Wednesday, June 29, 2005
MD5 Project
Check out the nice work Jason over at MD5 Lookup is doing. This is a very similar concept to the one employed in LMCrack.
MD5 Lookup is an online lookup tool for doing MD5 hash to password lookups. The MD5 hashes are pre-computed and stored in a database. The cracking involves a search of the MD5 Lookup Database to return the associated plain-text password. Pretty neat.
The database has ~3,107,933,738 entries already and is being constantly added to.
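The lookup approach described above, and why it only works against unsalted hashes, as an added example that is not code from this blog or from MD5 Lookup. The candidate list, account names and function names are constructed for illustration, and PBKDF2 with a per-user salt is an assumed mitigation that the post does not mention.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the precomputed database.
CANDIDATES = ["password", "letmein", "qwerty", "Summer2005"]

def build_md5_table(candidates):
    """Precompute MD5(password) -> password once; later lookups are dict hits."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}

def audit_unsalted(stored, table):
    """Return {account: password} for every stored hash found in the table."""
    return {user: table[h.lower()] for user, h in stored.items()
            if h.lower() in table}

def hash_salted(password, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (assumed mitigation)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def demo():
    table = build_md5_table(CANDIDATES)
    # Constructed sample credential store using unsalted MD5.
    stored = {
        "alice": hashlib.md5(b"letmein").hexdigest(),
        "bob": hashlib.md5(b"x9!Lr#2vQp-unlisted").hexdigest(),
    }
    exposed = audit_unsalted(stored, table)
    # The same weak password, salted: two users get unrelated records,
    # so one precomputed table can no longer cover every account.
    rec1, rec2 = hash_salted("letmein"), hash_salted("letmein")
    return table, exposed, rec1, rec2

if __name__ == "__main__":
    _, exposed, rec1, rec2 = demo()
    print("accounts exposed by table lookup:", exposed)
    print("salted records differ:", rec1[2] != rec2[2])
```
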
Free L0phtCrack Replacement
My friend the Digital Beachcomber put me onto this one. LCP is a freeware password cracker modeled on L0phtCrack.
LCP is relatively feature rich and you can check out the comparison to LC5 feature by feature on the LCP Comparison page.
Unfortunately it's only about a fifth the speed of L0pht, but hey, it's $1000 cheaper! Very nice.
If you combine the speed of LMCrack (which outputs uncracked passwords for importing into LCP) with the comprehensive results from a brute force cracking attack using LCP, you have a very effective cheap password auditing solution. :-)
Monday, June 27, 2005
WebGoat set-up issues
First, for those of you not familiar with WebGoat, it "is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system".
I had some issues setting it up as it is not as well documented as it could be. To set it up on Windows:
- Download WebGoat with Java (48MB), other versions don't seem to work as well.
- Unzip and run the batch file.
- Make sure nothing is running on port 80 or it will fail.
- Username: guest & password: guest
Could not get to work, BUT remotely from another machine on the network with the same credentials it worked fine (i.e. http://10.0.0.52/WebGoat/attack), which is how I would use it anyway.
Sunday, June 12, 2005
Favourite Gentoo tools
I am slowly converting all my Linux and some of my Windows machines to Gentoo. The following is a list of my "must have" packages before you install anything else.
- ccache - this caches compiled code, so if the compiler is asked for code that has already been compiled, it comes from the cache. This really speeds up subsequent compiles. Install this first.
- esearch - nice command line package search
- gentoolkit - portage tools
- kuroo - if you are using KDE (and why wouldn't you - Gnome is technically inferior :-) Kuroo is a portage tool which simplifies package management. It also includes Gentoo Watcher which monitors packages for currency and notifies of security advisories.
- krusader - Total Commander like tool for KDE