Waraxe IT Security Portal
MD5 Hash Question
Posted: Thu Aug 07, 2008 8:24 am
Chedda
Active user
Joined: May 26, 2008
Posts: 27

Well I have been using an exploit for SMF forums. It has revealed hashes, but I have no idea what type of hash it is. It seems a bit long for just a plain MD5 hash so I am thinking there is more to it. I have tried to run it in PasswordsPro without any luck, but I am not even sure I entered it correctly. Can anyone help by telling me what type of hash I have and possibly cracking it? Any information would be helpful, thanks!

Code:

C:\perl\perl\bin>perl smf.pl -p -u Admin -t http://www.****.net/forum
SMF Is Vulnerable!
Finding Password Hash for the Name: 'Admin'
Please Standby...

Password Hash:
1a9e202de331d17648eb07ffbe08443732582d08
This attack used 160 HTTP requests and took 1010 seconds to complete.
EOF


Here are the other hashes that came up under various usernames.

Code:

175a4a47d6aac2f736a36e69dfeba69f3b9262c2
1160bc92c9aaea04aba1fd3c929dd6d4a8ed142b
1267b4f93874a716cb6f070beaa01296e42b9a7f

Posted: Thu Aug 07, 2008 8:43 am
Chedda
Active user
Joined: May 26, 2008
Posts: 27

Oh I just finished reading the rest of the script and it is saying,

Quote:

The password hash is generated as:
sha1(strtolower() . );


Sadly I have no idea what that means, but I have a feeling it's the answer.

Posted: Thu Aug 07, 2008 9:03 am
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

I read the script and it exactly says:

sha1(strtolower($username) . $password);

In passwordspro there is such a scheme. It's indicated as

sha1($username.$password);

You have to set the user as the lower char conversion of the username you want to crack.
View user's profile Send private message
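
For administrators whose forum still stores passwords in the scheme quoted above, an added example (not part of the original thread and not SMF's own code): it reproduces `sha1(strtolower($username) . $password)` and wraps each stored record in salted PBKDF2, so a leaked table no longer contains bare SHA-1 values. The record tag, function names and iteration count are assumptions, and the account shown is constructed.

```python
import hashlib
import hmac
import os

PREFIX = "pbkdf2-sha1wrap"   # hypothetical record tag, not an SMF format
ITERATIONS = 600_000         # assumed work factor; tune for your hardware


def legacy_smf_hash(username: str, password: str) -> str:
    """sha1(strtolower($username) . $password), as quoted in the thread.

    bytes.lower() folds ASCII letters only; assumed to match the forum's
    strtolower() for ASCII usernames.
    """
    data = username.encode("utf-8").lower() + password.encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def wrap_legacy(legacy_hex: str, iterations: int = ITERATIONS) -> str:
    """Wrap a stored legacy hash in salted PBKDF2; no plaintext needed."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.lower().encode(),
                             salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify(username: str, password: str, stored: str):
    """Return (ok, upgraded_record). upgraded_record is set only when a
    bare legacy hash matched and should replace the stored value."""
    candidate = legacy_smf_hash(username, password)
    if stored.startswith(PREFIX + "$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    ok = hmac.compare_digest(candidate, stored.lower())
    return ok, (wrap_legacy(stored) if ok else None)


if __name__ == "__main__":
    # Constructed account; not taken from the thread.
    old = legacy_smf_hash("Admin", "correct horse")
    print(verify("admin", "correct horse", old)[0])  # username case is folded
    new = wrap_legacy(old)
    print(verify("ADMIN", "correct horse", new))
    print(verify("admin", "wrong", new))
```

Because wrapping needs only the old hash, every row can be upgraded in one pass without waiting for users to log in. The username stays part of the inner SHA-1, so renaming an account invalidates its record until the next password change.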

Posted: Thu Aug 07, 2008 9:44 am
Chedda
Active user
Joined: May 26, 2008
Posts: 27

oniric wrote:
I read the script and it exactly says:

sha1(strtolower($username) . $password);

In passwordspro there is such a scheme. It's indicated as

sha1($username.$password);

You have to set the user as the lower char conversion of the username you want to crack.


Ahh thanks! I think I understand now so is this correct?


Posted: Thu Aug 07, 2008 9:49 am
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

No..lowercase username.. admin

Posted: Fri Aug 08, 2008 8:20 am
Chedda
Active user
Joined: May 26, 2008
Posts: 27

I can't seem to get any passwords. I even registered on a vulnerable forum and used the password 'password' just as a control and I wasn't even able to crack the hash that came with my account. If anyone has time could they please run these through for me?

Here is supposedly the format, sha1($username.$password);

If anyone could try these I would greatly appreciate it.

Posted: Fri Aug 08, 2008 9:11 am
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

Just looked more carefully at the screenshot and you put admin as the user name but you used the hash of another user.. Which are the two versions of SMF you attacked?

Posted: Sat Aug 09, 2008 1:37 am
Chedda
Active user
Joined: May 26, 2008
Posts: 27

oniric wrote:
Just looked more carefully at the screenshot and you put admin as the user name but you used the hash of another user.. Which are the two versions of SMF you attacked?

I'm not 100% sure about your reply. The version I am trying to attack is SMF 1.1.3 and I am using http://www.milw0rm.com/exploits/4547. Here is basically step by step of what I did;

Run the exploit


Add the username and hash to PasswordsPro


Run PasswordsPro


Obviously I just started running PasswordsPro so I have a while until it's done, but this is exactly what I did before to figure out a different hash without any luck. Should I enter the hash into the Salted box? I really have no idea and am willing to try anything. I am also new to PasswordsPro and have noticed at the bottom while it's trying to crack the hash it has a box for Current password: that is constantly changing. I assume this is the current password it's trying to match with the hash, but what I have noticed is the password displayed is always in capital letters. Is that a problem?

Posted: Sat Aug 09, 2008 9:12 am
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

You are using a Brute Force Attack, so you are checking all the possible passwords in the key space generated by the character set of your choice and the desired range. Try first a dictionary attack? Do you have a good word list?

Btw, I'm going to test some of these with my wordlist.

Posted: Sat Aug 09, 2008 3:46 pm
Chedda
Active user
Joined: May 26, 2008
Posts: 27

oniric wrote:
You are using a Brute Force Attack, so you are checking all the possible passwords in the key space generated by the character set of your choice and the desired range. Try first a dictionary attack? Do you have a good word list?

Btw, I'm going to test some of these with my wordlist.


Thanks for the advice, you truly are the man. I didn't have a very large wordlist, but just downloaded a 2 GB wordlist, no idea how good it is.

Posted: Sat Aug 09, 2008 4:05 pm
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

I tested the hash on my wordlists and I didn't find a collision..