Think Complex Passwords Will Save You?

BSidesLV 2017

Presented by: Ian Foster, David Hulton
Date: Tuesday July 25, 2017
Time: 17:00 - 17:55
Location: Ground1234!

Have you ever tried to crack a password that was just too difficult to crack? This talk will focus on some new techniques for cracking passwords that work 100% of the time. In 2012 I released an FPGA-based DES cracking service with Moxie Marlinspike for cracking MSCHAPv2 and quickly started seeing it being used for cracking other things besides MSCHAPv2. In this presentation we'll take a look at some of the research we've done into other widely used protocols and services that still rely on DES for security and provide an quick intro into the https://crack.sh API so you too can use this service for your own projects.

Specifically, we will demonstrate tools for doing exhaustive brute-force cracking of MSCHAPv2 (PPTP VPNs, WPA-Enterprise), des_crypt() hashes, Kerberos5, and release a free real-time service for cracking MSCHAPv1 (Windows Lanman and NTLMv1 authentication) in a matter of seconds.

David Hulton

David Hulton organizes the ToorCon suite of conferences and has spent nearly 20 years doing security research mostly focused on reverse engineering and cracking crypto. He’s mostly known for developing the bsd-airtools wireless attack tools in the early 2000’s, developing and presenting the first practical attack on GSM a5/1 in 2008, and releasing a DES cracking service and tools to perform a full break of MSCHAPv2 authentication in 2012.

Ian Foster


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats