I just learned about rainbow tables and cracking password hashes.

[Use]

So I've only been looking at these things for around 20 minutes.
What I can make out of Rainbow tables and hashes are that the rainbow table is a huge list of different hashes and it's possible to use that list in programs to try and find a match to the password hash.

It seems like this method is only used for simple and not very secure websites, right?

Thanks in advance for any help and advice.

[PrincessFluttershy]

So I've only been looking at these things for around 20 minutes.
What I can make out of Rainbow tables and hashes are that the rainbow table is a huge list of different hashes and it's possible to use that list in programs to try and find a match to the password hash.

It seems like this method is only used for simple and not very secure websites, right?

Thanks in advance for any help and advice.

Yes it is considered infeasable with websites that add a salt to their hashes. However, for smaller websites which aren't backed by extremely knowledgeable dev's, it can be effective (I believe). I'm not too well versed on the subject myself, but they're rather ineffective due to the fact they require alot of storage space and grow exponentially larger when there are extra characters in a password.

Depending on the hash, it might be easier to decrypt by using free websites which specialize in cracking hashes for passwords.

MD5Decrypter.co.uk, Over 8.7 billion Decrypted Hashes, Free MD5 Decryptor, MD5 Cracker, MD5 Security Hacking

[Use]

Yes it is considered infeasable with websites that add a salt to their hashes. However, for smaller websites which aren't backed by extremely knowledgeable dev's, it can be effective (I believe). I'm not too well versed on the subject myself, but they're rather ineffective due to the fact they require alot of storage space and grow exponentially larger when there are extra characters in a password.

Depending on the hash, it might be easier to decrypt by using free websites which specialize in cracking hashes for passwords.

MD5Decrypter.co.uk, Over 8.7 billion Decrypted Hashes, Free MD5 Decryptor, MD5 Cracker, MD5 Security Hacking

Okay thanks.
So I'm still looking at gaia when I'm talking about cracking passwords, I'm guessing they add a ton of "salt" to the hashes.
The easier to crack the password also depends on how long it is and what characters than?
Thanks for the link, I'm about to look at it.

[PrincessFluttershy]

Okay thanks.
So I'm still looking at gaia when I'm talking about cracking passwords, I'm guessing they add a ton of "salt" to the hashes.
The easier to crack the password also depends on how long it is and what characters than?
Thanks for the link, I'm about to look at it.

The website I linked you can be thought of as one giant rainbow table. Hashes are calculated by a certain algorythim which can be decrypted with the the same formula. The point of rainbow tables is so that all the hashes are already pre-calculated and the corresponding password is saved to match the exact hash. The reason why it's not quite as feasible for someone to use their own rainbow table is because the amount of data storage you would need, as well as saving all of that data with no efficient way to sort and search the hashes makes it not worth it. Of course you would also need to calculate an asston of hashes and their corresponding passwords and save them yourself, ya-da ya-da. It would only be plausibly done by an automaton. Doing it by hand wouldn't be worth it.

For this reason, the shorter the password is, the easier it is to 'crack it'.

That is because 1 character has x amount of possibilities, (idk 40?) so there are a total of 40 hashes that need to be saved. When it is 2 characters, it is 40*40 because there are suddenly 40^2 combinations, so on and so fourth of pre-saved hashes. Anyone feel free to correct me if I'm wrong, half of this is out of my ass.

[Use]

The website I linked you can be thought of as one giant rainbow table. Hashes are calculated by a certain algorythim which can be decrypted with the the same formula. The point of rainbow tables is so that all the hashes are already pre-calculated and the corresponding password is saved to match the exact hash. The reason why it's not quite as feasible for someone to use their own rainbow table is because the amount of data storage you would need, as well as saving all of that data with no efficient way to sort and search the hashes makes it not worth it. Of course you would also need to calculate an asston of hashes and their corresponding passwords and save them yourself, ya-da ya-da. It would only be plausibly done by an automaton. Doing it by hand wouldn't be worth it.

For this reason, the shorter the password is, the easier it is to 'crack it'.

That is because 1 character has x amount of possibilities, (idk 40?) so there are a total of 40 hashes that need to be saved. When it is 2 characters, it is 40*40 because there are suddenly 40^2 combinations, so on and so fourth of pre-saved hashes. Anyone feel free to correct me if I'm wrong, half of this is out of my ass.

Oh okay, I'm starting to get it.
Just using this method is still confusing to me as what the input would be.

