[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: decrypting htpasswd



Mulley, Nikhil wrote:
[I am not talking abt Cracking..] This is however to say that I ensure my security and warn others abt their security as well..
as earlier said ..the password file has two fields...
Username:Password
the password is in DES (hashed)Encryption format..
so I think there is a way to Rip it with John...



-----Original Message-----
From: redhat-list-bounces redhat com
[mailto:redhat-list-bounces redhat com]On Behalf Of Nathaniel Hall
Sent: Monday, January 24, 2005 12:04 AM
To: General Red Hat Linux discussion list
Subject: Re: decrypting htpasswd


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mulley, Nikhil wrote:
| Hi All,
| [Meant for Linux Hackers...Well I know all here belong to the same
community ;)]
| However , I have managed to get the htpasswd file of some other site..
| this htpasswd file has the fileds like..
| Username:Password
| (which I guess has some DES encryption and as the salt does not seem
to be start with $1$ which resembles hashing with MD5)
| So , Question is how can I ask my John(the Ripper) to start cracking
this file to give me the password...
|
| Any one any thoughts/ideas ?
|
| ~Nikhil.
|  °v°
| /(_)\
|   ^ ^
|
While I do not see this being a good approach to the question, I do see
reasonable (legal) uses for your question.  I, however, will not say
anything about how to use John the Ripper. It can be a good tool to use
as log as there is a good legal reason.

As far as the password hashing with MD5, to the best of my knowledge
there is no way to figure out what the password is without generating
every possible combination and comparing the MD5 hash of both.  The
whole reason for using MD5 hashes is to keep from saving the password in ~ a decryptable form. To verify authenticity you compare the MD5 sum of a password given with the MD5 sum that was created when the password was
created.  Then you never sacrifice the password.

- --

Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking

halln otc edu
417-447-7535

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQFB8+4uc+QrUawYcxIRAolXAJwKs4DwKuGm0z9mbgYJRQlfE69v4QCfRMih
uTRl7zJo9P3ASq4e6iLcsus=
=zI9j
-----END PGP SIGNATURE-----

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list




Not really. It's a one way algorithm. It doesn't keep enough information to be able to come up with the values. It's a hash. A hash isn't encryption. It's a security measure. You have to crack it. Knowing the salt that was used would make it easier for you to be able to figure it out, but you still have to guess the correct value to generate the same hash then you know you have cracked a password. That's why short passwords are bad. It's the same stuff the /etc/shadow file is based on...if not the same hash type it's still a hash. I've written scripts to produce the hashed value, so I know it's not an encrypted value, many perl books show you how to do this. The thing about a hash (good ones) is they don't give away the length of the input....same for an MD5...you can't tell the length of the input.

Wade



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]