decrypting htpasswd

Steve Phillips steve at focb.co.nz
Mon Jan 24 19:45:21 UTC 2005 

On Mon, 24 Jan 2005, Benjamin J. Weiss wrote:

> Mulley, Nikhil wrote:
>
>> [I am not talking abt Cracking..] This is however to say that I ensure my 
>> security and warn others abt their security as well..
>> as earlier said ..the password file has two fields...
>> Username:Password
>> the password is in DES (hashed)Encryption format..
>> so I think there is a way to Rip it with John...
>> 
> 1) If you intentionally acquired this file without the permission of the 
> server's owner, you have violated federal law.
> 2) If you accidentally acquired this file and then attempt to crack the 
> password, you have violated federal law.

Except that the world is not the USA and there are still many countries 
where this is entirely legal, or does not fall under "federal" law. While 
his originating IP appears to be in Calafornia, he may actually be on the 
other side of the world.

Morally your arguments hold up but claiming this on an international 
mailing list is a little silly.

> If you truly came upon this file accidentally and you want to warn the owners 
> about their security, simply give them a copy of the file you captured and 
> then delete it.
>
> I work for a state law-enforcement agency.  If you wish assistance in 
> contacting the server owners, please contact me off-list.

There are actually rather legitimate reasons for wanting to crack a 
password file. this may be the only record of a password used by a 
previous employee who has locked other records with the same password but 
the hash is in a more secure form *shrug* who knows.

To answer the original question - generally John the ripper requires the 
password files to be in a specific format (when I last used it it was unix 
password file format) which means that you may need to move the hash into 
a pseudo password type file and tell john the ripper to try cracking it. 
The information you require is all in the John the Ripper documentation, 
it would probably be prudent to read it.

It would also be a good idea to get a dictionary list together (google if 
you dont have one) which john can use against the hash whcih may speed 
things up significantly if the password is based on a dictionary word. 
Otherwise be prepared for a long wait, typically an 8 character DES 
encrypted password with numbers, punctuation and upper/lower case letters 
will take around 3-6 months to crack (higher end PC's obviously will do 
this slightly faster)

HTH,

-- 
Steve.

More information about the redhat-list mailing list