Password was "debbie". The decrypted file plays in VLC perfectly.
pwned
pwned
Encryption Challenge
|
Password was "debbie". The decrypted file plays in VLC perfectly.
pwned
Hmm, well done
Back to the drawing board then...
Not really. If you use a long complex key (password) then the encryption will be fine. No encryption mechanism is protected against brute-force attacks.
However, in this case I ran two attacks, one where I tried to brute-force every password from a character set of A-Za-z0-9 and symbols, and one where I used a large dictionary file of commonly used passwords. The brute-force one ran first, but after a while I decided to use the dictionary attack, and that broke it in less than a second. The brute-force attack may have taken days to crack the password "debbie".
Dictionary attacks with variations is usually more successful when dealing with human targets.
Slave to the Patriarchy no more
True. I just used the rockyou password list.
That was cool. How did you apply a dictionary file to do a brute force attack? Was there a program that loaded it and did it (like AccessDiver does for websites)? Did you have to manually write a short program/script that can load each password and do send a password prompt does?
RE: Encryption Challenge
June 20, 2012 at 7:14 pm
(This post was last modified: June 20, 2012 at 7:17 pm by Angrboda.)
(April 29, 2012 at 5:19 pm)Cthulhu Dreaming Wrote:(April 29, 2012 at 5:11 pm)Tiberius Wrote: Sure, but the first rule of security is to assume that an attacker knows as much about your system as possible, since they can always figure it out in the end. The point of a secure system is that it is secure even if the attacker knows how it works (since the real security is in the password / key). Aka, "Security through obscurity is no security." Generally it's best to avoid regular words or names. But I'm the same way. I like to think my passwords are more secure because I use a mix of numbers and Chinese and Japanese words, but the fact is, a good dictionary will include more than one language. I've started buying eBooks from Barnes & Noble, and I kept getting login failures, with the message that this email address and password isn't associated with an account, forcing me to call support. I did that, and we reset the password successfully. The next time I went to login, I got the same thing again. So I call up support again, reset the password, and it doesn't take again. So the rep asks me how long my password is. I count it up and tell her that it's 14 characters. She tells me that it needs to be 6-10 characters. No warning. No check that the password needs to be that length. And two calls to support to figure it out. I was so mad. RE: Encryption Challenge
July 4, 2012 at 5:00 pm
(This post was last modified: July 4, 2012 at 5:00 pm by Tiberius.)
(June 20, 2012 at 1:58 am)goddamnit Wrote: That was cool. How did you apply a dictionary file to do a brute force attack? Was there a program that loaded it and did it (like AccessDiver does for websites)? Did you have to manually write a short program/script that can load each password and do send a password prompt does?I believe I used fcrackzip and a dictionary file I had lying around somewhere.
How did you know to use fcrackzip? Did you know it was a zipped file? If so, how? I opened it with HxD and saw the name of the song but everything else looked like jibberish. Thanks!
|
« Next Oldest | Next Newest »
|
Possibly Related Threads... | |||||
Thread | Author | Replies | Views | Last Post | |
The Shell Cipher (Challenge) | Tiberius | 36 | 10078 |
June 2, 2012 at 7:35 pm Last Post: Tiberius |