decrypting htpasswd

Wade Chandler wchandler at redesetgrow.com
Mon Jan 24 16:02:39 UTC 2005


Mulley, Nikhil wrote:
> [I am not talking about Cracking..] This is however to say that I ensure my security and warn others about their security as well..
> as earlier said ..the password file has two fields...
> Username:Password
> the password is in DES (hashed)Encryption format..
> so I think there is a way to Rip it with John...
> 
> 
> 
>>-----Original Message-----
>>From: redhat-list-bounces at redhat.com
>>[mailto:redhat-list-bounces at redhat.com]On Behalf Of Nathaniel Hall
>>Sent: Monday, January 24, 2005 12:04 AM
>>To: General Red Hat Linux discussion list
>>Subject: Re: decrypting htpasswd
>>
>>
>>Mulley, Nikhil wrote:
>>| Hi All,
>>| [Meant for Linux Hackers...Well I know all here belong to the same community ;)]
>>| However, I have managed to get the htpasswd file of some other site..
>>| this htpasswd file has the fields like..
>>| Username:Password
>>| (which I guess has some DES encryption and as the salt does not seem to start with $1$ which resembles hashing with MD5)
>>| So, Question is how can I ask my John(the Ripper) to start cracking this file to give me the password...
>>|
>>| Any one any thoughts/ideas ?
>>|
>>| ~Nikhil.
>>|  °v°
>>| /(_)\
>>|   ^ ^
>>|
>>While I do not see this being a good approach to the question, I do see
>>reasonable (legal) uses for your question.  I, however, will not say
>>anything about how to use John the Ripper.  It can be a good tool to use
>>as long as there is a good legal reason.
>>
>>As far as the password hashing with MD5, to the best of my knowledge
>>there is no way to figure out what the password is without generating
>>every possible combination and comparing the MD5 hash of both.  The
>>whole reason for using MD5 hashes is to keep from saving the password in
>>a decryptable form.  To verify authenticity you compare the MD5 sum of
>>a password given with the MD5 sum that was created when the password was
>>created.  Then you never sacrifice the password.
>>
>>- --
>>
>>Nathaniel Hall, GSEC
>>Intrusion Detection and Firewall Technician
>>Ozarks Technical Community College -- Office of Computer Networking
>>
>>halln at otc.edu
>>417-447-7535
>>

Not really.  It's a one way algorithm.  It doesn't keep enough
information to be able to come up with the values.  It's a hash.  A hash
isn't encryption.  It's a security measure.  You have to crack it.
Knowing the salt that was used would make it easier for you to be able
to figure it out, but you still have to guess the correct value to
generate the same hash, then you know you have cracked a password.
That's why short passwords are bad.  It's the same stuff the /etc/shadow
file is based on...if not the same hash type it's still a hash.  I've
written scripts to produce the hashed value, so I know it's not an
encrypted value; many Perl books show you how to do this.  The thing
about a hash (good ones) is they don't give away the length of the
input....same for an MD5...you can't tell the length of the input.

Wade
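
Added example, not part of the original messages: the thread tells DES crypt from MD5 by the shape of the Password field (no `$1$` prefix), and the same check lets an administrator audit their own htpasswd file for entries stored under weak schemes. The function names, rating labels and sample entries are assumptions of this example; the sample hash fields are constructed and only have the right shape.

```python
import re

B64 = r"[./A-Za-z0-9]"  # crypt(3)-style alphabet
# "weak": DES crypt has a 2-char salt and uses only 8 password chars; {SHA} is one unsalted SHA-1.
# "legacy": salted MD5 schemes with a fixed 1000 rounds. Ratings are this example's own labels.
SCHEMES = [  # prefixed formats are tested before the bare 13-character DES form
    ("bcrypt", re.compile(rf"^\$2[aby]\$\d\d\${B64}{{53}}$"), "ok"),
    ("apr1-md5", re.compile(rf"^\$apr1\${B64}{{1,8}}\${B64}{{22}}$"), "legacy"),
    ("md5-crypt", re.compile(rf"^\$1\${B64}{{1,8}}\${B64}{{22}}$"), "legacy"),
    ("sha1-unsalted", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "weak"),
    ("des-crypt", re.compile(rf"^{B64}{{13}}$"), "weak"),
]

def classify(hash_field):
    """Return (scheme, rating) for one htpasswd hash field."""
    for name, pattern, rating in SCHEMES:
        if pattern.match(hash_field):
            return name, rating
    return "unknown", "review"

def audit(htpasswd_text):
    """Return [(user, scheme, rating)] for each Username:Password line."""
    findings = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:  # no colon at all: not a Username:Password entry
            findings.append((line, "malformed", "review"))
            continue
        findings.append((user, *classify(rest.split(":")[0])))
    return findings

# Constructed sample entries: correct shape for each scheme, not real hashes.
SAMPLE = "\n".join([
    "alice:xxCONSTRUCTED",
    "bob:$1$saltsalt$" + "A" * 22,
    "carol:$apr1$saltsalt$" + "A" * 22,
    "dave:{SHA}" + "C" * 27 + "=",
    "erin:$2y$05$" + "B" * 53,
    "# comment line",
    "frank",
])

if __name__ == "__main__":
    for user, scheme, rating in audit(SAMPLE):
        print(f"{user:6} {scheme:14} {rating}")
```

Entries rated weak or legacy are candidates for re-issuing under bcrypt the next time the user's password is set, since the stored hash cannot be converted without the password.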
