
Variables involved in calculating passwords per second for brute force?

Posted on 2014-01-29
Last Modified: 2014-02-11
When using a brute force password guessing software, what are the variables involved in calculating the amount of passwords per second that software can process?

More specifically in relation to tsgrinder I thought of:

-number of threads
-computer processing power
-medium used?!
Question by:cgruber
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 39818804
tsgrinder is a bruteforce password connection maker, not a password bruteforcer in the more traditional sense. TSGrinder is going to be slowed down by the network and the server it's attacking as opposed to JohnTheRipper or HashCat weak password finders.

TSgrinder expects a list of plain-text wordlist/dictionary, and then tries them against a Terminal Server. john and hashcat work against hashed passwords, and use dictionary/wordlist and rules that change those wordlists to match the same hash.

The only medium used is a TCP connection, the processing power of the tsgrinder is probably not much of a factor. TSGrinder is also less effective now since 2003 first introduced a lockout mechanism for this kind of attack against the administrator account. It used to be the administrator could not be locked out, now they can.
-rich
 
LVL 56

Expert Comment

by:McKnife
ID: 39819011
Hi all.
@Rich
>  since 2003 first introduced a lockout mechanism for this kind of attack against the administrator account
It did? Never heard that. I only know passprop from the NT4/win2k resource kit can be used for that purpose.
@cgruber: what's the context you are asking the question in?
 

Author Comment

by:cgruber
ID: 39819035
So can one say that tsgrinder can process X passwords per second, without knowing all the variables involved?

 

Author Comment

by:cgruber
ID: 39819038
Arguing with a fellow worker who says tsgrinder can process 6 passwords per second at the most, whereas I say that this figure is dependent on many factors.
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 39819082
Try it out.
You will not find people with experience with that tool, I am afraid. As there is a switch -n that can be altered, at least that suggests that it depends on the computing power of the machines that are involved. I don't know but I can't imagine only 5 pw/s are possible.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39819337
It used to be just having a "connection banner" would be enough to get TSgrinder to lock up as it wasn't expecting that, not sure if it's been improved.
I guess I was wrong about the 2003 feature introduction, I must have been thinking about IPSEC's default exemptions.
You can however deny logon through TS for the administrator account
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/618.mspx?mfr=true

While you cannot lock the administrator out via TS/RDP you can disable the account which effectively will do the same thing.

TSGrinder is very old school, thought I'd never hear that name again :)
-rich
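
A rough model of the variables raised in this thread, as an added example that is not part of any poster's reply: the sustained rate of online logon guesses is bounded by parallel connections, per-attempt network and server time, the server's session limit, and any lockout policy. All names and numbers below are constructed assumptions, not measurements of tsgrinder or of any server.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Lockout:
    threshold: int      # failed logons allowed before the account locks
    duration_s: float   # seconds the account then stays locked

@dataclass
class Scenario:
    connections: int          # parallel logon connections the client opens
    round_trip_s: float       # network time per attempt (connect + logon exchange)
    server_auth_s: float      # time the server spends checking one logon
    server_max_sessions: int  # concurrent logons the server will service
    lockout: Optional[Lockout] = None  # None = no lockout applies to the account

def unthrottled_rate(s: Scenario) -> float:
    """Guesses/second with no lockout: in-flight attempts / time per attempt."""
    in_flight = min(s.connections, s.server_max_sessions)
    return in_flight / (s.round_trip_s + s.server_auth_s)

def guesses_per_second(s: Scenario) -> float:
    """Sustained guesses/second against one account, lockout included."""
    rate = unthrottled_rate(s)
    if s.lockout is None:
        return rate
    burst_s = s.lockout.threshold / rate  # time to use up the allowed failures
    return s.lockout.threshold / (burst_s + s.lockout.duration_s)

def limiting_factor(s: Scenario) -> str:
    """Name the variable that dominates the sustained rate."""
    if s.lockout and s.lockout.duration_s > s.lockout.threshold / unthrottled_rate(s):
        return "lockout policy"
    if s.server_max_sessions < s.connections:
        return "server session limit"
    return "network" if s.round_trip_s > s.server_auth_s else "server logon time"

def seconds_to_try(wordlist_size: int, s: Scenario) -> float:
    """Time needed to submit every entry of a wordlist at the sustained rate."""
    return wordlist_size / guesses_per_second(s)

# Constructed scenarios (assumed values), chosen so the arithmetic is easy to follow.
LAN = Scenario(connections=2, round_trip_s=0.125, server_auth_s=0.375, server_max_sessions=2)
WAN = Scenario(connections=2, round_trip_s=0.75, server_auth_s=0.25, server_max_sessions=2)
MORE_CONNS = Scenario(connections=8, round_trip_s=0.125, server_auth_s=0.375, server_max_sessions=2)
LOCKED = Scenario(2, 0.125, 0.375, 2, Lockout(threshold=5, duration_s=1800))

if __name__ == "__main__":
    for name, s in [("LAN", LAN), ("WAN", WAN), ("8 conns", MORE_CONNS), ("lockout", LOCKED)]:
        print(f"{name:8} {guesses_per_second(s):8.4f}/s  limited by {limiting_factor(s)}")
```

In this model, adding client connections beyond the server's session limit changes nothing, and a lockout policy reduces the sustained rate by orders of magnitude regardless of client hardware.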