Legacy RO

[HuiJun]

Code Select Expand


$ver = "01";
$dbgtmr = "1"; #Intervall of showing the current speed + lastpassword in seconds.

if ($dbgtmr<=0){ die "Set dbgtmr to a value >=1 !\n";};
use Digest::MD5 qw(md5_hex);
use Time::HiRes qw(gettimeofday);

if ($ARGV[0]=~"a") {
$alpha = "abcdefghijklmnopqrstuvwxyz";}
if ($ARGV[0]=~"A") {
$alpha = $alpha. "ABCDEFGHIJKLMNOPQRSTUVWXYZ";}
if ($ARGV[0]=~"d") {
$alpha = $alpha."1234567890";}
if ($ARGV[0]=~"x") {
$alpha = $alpha. "!\"\$%&/()=?-.:\\*'-_:.;,";}

if ($alpha eq "" or $ARGV[3] eq "") {usage();};
if (length($ARGV[3]) != 32) { die "Sorry but it seems that the MD5 is not valid!\n";};

print "Selected charset for attack: '$alpha\'\n";
print "Going to Crack '$ARGV[3]'...\n";

for (my $t=$ARGV[1];$t<=$ARGV[2];$t++){
crack ($t);
}

sub usage{
print "USAGE\n";
print "./md5crack <charset> <mincount> <maxcount> <yourMD5>\n";
print " Charset can be: [aAdx]\n";
print " a = {'a','b','c',...}\n";
print " A = {'A','B','C',...}\n";
print " d = {'1','2','3',...}\n";
print " x = {'!','\"',' ',...}\n";
print "EXAMPLE FOR CRACKING A MD5 HASH\n";
print "./md5crack.pl ad 1 3 900150983cd24fb0d6963f7d28e17f72\n";
print " This example tries to crack the given MD5 with all lowercase Alphas and all digits.\n";
print " MD5 Kit only tries combinations with a length from 1 and 3 characters.\n-------\n";
print "./md5crack.pl aA 3 3 900150983cd24fb0d6963f7d28e17f72\n";
print " This example tries to crack the given MD5 with all lowercase Alphas and all uppercase Alphas.\n";
print " MD5 Kit only tries passwords which length is exactly 3 characters.\n-------\n";
print "./md5crack.pl aAdx 1 10 900150983cd24fb0d6963f7d28e17f72\n";
print " This example tries to crack the given MD5 with nearly every character.\n";
print " MD5 Kit only tries combinations with a length from 1 to 10 characters.\n";
die "Quitting...\n";
}

sub crack{
$CharSet = shift;
@RawString = ();
for (my $i =0;$i<$CharSet;$i++){ $RawString[i] = 0;}
$Start = gettimeofday();
do{
  for (my $i =0;$i<$CharSet;$i++){
   if ($RawString[$i] > length($alpha)-1){
    if ($i==$CharSet-1){
    print "Bruteforcing done with $CharSet Chars. No Results.\n";
    $cnt=0;
    return false;
   }
   $RawString[$i+1]++;
   $RawString[$i]=0;
   }
  }
###################################################
   $ret = "";
   for (my $i =0;$i<$CharSet;$i++){ $ret = $ret . substr($alpha,$RawString[$i],1);}
   $hash = md5_hex($ret);
   $cnt++;
   $Stop = gettimeofday();
   if ($Stop-$Start>$dbgtmr){
    $cnt = int($cnt/$dbgtmr);
    print "$cnt hashes\\second.\tLast Pass '$ret\'\n";
    $cnt=0;
    $Start = gettimeofday();
   }
            print "$ARGV[3] != $hash ($ret)\n";
   if ($ARGV[3] eq $hash){
    die "\n**** Password Cracked! => $ret\n";
   }
###################################################
  #checkhash($CharSet)."\n";

  $RawString[0]++;
}while($RawString[$CharSet-1]<length($alpha));
}

sub checkhash{
$CharSet = shift;
$ret = "";
for (my $i =0;$i<$CharSet;$i++){ $ret = $ret . substr($alpha,$RawString[$i],1);}
$hash = md5_hex($ret);
$cnt++;
$Stop = gettimeofday();
if ($Stop-$Start>$dbgtmr){
  $cnt = int($cnt/$dbgtmr);
  print "$cnt hashes\\second.\tLast Pass '$ret\'\n";
  $cnt=0;
  $Start = gettimeofday();
}

if ($ARGV[3] eq $hash){
  die "\n**** Password Cracked! => $ret\n";
}

}


[Zone]

Brute forcing possibly, or he could have just gotten the password from an sql table.

@Zone
So you're still going to tell me that if a password looks like this 'a1jd0ai3n1oci01e', you can crack it? Cause if you actually typed 'a1jd0ai3n1oci01e', it wouldn't work since it's MD5 encrypted. And if the owner linked the Forum & Game accounts, they'd both have to be in MD5, since the registration would input the MD5 encrypted password into both the forum and game tables.

Also if Brute-Forced, I'd suggest www.ic3.gov for the owner. The FBI can trace the IP whether the hacker used proxies or not. Internet crime is crime.

