Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 346
  • Last Modified:

Variables involved in calculating passwords per second for brute force?

When using a brute force password guessing software, what are the variables involved in calculating the amount of passwords per second that software can process?

More specifically in relation to tsgrinder I thought of:

-number of threads
-computer processing power
-medium used?!
0
cgruber
Asked:
cgruber
  • 2
  • 2
  • 2
2 Solutions
 
Rich RumbleSecurity SamuraiCommented:
tsgrinder is a bruteforce password connection maker, not a password bruteforcer in the more traditional sense. TSGrinder is going to be slowed down by the network and the server it's attacking as opposed to JohnTheRipper or HashCat weak password finders.

TSgrinder expects a list of plain-text wordlist/dictionary, and then tries them against a Terminal Server. john and hashcat work against hashed passwords, and use dictionary/wordlist and rules that change those wordlists to match the same hash.

The only medium used is a TCP connection, the processing power of the tsgrinder is probably not much of a factor. TSGrinder is also less effective now since 2003 first introduced a lockout mechanism for this kind of attack against the administrator account. It used to be the administrator could not be locked out, now they can.
-rich
0
 
McKnifeCommented:
Hi all.
@Rich
>  since 2003 first introduced a lockout mechanism for this kind of attack against the administrator account
It did? Never heard that. I only know passprop from the NT4/win2k resource kit can be used for that purpose.
@cgruber: what's the context you are asking the question in?
0
 
cgruberAuthor Commented:
So can one say that tsgrinder can process X passwords per second, without knowing all the variables involved?
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
cgruberAuthor Commented:
Arguing with a fellow worker who says tsgrinder can process 6 password per second at the most, where as I say that this figure is dependable on many factors.
0
 
McKnifeCommented:
Try it out.
You will not find people with experience with that tool, I am afraid. As there is a switch -n that can be altered, at least that suggests that it depends on the computing power of the machines that are involved. I don't know but I can't imagine only 5 pw/s are possible.
0
 
Rich RumbleSecurity SamuraiCommented:
It used to be just having a "connection banner" would be enough to get TSgrinder to lock up as it wasn't expecting that, not sure if it's been improved.
I guess I was wrong about the 2003 feature introduction, I must of been thinking about IPSEC's default exemptions.
You can however deny logon through TS for the administrator account
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/618.mspx?mfr=true

While you cannot lock the administrator out via TS/RDP you can disable the account which effectively will do the same thing.

TSGrinder is very old school, thought I'd never hear that name again :)
-rich
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

  • 2
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now