Waraxe Forums

_nix · Beginner

Okay, so I thought I'd test out a friends net today and I'm fairly new to the pass cracking department so I thought it would be good practice. Anyway, I know about the htaccess and htpasswd files and all that, so after grabbing those easily I thought I'd run the Des encrypted password through a brute forcer, I tried two of them and they both brought up the same cracked password of "wipeout" (excluding the quotes).

First I ran a brute force using john the ripper, 4 hours later "wipeout" came up, I tested it on webmin, phpmyadmin, ssh, nothing at all. I then tried it with propass and as you can guess the same "wipeout" pass came up.

So I am wondering, is this just a guess or is it legit? I tried it on a few test passwords with a dictionary where I put in the plain text passes halfway down and both programs found them all without fail.

Am I doing something wrong? Is it possible for the htpasswd file to not contain the actual password? I'm really puzzled here.

The Des pass is yJx7FJB6RPlE2 so if anyone wants to see if it is actually "wipeout" or something else then by all means, hopefully someone can help me out here ;[

waraxe · Site admin

This DES hash is indeed related to "wipeout" and is 100% OK. Question is, where it is used ...
If it's coming from .htpasswd, then you can use it for HTTP Basic Auth. Sometimes it is used for PhpMyAdmin too, but it depends. So it seems, that you have found password, but just don't know, where it's used Smile

Of course, lazy admins/webmasters/programmers can use same password for many things, but not always ...

_nix · Beginner

Thanks for confirming I had done it right, and got the correct password from it Smile