New Beginnings!

Just a quick update to say that I’ve moved on from my previous position and am excited to have co-founded a new company with a very good friend of mine @rebootuser !

Our new company is in.security and we’ll be doing what we do best, hacking and training!

You can check it out at https://in.security¬†so keep you’re eyes open there for future posts too!

Advertisements
Posted in Pentest | Leave a comment

Ethereum Wallet Cracking Pt. 2 – GPU vs CPU

First of all, happy new year everyone! ūüėÄ

tl;dr ¬†If hashcat crashes/hangs your system, your wallet scrypt settings more than likely want more RAM than your GPU has. You’ll only be able to crack with a CPU (adding -D 1 #¬† where # is the number hashcat assigns your CPU will select all available CPU devices, or -D 1 -d <number> for an individual CPU) and the hash rate will still be slow ūüė¶

—————————————————————————————————————————————-

Since writing about cracking various Ethereum wallets using the JSON file, a few people have mentioned that their systems hang/blue screen when they start the crack, so I thought I’d talk about why this is.¬† Continue reading

Posted in crypto, password cracking, Pentest | 9 Comments

Ethereum Wallet Cracking

Edit 04/01/18: Ethereum Wallet Cracking Pt 2. – GPU vs CPU can be found here

hashcat v3.6.0 was released yesterday and one of the newly supported hashes was Ethereum wallets (Go Ethereum (Geth), Mist¬†and MyEtherWallet variants). This guide will show how a MyEtherWallet JSON keystore file is broken down, how it’s mapped to a hashcat compatible format, and finally an example crack.¬† Continue reading

Posted in password cracking, Pentest | 56 Comments

hashcat Rule Optimisation

tl;dr

When kicking off a hashcat session I’ve got my favorite dictionary/rule combo’s I always tend to lean on. Sometime’s when time’s against me I don’t want to run several sessions over long periods of time, so I often wonder during these one shot windows whether I’m setting myself up with the best chance of success.

To test this, I took a large variety of shipped hashcat rules along with a few others, and put them through the paces against a large data set. By pulling the stats of the top performing individual rules in each test and combining them, I created an optimised custom rule which when subsequently testing cracked several more than any of the original rule sets.

A¬†complete write up of the testing and stats can be found on NotSoSecure’s blog, and the custom rule is also available on github so you can test it out for yourself ūüôā

Posted in password cracking | Leave a comment

3DES is finally actually broken!

When discussing pentests, I continue to see¬†“weak cipher” issues that go on to say anything < 128 bits is insecure, however 3DES has to date been the exception to this. In turns of cryptographic strength, 3-key 3DES uses three unique 56 bit keys, providing 168 bits of strength before factoring in known attacks that reduce the amount work to break it to that of exhausting a 112 bit key. ¬†Now, 112 bits is less than 128 bits yet NIST who of course factor in the weakness, still state this year that 112 bits is sufficient and acceptable, hence¬†my referral to¬†3DES as being¬†an¬†exception to weak ciphers.¬† Continue reading

Posted in crypto, Pentest | Leave a comment

7Safe Ethical Hacking Courses accredited by CREST

I’m pleased to write that 7Safe (my employer) have recently had all of their Ethical Hacking courses accredited by CREST! ¬†This is extremely¬†good news as it shows the level of hard work and commitment¬†that is given to maintaining and continually improving our training services.¬† Continue reading

Posted in Other | Tagged , | Leave a comment

Quick tricks to beat the Flick

So here’s my guide to another CTF from VulnHub called Flick:1. ¬†This one was actually released before Tr0ll:1, but I finished this one after as I was trolled so much on the first one I had to take a break and try something else.¬† Continue reading

Posted in CTF | Tagged , | Leave a comment