Author Topic: Extracting PPPoE credentials from Juniper SRX300  (Read 16133 times)

bishbashbosh

  • Member
  • **
  • Posts: 62
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #60 on: June 15, 2017, 07:38:49 PM »

Hi,

No, the information I supplied was for a test set of data that you could paste verbatim into a command line and confirm that it would all work for you before embarking on the potentially massive task of cracking the pass of an unknown length.

I fabricated that data just for the purpose of a test. Run that command and make sure that works first. Should take no more than 10 mins really. From that you'll know what you are looking for.

Once that has happened and confirms everything is working, run your set of data. I have absolutely no idea how long your pass would be but more than likely between 8 and 10 chars consisting of upper/lower/number. ISPs don't seem to use symbols, probably to make it easier for support staff.

PS, is that really 72 thousand hashes per second or am I reading that wrong? A strange way of saying 72 million if not.
Logged

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #61 on: June 15, 2017, 08:31:51 PM »

Ok I think I'm understanding the process better. In the example command line you gave, at the end it said

?1?1?1?1?1?1?1?1

I take it this means that hashcat has been tasked to provide an 8-character password? Once complete will the password be displayed here:

Candidates.#1....: ABCD1234 -> EFGH5678

But why are there 2 passwords?

I should add, requesting a password length greater than 4 chars takes ages!!
« Last Edit: June 15, 2017, 08:35:45 PM by psychopomp1 »
Logged

bishbashbosh

  • Member
  • **
  • Posts: 62
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #62 on: June 15, 2017, 08:45:46 PM »

Hi

The --increment option starts from 1 char and increments every time the number of tries for that number of chars is exhausted. E.g. it starts with a 1 char password and tries every combination. Then moves to two char and tries every combination. And so forth.

Once you have confirmed the test data gives the password that we expect I would add a couple of ?1?1 to make the maximum password char length 10.

So to summarise, increment starts from 1 char and stops at the number of chars in the mask. The mask is the ?1?1?1.......

If you are really only getting 72 thousand hashes a second I would not actually bother on that hardware as at 260 million hashes a second the test data took 3 mins 4 secs. I've never tried the windies version so if it represents the speed differently then please do correct me.
Logged

bishbashbosh

  • Member
  • **
  • Posts: 62
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #63 on: June 15, 2017, 09:08:27 PM »

Just a quick calculation. 8 chars at 260MHs is about 10 days. 8 chars at 72KHs is 35000 days.

Looking at the screenshot and working out that it's reporting 12 mins for completion of 6 chars and that is roughly 3.5 times longer than I was getting at 260M I'm guessing (hoping) that's actually meaning 72 thousand thousand hashes. 72 MHs.

Odd way of reporting the speed.
Logged
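
The arithmetic behind the posts above (how `--increment` walks up through the mask lengths, and the 260 MH/s versus 72 kH/s estimates), as an added example that is not part of the original thread. It assumes the custom charset `?1` is upper + lower + digit (62 characters), which is consistent with the figures quoted; the function names are illustrative.

```python
import re

# Sizes of hashcat's built-in charsets: ?l lower, ?u upper, ?d digit,
# ?s symbols (incl. space), ?a all printable ASCII.
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def charset_size(spec):
    """Size of a custom charset built from built-ins, e.g. '?l?u?d' -> 62."""
    return sum(BUILTIN[t] for t in re.findall(r"\?(.)", spec))


def increment_keyspace(mask, custom):
    """[(length, candidates)] for each length an incrementing mask tries."""
    steps, total = [], 1
    for n, tok in enumerate(re.findall(r"\?(.)", mask), start=1):
        total *= custom[tok] if tok in custom else BUILTIN[tok]
        steps.append((n, total))
    return steps


def seconds_to_exhaust(mask, custom, rate_hs, increment=True):
    """Worst-case seconds to try every candidate at rate_hs hashes/second.

    With increment=True every shorter length is tried first, so the totals
    for lengths 1..N are summed; otherwise only the full-length mask counts.
    """
    steps = increment_keyspace(mask, custom)
    candidates = sum(c for _, c in steps) if increment else steps[-1][1]
    return candidates / rate_hs


if __name__ == "__main__":
    # Assumption: ?1 = upper + lower + digits, as suggested in the thread.
    custom = {"1": charset_size("?l?u?d")}
    for length in (6, 8, 10):
        mask = "?1" * length
        for label, rate in (("260 MH/s", 260e6), ("72 MH/s", 72e6),
                            ("72 kH/s", 72e3)):
            days = seconds_to_exhaust(mask, custom, rate) / 86400
            print(f"{length:2d} chars @ {label:8s}: {days:14.2f} days")
```

Each extra character multiplies the work by 62, so the shorter lengths tried first by the incrementing mask add under 2% to the total.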

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #64 on: June 15, 2017, 09:19:25 PM »

Double checked again, speed is definitely 72000 KH/s in Windoze 7 which probably explains why I'm finding it extremely slow  :'(
Logged

bishbashbosh

  • Member
  • **
  • Posts: 62
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #65 on: June 15, 2017, 09:27:55 PM »

Hi,

Ignoring the 72000 KHs piece and working out the speed against mine and the amount of time it takes to crack I reckon it actually means 72MHs but you'll know that once you've seen how long it takes to crack the test data. If it's 12 mins or less then it's 72MHs. If it's getting into hours then it's 72KHs.

Logged

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #66 on: June 16, 2017, 09:43:32 PM »

YESSSSSSS!!!

Thanks to the huge help given by bishbashbosh the SRX300 has been hacked  ;D ;D ;D ;D ;D

(lots of virtual hugs mate  :hug:)

Fed the extracted username & pw into the PPPoE WAN box on my R9000 and bingo! the R9000 is able to obtain an internet connection direct to the Openreach ONT unit. But....

My IP address has changed (I am supposed to be on an ipv4 static) so I guess it's only a matter of time before the ISP finds out that I'm no longer using the SRX300. If/when they get in touch I will grovel to them to let me use my own kit....

Once again thanks to bishbashbosh, burakkucat, ignitionet, underzone, 4uture and others  ;D

Logged

bishbashbosh

  • Member
  • **
  • Posts: 62
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #67 on: June 16, 2017, 09:56:08 PM »

You're welcome, Psychopomp.

It was the PPPoE password that was cracked using the hashcat method before anyone gets too excited. Nothing to see here, move along, move along.

Just a thought about your IP, were you given and supplied the IP address in any documentation? If so you just need to set the WAN to static IP and gateway and all that jazz to continue. If not you could probably extract from the capture file with a little work.

Logged

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #68 on: June 16, 2017, 10:08:14 PM »

Quote
Just a thought about your IP, were you given and supplied the IP address in any documentation? If so you just need to set the WAN to static IP and gateway and all that jazz to continue. If not you could probably extract from the capture file with a little work.

Yes, I was given a static IP address, a gateway IP address (SRX300 IP address I think) and DNS server addresses which I put into my own router when it was connected to the SRX300. However putting the same details into the router when directly connected to the ONT does NOT give me a connection. I have to remove the supplied IP addresses and select 'obtain ip address automatically' in WAN settings to get a connection. But at least the new IP address I'm getting appears to be static...
« Last Edit: June 16, 2017, 10:11:14 PM by psychopomp1 »
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #69 on: June 16, 2017, 10:15:07 PM »

Quote
YESSSSSSS!!!

Thanks to the huge help given by bishbashbosh the SRX300 has been hacked  ;D ;D ;D ;D ;D

(lots of virtual hugs mate  :hug:)

That's what I was hoping to see.  :thumbs:  :dance:  A "purrfect" result.

Quote
Once again thanks to bishbashbosh, burakkucat, ignitionet, underzone, 4uture and others  ;D

On behalf of all contributors: "You are welcome."  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


underzone

  • Reg Member
  • ***
  • Posts: 442
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #70 on: June 16, 2017, 11:07:58 PM »

Spoof the MAC address of the supplied hardware on your own equipment if you can  :fingers:
Logged

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #71 on: June 17, 2017, 12:10:51 AM »

Quote
Spoof the MAC address of the supplied hardware on your own equipment if you can  :fingers:

I've tried that as there is an option to put in a custom MAC address in the Netgear, however I still get a different static IP address. If I then force the Netgear to use the original IP I was given for the service then I simply cannot connect...

These are the Netgear settings when I was using the SRX300: (real IPs changed)



And the settings when the Netgear is connected directly to the Openreach kit: (again sensitive info has been removed/edited)





Logged

bishbashbosh

  • Member
  • **
  • Posts: 62
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #72 on: June 17, 2017, 06:53:58 AM »

As a guess, the Juniper box might be doing some kind of NAT or routing. Are you able to get any info from the Juniper?

Looking at the capture you made are you able to find any offer of IPs from the PPP server? I think from memory it's PPP IPCP. Although static, it might be static but offered by the PPP server.

It's early and I'm off to the coal face again. Yes, on a Saturday. :no:
Logged

psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #73 on: June 17, 2017, 08:43:13 AM »

The Juniper is totally locked down, only way to get any info from it is through port mirroring.

Rather than stressing out over what may (or may not) happen, I will just continue using my connection in the new way and hope for the best  :)

Logged