@Rahael
What are you talking about? Are the Forum & Game accounts linked together or what?

I tell ya what, check http://www.milw0rm.com
There are passwords they have cracked, they may have cracked a few of mine that I put in, however, any password can be brute forced given the time, dictionary (rainbow sheet), and the hash.
I have already posted pictures of a program that I use that can crack even sha-1,2, and 256. 16 characters isn't that bad for a brute forcing, however, not many databases accept passwords over 12 characters.
ic3 wouldn't help if you run a remote desktop to a server in  a foreign country and then used an internet based virtual computer, on top of hide my ip plat. and smac.

There are ways, and FBI wouldn't be doing the research, they don't give a damn about a video game server, and if they did, they would have a CTN look at the situation and if that CTN gave a damn, then he would look into it for about 6 hours if nessecary, once he determines it's a stupid game, all he has to say is it's a dumb game, and then they will just drop it.
Also, brute forcing, who would give you the logs for IPs? FBI wouldn't waste their time for such non-sense.
I promise you, if they dealt with every complaint they had, they would be wasting their time.
'Oh, boo hoo my myspace was haxord D: imma cut mahselph. i hadz ova 40k+ fwiendz'
I tell ya what, all a person needs to do is make a phishing page, and then the person who gets 'hacked' can't do a thing because the person gave the information freely. (Deceit is no excuse, use common sense)
Go ahead, report it, it's the person's own stupidity.

Actually... you're wrong in a lot of areas man. Where do they crack MD5's in http://www.milw0rm.com?http://www.milw0rm.com/cracker/insert.php Show me please, I only found exploits for certain programs. The FBI would do the research because they would earn money from it, and yes it's true that they help only US-stationed servers. What is CTN? "CTN - Christian Television Network"?
FBI would earn money if they didn't waste it on some stupid hack like a private video game server. CTNs are Cryptographic Technician - Networking, they are the people who hack for the military, work on security systems for the military, and other things that I cannot disclose due to their confidentiality.

Also, a phishing page can be reported to the owner of the website and in your case, MySpace.com and the owner of the Phishing page would get sued and server/webhost account would be shut down. If MySpace.com wanted to report a Phisher, they would go to --> https://www.digitalphishnet.org/default.aspx
far too many phishing pages exist nowadays, and would you mind finding the exact location of where you got your info on being able to sue? I see phishing as a game, you exploit the people who are too stupid to compare sources.

Then the phisher would be prosecuted and sued and the agency makes money. Money is what makes the IC3 and DigitalPhishnet work, otherwise they wouldn't be doing anything.
with all the phishers and hacks there are today, I doubt they even  have time for all of them. And all over 1 password? that's something I would seriously laugh at.

So Zone, what next? I'm not trying to argue with anyone, but I'm trying to wonder HOW it's possible. So if you want to argue and get this topic locked, sure. But I'm telling you bro, I'm just trying to find some answers to my questions. I agree, but I like to find ways around things, loopholes, I don't mean to make this an arguement.
Posted on: Jun 06, 2008, 10:29 am

So you're still going to tell me that if a password looks like this 'a1jd0ai3n1oci01e', you can crack it?

Nothing is uncrackable. Especially not md5.

Pic from the very raid thread:


[Edit edit]Also also, http://www.legacyro.com/forum/index.php?showtopic=150

Ah, I see I see. That's some pretty serious stuff, lol. Thank you for answering my question.
Posted on: Jun 06, 2008, 10:33 am

As just said, md5 isnt 100% secure. Even without ANY info, it is crackable if you invest time.
Now, if you know ONE SINGLE PASSWORD (example: one of your own accounts), you can crack the whole database in half a second using some tools.

Then why do we even encrypt passwords >__>? Just wondering

You encrypt passwords to give them some security, otherwise, there would be no need for passwords, period.
Most people cannot hack, or don't even know what to look for. They would go to a hacker or a forum for hackers and say 'wut does i do to hax dis phool? plz hax dem 4 mi plzzz!!!11!' I see it all the time. Hell, a guy was saying he would pay a person $600 for hackin a fricken habbo account. Laziness, pure laziness...
Even with MD5s I could get into a log without cracking them. It's a nice trick with certain browsers and addons. It's the easiest way of getting into a cutenews page.

[mayuresh]

Legacy has failed terribly.. ppl who still play that server r only thoe who donated lol...

[Rehael]

Is someone here trying to say that he / She can decrypt MD5 passes ?

[Guest]

Legacy has failed terribly.. ppl who still play that server r only thoe who donated lol...

so that means about 1000 ppl donated? if so i feel sad for them......


its true their population has been cut in half....
but still its a big number

[HuiJun]

when v5 happens i think that number will drop dramatically.

[Pandora]

Let's face it, MD5 is not full proof, but it's still much much better than nothing. Most people cannot decode it, the most you'll find easily is mesh database, but if you got a complicated password it wont be in those.

What makes me go o_O at the new wipe of legacy (4th now?) is that their website claimed to make hourly backups. I find this extreme, but then why didn't he store some of those backup outside the server? Burn down a DVD with all data at least once a week.