How to Double Dutch (PHP)

[COLOR="purple"]This tutorial was NOT written by me, it was written by a person with the handle "bouncer" (no quotes) from [url]http://www.hellboundhackers.org[/url][/COLOR]

[QUOTE]Most of the people use md5() or sha*() encryption these days and that is good because it's safe.... unless.... someone else got your hash and tries to bruteforce it.

Well i love to secure passwords very much so i always use my Double Dutch method ;)

We will now encrypt the word: "cookie" in md5 + sha* with php:
[PHP]<?php
md5("cookie");
sha*("cookie");
?>[/PHP]
You'll see the encryption of "cookie" in md5:
2dccd*ab*e0***0aea77*5*8**c85ca2
and the encryption of "cookie" in sha*:
5*c826fc854**7cbd4d*08*bce8fc00d076*e8b*

Now people can bruteforce this really easy so when encrypting your password you can do:

[PHP]<?php
md5(sha*("cookie"));
?>[/PHP]
Encryption of the Double Dutch method is:
aca8*f6e****e*f7dae00**2fd*8fca*

This encryption incudes the sha* encryption! So even when trying to bruteforce it, it will be like almost impossible to crack it (Nothing is impossible, only difficult).

So happy securing![/QUOTE]

You can take this Double Dutch method to extremes, like doing md5(sha*(md5(sha*("hashhere")))) or even bigger!

Unfortunately this is untrue. Take a look at my [url=http://www.all-nettools.com/forum/showthread.php?t=6**4]wordlist generator[/url] in C++. You can remove the line that creates the data, and replace it with a comparison operator:

if(md5(sha*(currentword))==hash){ PASSWORD WOULD BE FOUND }

If you compute the MD5 & SHA* functions to the current word and compare it to the hash, you could crack it just as easily.

~SyntaX

This is more centered around 'security by obscurity' i.e., you wouldn't go telling everyone that you are using this method. Double Dutching is good for the 'naughty admin' scenario.

Suppose your running a phpBB forum (which you modify to use Double Dutching, which I wouldn't recommend doing if you're a PHP newbie), and you decide to make a good buddy of yours an admin. He acts all good for a week, but then suddenly downloads a copy of your phpBB database, removes you as admin, deletes the whole ***rd, and tells you he will release the DB (which happens to be *000+ users) unless you pay him $*00 bucks.

Now, what he doesn't know is that the passwords are Double Dutched, so even if he does release the DB to people, you're the only one that knows they are Double Dutched (and hence gonna take a long while to crack, especially if you went md5-sha*-md5-sha*, which looks like a normal md5 hash in the end, and nobody will suspect a thing), and so all you have to worry about is the last time you backed up your forum's DB. :D

[b]This is the way I look at the situation:[/b]

If you obtained one hash, you can get another. You create your own account with a password you know. Once you have your own passwords hash you can easily figure out what method is used to encrypt the password and start your brute force.

I believe the best way to avoid brute force is to attach a 20(random number I just made up) character string onto each password before md5 hashing it. This will eliminate any chance that a brute forcer will ever crack the password. So you would actually:
[code]
$password="PlainTextPassword";
$password .= "PrimaryTextStringAttachedToPassword!";
$password = md5($password);
[/code]

Of course the question arises "[b]What about the Log In Validation?[/b]"

Since the database will have the encrypted version of the password stored, you would reapply the same process to compare for validation.

I see where your coming from, but if you pull a huge Double Dutch (I'm talking md5-sha*-md5-md5-md5-sha*-sha*-md5), the sheer amount of time it would take to bruteforce each and every hash's hash to get to the actual pass would not be worth wasting time and CPU power for. And notice I threw in a few md5's in a row, and two sha*'s in a row, that way just when the person thinks they've got the pattern, they hit a road block.

Also, combining your s***estion with Double Dutching would be virtually unstoppable (or should I say, uncrackable).

I would like to demonstrate how easy it is to find a hash process & crack a password if your choices are only MD5 & SHA*. Again, I will use my random combination script for this.

Lets set up the scenario I gave in the previous message.

[b]I need these two things from you:[/b]

*. Your password hash
2. My password hash

[b]Rules you must follow for time purposes[/b]

*. Your password must contain the following character set a-z,A-Z,0-* and no other characters.
2. Your password must be 5 or less characters in length
*. You must hash my password using the same method as you hash your password.
4. You can apply up to twenty hashes in a row. Ex: [i]md5(sha*(md5(sha*( etc... up to 20 [/i]

[b]My password:[/b] aa

If you can give me this information I will crack your password and display it in the next post.

