Security Basics mailing list archives

Re: Re[2]: MD5 algorithm


From: Matt Howard <securityfocus () hattmoward org>
Date: Wed, 24 Mar 2004 21:24:56 -0500

On Tuesday 23 March 2004 12:59 pm, you wrote:
> Hello Matt,
>
> But I received only 16, 22 or 32-byte hashes. Why not 34-byte hashes?
> And how can I use Digest::MD5 for it? Or maybe you can show me a
> script in Perl or C/C++ with its implementation.

Ah, I looked back at your first question... you want to make an MD5 hash for 
use in a passwd file?  Check out 'man crypt'.  This form of md5 uses a salt 
to make the algorithm require two dimensions.  That is, instead of making it 
so you only have to make a hash of every possible password, you have to cover 
every password with every salt.

If you're using perl on a system with the GNU version of libcrypt, you simply 
use a salt that starts with "$1$".  You will need to generate a random salt, 
using the characters in the set [a-zA-Z0-9./].  This will produce a string in 
the form you expected: $1$00000000$0000000000000000000000
The first 8 0's are the salt used, and the other 22 are the final md5 in base 
64.

If you're not on a system with GNU libcrypt, there may be a perl module 
available on CPAN that does the job also.

-- 
Matt Howard <mhoward__hattmoward.org>  http://hattmoward.org
PGP: 2364 B8D1 199C 4DB6 9E23  2409 C10B EC85 29B9 91EE
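
The approach described in the reply above, as an added Perl example that is not part of the original message: it draws an 8-character salt from [a-zA-Z0-9./], passes it to the built-in crypt() with the "$1$" prefix, and rejects the result when the local libcrypt does not produce the 34-character form. The helper names, the use of /dev/urandom and the sample password are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: build a "$1$" (MD5-crypt) passwd entry with Perl's built-in crypt().
use strict;
use warnings;

my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');   # 64 characters

# Return $len salt characters drawn from the kernel's random source.
sub random_salt {
    my ($len) = @_;
    my $bytes;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, $bytes, $len);
    close($fh);
    die "short read from /dev/urandom\n" unless defined $got && $got == $len;
    # 256 is a multiple of 64, so masking with 63 introduces no bias.
    return join '', map { $SALT_CHARS[$_ & 63] } unpack('C*', $bytes);
}

# Hash a password with a fresh salt; die if crypt() lacks "$1$" support.
sub md5_crypt {
    my ($password) = @_;
    my $salt = random_salt(8);
    my $hash = crypt($password, '$1$' . $salt . '$');
    # Without "$1$" support crypt() returns undef or a 13-character DES hash,
    # so check for the full shape: $1$ + 8 salt chars + $ + 22 chars = 34.
    die "this system's crypt() does not support \$1\$ salts\n"
        unless defined $hash
            && $hash =~ m{\A\$1\$\Q$salt\E\$[./0-9A-Za-z]{22}\z};
    return $hash;
}

# Verify by re-hashing with the stored entry as the salt argument;
# crypt() reads the "$1$salt$" prefix back out of it.
sub check_password {
    my ($password, $stored) = @_;
    my $candidate = crypt($password, $stored);
    return defined $candidate && $candidate eq $stored;
}

my $entry = md5_crypt('correct horse');   # constructed sample password
printf "%s (%d characters)\n", $entry, length $entry;
print "same password, new salt: ", md5_crypt('correct horse'), "\n";
print "verify good: ", (check_password('correct horse', $entry) ? "ok" : "FAIL"), "\n";
print "verify bad:  ", (check_password('wrong', $entry) ? "FAIL" : "rejected"), "\n";
```

The two entries printed for the same password differ because each call draws its own salt. On glibc systems the same crypt() call also accepts the stronger "$6$" (SHA-512) prefix, which produces a longer string than the 34 characters checked here.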

