Penetration Testing mailing list archives

RE: Craking Serv-u passwords stored in .ini file.


From: "Altheide, Cory B. (IARC)" <AltheideC () nv doe gov>
Date: Thu, 2 Sep 2004 15:20:20 -0700

-----Original Message-----
From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com] 
Sent: Thursday, September 02, 2004 1:23 PM
To: Altheide, Cory B. (IARC); Jérôme ATHIAS; 
pen-test () securityfocus com
Subject: RE: Craking Serv-u passwords stored in .ini file.


I realize this is pedantic, but there's a fundamental 
difference between "cracking" MD5 and looking up pre-computed 
values. Of course, it may be useful to find out what password 
generated some particular md5 hash, but this is only 
non-trivial because the implementation of the hashing 
algorithm did not include salt while hashing.

The only real difference is that by using precomputed tables you're front-loading
your work and only doing computations that would normally be needlessly
repetitive once.  Otherwise the "cracking," as it were, is basically the
same.

I don't need to be directly addressed on messages to a mailing list I
obviously subscribe to. ;)

-- Cory
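
The two points made in the exchange above, as an added example that is not part of the original thread: a table built once serves every unsalted hash by lookup, while a per-account salt forces the hashing work to be repeated for each account. It assumes plain unsalted MD5 as described in the quoted message, not any particular product's on-disk format; the candidate list, account names and passwords are constructed sample data.

```python
import hashlib
import os

# Constructed sample data for a password audit (not from the thread).
CANDIDATES = ["letmein", "password1", "summer2004", "ftpuser", "changeme"]
ACCOUNTS = {"alice": "summer2004", "bob": "changeme", "carol": "summer2004"}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_table(candidates):
    """Front-loaded work: one hash per candidate, computed once."""
    return {md5_hex(c.encode()): c for c in candidates}

def audit_unsalted(stored, table):
    """Each stored hash costs a dictionary lookup, no hashing at all."""
    return {user: table.get(h) for user, h in stored.items()}

def audit_salted(stored, candidates):
    """A per-account salt defeats the shared table: every account needs
    its own pass over the candidates. Returns (results, hashes computed)."""
    found, cost = {}, 0
    for user, (salt, h) in stored.items():
        found[user] = None
        for c in candidates:
            cost += 1
            if md5_hex(salt + c.encode()) == h:
                found[user] = c
                break
    return found, cost

def demo():
    unsalted = {u: md5_hex(p.encode()) for u, p in ACCOUNTS.items()}
    salted = {}
    for u, p in ACCOUNTS.items():
        salt = os.urandom(8)  # random per-account salt, stored with the hash
        salted[u] = (salt, md5_hex(salt + p.encode()))
    table = build_table(CANDIDATES)
    unsalted_found = audit_unsalted(unsalted, table)
    salted_found, salted_cost = audit_salted(salted, CANDIDATES)
    # Unsalted storage also reveals which accounts share a password.
    shared_unsalted = unsalted["alice"] == unsalted["carol"]
    shared_salted = salted["alice"][1] == salted["carol"][1]
    return (unsalted_found, len(table), salted_found, salted_cost,
            shared_unsalted, shared_salted)

if __name__ == "__main__":
    print(demo())
```

The table costs 5 hashes regardless of how many accounts are checked, while the salted audit costs 11 hashes for three accounts and grows with every account added. A deliberately slow function such as `hashlib.scrypt` in place of a single MD5 round additionally raises the cost of each guess.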

