Just a quick update to say that I’ve moved on from my previous position and am excited to have co-founded a new company with a very good friend of mine @rebootuser !
Our new company is in.security and we’ll be doing what we do best, hacking and training!
You can check it out at https://in.security so keep you’re eyes open there for future posts too!
First of all, happy new year everyone! 😀
tl;dr – If hashcat crashes/hangs your system, your wallet scrypt settings more than likely want more RAM than your GPU has. You’ll only be able to crack with a CPU (adding -D 1 # where # is the number hashcat assigns your CPU will select all available CPU devices, or -D 1 -d <number> for an individual CPU) and the hash rate will still be slow 😦
—————————————————————————————————————————————-
Since writing about cracking various Ethereum wallets using the JSON file, a few people have mentioned that their systems hang/blue screen when they start the crack, so I thought I’d talk about why this is. Continue reading
Edit 04/01/18: Ethereum Wallet Cracking Pt 2. – GPU vs CPU can be found here
hashcat v3.6.0 was released yesterday and one of the newly supported hashes was Ethereum wallets (Go Ethereum (Geth), Mist and MyEtherWallet variants). This guide will show how a MyEtherWallet JSON keystore file is broken down, how it’s mapped to a hashcat compatible format, and finally an example crack. Continue reading
tl;dr
When kicking off a hashcat session I’ve got my favorite dictionary/rule combo’s I always tend to lean on. Sometime’s when time’s against me I don’t want to run several sessions over long periods of time, so I often wonder during these one shot windows whether I’m setting myself up with the best chance of success.
To test this, I took a large variety of shipped hashcat rules along with a few others, and put them through the paces against a large data set. By pulling the stats of the top performing individual rules in each test and combining them, I created an optimised custom rule which when subsequently testing cracked several more than any of the original rule sets.
A complete write up of the testing and stats can be found on NotSoSecure’s blog, and the custom rule is also available on github so you can test it out for yourself 🙂
When discussing pentests, I continue to see “weak cipher” issues that go on to say anything < 128 bits is insecure, however 3DES has to date been the exception to this. In turns of cryptographic strength, 3-key 3DES uses three unique 56 bit keys, providing 168 bits of strength before factoring in known attacks that reduce the amount work to break it to that of exhausting a 112 bit key. Now, 112 bits is less than 128 bits yet NIST who of course factor in the weakness, still state this year that 112 bits is sufficient and acceptable, hence my referral to 3DES as being an exception to weak ciphers. Continue reading
I’m pleased to write that 7Safe (my employer) have recently had all of their Ethical Hacking courses accredited by CREST! This is extremely good news as it shows the level of hard work and commitment that is given to maintaining and continually improving our training services. Continue reading
So here’s my guide to another CTF from VulnHub called Flick:1. This one was actually released before Tr0ll:1, but I finished this one after as I was trolled so much on the first one I had to take a break and try something else. Continue reading
Here’s my rundown of Tr0ll:1, a boot2root on Vulnhub that I had some fun with a few weeks back. I did feel like I was being trolled as I went at it and there were moments where I nearly needed to order a new keyboard but nevertheless, it was great fun when I finally got there. Continue reading
Well here we are! Hopefully in time my random thoughts about penetration testing and maybe some digital forensics will find themselves here, so that as time goes on and my thirst for knowledge grows, the old knowledge that falls out will land here rather than float off into the ether…
Stealthsploit 