Penetration Testing mailing list archives
Re: Brute force .htpasswd
From: D V <mysecurite () yahoo fr>
Date: Tue, 27 Nov 2001 11:52:49 +0100 (CET)
Hi,

I have received some e-mail from people (thanks to all of us) telling me to mangle the hashes into a correct password file format. It is not the problem for me. I will try to explain.

If you take an MD5 hash from a Unix/Linux box, the hash begins with $1$ (and I think with $2$ in some cases), but if you take an MD5 hash from a .htaccess (or .htpasswd) file used by Apache, it begins with $apr1$. In this case, John and MD5Crack don't work (I also tried to force the format with -format:MD5 with john). I tried them on W32 and Linux.

The MD5 hashes are generated with htpasswd.exe (on W32), which is a tool provided with Apache. For example, I have generated an MD5 hash:

test:$apr1$K2......$0afaV4Pb0N8k1udUVBHo./

In this case the password is 'test', but I have no tool (MD5crack and John don't work) that allows me to crack this .htpasswd file.

Any help is welcome.

Thanks for your help,
Dominique

--- H D Moore <sflist () digitaloffense net> wrote:
> MDCrack is one of the nicest MD5 brute forcers I have come across. You may need to mangle the hashes a little bit to get mdcrack to accept them, but it should do the trick. JTR is also very good at cracking md5 hashes; they have to be in the correct format for it to recognize them though.
>
> MDCrack: http://mdcrack.multimania.com/nsindex2.html