Svarychevski Michail Aleksandrovich put up a version of BarsWF for ATI BROOK not long ago, but the results were less than spectacular. I recently updated to CCC 9.5 and wanted to give it another shot. Here are my hardware specs for my Vista 64 box:
CPUZ – Stock clock speeds.
GPUZ – Also stock speeds.

And here is the BarsWF run.

This particular run is a demo of ideal circumstances. I know the password’s charset and length, so I specified them on the command line:

C:\sec\md5>BarsWF_Brook_x64.exe -h d19ff6fb09cafa03d51ecac250bf71a8 -c 0A -min_len 10

Here is the same run under less than ideal circumstances. I don’t know anything about the hash, so I will just run the defaults:

C:\sec\md5>BarsWF_Brook_x64.exe -h d19ff6fb09cafa03d51ecac250bf71a8 -c 0aA~

So, we can see that it is indeed quite fast when running the full charset, though it should be noted that the ETA is quite off. It will likely reset a few times before finding the hash. It’s great to know that ATI owners have a GPU bruteforce option now. I’d really like to see this tech developed further to include other hash methods as well.

**UPDATE**
Here’s a screen of its memory usage after about 5 hours of running.
Looks like it’s using around 100MB RAM per hour at this point. I’ll continue to watch it and hopefully have it finish before it starts paging everything (which is a must-reboot scenario with Vista for some reason).


Dave from Security Ninja shows how you can easily bruteforce a certain parameter to allow access to any user’s Facebook photo album using Burp Suite. Here are the basics:

Access to albums in Facebook is controlled by three parameters of a URL. You can see them here:

http://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c

aid=-3 (-3 for every public profile album)
id=0123456789 (Obtained by searching for the user and hovering over the add friend button)
l=? (all we know is it’s 5 characters from the 0123456789abcdef range)

Dave uses Burp Suite, but there are many ways you can go about it. I think a dictionary of possible values might be marginally faster (untested) so I’ll use that.

First is one of my favorite methods, w3af’s Fuzzy Requests and Clustered Response tools.

GET http://www.facebook.com/album.php?aid=-3&id=targetsid&l=$[l.strip() for l in file('fbhex.dic').readlines()]$ HTTP/1.0
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/312.1 (KHTML, like Gecko) Safari/312
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded

Here’s the dictionary (1.1MB, zipped), extract it to your w3af directory.

After the run is finished, run the Cluster tool and wait. The valid page should show up far away from the rest of them.

Another tool that could be used for this is Edge Security’s WebSlayer:
URL:
http://www.facebook.com/album.php?aid=-3&id=targetsid&l=FUZZ
Set it to ignore lines so you can find your valid request faster. Currently, the error page contains 71 lines, but this may be different for you. Just run the scan for a few seconds and look at the number of lines that each error page contains, then stop the scan, enter the number in the ignore lines box and start again.


Other useful features of WebSlayer are the ability to control the rate and set proxy options.

There are likely MANY other tools that you can use to accomplish this task, but these seem to be the simplest.
Good luck, and remember:

Check out Dave’s post for the Burp Suite method he uses to generate the needed parameter.
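
The `l` value described above has only 16^5 = 1,048,576 possibilities, so on the server side a sweep shows up in access logs as one client requesting the same `id` with many different `l` values. The following is an added example, not code from this post or from Dave’s, that flags that pattern; the log format, the threshold, the function names and the sample lines are all assumptions constructed for illustration:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed combined-log-style line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" \d{3} \d+')
TOKEN_RE = re.compile(r'^[0-9a-f]{5}$')   # shape of the l parameter described in the post
KEYSPACE = 16 ** 5                        # 1,048,576 possible l values (20 bits)

def find_token_enumeration(lines, max_distinct=5):
    """Return {(client, album_owner_id): distinct_l_count} for clients that
    tried more than max_distinct different l values against one id."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a GET request in the assumed format
        client, target = m.group(1), m.group(2)
        url = urlsplit(target)
        if not url.path.endswith("/album.php"):
            continue
        query = parse_qs(url.query)
        owner = query.get("id", [""])[0]
        token = query.get("l", [""])[0].lower()
        if owner and TOKEN_RE.match(token):
            seen[(client, owner)].add(token)
    return {k: len(v) for k, v in seen.items() if len(v) > max_distinct}

def sample_log():
    """Constructed sample: one client sweeping l values, one ordinary visitor."""
    ts = "[01/Jan/2010:00:00:00 +0000]"
    lines = [f'198.51.100.7 - - {ts} "GET /album.php?aid=-3&id=1000001&l={i:05x} HTTP/1.0" 200 7100'
             for i in range(40)]
    lines.append(f'203.0.113.9 - - {ts} "GET /album.php?aid=-3&id=1000001&l=0beef HTTP/1.1" 200 48213')
    lines.append(f'203.0.113.9 - - {ts} "GET /photo.php?pid=1 HTTP/1.1" 200 9000')
    return lines

if __name__ == "__main__":
    for (client, owner), n in find_token_enumeration(sample_log()).items():
        print(f"{client} tried {n} distinct l values for id={owner} "
              f"({n / KEYSPACE:.4%} of the {KEYSPACE} keyspace)")
```

Counting distinct values per client and `id` is only a starting point: a sweep spread across many source addresses needs the same count keyed on `id` alone.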
