Penetration Testing mailing list archives
RE: Craking Serv-u passwords stored in .ini file.
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Thu, 2 Sep 2004 16:23:18 -0400
I realize this is pedantic, but there's a fundamental difference between "cracking" MD5 and looking up pre-computed values. Of course, it may be useful to find out what password generated some particular md5 hash, but this is only non-trivial because the implementation of the hashing algorithm did not include salt while hashing. In other words,

MD5("bob") --> XYZ
MD5("crud") --> ABC

This would be bad, since "bob" and "crud" are probably in the rainbow tables. However:

MD5("haskjcfh3728h32ncvbob") --> UVW'
MD5("haskjcfh3728h32ncvcrud") --> DEF'

And these would not be in the rainbow tables, unless such tables were specifically built with "haskjcfh3728h32ncv" prefixed to the source dictionary.

I'm sure that there are many bad implementations of hashed password storage, so that's why these websites exist, but for those of you who implement it correctly, these won't make a difference at all.

Michael Scovetta

-----Original Message-----
From: Altheide, Cory B. (IARC) [mailto:AltheideC () nv doe gov]
Sent: Thursday, September 02, 2004 1:36 PM
To: 'Jérôme ATHIAS'; pen-test () securityfocus com
Subject: RE: Craking Serv-u passwords stored in .ini file.
-----Original Message-----
From: Jérôme ATHIAS [mailto:jerome.athias () caramail com]
Sent: Wednesday, September 01, 2004 12:11 PM
To: pen-test () securityfocus com
Subject: Re: Craking Serv-u passwords stored in .ini file.

i believe that is an md5 hash. there is a free service for cracking md5 hashes that uses tables at http://passcracking.com

peas
audi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I believe this url will only crack LM hashes of Windows passwords up to 14 characters using Rainbow Tables... I think it's quite different from MD5...
That's odd, because right at the top of the page, it says "MD5 ONLINE CRACKING." Also, the title of the page is "MD5 CRACK." Furthermore, the about section has clues like "This project is dedicated to crack md5 hashes online through web interface" and "At the moment we can crack md5 hashes in this character range: a-z;0-9 [8] which means we can break almost all hashes (99.56%) which are created from lowercase plaintext with letters and/or digits up to length of 8 characters." In fact, Windows LM hashes aren't mentioned at all.

I'm fairly certain that this URL will only crack MD5 hashes* and won't do much of anything useful with Lanman hashes.

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
altheidec () nv doe gov

*unsalted
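The distinction drawn in the message above, as an added example that is not part of the original post: a precomputed table over a small constructed word list finds an unsalted MD5 digest, misses the same password hashed under the post's prefix, and hits again once the table is rebuilt with that prefix. The per-user random salt and PBKDF2 storage functions go beyond the post; all function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample dictionary; a real precomputed table covers a whole keyspace.
DICTIONARY = ["bob", "crud", "letmein", "password1"]
SITE_PREFIX = b"haskjcfh3728h32ncv"   # the fixed prefix used in the post
ITERATIONS = 100_000                  # assumed work factor for the KDF below


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_table(words, prefix: bytes = b"") -> dict:
    """Precompute digest -> plaintext, optionally under one fixed prefix."""
    return {md5_hex(prefix + w.encode()): w for w in words}


def store_password(password: str):
    """Defender side: fresh random salt per record plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def demo() -> dict:
    generic = build_table(DICTIONARY)                # table built with no salt
    targeted = build_table(DICTIONARY, SITE_PREFIX)  # rebuilt for one known prefix
    unsalted = md5_hex(b"bob")
    prefixed = md5_hex(SITE_PREFIX + b"bob")
    return {
        "generic_vs_unsalted": generic.get(unsalted),    # found: "bob"
        "generic_vs_prefixed": generic.get(prefixed),    # not found: None
        "targeted_vs_prefixed": targeted.get(prefixed),  # found again: "bob"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
    salt_a, rec_a = store_password("bob")
    salt_b, rec_b = store_password("bob")
    print("same password, different records:", rec_a != rec_b)
```

A single site-wide prefix still lets one rebuilt table cover every account, which is why the storage functions draw a new salt for each record.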