
Security, SHA-1 and co.

Posted: Fri Mar 26, 2010 10:29 pm
by Mayhem
Well I thought it might be interesting for some people to talk about security, passes encryption, "hackerz" on steroidz and so on...


How are passwords encrypted?
Passwords are encrypted in SHA-1 in L2j sql databases. In a few words it's like zomfg-impossible to decrypt.
If you want to read more about that: http://en.wikipedia.org/wiki/SHA_hash_functions

So as example, if your password is "123456", it will be encrypted as

fEqNCco3Yq9h5ZUglD3CZJT4lBs=
in the database.

How can I decrypt that?
With some mighty tools that I won't share, mainly because the point of that topic is not to hack but to know more about security, secondly because you can Google it, you can use the GPGPU power of your graphic card to "decrypt" it.
Most of the time ATI gives better results to hack, while NVIDIA's CUDA is better for CoreAVC or Adobe's software (CS5 shitstorm incoming) for example.

How do "decrypters" work?
They try every password combination until they find out which one gives the same encryption as asked and ta-da!

Example:

Image

In this example I hacked the password 123456 in less than 1 second, with an average speed of 394.3 MILLIONS of passwords tried per second. I usually can go around 410 Millions of pass per second.

Are you telling me that SHA-1 encryption is not safe at all?
It is, if you are not using a retarded password.
Actually, it's all about mathematics now:
To decrypt a password that contains both small letters and digits (36 different characters) and that is 8 characters long, the "decrypter" has to try 36^8 different combinations = 2 821 109 907 456 different combinations
Assuming you have a hacking speed of 400 Millions of pass per second, it will take
(2 821 109 907 456)/(400 000 000) = 7 052,77477 seconds = ~2 hours to try every combination, unless it finds the password before the end.

Examples of different password combination and time to hack it at the speed of 400Mpps.
Only small letters, 8 characters long:
208 827 064 576 different passwords
~9 minutes

Only small letters, 9 characters long:
5.42950368 × 10^12 different passwords
~4 hours

Only small letters, 10 characters long:
1.41167096 × 10^14 different passwords
~100 hours

Small letters + digits, 7 characters long:
78 364 164 096 different passwords
~3 minutes

Small letters + digits, 8 characters long:
2 821 109 907 456 different passwords
~2 hours

Small letters + digits, 9 characters long:
1.01559957 × 10^14 different passwords
~70 hours

Small letters + capital letters, 7 characters long:
1 028 071 702 528 different passwords
~43 minutes

Small letters + capital letters, 8 characters long:
5.34597285 × 10^13 different passwords
~37 hours


I think it is enough to give you an idea of what kind of password you shall use.


Of course if your attacker knows what your password looks like, he can guess what letters/digits he should use instead of the whole alphabet, and how many characters long it should be, which shortens the time of decrypting a lot!



There is another point I'd like to talk about:
Hacking is hard.
Mistakes are easy.

In my case I "hacked" a server's sql password without doing anything special. I also read some sql tables of its database while my IP was not allowed to enter when using navicat.
A simple browser was enough. (Chrome <3)

How did I do that? Well I just entered the IP of the host in the address bar, there were some .php1 files showing the passwords to the whole world and there was some kind of mysql manager on the same IP.
So yeah I did hack some passwords, yet I had NO hacking knowledge. A brain, a browser and Google are enough.



I hope you liked it ;D

Re: Security, SHA-1 and co.

Posted: Sat Mar 27, 2010 3:15 am
by Qarked
You open America! rofl :mrgreen: :mrgreen: :mrgreen:

Re: Security, SHA-1 and co.

Posted: Sat Mar 27, 2010 7:08 am
by Vapulabe
A little more about this...

1) in a security system, the strength of the whole system is the strength of the weakest link
Even if you use perfect algorithms, if the way you use them is crap, the whole system is crap

2) Hashing is transforming a string to another one, losing most of the information.
Several strings may result in the same hash. There is a kind of attack on hashes which is not about finding a text for a specific hash but two texts which give the same hash value. An attack called "anniversary attack" is often used for that. It's based on the fact that in a group, you've more chance to have two items with the same value than one with a specific value.
For a given hash value, many strings will return the hash. But some of them are more usable than other... Some will be pure binary (non-printable characters, graphic characters, ...) and other may be words.

3) dual hash
One way to strengthen hash is to make two equally secure hashes on the values. The set of the strings which gives both hash values is the intersection of the two sets and is much smaller. This will prevent alternate passwords from being found.

4) salt
if you get the whole password list, each try will be compared to each password. This means that it won't take longer to crack all passwords. One way to prevent that is to make the password string twofold : a cleartext salt value and the hashed password.
The salt value is used to alter either the hash algorithm (unix crypt using DES), the Initialisation Vector of the hash function or the password (by prepending or appending the salt to the password for example).
That way, you may only crack one password at a time.

5) Best hacking system is not a computer
If you really want to go in hacking, the best is to have an FPGA array which will be responsible for the computations. FPGA will be able to do the same calculation in less time and using less power. Also, for the same computing power, it'll take less room than a computer cluster.

6) Bruteforce attacks
To do a bruteforce, you'll have two parts : a string generator and a hash generator. If the second has only to be fast, the first one has to be fast and well tuned.
John the ripper (slow program that used to be the state of the art years ago) uses the following method :
a) using a given dictionary
b) using the same dictionary plus some basic mutation (adding a digit at the end, UC whole word, replacing e by 3, i by ! (3|_337 script), ...)
c) using the same dictionary with intensive mutation (more on inserting digits, UC some letters,...)
d) bruteforce using an optimized character set (etaoinshrdlu in the beginning (letters most used in english) for example)
The character set has to be chosen with care. Main subsets are lowercase, uppercase, numbers, punctuation, accented letters (éèêë,...), special characters (#@{}[][^~...),... sometimes, a first pass will be done with some group of subsets and then, a slower pass will be made with more subsets (resulting in some passwords checked twice)

7) best way to avoid password hacking ?
Well, in order to attack your users' passwords, a hacker will first need to be able to dump the password lists. This will require an access to your DB which can only be done
- if DB access allowed from outside (still need to crack your DB password or read it from some files)
- if attacker is able to alter or exploit some web pages (Perl, PHP, Python, Servlet/JSP, ...) that have access to your DB
- if attacker can get a shell on your computer and use it to read the password from L2J config then connect locally to the DB.

Best practice includes
- a secure DB password
- a separate access for the web part with less permissions (for example, no access to the passwords)
- DB server firewalled so it won't be accessible from internet, only from the L2J server and, optionally, the web server
- no web DB management tools (use the command line... I know, it's not as easy but the web management tool (like phpmyadmin) will remove some of the host-based protections)
- one machine, one service...
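
[Added example, not part of any post in this thread.] The salt point (4) above, applied to the unsalted Base64 SHA-1 format quoted in the first post: with no salt, accounts sharing a password are visible in a dump before any guessing, while a per-account salt with a slow hash hides that and forces one attack per account. PBKDF2-HMAC-SHA256, the iteration count, the `iterations$salt$hash` layout and the sample accounts are assumptions made for this illustration, not L2J's own code.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, tune it to your own hardware


def legacy_hash(password):
    """Unsalted Base64(SHA-1(password)): the format quoted in the first post."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def salted_hash(password, salt=None):
    """Random per-account salt + PBKDF2-HMAC-SHA256, as 'iterations$salt$hash'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_b64, hash_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(hash_b64))


def shared_password_groups(rows):
    """Accounts whose stored values are identical, readable straight from a dump."""
    by_value = {}
    for user, stored in rows.items():
        by_value.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample accounts (not from the thread).
    accounts = {"alice": "123456", "bob": "123456", "carol": "tr0ub4dor"}
    legacy = {u: legacy_hash(p) for u, p in accounts.items()}
    salted = {u: salted_hash(p) for u, p in accounts.items()}
    print(legacy["alice"])                  # same value as in the first post
    print(shared_password_groups(legacy))   # alice and bob are linked
    print(shared_password_groups(salted))   # no links once salted
    print(verify("123456", salted["alice"]))
```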

Re: Security, SHA-1 and co.

Posted: Sat Mar 27, 2010 6:28 pm
by Probe
this is a nice password checker, I wouldn't recommend anything less than 100% for your passwords
http://www.passwordmeter.com/

Re: Security, SHA-1 and co.

Posted: Sat Mar 27, 2010 7:48 pm
by Qarked
Probe wrote:this is a nice password checker, I wouldn't recommend anything less than 100% for your passwords
http://www.passwordmeter.com/
slowly variant..
in first post use CUDA on Video card graphic processor, very fast :x

Re: Security, SHA-1 and co.

Posted: Sat Mar 27, 2010 7:58 pm
by Mayhem
Qarked wrote:in first post use CUDA on Video card graphic processor, very fast :x
It depends on what you are using it for, for hacking ATI wins in performance, but for everything else CUDA is probably better supported.

Re: Security, SHA-1 and co.

Posted: Sun Mar 28, 2010 3:50 am
by Qarked
Mayhem wrote:
Qarked wrote:in first post use CUDA on Video card graphic processor, very fast :x
It depends on what you are using it for, for hacking ATI wins in performance, but for everything else CUDA is probably better supported.
ATI Fanboy? :mrgreen: ATI crap!
Pls hack my password :D LNK9zysL7NNkoeqSypZGoV1Z9Vs=
:x :mrgreen:

Re: Security, SHA-1 and co.

Posted: Sun Mar 28, 2010 9:21 am
by Mayhem
Qarked wrote:ATI Fanboy? :mrgreen: ATI crap!
Pls hack my password :D LNK9zysL7NNkoeqSypZGoV1Z9Vs=
:x :mrgreen:
No I'm NVIDIA powered and fan ;D
I tried but it seems complicated enough and I don't want to lose my time for this ;D

Re: Security, SHA-1 and co.

Posted: Sun Mar 28, 2010 8:34 pm
by Qarked
Mayhem wrote:
Qarked wrote:ATI Fanboy? :mrgreen: ATI crap!
Pls hack my password :D LNK9zysL7NNkoeqSypZGoV1Z9Vs=
:x :mrgreen:
No I'm NVIDIA powered and fan ;D
I tried but it seems complicated enough and I don't want to lose my time for this ;D
Hahaha :D

Re: Security, SHA-1 and co.

Posted: Thu Apr 01, 2010 9:47 pm
by Forsaiken
And now pls work with a regular ping + flood protection of a regular sql server.
Srsly what is this topic about? To show how cool it is to use opencl? (and how cool it is that U can use it?)

Re: Security, SHA-1 and co.

Posted: Thu Apr 01, 2010 10:19 pm
by MELERIX
SHA1 can be decrypted, but only using rainbow tables with brute force, anyway could take a lot of time :P

Re: Security, SHA-1 and co.

Posted: Fri Apr 02, 2010 1:18 pm
by Mayhem
Forsaiken wrote:And now pls work with a regular ping + flood protection of a regular sql server.
Srsly what is this topic about? To show how cool it is to use opencl? (and how cool it is that U can use it?)
You didn't understand how it works, if you hacked or if you are some kind of corrupted admin you just take the encrypted password and try to decrypt it, you can decrypt it offline.
So the point of that topic is to talk about security, password encryption and what kind of passwords are vulnerable.

Re: Security, SHA-1 and co.

Posted: Thu Apr 26, 2012 6:34 pm
by MichalisKrdm
well....I just saw this topic and used google search and look what I found!
It converted my codes about half of the times I tried but it's cool!
http://www.md5decrypter.co.uk/sha1-decrypt.aspx