So I've only been looking at these things for around 20 minutes.
What I can make out of Rainbow tables and hashes are that the rainbow table is a huge list of different hashes and it's possible to use that list in programs to try and find a match to the password hash.
It seems like this method is only used for simple and not very secure websites, right?
Thanks in advance for any help and advice.
Quote:
Originally Posted by Use
Yes it is considered infeasable with websites that add a salt to their hashes. However, for smaller websites which aren't backed by extremely knowledgeable dev's, it can be effective (I believe). I'm not too well versed on the subject myself, but they're rather ineffective due to the fact they require alot of storage space and grow exponentially larger when there are extra characters in a password.
Depending on the hash, it might be easier to decrypt by using free websites which specialize in cracking hashes for passwords.
MD5Decrypter.co.uk, Over 8.7 billion Decrypted Hashes, Free MD5 Decryptor, MD5 Cracker, MD5 Security Hacking
Okay thanks.Quote:
Originally Posted by PrincessFluttershy
So I'm still looking at gaia when I'm talking about cracking passwords, I'm guessing they add a ton of "salt" to the hashes.
The easier to crack the password also depends on how long it is and what characters than?
Thanks for the link, I'm about to look at it.
The website I linked you can be thought of as one giant rainbow table. Hashes are calculated by a certain algorythim which can be decrypted with the the same formula. The point of rainbow tables is so that all the hashes are already pre-calculated and the corresponding password is saved to match the exact hash. The reason why it's not quite as feasible for someone to use their own rainbow table is because the amount of data storage you would need, as well as saving all of that data with no efficient way to sort and search the hashes makes it not worth it. Of course you would also need to calculate an asston of hashes and their corresponding passwords and save them yourself, ya-da ya-da. It would only be plausibly done by an automaton. Doing it by hand wouldn't be worth it.Quote:
Originally Posted by Use
For this reason, the shorter the password is, the easier it is to 'crack it'.
That is because 1 character has x amount of possibilities, (idk 40?) so there are a total of 40 hashes that need to be saved. When it is 2 characters, it is 40*40 because there are suddenly 40^2 combinations, so on and so fourth of pre-saved hashes. Anyone feel free to correct me if I'm wrong, half of this is out of my ass.
Oh okay, I'm starting to get it.Quote:
Originally Posted by PrincessFluttershy
Just using this method is still confusing to me as what the input would be.
I see Flareboy lurking, maybe he can correct or add anything.
Thanks!
Put it this way:
if you can get your hands on hashes, you are fucking golden. The issue is not cracking the hashes, but obtaining them in the first place.
Best of luck.
Okay.Quote:
Originally Posted by PrincessFluttershy
It's just a matter of time after I get them, right?
Since you're putting it like that, it must be pretty hard to get the hashes?
Do you know any guides or tutorials? Anything that might help would be great.
And thanks ^^
Ive seen the hashs for gaia passwords. If I wasnt mistaken (Which I completely might of been) They do add a ton of salt to the hash.Quote:
Originally Posted by PrincessFluttershy
Well for Gaia, I don't think its possible to bruteforce passwords without an exploit. You should innovate and try to find your own solution! :D
So would my plan be to get the hashes and than strip them down?Quote:
Originally Posted by Omlett
Or does the salt mean it's harder to get them?
You were lurking forever according to the thread info. bar, I thought you were typing up a storm xDQuote:
Originally Posted by Flareboy323
I've tried some super simple passwords on the accounts I have which haven't worked, but I dunno who in the world would use the passwords I tried (basically same as usernames), but I have seen it be that way actually.
I've only been going at this cracking stuff for a week at the most xD, I don't know if I have the knowledge to make my own solution yet.
But if I do somehow get my hands on the hashes, I will try to make it easier and easier.
If you got your hands on the hashes, it would be an AMAZING feat. From there though, they would still be extremely hard to crack because of how much they salted them :oQuote:
Originally Posted by Use
If you take your time you can find a way into gaias admin pannel, so thats where I would start. Ive never been able to decrypt a salted hash but im not really a hacker.Quote:
Originally Posted by Use
Correction, apparently without the use of rainbow tables, reverse engineering hashes is impossible?
