The question about why don’t we brute force WPA PSK’s (Pre Shared Keys) comes up a lot. The current technologies available do not allow for WPA/WPA2 PSK’s to be brute forced in a reasonable amount of time. Below I show specific numbers that can help anyone understand why brute forcing WPA passwords is near impossible at this point. So if you cannot brute force WPA PSK’s the most reasonable attack against WPA PSK’s is a dictionary attack which means that you create a list of character combinations that are more likely to be used than other character combinations. In fact the wordlist we offer for WPA PSK cracking on tools.question-defense.com is currently over 1.5 billion combinations that vary in length from 8 to 20 characters. We believe our wordlist to be one of the most if not the most extensive wordlists available on the Internet. This is a wordlist that purehate started building over 5 years ago and that we have put a lot of time into over the past couple of years. Passwords and how people generate passwords are something that we both continue to learn more about and we use that knowledge to fine tune our wordlist on a regular basis. Take a look below at the hard numbers.

Read the rest of this entry »

We are doing our best to continue our forward momentum.

So purehate and I expanded our WPA wordlist to over 1.5 billion combinations and brought our NTLM cracker back online late last night. We are in process of building out wordlists more geared towards hashes and brining other hash crackers online. Our current list of hash crackers we are working on includes DES, MD5, MD4, SHA1, Domain Cached Credentials v2 (mscache2), MSSQL 2000, MSSQL 2005, MySQL (v4.1+), and Oracle 11g. Again if you have any specific services you would like to see online sooner rather than later just let us know.

Stay tuned for further updates…

Today we launched an online hash analyzer which was actually is some code we found on github I believe and we will be expanding in the near future. It is pretty slick but as you know many hashes are made up the same as other hashes such as any hash that is 32 hexadecimal characters in length. Anyhow we are open to suggestions so please send them to us if you have them.

We also launched an automated Domain Cached Credentials(DCCv1) hash cracker. Currently this cracker only has a single option available but we will have some other options by weeks end at the latest. Our system will go through over 4.5 billion combinations a second when attempting to audit DCC version one hashes. Click here to use our online Domain Cached Credentials hash cracker.

Our MD4, MD5, NTLM, and SHA1 hash crackers have been taken offline while we upgrade those automated systems. If you would like any of those style hashes cracked let us know via our contact form here.

Last but not least we would again like to mention the Hashcat team and especially atom from Hashcat. If you want to analyze hash strength on your own without using our automated systems we suggest Hashcat which is open source and available for download here.

Look for more updates in the near future. Don’t forget to follow us on twitter by following @qdtools.

We decided to also launch the long overdue automated MD5(UNIX) hash cracker this afternoon. The same algorithm is used for md5crypt hashes, FreeBSD MD5 hashes, and Cisco IOS MD5 hashes so you can upload any of those hash types by clicking here. The hashes should begin with $1$ and will be a total 35 characters long such as the following hash below which is the MD5(Unix) hash of password.

Example MD5(Unix): $1$9Kz8IJjJ$CP/7PheN7Pz/hkslyJATu/

Currently we are only offering two options in terms of the combinations that will be attempted against MD5(Unix) hashes but we will be adding more in the near future. The first option is our WPA wordlist which has a billion combinations all over 8 characters. The other combination is the same wordlist using the oclHashcat best64.rule which adds 64 variants of the same combinations for a total of around 65 billion combinations attempted. We will be writing out the details of the best64.rule for reference in the near future.

We would like to thank atom and the Hashcat team for putting out the best password cracking software on the planet. It is amazing what has been done with Hashcat, oclHashcat, oclHashcat-plus, etc. in the past year and a half. We look forward to helping to make Hashcat prosper in the future!

Last night we made some major changes to our automated WPA/WPA2 wireless network capture analysis tool. In the beginning of our service it took around 3.5 hours to process any WPA capture file uploaded against our wordlist of a billion combinations. Around 3 months ago we made an improvement in hardware that improved the 3.5 hour process time to 2.25 hours to process a WPA capture against our premium wordlist. Starting today it will now take less than an hour to process WPA/WPA2 wireless network captures against or billion combination wordlist! These improvements will allow us to make a large amount of additions to our primary WPA dictionary that we have been waiting to do so process time was not heavily impacted.

The improvements made in the past couple of days also put down the groundwork for the changes to all of our automated hash crackers that we have been talking about for quite some time. Look for changes and a bunch of additions in the near future which will include tons of new hash types that we can process including MD5(Unix), MySQL, and Domain Cached Credentials (v1 and v2). Also the amount of combinations we can process and the speed at which they are processed will be greatly improved. Once the initial brute force methods are brought online we will also be adding options to select various rules or rulesets instead of brute forcing which improve results many fold. If you have specific hash types, character combinations, or rulesets you would like to see offered please drop us a line.

Please encourage others to use more secure passwords. With the technologies progressing as rapidly as they are there are not going to be any passwords under 12 chars that are safe in the very near future.

We have been slammed around the office lately and it is a rare occasion when purehate and I are both in the office at the same time because we have been traveling a ton. Anyhow we wanted to show you a new sign we got inside the office which is forty inches by forty inches and looks awesome at night. The video below shows the lighting system of the sign in action.

One of our friends from London, James from Group101 (note: site is still about a month from launch), who owns a media company sent it to us and we could not be happier with the results!

We also have some new hardware on order for the Tools server and we are still in process of launching new tools. There is another project that we are working on that I think people will really like but it will be at least a couple months until it is all the way off the ground.

Please send us any suggestions, comments, etc. you may have for our site by clicking here. We would also definitely like to hear what you think of the new sign in our office. We look forward to hearing from you.

We added a TShark for Windows tutorial today which can be viewed by clicking here. The tutorial is fairly basic and simply explains that TShark is installed by default with Wireshark as well as how to add TShark to the Windows users Path variable.

Request Tutorials From Question Defense!

We are always looking for articles to write so if any of you have technical articles you would like to see written regarding anything related to the Question Defense Automated Tools let us know by submitting the request via the QD Tools Contact Form.

We just wanted to provide an update of what has been going on with QD Tools. We are still working on a major update to the system that will change all of our hash cracking services including making them faster so we can offer longer character length and more characters for less money.

Read the rest of this entry »

I just calculated 9704448 keys for Thompson routers. These routers ship with a default essid and a default wpa key which most people do not change. The keys can be calculated from a range of default essids and are all in uppercase hex. Adding these keys should greatly increase the chances of recovering wpa keys from Thompson routers.

Recently purehate and I were invited to present Hashcat and oclHashcat password cracking techniques at a ISSA Password Exploitation class being taught by one of our good friends irongeek. Purehate already wrote a basic summary of the class along with a link to the videos of the class which include our sections as well as irongeeks sections of the class. We have gotten numerous requests for the slides to be posted so I generated a PDF and posted the slides here.

Read the rest of this entry »