I see Flareboy lurking, maybe he can correct or add anything.
Thanks!

[PrincessFluttershy]

Put it this way:

if you can get your hands on hashes, you are fucking golden. The issue is not cracking the hashes, but obtaining them in the first place.

Best of luck.

[Use]

Put it this way:

if you can get your hands on hashes, you are fucking golden. The issue is not cracking the hashes, but obtaining them in the first place.

Best of luck.

Okay.
It's just a matter of time after I get them, right?

Since you're putting it like that, it must be pretty hard to get the hashes?
Do you know any guides or tutorials? Anything that might help would be great.

And thanks ^^

[Omlett]

Put it this way:

if you can get your hands on hashes, you are fucking golden. The issue is not cracking the hashes, but obtaining them in the first place.

Best of luck.

Ive seen the hashs for gaia passwords. If I wasnt mistaken (Which I completely might of been) They do add a ton of salt to the hash.

[323]

Well for Gaia, I don't think its possible to bruteforce passwords without an exploit. You should innovate and try to find your own solution!

[Use]

Ive seen the hashs for gaia passwords. If I wasnt mistaken (Which I completely might of been) They do add a ton of salt to the hash.

Suld my plan be to get the hashes and than strip them down?
Or does the salt mean it's harder to get them?

[Use]

Well for Gaia, I don't think its possible to bruteforce passwords without an exploit. You should innovate and try to find your own solution!

You were lurking forever according to the thread info. bar, I thought you were typing up a storm xD

I've tried some super simple passwords on the accounts I have which haven't worked, but I dunno who in the world would use the passwords I tried (basically same as usernames), but I have seen it be that way actually.

I've only been going at this cracking stuff for a week at the most xD, I don't know if I have the knowledge to make my own solution yet.
But if I do somehow get my hands on the hashes, I will try to make it easier and easier.

[323]

You were lurking forever according to the thread info. bar, I thought you were typing up a storm xD

I've tried some super simple passwords on the accounts I have which haven't worked, but I dunno who in the world would use the passwords I tried (basically same as usernames), but I have seen it be that way actually.

I've only been going at this cracking stuff for a week at the most xD, I don't know if I have the knowledge to make my own solution yet.
But if I do somehow get my hands on the hashes, I will try to make it easier and easier.

If you got your hands on the hashes, it would be an AMAZING feat. From there though, they would still be extremely hard to crack because of how much they salted them

[Omlett]

Suld my plan be to get the hashes and than strip them down?
Or does the salt mean it's harder to get them?

If you take your time you can find a way into gaias admin pannel, so thats where I would start. Ive never been able to decrypt a salted hash but im not really a hacker.

[PrincessFluttershy]

Correction, apparently without the use of rainbow tables, reverse engineering hashes is impossible?

Not positive but from some sources i found online that seems to be the case.

[Use]

If you take your time you can find a way into gaias admin pannel, so thats where I would start. Ive never been able to decrypt a salted hash but im not really a hacker.

How would anyone be able to get into the admin panel without being an admin?
I remember seeing aleena doing something like that but apparently it's debatable whether or not it was legit or...?

[Use]

If you got your hands on the hashes, it would be an AMAZING feat. From there though, they would still be extremely hard to crack because of how much they salted them

Okay...
Seems really hard xD
Some other people should be trying with me also, it seems like no one else is interested in cracking gaia passwords

[The Unintelligible]

How would anyone be able to get into the admin panel without being an admin?
I remember seeing aleena doing something like that but apparently it's debatable whether or not it was legit or...?

A couple of devs I talked to said it was just a hoax (which I knew from the start). It was just a vacant test server that he used to register the account 'Lanzer' which doesn't have any user leverage there.

[Use]

A couple of devs I talked to said it was just a hoax (which I knew from the start). It was just a vacant test server that he used to register the account 'Lanzer' which doesn't have any user leverage there.

Okay xD
I have no idea where to start if I wanted to get into the admin panel.

[Omlett]

Ive been on the admin panal on a test server (test thats where people would use the email exploit, but it was patched a while ago. I think it was under the gaiacash section.

[The Unintelligible]

Okay xD
I have no idea where to start if I wanted to get into the admin panel.

You don't. At this point, it would be virtually impossible. Gaia's beefed up their security a lot since related incidents occurred.