Not positive but from some sources i found online that seems to be the case.
How would anyone be able to get into the admin panel without being an admin?Quote:
Originally Posted by Omlett
I remember seeing aleena doing something like that but apparently it's debatable whether or not it was legit or...?
Okay...Quote:
Originally Posted by Flareboy323
Seems really hard xD
Some other people should be trying with me also, it seems like no one else is interested in cracking gaia passwords
A couple of devs I talked to said it was just a hoax (which I knew from the start). It was just a vacant test server that he used to register the account 'Lanzer' which doesn't have any user leverage there.Quote:
Originally Posted by Use
Okay xDQuote:
Originally Posted by The Unintelligible
I have no idea where to start if I wanted to get into the admin panel.
Ive been on the admin panal on a test server (test8) thats where people would use the email exploit, but it was patched a while ago. I think it was under the gaiacash section.
You don't. At this point, it would be virtually impossible. Gaia's beefed up their security a lot since related incidents occurred.Quote:
Originally Posted by Use
Gaiaonline Admin Control Panel (From back in my hacking days) - YouTube
Doesn't take a super genius to figure out it's not legit. 0:38 in this video
No market data. When in the world did gaia have no market data for 6 items on the front page? That means its desynced from the live server.
Only the video in itself still makes it plausible that he got into the actual ACP. At least to most kids. The developers themselves formally confirmed that it's false.Quote:
Originally Posted by PrincessFluttershy
Trust in videos of nature is like believing in magic. There's usually a trick behind them.Quote:
Originally Posted by The Unintelligible
So, my choices are to somehow get the hashes.
or
brute-force?
#1 isn't possible. Unless voodoo magic happens. #2 is ineffective and in theory not feasible.Quote:
Originally Posted by Use
do some research to unrestrict your possibilities. Hashes and brute-forcing are means to an end. I can think of a dozen ways to get passwords that doesn't explicitly require you to brute-force gaia or get password hashes from gaiaQuote:
Originally Posted by Use
Okay, I'll find something that works, eventually.Quote:
Originally Posted by PrincessFluttershy
off to google 8|
To tip you off, the most common ways is to use malware (keyloggers, RATs, etc), FLPs or any variants (e.g. FMP [Fake Marketplace]), or old-fashioned Social Engineering.Quote:
Originally Posted by Use
I've never heard of keyloggers, or RATs, but I know what FLPs are. I don't know how to use FMP's xD or where to find anything about them since a lot of forums aren't allowed to discuss about them.Quote:
Originally Posted by The Unintelligible
What's Social Engineering?
Also, FLPs and FMPs wouldn't help me get any old accounts, I don't really want to get active accounts since it would be even harder to transfer the items or gold.
While those are apart of the dozens, they're rather old-fashioned and ineffective. My personal hint was using the word 'gaia'.Quote:
Originally Posted by The Unintelligible
I don't use any of them so I wouldn't know. But I don't really see any real hint in your post. And I doubt the methods you use are more effective than those.
Back then there were exploits that proved to be more efficient, but most if not all of those are gone now. XSS is probably still around but that's probably as effective as getting them to download something.
If i really have to put it simply, find a website with a high correlation of gaia players also signed up to said website (which may be less secure) and breach security in that instead. While it may or may not work with gaia (tek tek comes ot mind but I dont believe it stores user accounts), passwords from that site may either be in plaintext or nonsalted passwords.Quote:
Originally Posted by The Unintelligible
You've suggested this to me before I believe. That's all dependent of whether they use a universal password or not (or a highly similar password). It's also definitely not more effective and a lot slower.Quote:
Originally Posted by PrincessFluttershy
Though, nonetheless it's a more creative approach. It all depends on the situation I guess.
Worked for neopets. Earned the hacker over 20,000 dollars and still going within the course of a few months.Quote:
Originally Posted by The Unintelligible