Penetration Testing mailing list archives

Re: htpasswd decrypt

From: "modversion" <modversion () gmail com>
Date: Sun, 20 Jun 2010 10:06:39 +0800

You can try l0phtcrack.
check http://baoz.net/crack-htpasswd-with-l0phtcrack/ for details

-----邮件原件-----
发件人: listbounce () securityfocus com [mailto:listbounce () securityfocus com] 代表 Jacky Jack
发送时间: 2010年6月19日 22:05
收件人: Miguel González Castaños
抄送: pen-test () securityfocus com
主题: Re: htpasswd decrypt

I haven't been aware of it, too.
If you know it, let me know.

It's not easy to write bruteforce decryptor as it generates new password each time upon generation.

./htpasswd -nb test test

Automatically using MD5 format.
test:$apr1$O9B501zi$LIb3jgek2pqVEv29qfCqO0

./htpasswd -nb test test

Automatically using MD5 format.
test:$apr1$Rekfkt5.$8NeNTA7C/Oy4jEuCgrnBE/

./htpasswd -nb test test

Automatically using MD5 format.
test:$apr1$PEH.OBdt$wE/nHRG.FYo2bzmAfxfIn1

./htpasswd -nb test test

Automatically using MD5 format.
test:$apr1$BtwEARib$2WWdK3nGlAWVutTRkFyV20




2010/6/18 Miguel González Castaños <miguel_3_gonzalez () yahoo es>:

Hi all,

 For a hack lab in that I'm doing  I reach a point where I get a 
htpasswd file in clear in an Apache server.

 Is there any tool that given the crypted password I can try to brute 
force (or use a dictionary attack) and get the original password? 
There are a lot of MD5 password crackers but they don't state if they 
work for htpasswd generated passwords.

 Thanks!

 Miguel

----------------------------------------------------------------------
-- This list is sponsored by: Information Assurance Certification 
Review Board

Prove to peers and potential employers without a doubt that you can 
actually do a proper penetration test. IACRB CPT and CEPT certs 
require a full practical examination in order to become certified.
http://www.iacertification.org
----------------------------------------------------------------------
--


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

htpasswd decrypt Miguel González Castaños (Jun 18)
- Re: htpasswd decrypt dishix (Jun 19)
- Re: htpasswd decrypt Jacky Jack (Jun 19)
  - Re: htpasswd decrypt Christine Kronberg (Jun 20)
    - Re: htpasswd decrypt Miguel Gonzalez (Jun 20)
  - RE: htpasswd decrypt Gaurav Kumar (Jun 20)
    - Re: htpasswd decrypt Miguel González Castaños (Jun 21)
  - Re: htpasswd decrypt Paul Melson (Jun 21)
- <Possible follow-ups>
- Re: htpasswd decrypt modversion (Jun 20)