[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: decrypting htpasswd



On Mon, 24 Jan 2005, Benjamin J. Weiss wrote:

Mulley, Nikhil wrote:

[I am not talking abt Cracking..] This is however to say that I ensure my security and warn others abt their security as well..
as earlier said ..the password file has two fields...
Username:Password
the password is in DES (hashed)Encryption format..
so I think there is a way to Rip it with John...

1) If you intentionally acquired this file without the permission of the server's owner, you have violated federal law. 2) If you accidentally acquired this file and then attempt to crack the password, you have violated federal law.

Except that the world is not the USA and there are still many countries where this is entirely legal, or does not fall under "federal" law. While his originating IP appears to be in Calafornia, he may actually be on the other side of the world.

Morally your arguments hold up but claiming this on an international mailing list is a little silly.

If you truly came upon this file accidentally and you want to warn the owners about their security, simply give them a copy of the file you captured and then delete it.

I work for a state law-enforcement agency. If you wish assistance in contacting the server owners, please contact me off-list.

There are actually rather legitimate reasons for wanting to crack a password file. this may be the only record of a password used by a previous employee who has locked other records with the same password but the hash is in a more secure form *shrug* who knows.

To answer the original question - generally John the ripper requires the password files to be in a specific format (when I last used it it was unix password file format) which means that you may need to move the hash into a pseudo password type file and tell john the ripper to try cracking it. The information you require is all in the John the Ripper documentation, it would probably be prudent to read it.

It would also be a good idea to get a dictionary list together (google if you dont have one) which john can use against the hash whcih may speed things up significantly if the password is based on a dictionary word. Otherwise be prepared for a long wait, typically an 8 character DES encrypted password with numbers, punctuation and upper/lower case letters will take around 3-6 months to crack (higher end PC's obviously will do this slightly faster)

HTH,

--
Steve.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]