Java Script: Brute Force Calculator

GPGPU. That is a new technology which allows to do mathematical instead of only graphical tasks with the GPU. The point is that video cards have a lot more GFLOPs than CPUs. While GPGPU is only effective for doing very parallel tasks, they are perfect for password cracking.

Today I just wanted to know how long someone would need to crack a password of a specific length with GPGPU. There are some Brute Force Calculators on the web, but the ones I’ve seen on my quick research only offer CPU, not GPU related results.

So I decided to write my own calculator in Java Script (so make sure to activate that), which does exactly what I want.

jwcxz’s mirror (thx!)

omploader mirror (updated)

source code

How to use:

Everything should be self-explaining up to Combinations per second. For this one you need to decide what hardware you want to check your password against and how fast trying one combination can be (which also depends on the algorithm).

I’ve googled for something AES related, but I couldn’t really find anything (if you did, please leave a comment). Instead there’s a web page that lists how many keys per second video cards/CPUs can take when brute forcing the RC5-72 Algorithm, so go on and open that page in a tab.

As I am writing this, someone with a Radeon HD 4850-625 keeps the high score with 450951.8 kkey/sec (kkey/sec = thousand keys per second). So if I want to check a password against that card, I type below Combinations per second the number 450951800. For ten times that card, it will be 4509518000 and so on.

Enjoy!

archbbs thread

Von der Leyen will Zensur ausweiten

„Doch wir werden weiter Diskussionen führen, wie wir Meinungsfreiheit, Demokratie und Menschenwürde im Internet im richtigen Maß erhalten. Sonst droht das großartige Internet ein rechtsfreier Chaosraum zu werden, in dem man hemmungslos mobben, beleidigen und betrügen kann.“

Quelle: abendblatt.de

Firebird77 hat das auf gulli wirklich gut kommentiert und ich bin voll seiner Meinung. Löschen statt verstecken, das Internet ist doch kein rechtsfreier Raum!

Panik! Alle bitte schreiend im Kreis laufen!

…so lesen sich zumindest die gulli:news zum Thema „Windows-Hacking: Truecrypt Verschlüsselung umgangen“, sowie fast alle Kommentare darauf. Mit den Verschlüsselungsalgorithmen (Standard: AES) hat das leider überhaupt nichts zutun. Viel mehr geht es in dem Artikel um ein Rootkit (oder auch Bootkit, da es sich in den MBR einnistet), „welches die TrueCrypt-Verschlüsselung auf 32-Bit-Windows-Systemen aushebelt.“

Nun, aushebeln heißt an dieser Stelle das Bootkit in den MBR zu schreiben und den normalen Entschlüsselungs-MBR anzuhängen. Der Newsautor, 020200, nennt das eine Schwachstelle von Truecrypt.

Im Fall von Truecrypt fragt der MBR das Passwort zum entschlüsseln der Systempartition ab. Wenn man diesen also verschlüsseln würde, dann hätte man keine Eingabemaske mehr für den Schlüssel. Aus diesem Grund ist der MBR auch nicht verschlüsselt, das funktioniert garnicht (abgesehen von Hardware-Lösungen, die sich dann aber auch wieder manipulieren lassen auf Hardware-Ebene).

In der Theorie ist diese „Lücke“ schon immer dagewesen – und nicht nur bei Windows – bei allen Betriebssystemen ist das so. Wenn jemand entweder physikalischen oder ferngesteuerten, mit vollen Rechten versehenen, Zugriff auf deinen Computer hat, ist er nicht mehr sicher. Das war schon immer so und wird auch immer so bleiben. Um das etwas anschaulicher zu formulieren; man könnte genauso gut eine versteckte Kamera über der Tastatur installieren und dann das Passwort aufzeichnen um später die Festplatte zu entschlüsseln – das ist keine Lücke von Truecrypt!

Weil das alles theoretisch möglich ist, geht man am besten auch davon aus, dass es praktisch gemacht wird. Wer weiß schon, was es so für Programme gibt? Nicht jeder „Hacker“ veröffentlicht seine Programme mit Demonstrationen und nachträglich als Opensource im Internet. Deshalb können einem nicht nur die News egal sein, es muss einem auch bewusst sein, dass diese Problematik auch bei x86_64 („64-bit“)-Betriebssystemen und anderen Architekturen vorhanden ist.

