Solved

Variables involved in calculating passwords per second for brute force?

Posted on 2014-01-29
Last Modified: 2014-02-11
When using a brute force password guessing software, what are the variables involved in calculating the amount of passwords per second that software can process?

More specifically in relation to tsgrinder I thought of:

-number of threads
-computer processing power
-medium used?!
0
Question by:cgruber
6 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 39818804
tsgrinder is a bruteforce password connection maker, not a password bruteforcer in the more traditional sense. TSGrinder is going to be slowed down by the network and the server it's attacking as opposed to JohnTheRipper or HashCat weak password finders.

TSGrinder expects a plain-text wordlist/dictionary, and then tries the entries against a Terminal Server. john and hashcat work against hashed passwords, and use a dictionary/wordlist and rules that change those wordlists to match the same hash.

The only medium used is a TCP connection; the processing power of the tsgrinder is probably not much of a factor. TSGrinder is also less effective now since 2003 first introduced a lockout mechanism for this kind of attack against the administrator account. It used to be the administrator could not be locked out, now they can.
-rich
0
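An added example, not part of the original thread: a back-of-envelope model of why a network logon guesser has no fixed passwords-per-second figure, and of how an account lockout policy caps the sustained rate. The class, its parameter names and every figure are assumptions constructed for illustration, not measurements of TSGrinder or any server.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OnlineGuessModel:
    """Simplified model of logon attempts made over a network connection."""
    sessions: int                              # parallel connections the client opens
    attempt_latency_s: float                   # network round trips + server logon processing, per attempt
    server_session_cap: Optional[int] = None   # connections the server accepts at once
    lockout_threshold: Optional[int] = None    # failed logons before the account locks
    lockout_duration_s: float = 0.0            # how long the account then stays locked

    def raw_rate(self) -> float:
        """Attempts per second when only latency and concurrency limit the client."""
        active = self.sessions
        if self.server_session_cap is not None:
            active = min(active, self.server_session_cap)
        return active / self.attempt_latency_s

    def effective_rate(self) -> float:
        """Sustained attempts per second against one account under a lockout policy."""
        raw = self.raw_rate()
        if self.lockout_threshold is None:
            return raw
        # One cycle: `lockout_threshold` attempts at the raw rate, then the lockout wait.
        cycle_s = self.lockout_threshold / raw + self.lockout_duration_s
        return self.lockout_threshold / cycle_s

    def days_to_try(self, candidates: int) -> float:
        """Days needed to submit `candidates` guesses at the sustained rate."""
        return candidates / self.effective_rate() / 86400


# Constructed scenarios; none of these figures are measurements of any tool.
SCENARIOS = {
    "lan, 3 sessions": OnlineGuessModel(sessions=3, attempt_latency_s=0.5),
    "wan, 3 sessions": OnlineGuessModel(sessions=3, attempt_latency_s=2.0),
    "lan, server caps at 1": OnlineGuessModel(3, 0.5, server_session_cap=1),
    "lan, lockout 5 / 30 min": OnlineGuessModel(
        3, 0.5, lockout_threshold=5, lockout_duration_s=1800),
}

if __name__ == "__main__":
    for name, m in SCENARIOS.items():
        print(f"{name:26s} {m.effective_rate():8.4f} attempts/s "
              f"{m.days_to_try(100_000):10.2f} days for 100k guesses")
```

The model ignores the lockout counter's reset window and any per-source throttling, so it overstates the rate a real lockout policy would allow.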
 
LVL 55

Expert Comment

by:McKnife
ID: 39819011
Hi all.
@Rich
>  since 2003 first introduced a lockout mechanism for this kind of attack against the administrator account
It did? Never heard that. I only know passprop from the NT4/win2k resource kit can be used for that purpose.
@cgruber: what's the context you are asking the question in?
0
 

Author Comment

by:cgruber
ID: 39819035
So can one say that tsgrinder can process X passwords per second, without knowing all the variables involved?
0
 

Author Comment

by:cgruber
ID: 39819038
Arguing with a fellow worker who says tsgrinder can process 6 passwords per second at the most, whereas I say that this figure is dependent on many factors.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 39819082
Try it out.
You will not find people with experience with that tool, I am afraid. As there is a switch -n that can be altered, at least that suggests that it depends on the computing power of the machines that are involved. I don't know but I can't imagine only 5 pw/s are possible.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39819337
It used to be just having a "connection banner" would be enough to get TSgrinder to lock up as it wasn't expecting that, not sure if it's been improved.
I guess I was wrong about the 2003 feature introduction, I must have been thinking about IPSEC's default exemptions.
You can however deny logon through TS for the administrator account
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/618.mspx?mfr=true

While you cannot lock the administrator out via TS/RDP you can disable the account which effectively will do the same thing.

TSGrinder is very old school, thought I'd never hear that name again :)
-rich
0
