fast_MD4 function you referred to in rcracki_mt. I will look around.

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-07-16T19:16:38.874+02:00
the issue is probably found in the length of your username. both MD4_NEW and my own used md4 code do not implement inputs larger than 56 bytes, that is why cacheebr doesn't support usernames longer than 19 characters. it shouldn't be too much of a problem to fix that if you want to.

dzhugashvili (http://www.cerberusgate.com), 2009-07-16T15:16:08.700+02:00
One interesting thing about your code. I got it to work using OpenSSL's MD4, but then I tried to upgrade to the reference implementation MD4_NEW() you used in rcracki_mt. I was able to use the MD4_NEW function for the first MD4 (the one that produces the NTLM hash), but not the second one. I also noticed that in rcracki_mt, you also used openssl for the mscache algorithm, so evidently you ran into the same problem?
Quite unfortunate, as the second MD4 is really the essential one for a multihash brute forcer. The first MD4 is run once per candidate, but the second is run once per hash per candidate. Have you found out why this is? If you happen to find out, please tell me.

dzhugashvili (http://www.cerberusgate.com), 2009-07-10T17:54:34.117+02:00
Perfect. Thanks!

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-07-07T23:09:42.720+02:00
i had some short code lying around using an easy MD4 implementation (see sourcecode from rcracki_mt for that code), you could replace it with the appropriate MD4 functions from OpenSSL:

    // fast_MD4 is the MD4 routine from the rcracki_mt source
    unsigned char pHash1[16];
    unsigned char pHash2[16];

    string sPass = "hello";
    char u_pass[32];
    memset(u_pass, 0, 32);

    // Convert password to unicode (u_pass holds at most 16 characters)
    int i;
    for (i = 0; i < sPass.size() && i < 16; i++)
    {
        u_pass[i*2] = sPass[i];
        u_pass[i*2+1] = 0x00;
    }

    // make NTLM hash, result in pHash1
    fast_MD4((unsigned char*)u_pass, (i*2), pHash1);

    string sUsername = "administrator";
    char u_username[40];
    memset(u_username, 0, 40);

    // Convert username to unicode and lowercase it
    for (i = 0; i < sUsername.size() && i < 19; i++)
    {
        u_username[i*2] = tolower(sUsername[i]);
        u_username[i*2+1] = 0x00;
    }
    // only the first 19 characters were converted, so copy and hash that many
    int nUserBytes = i*2;

    // u_temp will be the plaintext for the second MD4 calculation
    char u_temp[56];
    // set it to 0 first
    memset(u_temp, 0, 56);
    // pHash1 contains result of first MD4 calculation = NTLM hash
    memcpy(u_temp, pHash1, 16);
    // NTLM hash + username
    memcpy(u_temp+16, u_username, nUserBytes);

    // Hash it, pHash2 contains ms cache hash for password 'hello' with username 'administrator'
    fast_MD4((unsigned char*)u_temp, (nUserBytes+16), pHash2);

    // print it
    for (i = 0; i < 16; i++) printf("%02x", pHash2[i]);

haven't tested it, but i think this should work, or at least make things clear enough to implement it yourself.

dzhugashvili (http://www.cerberusgate.com), 2009-07-07T22:17:00.593+02:00
Hello. I was wondering if you might have access to or be able to program a simple example of the mscache algorithm? Something that would just take 'char username[]' and 'char password[]' and produce an mscache hash, using the OpenSSL libraries if necessary. I have been scouring the net looking for a simple example of mscache, but no luck. Cacheebr's code was a little too complicated for me to follow, having insufficient understanding of the algorithm to start with. I tried Alain Espinosa's mscache demonstration (http://openwall.info/wiki/john/Algorithms), but it doesn't work. He confirmed that it 'had a few bugs' but he didn't have time to find them. I tried to fix it, but can't.

If you could make a simple program, or point out or fix the problem in Espinosa's code, it would be greatly appreciated. I am collecting examples of such algorithms on my website (http://www.cerberusgate.com) and would also like to include mscache algorithm support in the next release of Havok.

I understand if you don't have time, just thought it would be worth a try.
Thanks!

dzhugashvili (http://www.cerberusgate.com), 2009-07-03T17:28:41.441+02:00
Yeah, the website was still under construction. The links should be up now.

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-07-03T00:36:35.192+02:00
Interesting things there.. but is it me, or did you somehow remove all the actual links on your site? i assume that at least the red marked text are supposed to be links?

dzhugashvili (http://www.cerberusgate.com), 2009-07-02T22:16:46.624+02:00
I see. Thanks! Hey you may be interested in this:

http://www.cerberusgate.com/benchmark_comparison

I benchmarked your programs against several others I found on the internet - yours were pretty high up there! I was especially impressed by cacheebr!

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-06-27T00:23:21.512+02:00
the reason that you cannot reverse the outer MD4 loop with ms cache is because while reversing you keep a part of the input (plaintext) fixed and go change another part of the input. So with regular plaintexts, you reverse the hash for example for the following group of plaintexts:
[aaaa-zzzz][aaaa]

you keep part 2 fixed and calculate all the possible plaintexts for the first part (aaaa-zzzz), then you change the 2nd part and re-reverse the hash for this group:
[aaaa-zzzz][aaab]

With the outer MD4 loop, all the inputs are a 128 bits MD4 hash. You cannot efficiently fixate a certain part of this hash and go change the rest (because that input hash actually depends on the plaintext input of the inner MD4 calculation).

I hope this clears things up for you, feel free to ask for a better explanation :)

Daniel Niggebrugge (https://www.blogger.com/profile/02053201958307619797), 2009-06-27T00:17:17.513+02:00
hi dzhugashvili, sorry for my late answer (vacation :)).

interlacing SSE2 means that you arrange the sse instructions in such a way that your cpu performs multiple instructions per clock cycle. It is important that these instructions do not depend on each other (like a=b+c; d=a*2, where you cannot calculate 'd' before you calculate a).
By interlacing in brute forcers, you just calculate the hashes of multiple plaintexts, as these are independent calculations.

dzhugashvili, 2009-06-16T23:09:09.539+02:00
I can understand why you could not reverse the inner MD4, but couldn't you still reverse the outer MD4 as much as any flat MD4 computation? Treat (MD4(Unicode(password))+Unicode(tolower(username))) as a plaintext and compute all but last round, which has been reversed from mscache hash?

dzhugashvili, 2009-06-15T22:19:07.854+02:00
What does it mean to 'interlace' SSE2? I am (relatively) familiar with SSE2, and heard the word 'interlace' used before, but don't know how it pertains.