decrypting htpasswd
Mulley, Nikhil
mnikhil at corp.untd.com
Thu Jan 27 05:18:51 UTC 2005
Thanks Steve.. for getting me..
Rather what I wanted was What kinda format of the passwd file does John Expect?
Ok as you said..."it would probably be prudent to read it." , I will do that.. :)
Regards,
Nikhil
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com]On Behalf Of Steve Phillips
> Sent: Tuesday, January 25, 2005 1:15 AM
> To: General Red Hat Linux discussion list
> Subject: Re: decrypting htpasswd
>
>
> On Mon, 24 Jan 2005, Benjamin J. Weiss wrote:
>
> > Mulley, Nikhil wrote:
> >
> >> [I am not talking abt Cracking..] This is however to say
> that I ensure my
> >> security and warn others abt their security as well..
> >> as earlier said ..the password file has two fields...
> >> Username:Password
> >> the password is in DES (hashed)Encryption format..
> >> so I think there is a way to Rip it with John...
> >>
> > 1) If you intentionally acquired this file without the
> permission of the
> > server's owner, you have violated federal law.
> > 2) If you accidentally acquired this file and then attempt
> to crack the
> > password, you have violated federal law.
>
> Except that the world is not the USA and there are still many
> countries
> where this is entirely legal, or does not fall under
> "federal" law. While
> his originating IP appears to be in Calafornia, he may
> actually be on the
> other side of the world.
>
> Morally your arguments hold up but claiming this on an international
> mailing list is a little silly.
>
> > If you truly came upon this file accidentally and you want
> to warn the owners
> > about their security, simply give them a copy of the file
> you captured and
> > then delete it.
> >
> > I work for a state law-enforcement agency. If you wish
> assistance in
> > contacting the server owners, please contact me off-list.
>
> There are actually rather legitimate reasons for wanting to crack a
> password file. this may be the only record of a password used by a
> previous employee who has locked other records with the same
> password but
> the hash is in a more secure form *shrug* who knows.
>
> To answer the original question - generally John the ripper
> requires the
> password files to be in a specific format (when I last used
> it it was unix
> password file format) which means that you may need to move
> the hash into
> a pseudo password type file and tell john the ripper to try
> cracking it.
> The information you require is all in the John the Ripper
> documentation,
> it would probably be prudent to read it.
>
> It would also be a good idea to get a dictionary list
> together (google if
> you dont have one) which john can use against the hash whcih
> may speed
> things up significantly if the password is based on a
> dictionary word.
> Otherwise be prepared for a long wait, typically an 8 character DES
> encrypted password with numbers, punctuation and upper/lower
> case letters
> will take around 3-6 months to crack (higher end PC's
> obviously will do
> this slightly faster)
>
> HTH,
>
> --
> Steve.
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
More information about the redhat-list
mailing list