BRUTE FORCE means that instead of using clever and intelligent algorithms, you just try all possible solutions until eventually one fits. I.e. you just throw in more computing power instead of mathematics etc.
I’m still none the wiser. Could you give me a snippet of code to think about?
Well, code for which problem[?] I’m not going to do what Jörg refused to do, i.e. posting the password cracking code[:p] I’ll instead try to give you a more detailed explanation: Let’s say you want to solve some very complex problem, e.g. decrypting some piece of encrypted information (like passwords). If the encryption algorithm is known (e.g. DES, RSA), you may try and search for a weakness in the algorithm. In the (highly unlikely) case you find one, you can then write a program that exploits this weakness and directly gives you the unencrypted information if supplied the encrypted password in question. This approach takes a lot of brainpower, mathematics etc., but the program will finish very fast. If, OTOH, the algorithm is unknown or you don’t find any weaknesses, and there is a (possibly secret, “black box”) encryption algorithm available, you may choose to take the brute-force approach. You simply generate all possible passwords, encrypt them and compare the encrypted data. This usually takes very little time to implement, the program is relatively easy (a simple text generator), but computing time may be astronomical. Contrary to the approach above, you need lots of computing power and can spare yourself the mathematics [;)] As another example, consider sorting an array of numbers. The brute force approach would be to generate all permutations (easy) until you find one that is correctly sorted. This takes a lot of time. The alternative would be to think up some clever sorting algorithm like quicksort or heapsort (complicated). The program, however, will be orders of magnitude faster.
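Well… you need an example of what brute force means… here it is… 1) Suppose the password you’re searching for is a number between 1 and 200 and you don’t know it.

    VAR
      brutetry : Integer;
      found : Boolean;

    // MyPassword is the unknown number (1..200) being searched for
    brutetry := 0;
    found := FALSE;
    // Try every candidate in turn until one matches or the range is exhausted
    WHILE ((brutetry < 200) AND (NOT found)) DO BEGIN
      brutetry += 1;
      IF (MyPassword = brutetry) THEN BEGIN
        found := TRUE;
      END;
    END;
    // Only report a password if one was actually found
    IF found THEN
      MESSAGE('The password is %1',brutetry)
    ELSE
      MESSAGE('No password found between 1 and 200');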
I did NOT claim you cannot break my password. I say DO IT. The trick is, you have found some passwords with 5 letters and only lowercase letters. You say 2 days for this. If you just add the use of uppercase and 6 or 7 letters, the time you need is counted in years. In my example I add figures and other signs, and then it is very hard. I think this is an excellent exercise in password quality, and how important it is. Got a shock myself. So a good password needs 6 or more letters and the use of upper and lowercase letters and figures and other signs. BR Per
quote:
So a good password needs 6 or more letters and the use of upper and lowercase letters and figures and other signs.
You are absolutely right! IMO it’s a lack in NAVISION that there are no “restriction options” for passwords (Database Login) like in WinNT etc. One could develop one’s own password-control features (I did for our DB [}:)]: valid-date, login-times, etc.) but I think a “Standard Solution” is necessary … Regards, Jörg
Hi to all Navision fans, I wrote a little program to get the password. It’s easy to do, but as Jörg said, the runtime is the issue. My example (always tested for the whole character set): to get a 3-character password takes up to 46 sec. on my PC, a 4-character password takes up to 1:03 hours, a 5-character password takes around 11 days !!! not hours !!! and a 6-character password takes around 7.6 years ??? I don’t know exactly; it is practically not possible. If you want, calculate it. Therefore I think a password with at least 6 characters, also with special signs, is a good password, but be careful and change it often !!! But through chance, it can be found out more quickly. So for the BRUTE FORCE routines the time / PC is what matters, and also the type of characters. Regards Rolf
Hi, good work Rolf !!! The point is just that there is a chance, small, but still a chance, that a BF program tries the right password on the fifth guess. It might not take 7 years, but only 6 minutes. It’s just MOST likely it will take about 3 years. BR Per
Hi, Jpt, you don’t need to wait 3 years. Last time I forgot my super user password, I changed Navision’s fin.exe so that this fin.exe doesn’t ask for any password and skips directly into the Navision main menu. BTW, it only works with Navision version 2.6.
Until I get it and test it myself! Let me hear someone answer me on the following:
Facts:
1. Even a super user has no permission to a normal user’s rights. Changing password for example requires the normal user’s password.
2. A normal user has no permission to the users table.
Conclusions (Questions):
1. The user who runs the report must have super user rights, and the license must have report Designer. Apart from having bad intentions, why would this report tool be necessary when the user (super user) could as well log in and take care of the situation… of course this is so obvious that I don’t think super user permission is the case. Does this mean a normal user can run any report even if they don’t have permission to the table from which the report gets the data?
2. It is one thing to have a gun, and another thing to make a gun. Whatever you believe, the Iraq war is because Iraq is suspected to have weapons of mass destruction (I have no side by the way, and don’t want to change your focus now). In some countries (if not all) it’s illegal to make a gun. It is therefore illegal to make such a tool and have it. Such a tool means you can always get into the system as any of the users. As for checking on people’s password standards, I don’t think it is such a problem as to require a tool. A good talk to the staff would solve the problem, although I always wonder why Navision has no technologies like counting attempts, locking out… generally tamper detection.
3. If this is the truth and not a test of the forum members, then Navision should definitely be interested and should maybe rethink the whole password approach.
All in all, I have said that it should be possible to do the 3-day brute force routine, but it also requires permission to the tables, and yet with such permission, you should have the ability to rectify the password loss! Robert
Hi
quote:
Originally posted by rbm
… although I always wonder why Navision has no technologies like counting attempts, locking out …
Ahem. These features are included in the BLUE version. If you want to use them, all you have to do is DOWNgrade to 3.56 [8D]. bye André
Well,… I’ve tried it and it works with some recursivity in the function. It’s not that difficult. There’s just one problem… you’ll have to be able to get in the object designer!! [edit] Is it possible the validate of the password field stopped working since the last hotfix of Navision 3.60?? [:(][/edit]
Hello Robert, I think I might help with some clarification because the problem is not that easily solved with the superuser rights…
quote:
A normal user has no permission to the users table.
That’s one part of the problem… every user does in fact have read access to the users table, otherwise the password could not be checked.
quote:
Even a super user has no permission to a normal user’s rights. Changing password for example requires the normal user’s password.
Nope, simply open Tools/Security/Database Logins and change the password… no need to know the current password of the user, anyway somebody must be able to “reset” a forgotten user password
quote:
The user who runs the report must have super user rights, and the license must have report Designer.
Super user rights are not necessary because every user has access to the User table; the permission you’d need is to open the object designer if you do not want to hide this special report in the normal menu forms… Secondly, once you have the report you do not need the designer licence… I like your “gun” example, and I think all of us agree that this report should only be used to regain your superuser password in case you as admin forgot this password… why should you forget such an important password anyway… Besides being an intellectual challenge, nobody is thinking of this functionality for abuse, I hope [;)] Definitely there is a hole in the security setup of Navision (Attain); standard 3.60 does still have this bug. I did not check with the hotfix, it might be that it got solved. [}:)] Saludos Nils
Hi, Robert Mutyaba. If you don’t believe it, just send your database to me. I will change your password to 123456, and send it back to you in 5 mins. My method has nothing to do with super user, normal user or any license.
Could someone who has their own BF routines to crack passwords do me a favour? I have written my own and was wondering how long it took other people’s BF routines to crack the password below. INFO: The password is wench. My code cracked it in 1hr 50mins. This is pure Brute Force, not using a dictionary. Any ideas appreciated.[:)]
quote:
Originally posted by hf
Hi, Robert Mutyaba. If you don’t believe it, just send your database to me. I will change your password to 123456, and send it back to you in 5 mins. My method has nothing to do with super user, normal user or any license.
Well… you’re a bit slow if you need 5 minutes for that… unless you type the question marks really slowly when using the special executable for getting the authorization code and entering the database as admin… Regards,
quote:
Originally posted by CMDunbar
Could someone who has their own BF routines to crack passwords, do me a favour. I have written my own and was wondering how long it took other people’s BF routines to crack the password below.
Connull, you should have mentioned the speed of the PC you used for your test [;)] My routine needed 2:25 hours to find your password on a 1.7 GHz P4. Besides the order in which characters are inserted into the test string (in my case: first lowercase, then uppercase, then numbers), I have not found any algorithmic tricks to influence execution speed [:(] But then, I spent only about 20 minutes to write the program [;)]
Heinz, Thanks for your reply. My pc is a Dell Pentium IV 2GHz I think?!?!?! I also just used lowercase, uppercase & numbers. What do you mean by “algorithmic tricks”?!?!? Surely BF means testing every possible combination of characters, one at a time?!??!
Connull, even with exhaustive, brute force searches, you can try to implement some heuristics to speed up the search. Heuristics may speed up the search - in the worst case (if they fail) you will still be trying all the possibilities, but in the best and average case, you will be done quicker. As an example, computer chess programs use a wealth of heuristics to prevent them from searching all possible move combinations, and they are quite good at it. With respect to cracking passwords, one could think of trying “more promising” passwords first. It will probably be unlikely for a user to have “aaaaa” as his password. Same for “aaaab”, “aaaac” and so on. Yet with a straightforward password generation routine, you will be trying exactly these passwords first. The password you chose will be found quicker if you move from lowercase letters to uppercase. If you first try uppercase letters, your program will need more time. Generally, having some reasonable assumption about the “general structure” of your password will enable you to speed up the search. In any case, though, you will have to make sure that your program is able to generate and test all possible combinations, just in case all your assumptions turn out as invalid.
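The timing arguments in this thread (Rolf’s per-length figures, Per’s point about worst case versus a lucky early guess, and Heinz’s note on character order) can be checked with keyspace arithmetic alone, without running any search. The following Python sketch is an added example, not code from any poster; its function names are hypothetical. It assumes a generator that tries shorter candidates first and walks each length in odometer order, and it calibrates the guess rate from the 2:25 hours Heinz reports for "wench".

```python
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits

def keyspace(alphabet_size, max_len):
    """Number of candidates of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def guess_rank(password, alphabet):
    """1-based position at which `password` is tried (assumed generator:
    shorter candidates first, odometer order within each length)."""
    index = 0
    for ch in password:
        index = index * len(alphabet) + alphabet.index(ch)  # ValueError if not covered
    return keyspace(len(alphabet), len(password) - 1) + index + 1

def calibrated_rate(password, alphabet, measured_seconds):
    """Guesses per second implied by one reported search time."""
    return guess_rank(password, alphabet) / measured_seconds

def exhaust_seconds(alphabet_size, max_len, rate):
    """(worst case, average) seconds for a uniformly random candidate."""
    total = keyspace(alphabet_size, max_len)
    return total / rate, (total + 1) / 2 / rate

def human(seconds):
    for unit, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"

if __name__ == "__main__":
    lower_first = LOWER + UPPER + DIGITS   # character order Heinz describes
    upper_first = UPPER + LOWER + DIGITS   # same characters, other order
    # Calibration from the thread: "wench" reported after 2:25 h = 8700 s
    rate = calibrated_rate("wench", lower_first, 8700)
    print(f"implied rate: {rate:,.0f} guesses/s")
    for name, alpha in (("lowercase first", lower_first), ("uppercase first", upper_first)):
        print(f"{name}: 'wench' reached after {human(guess_rank('wench', alpha) / rate)}")
    # Password policies to compare: (label, alphabet size, maximum length)
    for label, size, length in (("a-z, up to 5", 26, 5), ("a-zA-Z0-9, up to 6", 62, 6),
                                ("95 printable ASCII, up to 8", 95, 8)):
        worst, avg = exhaust_seconds(size, length, rate)
        print(f"{label}: worst {human(worst)}, average {human(avg)}")
```

The average figure holds only for a password chosen uniformly at random; a guessable word sits far earlier in any realistic ordering than its length alone suggests.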
Guys, it’s a very well known issue for Navision that you can change any password with just user2.modify; and also save the old one! I guess that it’s time for MBS to do something about that!