## Performance – Brute Force MD5 checksum to match regex

The code starts with 128 bits of 0 (size of `md5sum` Checksum) then forces brutal forces to find a checksum that matches the regex (all characters of the checksum in hex are digits). I know that collisions can occur and that not all 2 ^ 128 possible checksums come out.

I know that if the code runs, it won't end soon. I will try to find out how I can change that `for` Loop in a parallel `for` Loop that uses all CPU cores.

This is one of my first (not very useful) programs in Golang. All constructive feedback is welcome.

Output:

``````0000000000000000000000000092FE92    14275262221639818016075488414463
000000000000000000000000009FF5EA    56052719788687373369347657641554
00000000000000000000000000BA7A1D    25521851964074241922881283516897
00000000000000000000000000E13807    19356247379454983142782955697777
00000000000000000000000000E8C976    64115693827254722796959498140064
0000000000000000000000000109658F    87596081213274701373126754303410
...
``````
``````package main

import (
"crypto/md5"
"encoding/hex"
"fmt"
"regexp"
"strings"
)

func main() {
data := ()byte("x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00")

r, _ := regexp.Compile("^(0-9){32}\$")

for {
hash := md5.Sum(data)
hash_hex_string := hex.EncodeToString(hash(:))

if (r.MatchString(hash_hex_string)) {
fmt.Printf("%X    %sn", data, strings.ToUpper(hash_hex_string))
}

if (!increment(data, 15)) {
break
}
}
}

func increment(data ()byte, start_pos int) (bool) {
if (start_pos < 0) {
return false
}

data(start_pos)++

if (data(start_pos) == 0) {
return increment(data, start_pos - 1)
}

return true
}
$$```$$
``````

## Brute Force – Prevents automated token attacks without relying on a firewall or network infrastructure

Our concern is rather the application-side prevention of automated attacks. Although the firewall helps prevent this, our development team's security practices have mandated that we need a second level of protection. Solutions like MFA and CAPTCHA are solutions for another problem. They help reduce the likelihood that an attacker might have to bypass authentication and guess credentials. Basically what we want here is to detect and stop (or realistically delay) an automated attack.

The penetration tester attack was as follows:

This is a link that is sent to email addresses to reset the password. They tried an automatic enumeration of the token to guess a correct one. Although they were unable to guess a valid one, they reported this as a security issue because our application was unable to intercept this automated attack and could not block the requests. We are now at a dead end and have found solutions.

Some solutions we have developed:

1. Blocking IP addresses – seems to be problematic because requests go through a number of servers and components (firewall -> web server -> app server, etc.). Therefore, it is extremely difficult to determine the source IP address of the requestor. Sometimes attacks can still lie behind proxies.

This would be doable if the enumeration were something like username and password. We can develop logic that recognizes the enumeration of usernames with the same password and blocks the next requests with the same password. In this case only one token in the input.

The reasons for solving this problem are running low. Can someone help us with this?

## Hash – is it important if a brute force search for a password returns a collision rather than the password?

Steffen's answer covers this perfectly, but I just wanted to add a few details.

### Anything that gives a match is usually fine

As he says, you generally don't care if you can find the actual password, as a website application would usually like to authenticate you with a string that hashed the hash value stored in the database. This means that you can log in to a brute force search and find something with the same hash, even if it's not the same password. As implied in the question, this is the nature of hashing and a direct result of the pigeonhole principle.

### Until you need the actual password

However, there can be some cases where you to do I want to find the original password. This would be the case if, for example, a hacker stole a username / password from a worthless service and tried to log in as a user to a more valuable service (Facebook, banks, etc.). Since users often use the same password everywhere, in this case you really want the original password – not just something that hashes to the same value for a particular hashing algorithm (after all, different services may use different hashing methods).

### But the difference doesn't matter

Fortunately (for our attacker) this doesn't matter. The reason is that exhaustive brute force is effectively impossible. Instead, a hacker tries things that are likely to be passwords (word lists, common passwords, etc.). As a counterexample, imagine that despite the impossibility of hashing a web service, you can perform a brute force search on all possible 256-bit ASCII strings. There are three inputs that have the same value as the user's password hash:

1. `BD3EDF42F6D3AF2DAAE93313EB534`
2. `7AF7B8B8F84443872C48EC372DBD1`
3. `password`

What is the real password? The answer is clear # 3. I mean, technically, there's a possibility that the user just selected an extremely strong password (i.e. `BD3EDF42F6D3AF2DAAE93313EB534`) that has the same value as `password`, but the chances of that are effectively zero.

In this sense, the attacker has a nice advantage. You would prefer to find the actual password, and it turns out that the best way to do that is not to check everything anyway, but to check things that look like passwords. This makes brutally enforcing the search much, much, much, much more effective, and also gives the attacker a much more useful result (the actual password instead of a random string that happens to have the same hash).

## Authentication – Brute solution for attacks on ID fields

This is not a brute force action for passwords, but a brute force attack on the other field for the login.

We have a web application in which the input fields for the login are: employeeId and password. To prevent brute force attacks, we have implemented a lock function for 5 invalid attempts with a valid employee ID but incorrect password. Now the penetration testers provided the same password and the same employee ID until a valid one was found. No lock can prevent this since the ID field is always changed. You enumerated at a rate just below the minimum firewall threshold to categorize and block this as an automated attack.

It seems that the only way to handle this is programmatically. I have a few solutions in mind, but I don't want to reinvent the wheel. I just want to ask if there are other more recommended solutions for how to do this programmatically.

