Re: htpasswd decrypt

[Paul Melson <pmelson () gmail com>]

2010/6/19 Jacky Jack <jacksonsmth698 () gmail com>:
> It's not easy to write bruteforce decryptor as it generates new
> password each time upon generation.

The salted hashes are only a challenge if you don't have the salt,
like in the case of generating rainbow tables.

> 2010/6/18 Miguel González Castaños <miguel_3_gonzalez () yahoo es>:
> > Hi all,
> >
> >  For a hack lab in that I'm doing  I reach a point where I get a htpasswd
> > file in clear in an Apache server.

However, the original poster has captured the file, and therefore has
the full salt and hash. So a brute-force or dictionary attack against
the captured hash using any number of the tools already mentioned in
this thread will work just fine.

PaulM

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------