Archlinux: Enigmail on AUR

Schnouki has just made a PKGBUILD for the Thunderbird-Addon Enigmail which enables you to use GPG-encryptions on e-mails easily. The advantage is now, that we don’t need to rely on third-party binary packages anymore, because we can build it directly from the AUR. With enough votes, it might become part of the official community repository.

truecrypt, linux: hide password from ps

Sometimes it is useful to mount Truecrypt volumes via commandline parameters (eg. mount 2 volumes with the same password). The problem is that if you use the --password switch, everyone using your linux box (no need for root access!) can just type

ps ax | grep truecrypt

and find it that way. Here’s how to hide it:

#!/bin/bash
truecrypt -t –mount /home/thoughtcrime/test –volume-type=normal \
/mnt/test –verbose -k „“ –protect-hidden=no <<EOF
secret
EOF

„secret“ could also be a variable like ${password} or something. Based on this post.

My Idea of an OpenPandora OS

If I would buy a Pandora, which I am not sure of currently, I would propably make my own Archlinux based OS.

The idea to port Arch to the ARM platform is nothing new, as someone is trying to do it here.  So I would just use this as base and then make sure to include the following key features:

All in one apps. The Pandora seen as a computer has not too much power. Also there is as far as I know only 512 MB internal space planned, so using Firefox, Thunderbird and Liferea at once does not make too much sense for me. I would prefer Seamonkey, Mozilla’s Firefox/Thunderbird/Other hybrid. As a downloader, one could use either something terminal based like aria2c. For advanced usage I am thinking about JDownloader, but without a GUI and a HTML-Server-Plugin (so that you can control JDownloader from within Seamonkey). Also I would need something for chatting, I recommend Pidgin here (again, cutting off some features I don’t need).

Encryption. I thinkt portable devices should always be encrypted. They propably contain private data and you do not want to get it stolen and then get everything published on the internet, do you? LUKS with dm-crypt is the software that I would use here. Encrypting everything would slow down the speed though, so I would try to keep it balanced. See also this article I wrote about that subject. For chat and mail encryption, there are the OTR and Enigmail plugins. Maybe Keepass to keep all passwords sorted (plugins for seamonkey and pidgin would be really awesome here; maybe I could write them).

Usability. Basically OpenBox with big enough window borders, that you can click the buttons easily with your fingers on the touchscreen. Also a panel featuring a big launch menu, which goes fullscreen. Mouse gestures where possible (Seamonkey)!

Pacman wrapper? I have been thinking about package management a bit longer. On the pandora forums I have read that they do not want any packagemanagement, so you can copy pasta a compiled program from your pc on your SD card and then just launch it on the Pandora. This seems not too useful for me, I would prefer pacman except that you can choose where (on which SD card) you want to install your software. Why? Because you can put two of them in there. Huge software like openarena could be installed on a different card as main programs are installed. I know that this is very likely to how windows likes to deal with software, but in this scenario it seems to make sense to me. One could sort his SD card like the ordinary linux root folder structure, so he would know where to find the software. Furthermore, there should be scripts that check whether the right SD card is inserted before launching a program. I am not sure, but all this might be possible with a pacman wrapper and a fixed folder structure on every SD card, containing a pacman database each.

As said before, I am not sure if I will buy one of these beautiful devices, but if I do, I will make a very customized setup.

Windows: Manage NTFS Shares from a logged in unprivileged user

So I set up my laptop once again, this time with Arch64 and Windows XP. Since I think the concept of not using an account with full administrative rights all the time (like you should use it with linux) is a good one, so I decided to do that with windows, too. Its not as easy there, but it mostly works. To fully encrypt my system partition, I had to log-in with the admin-account and SMB-filesharing couldn’t be managed from the unprivileged user, too. For the second issue, I downloaded and installed the freeware AutoIt3 which offers a simple scripting language which can do a lot of windows-specific stuff.