[b]Theory[/b]
The total possible combination for 20 hashes (using MD5 & SHA*) = 20*7*5* Possible Combinations. If my theory of cracking this works, I should be able to figure out your password hash method in less than * hour. Once I figure this out, I can crack your password (*-5 characters a-zA-Z0-* in less than an hour) The variable here is "Time" I'm not sure how much time will be added for each power of possible hashing but I guess we will find out.

Well then, I'll take you up on that challenge! :p

I used my own custom Double Dutch (made it up on the spot), and here are the hashes:

[CODE]My Hash - *6d2f2fd***a6*0e6767b*bd4b*f72e6c25c8dce
Your Hash - 4fe04d0bd**ab*0***045*a50776c25c***b75cf[/CODE]

I followed all of your rules, using nothing but numbers and letters. Didn't go past twenty hashing sequences, and followed the same method for both passwords.

Anyways, crack this by this same time tomorrow (the time I've posted this message) and I'll declare Double Dutch a piece of crap. If you can't however, you will have to post the words "PWNT" (no quotes), and then a link to a picture of a dead animal of your choice in this thread.

I will be waiting (and praying that I"m right :D)

[b]Offer accepted.[/b]

I will need to locate my PHP version of my C++ code for the SHA* hashing. Then I will need to tweak the code for MD5 & SHA*. Once this is completed I will run the combination script once to figure out your hash method. After I get your hash method I will run the combination script once again to crack your password. I will be running this on a P4 with little RAM so it will take longer than usual, but I will have it cracked by tomorrow, promised!

~SyntaX

Once I give you your password you must post a sticky for one week saying you were Pwned by Syntax******! And post a link to [url]http://Moonbat.justgotowned.com/[/url] showing everyone on the forum you were pwned.

For some reason, justgotowned isn't working anymore, or else I would've made you do the same :p

But, you wanted it, so I'll do it anyway, even though the link won't do anything

I just finished tweaking the script for md5 and sha*. The first script is running at 6500 combinations a second. The second one at *00,000. You will soon be PWNED!

You have broken the rules! Every possible combination of MD5 SHA* (Up to twenty) has been tried and none work. You have not followed the rules!

My password is lowercase aa

No combination of MD5 SHA* will output the string you provided.

Err.. what are you talking about? I did follow the rules, But I didn't do md5-sha*-md5-sha*.. etc., I did some switcheroos, like md5-md5-md5-sha*-md5-sha*, etc. I didn't just pick a pattern and stick with it. You assumed that I just did it normally.

I did a few md5s and sha*s in a row, or I could have done ** md5's and * sha*, or all sha*'s, or any other possible combination that puts a few of the encryptions in a row, so unless you want to find every combination of sha* and md5 figuring in every single instance of repeatability of md5 or sha*, then j00 my friend, have lost.

Your not understanding what has been tried. EVERY SINGLE POSSIBLE combination has been tried and none output the string 4fe04d0bd**ab*0***045*a50776c25c***b75cf for the password aa

I'm running 2* just in case you miscounted but this will take about a half hour...

UPDATE: Nope finished running in 2* places and no match. Make sure you code is correct. Do this combination and tell me what you get: sha*(md5(sha*(sha*(md5(md5(sha*("aa")))))));

Lemme get this straight:

You tried EVERY SINGLE COMBINATION EVER IN THE HISTORY OF THE UNIVERSE OF TWENTY MD5 AND SHA*?

Like...


md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-sha*
md5-md5-md5-md5-md5-md5-md5-md5-sha*-md5-md5-md5-sha*-md5-md5-md5-md5-md5-md5-md5-sha*
sha*-md5-md5-md5--md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-md5-sha*

etc..?

Also, just to let you know, I didn't use 20 hash sequences. I find it hard to believe you found every single combo of sha* and md5 from 2 hash sequences all the way to 20 hash sequences, figuring in repeatability in each and every one.

EDIT: I didn't use PHP's hashing system (too lazy to set up a free hosting account somewhere to try), I used Yellowpipe Encrypter Decrypter tool.

Also, if you are telling the truth, tell me the exact hash sequence used when I hashed your password 'aa' After all, you should be able to mod your prog to tell me which sequence out of all the combos you used is the one used to hash aa

[b]YES[/b] EVERY POSSIBLE COMBINATION IN THE UNIVERSE (BUT THERE ARE ONLY 20*7*52 combinations) for 2* spaces.

Your still not getting the point. I DID try every single possible combination of SHA* and MD5 UP TO 2* and ZERO match. I will show you my code, but not until you fix your error. Use PHP not some online crap that doesnt encrypt correctly or this will not work.