WebApp Sec mailing list archives

Re: Determine Salt used by MySQL in root'd server


From: samayel () gmail com
Date: Tue, 14 Jun 2011 04:39:37 +0000

Hi guys,
       Another idea would be to create a couple of users, and since you have access to the database where the passwords are
stored and you know what your passwords are, you should be able to deduce the salted part of your hashes.

Good luck!
-Samayel
Sent from my Blackberry® on the Videotron Mobile Network

-----Original Message-----
From: cp77fk4r <empty0page () gmail com>
Sender: listbounce () securityfocus com
Date: Mon, 13 Jun 2011 19:57:43 
To: Voulnet<voulnet () gmail com>
Cc: webappsec () securityfocus com<webappsec () securityfocus com>
Subject: Re: Determine Salt used by MySQL in root'd server

Try to look in the source of the login page, or in some config file
that is included by it.

On Sunday, June 12, 2011, Voulnet <voulnet () gmail com> wrote:
Hello folks, I'm doing a pentest on a server, and I got root access
through a Joomla web app, I got a dump of the jp_users table in MySQL,
however the passwords are obviously hashed and salted. I honestly
don't expect the passwords to be strong, so they can be bruteforced,
md5-looked up easily. However, how can I determine the salt value? I
already have root access on the server but I don't know where to look
in MySQL to find the salt value.



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