I wrote a script with the #RequireAdmin tag in front of it, that shows all the shared folders and allows you to add new, delete or modify existing ones. The #RequireAdmin thingy makes it display a dialog from windows which forces you to login with an admin account (for this app only, the current session will otherwise not be affected) or exit the script. Well its not fully finished, but the core features already work. I’ll publish it here, when its in a final state.

Adi64 commented, that this app is also useful after a LAN party if you don’t know anymore what you shared, so you might use it for that matter, too.

_Full_ harddisk encryption unnecessary with linux

Last week I talked to yoschi about how slow my KDE starts up. He pointed out that my full disk encryption is propably the speed killer and that it is not needed.

Its not too long ago that I switched from Windows to Linux and by not knowing too much about its architecture I decided to do a full encryption just like I did it on my Windows installation.

The major difference is that Windows programs write their configuration files, cache or other data wherever they want to – you can’t really control it. Linux programs don’t do that – you’ll find all the sensitive data in your home folder (or in one of the folders I listed below). Besides on Linux you have mainly open or at least free (as in beer) software. Most windows users I know crack at least some software (Photoshop is a good example, not everyone is able to buy it), so you don’t need to worry about that either.

The only problem could be that some software is not allowed in your country – germany has for example a so called Hackerparagraf which says that software that can be used to hack computers are illegal (it isn’t really clear though and I haven’t heared/read of someone getting sued for this yet). In that case you should encrypt this software, too, if you are planning to use it.

Here’s my plan of what I will encrypt on my machine when I re-install it the next time:

Encrypt:

/home
/etc
/var
/srv
/tmp
/root

Except for:

/var/cache/pacman

This should give my box a real boost since most stuff won’t be encrypted anymore

PS: I don’t use any swap. If you do use one, you better also encrypt that!

Ultrasurf: keep the connection bash script

Ultrasurf is a freeware proxy software that tunnels everything you send through it with SSL and gives you a different IP (from America).  It is used in China for example to visit banned websites.

Well this windows application works fine with wine, although it looses the connection if you aren’t browsing web pages permanently. This script prevents it from doing that.

#!/bin/bash

while [ 1 ]

do

export http_proxy="127.0.0.1:9666"

wget --no-cookies checkip.dyndns.org -O - -nv -q \

> /dev/null

export http_proxy="127.0.0.1:9667"

wget --no-cookies checkip.dyndns.org -O - -nv -q \

> /dev/null

#wait one minute

sleep 60

done

Note: It usually binds the 9666 port, but sometimes it uses the 9667 one instead. Thats why I choose to run wget on both of them.

Was ist OTR und wo findet man es?

OTR, die Abkürzung bedeutet Off-the-Record Messaging, ist ein Verschlüsselungsalgorithmus für Instant Messenger, wie zum Beispiel ICQ (AIM), MSN, Yahoo oder Jabber. Man sollte es definitv benutzen, weil sonst zumindest die Server der Chat-Protokolle mit allen Nachrichten machen können, was sie wollen.

Hier ist eine Liste von Webseiten, wo du Plugins für IM-Clients bekommen kannst. Falls dein aktueller Client hier nicht aufgelistet ist, empfehle ich auf einen anderen umzusteigen.

Download Anleitung für Windows User:

Notiz: Gehe bitte sicher, dass das Plugin auch aktiviert ist, nachdem du es installiert hast. Bei vielen muss man das manuell machen.

Pidgin: Öffne diese Seite, klicke unter dem Text  „OTR plugin for Pidgin (formerly known as gaim)“ auf  „Win32 installer for pidgin 2.x“ und lade es dann runter.

Pidgin portable: Klicke auf dieser Seite unter „Features“ auf „Pidgin-OTR“.

Trillian: Das bekommst du hier indem du auf den rosa Text neben  „Current Version“ klickst.

Miranda: Ein Miranda Plugin gibt es  hier, wenn du auf „Download“ klickst.

Für Linux User:

Es gibt Plugins für Pidgin und Kopete. Diese sollten sich einfach mit dem Paketmanager von $Distribution installieren lassen.