## How can I carry out a brute force attack on a webmail site that has no firewall and an unlimited number of attempts? [closed]

My professor created this page for us and gave us a project to find the password when we got the email. Is it possible?
I am not sure if this is relevant, but the site is not HTTPS either

## Python – Hardening GnuPG against brute force attacks

I am currently working on a Python program that uses GnuPG (with symmetric encryption) to store data on the client: user enters password, GPG file is decrypted, data is loaded, etc.

Assume that an attacker copies this GPG file. What can be done to slow down the brutal password enforcement? Maybe it is possible to do thousands of iterations in a PBKDF (or maybe SHA) and then use that as a password?

## Time and space complexity for the brute force backpack problem

I was wondering if anyone can confirm my work for the complexity of 0/1 Knapsack Brute Force and Dynamic Programming solutions.

I justified it for the brute force $$O (N.2 ^ N)$$

This is because to calculate all possible subsets (the method I used brute force was to calculate the potency set and then calculate the weights / values ​​for each set) $$2 ^ N$$ and then we compute the sum of each subset of size from 1-N that lasts $$N.2 ^ N$$

Would be space complexity $$O (P)$$ Where p is the total number of subsets

But according to my notes, the Brute Force is 0/1 Knapsack $$O (2 ^ N)$$ with space $$O (N)$$

I think that's for the recursive solution, but my raw strength is not recursive.

## hash – brute force hashing of passwords with known format

The meaning of the word fortuitously It has a lot of weight in the Infosec community. In fact, some people are obsessed with it! We keep trying to get a better approximation of actual coincidence, but it can actually be impossible!

The secret to your problem is weak, not because of the reversibility of the hash (which would be very difficult), but because it is just not long enough and not fortuitously enough to have enough entropy to make a brute force attack impossible.

I see that the first "random" value is a date. It looks like the date may be relevant to the system. If the system uses sha512, this value will probably be available sometime in recent years and probably more recently!

The second "random" value is a name. I could probably get a list of names used all over the world and iterate my cracker through various combinations of them. If I could make a few guesses about a user's ethnicity, I could narrow the dictionary even further.

And you see why randomness is so important! Since these values ​​are not really random, they are much easier to guess than others, and a cracker based on dictionary attacks can be programmed to take advantage of this fact.

## Throttling – brute force attacks (security php)

After a few weeks of searching and learning "php secure" I created a class of failed logins.

1. record_failed_login -> Record the logins, if the entry is not found, it creates the new one. If he finds – will be updated.
2. clear_failed_logins -> is similar to logging in with a failed record. If you accept the user, set the number to 0.
3. throttle_failed_logins -> returns the number of minutes that must be waited before registrations are possible again.

I don't know how to insert an associative array into a MySQL table with a prepared statement. That's why I used "PHP Procedural Style" + OOP.

`\$this->sanitized_attributes();` comes from `class DatabaseObject`

``````CREATE TABLE `failed_logins` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(255) NOT NULL,
`count_f` int(11) NOT NULL,
`last_time` varchar(100) NOT NULL,
PRIMARY KEY  (`id`)
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

escape_string(\$username) . "' ";
\$sql .= "LIMIT 1";

\$result = self::\$database->query(\$sql);
\$result->free();
}

// Insert record
foreach(\$failed_login as \$key => \$value){

\$sql = "INSERT INTO " . self::\$table_name . " (";
\$sql .= join(', ', self::\$db_columns);
\$sql .= ") VALUES (";
\$sql .= "'" . self::\$database->escape_string(\$failed_login('username')) . "', ";
\$sql .= "'" . self::\$database->escape_string(\$failed_login('count_f')) . "', ";
\$sql .= "'" . self::\$database->escape_string(\$failed_login('last_time')). "'";
\$sql .= ")";
}

\$result = self::\$database->query(\$sql);
if(\$result) {
\$this->id = self::\$database->insert_id;
}
return \$result;
}

protected function update_record_in_db(\$failed_login) {

\$attributes = \$this->sanitized_attributes();
\$attribute_pairs = ();
foreach(\$attributes as \$key => \$value) {
\$attribute_pairs() = "{\$key}='{\$value}'";
}

\$sql = "UPDATE " . self::\$table_name . " SET ";
\$sql .= join(', ', \$attribute_pairs);
\$sql .= " WHERE username='" . self::\$database->escape_string(\$this->username) . "' ";
\$sql .= "LIMIT 1";

\$result = self::\$database->query(\$sql);
return \$result;
}

'count_f'   => 1,
'last_time' => time()
);

} else {
// existing failed_login record
\$this->count_f = \$failed_login('count_f') + 1;
\$this->last_time = time();
}

return true;
}

\$this->count_f = \$failed_login('count_f') = 0;
\$this->last_time = time();
}

return true;
}

\$throttle_at = 5;
\$delay_in_minutes = 10;
\$delay = 60 * \$delay_in_minutes;

\$remaining_delay = (\$failed_login('last_time') + \$delay) - time();
\$remaining_delay_in_minutes = ceil(\$remaining_delay / 60);
return \$remaining_delay_in_minutes;
} else {
return 0;
}
}
}
?>
``````

## Unlock Huawei BootLoader – is brute force the only way now?

problem

So I want to unlock the BootLoader on my Huawei Mate 9 to install LineageOS on it. I have already read that Huawei no longer gives BootLoader codes. Now is the only way (free) to enforce all possible codes?

Brute-forcing method

I would write a simple python script that iterates through all the numbers (16 digits) through 10 ^ 16 and runs the appropriate command. My CPU cores are 3 GHz, so it would only take about 55 minutes (10 ^ 16 / 3,000,000,000).

But I don't know if this is possible. How should I check if a device is unlocked with Python? And will the device lock after a few tries?

Here is someone else's script, it would take too long.

Any advice or help would be appreciated.