[PrincessFluttershy]

Gaiaonline Admin Control Panel (From back in my hacking days) - YouTube

Doesn't take a super genius to figure out it's not legit. 08 in this video

No market data. When in the world did gaia have no market data for 6 items on the front page? That means its desynced from the live server.

[The Unintelligible]

Gaiaonline Admin Control Panel (From back in my hacking days) - YouTube

Doesn't take a super genius to figure out it's not legit. 08 in this video

No market data. When in the world did gaia have no market data for 6 items on the front page? That means its desynced from the live server.

Only the video in itself still makes it plausible that he got into the actual ACP. At least to most kids. The developers themselves formally confirmed that it's false.

[PrincessFluttershy]

Only the video in itself still makes it plausible that he got into the actual ACP. At least to most kids. The developers themselves formally confirmed that it's false.

Trust in videos of nature is like believing in magic. There's usually a trick behind them.

[Use]

So, my choices are to somehow get the hashes.
or
brute-force?

[The Unintelligible]

So, my choices are to somehow get the hashes.
or
brute-force?

#1 isn't possible. Unless voodoo magic happens. #2 is ineffective and in theory not feasible.

[PrincessFluttershy]

So, my choices are to somehow get the hashes.
or
brute-force?

do some research to unrestrict your possibilities. Hashes and brute-forcing are means to an end. I can think of a dozen ways to get passwords that doesn't explicitly require you to brute-force gaia or get password hashes from gaia

[Use]

do some research to unrestrict your possibilities. Hashes and brute-forcing are means to an end. I can think of a dozen ways to get passwords that doesn't explicitly require you to brute-force gaia or get password hashes from gaia

Okay, I'll find something that works, eventually.

off to google 8|

[The Unintelligible]

Okay, I'll find something that works, eventually.

off to google 8|

To tip you off, the most common ways is to use malware (keyloggers, RATs, etc), FLPs or any variants (e.g. FMP [Fake Marketplace]), or old-fashioned Social Engineering.

[Use]

To tip you off, the most common ways is to use malware (keyloggers, RATs, etc), FLPs or any variants (e.g. FMP [Fake Marketplace]), or old-fashioned Social Engineering.

I've never heard of keyloggers, or RATs, but I know what FLPs are. I don't know how to use FMP's xD or where to find anything about them since a lot of forums aren't allowed to discuss about them.

What's Social Engineering?
Also, FLPs and FMPs wouldn't help me get any old accounts, I don't really want to get active accounts since it would be even harder to transfer the items or gold.

[PrincessFluttershy]

To tip you off, the most common ways is to use malware (keyloggers, RATs, etc), FLPs or any variants (e.g. FMP [Fake Marketplace]), or old-fashioned Social Engineering.

While those are apart of the dozens, they're rather old-fashioned and ineffective. My personal hint was using the word 'gaia'.

[The Unintelligible]

I don't use any of them so I wouldn't know. But I don't really see any real hint in your post. And I doubt the methods you use are more effective than those.

Back then there were exploits that proved to be more efficient, but most if not all of those are gone now. XSS is probably still around but that's probably as effective as getting them to download something.

[PrincessFluttershy]

I don't use any of them so I wouldn't know. But I don't really see any real hint in your post. And I doubt the methods you use are more effective than those.

Back then there were exploits that proved to be more efficient, but most if not all of those are gone now. XSS is probably still around but that's probably as effective as getting them to download something.

If i really have to put it simply, find a website with a high correlation of gaia players also signed up to said website (which may be less secure) and breach security in that instead. While it may or may not work with gaia (tek tek comes ot mind but I dont believe it stores user accounts), passwords from that site may either be in plaintext or nonsalted passwords.

[The Unintelligible]

If i really have to put it simply, find a website with a high correlation of gaia players also signed up to said website (which may be less secure) and breach security in that instead. While it may or may not work with gaia (tek tek comes ot mind but I dont believe it stores user accounts), passwords from that site may either be in plaintext or nonsalted passwords.

You've suggested this to me before I believe. That's all dependent of whether they use a universal password or not (or a highly similar password). It's also definitely not more effective and a lot slower.

Though, nonetheless it's a more creative approach. It all depends on the situation I guess.

[PrincessFluttershy]

You've suggested this to me before I believe. That's all dependent of whether they use a universal password or not (or a highly similar password). It's also definitely not more effective and a lot slower.

Though, nonetheless it's a more creative approach. It all depends on the situation I guess.

Worked for neopets. Earned the hacker over 20,000 dollars and still going within the course of a few months.