Best way to crack salted FreeBSD md5 hashes

3,095 views

Mohit Chawla

Aug 8, 2011, 05:55:07
to null-...@googlegroups.com
Hello all,

I hope the subject itself clarifies the question I have.
So what could be the best way to crack salted MD5 hashes?

Thanks,
Mohit

Yash Kadakia

Aug 8, 2011, 06:14:47
to null-...@googlegroups.com, Mohit Chawla
It really comes down to how the password has been salted. There are n number of ways in which developers could salt the password, e.g.:
  • md5(password + salt)
  • md5(salt + password)
  • md5(pass + salt +word)
  • md5(md5(password) + md5(salt))
  • and a million other such combinations

Additionally the contents of the salt could also realistically be anything. With this level of variation, the only real options you have are:
  • Raw brute force
  • Reverse engineering the salted hash via a known password
  • Identifying the hashing process

Best Regards - Yash


--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/

webDEViL

Aug 8, 2011, 07:57:49
to null-...@googlegroups.com
Well since you mention FreeBSD.

salt would be abcdef if your hash was:
$1$abcdef$zzzzzzzzzzzzzzzzzzzzz
Put it in JTR, it will recognize it for you automatically. But it will be agonizingly slow and really infeasible. Because Linux is secure! :P
GPU based cracking is what you should be looking at.






--
Regards,
webDEViL
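
The `$1$abcdef$...` layout mentioned above is the modular crypt format: an identifier (`1` for FreeBSD-style MD5 crypt), then the salt, then the digest. As an added example, not part of the original thread, the code below parses shadow-style lines and reports accounts still stored under that scheme; the sample entries, the function names and the policy of treating `$1$` as legacy are assumptions of the example.

```python
# Added example: flag legacy md5crypt ($1$) entries in shadow-style lines.
# All entries below are constructed placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:$1$abcdef$zzzzzzzzzzzzzzzzzzzzzz:15194:0:99999:7:::
bob:$6$rounds=5000$saltsalt$xxxxxxxxxxxxxxxx:15194:0:99999:7:::
daemon:*:15194:0:99999:7:::
carol:$1$qrstuvwx$yyyyyyyyyyyyyyyyyyyyyy:15194:0:99999:7:::
dave:$5$othersalt$wwwwwwwwwwwwwwww:15194:0:99999:7:::
"""

# Modular crypt format identifiers -> scheme name.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
LEGACY = {"md5crypt"}  # assumption: this audit's policy treats $1$ as legacy


def parse_mcf(field):
    """Split a $id$[rounds=N$]salt$hash field; return None if not MCF."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "":
        return None
    scheme = SCHEMES.get(parts[1], "unknown")
    body = parts[2:]
    rounds = None
    if body[0].startswith("rounds=") and len(body) >= 3:
        rounds = int(body[0][len("rounds="):])
        body = body[1:]
    # For md5crypt/sha*crypt the next field is the salt; bcrypt and yescrypt
    # pack cost parameters and salt differently, so report no salt for them.
    salt = body[0] if scheme in ("md5crypt", "sha256crypt", "sha512crypt") else None
    return {"scheme": scheme, "salt": salt, "rounds": rounds}


def audit_shadow(text):
    """Return (user, scheme, salt) for every account using a legacy scheme."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        info = parse_mcf(fields[1])  # bare '*' or '!' fields parse to None
        if info and info["scheme"] in LEGACY:
            findings.append((fields[0], info["scheme"], info["salt"]))
    return findings


if __name__ == "__main__":
    for user, scheme, salt in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme} (salt {salt}) -> rehash with a stronger scheme")
```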


webDEViL

Aug 8, 2011, 09:45:30
to Mohit Chawla, null-...@googlegroups.com
Re-read my earlier mail to get a hint.

On Mon, Aug 8, 2011 at 6:52 PM, Mohit Chawla <mohit.c...@gmail.com> wrote:
Ok.

Well yes, JTR could recognize it as FreeBSD 32/32. But it's taking a hell of a lot of time even on the Xeon server.
Because AFAICS, it's not utilizing all the cores of CPU.

My question is, what could be best possible way to crack those hashes?

TAS

Aug 8, 2011, 09:49:07
to null-...@googlegroups.com, Mohit Chawla
In case you still didn't get it, GPU-based cracking is what you should be looking at.

-
TAS
http://twitter.com/p0wnsauc3


From: webDEViL <w3bd...@gmail.com>
Date: Mon, 8 Aug 2011 19:15:30 +0530
To: Mohit Chawla<mohit.c...@gmail.com>
Subject: Re: [null] Best way to crack salted FreeBSD md5 hashes

Dhanesh k

Aug 8, 2011, 11:12:49
to null-...@googlegroups.com
I had blogged about cracking MD5 earlier.
http://dhanesh.blogspot.com/2010/04/worlds-fastest-md5-cracker.html

You can use CPU+GPU based brute force tools like BarsWF or any commercial alternatives.
Oh and get a good GPU ;)

Regards,
Dan

Yash Kadakia

Aug 8, 2011, 06:48:07
to Mohit Chawla, null-...@googlegroups.com
Hi Mohit,

I honestly don't remember the exact salting routine used but if it is from a *nix based OS, it shouldn't be very difficult to find out via Google or better yet by simply opening up the relevant code.

In regards to reverse engineering, when dealing with salted hashes for an audit, we will typically create a password on the system with, say, password "a". After this, we will brute force all possible combinations of a + salt and so on until something matches the hash. This way, we can get an idea about the algorithm used to create the hashes.

Yash

On 08-Aug-2011, at 4:13 PM, Mohit Chawla wrote:

Hello Yash,

On Mon, Aug 8, 2011 at 3:44 PM, Yash Kadakia <tecc...@gmail.com> wrote:
It really comes down to how the password has been salted. There are n number of ways in which developers could salt the password, e.g.:
  • md5(password + salt)
  • md5(salt + password)
  • md5(pass + salt +word)
  • md5(md5(password) + md5(salt))
  • and a million other such combinations
Cool. Very comprehensive.
But, it's FreeBSD style md5 hash + salt combination, which is commonly used to store passwords in Linux.
So which of the mentioned must have been used in Unix/Linux OSes?

 
Additionally the contents of the salt could also realistically be anything. With this level of variation, the only real options you have are:
  • Raw brute force
It would take a hell of a lot of time.
 
  • Reverse engineering the salted hash via a known password
Could you be more descriptive?
 
  • Identifying the hashing process
I could not find the technique used in most *nix OSes (or maybe I'm not using proper keywords ;-) )
But, would be great if someone knows it.
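
The known-password check Yash describes can be scripted for an audit of an application's own password storage. This is an added example, not code from the thread; the salt, passwords and function names are constructed, and the midpoint split for `md5(pass + salt + word)` and the hex-digest concatenation for the nested form are assumptions. It also shows why a one-character test password such as "a" can leave the result ambiguous.

```python
import hashlib

# Added example; every value here is constructed for the demonstration.


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def split_around(p: bytes, s: bytes) -> bytes:
    # Assumption: "pass + salt + word" splits the password at its midpoint.
    mid = len(p) // 2
    return p[:mid] + s + p[mid:]


# Candidate constructions, named as in the thread's list.
CANDIDATES = {
    "md5(password + salt)": lambda p, s: md5hex(p + s),
    "md5(salt + password)": lambda p, s: md5hex(s + p),
    "md5(pass + salt + word)": lambda p, s: md5hex(split_around(p, s)),
    # Assumption: inner digests are concatenated as lowercase hex strings.
    "md5(md5(password) + md5(salt))":
        lambda p, s: md5hex((md5hex(p) + md5hex(s)).encode()),
}


def identify(known_password: str, salt: str, stored_hash: str) -> list:
    """Return the names of all candidates that reproduce stored_hash."""
    p, s = known_password.encode(), salt.encode()
    target = stored_hash.strip().lower()
    return [name for name, fn in CANDIDATES.items() if fn(p, s) == target]


def app_under_audit(password: str, salt: str) -> str:
    """Stand-in for the audited application: here it uses md5(salt + password)."""
    return md5hex((salt + password).encode())


if __name__ == "__main__":
    salt = "x9Qk"  # constructed salt, read from the audited account's record
    # A one-character test password cannot separate two of the candidates:
    print(identify("a", salt, app_under_audit("a", salt)))
    # A longer test password gives a single match:
    print(identify("audit-pass", salt, app_under_audit("audit-pass", salt)))
    # An empty list means the construction is not among the candidates,
    # for example an iterated scheme such as the $1$ format.
    print(identify("a", salt, "0" * 32))
```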
 

Mohit Chawla

Aug 8, 2011, 09:55:59
to p0wn...@gmail.com, null-...@googlegroups.com
Oh ok. Sorry for ignoring it.

Hardware constraints :-(

Mohit Chawla

Aug 8, 2011, 06:43:30
to Yash Kadakia, null-...@googlegroups.com
Hello Yash,

On Mon, Aug 8, 2011 at 3:44 PM, Yash Kadakia <tecc...@gmail.com> wrote:
It really comes down to how the password has been salted. There are n number of ways in which developers could salt the password, e.g.:
  • md5(password + salt)
  • md5(salt + password)
  • md5(pass + salt +word)
  • md5(md5(password) + md5(salt))
  • and a million other such combinations
Cool. Very comprehensive.

But, it's FreeBSD style md5 hash + salt combination, which is commonly used to store passwords in Linux.
So which of the mentioned must have been used in Unix/Linux OSes?

 
Additionally the contents of the salt could also realistically be anything. With this level of variation, the only real options you have are:
  • Raw brute force
It would take a hell of a lot of time.
 
  • Reverse engineering the salted hash via a known password
Could you be more descriptive?
 
  • Identifying the hashing process
I could not find the technique used in most *nix OSes (or maybe I'm not using proper keywords ;-) )
But, would be great if someone knows it.
 

Mohit Chawla

Aug 8, 2011, 06:53:50
to Yash Kadakia, null-...@googlegroups.com
Ok.

And thanks for rev-engg explanation.
That was plain and simple.

Yash Kadakia

Aug 8, 2011, 09:51:13
to null-...@googlegroups.com
Or even dist john if you have multiple machines available.

If it's professional work, I highly recommend using AWS.

Yash

Yash Kadakia

Office: +91-022-23532909
Office: +1-347-99-ITSEC (+1-347-994-8732)
Mobile: +91-9833375290
Blog: http://www.yashkadakia.com/



From: "TAS" <p0wn...@gmail.com>
Date: Mon, 8 Aug 2011 13:49:07 +0000

Mohit Chawla

Aug 8, 2011, 09:22:42
to w3bd...@gmail.com, null-...@googlegroups.com
Ok.

Well yes, JTR could recognize it as FreeBSD 32/32. But it's taking a hell of a lot of time even on the Xeon server.
Because AFAICS, it's not utilizing all the cores of CPU.

My question is, what could be best possible way to crack those hashes?

On Mon, Aug 8, 2011 at 5:27 PM, webDEViL <w3bd...@gmail.com> wrote:

Ijas Rahman

Aug 10, 2011, 05:56:51
to null-...@googlegroups.com
Dear Mohit,

As webDEViL mentioned earlier, JTR is the best in its domain.


--
Regards,

Ijas Rahman

On Mon, Aug 8, 2011 at 3:25 PM, Mohit Chawla <mohit.c...@gmail.com> wrote:

--

Rahul Sasi

Aug 12, 2011, 00:42:59
to null-...@googlegroups.com
An ugly paper explaining your question, but still it would have been healthy using Google.

http://www.garage4hackers.com/entry.php?38-Cracking-Salted-Hashes
http://null.co.in/2010/08/25/cracking-salted-hashes/

Regards,
--
Rahul Sasi aka Fb1h2s
Info Security Researcher

07738222968
www.fb1h2s.com
wwww.garage4hackers.com
www.garage4hackers.com/blog.php?8-Fb1h2s-blog

