RE: Password Cracking Challenge...

From: David Schwartz (davids_at_webmaster.com)
Date: 07/28/03

  • Next message: Michael Wojcik: "RE: Password Cracking Challenge..." 
    To: "Ronish Mehta" <sf_mail_sbm@yahoo.com>, <vuln-dev@securityfocus.com>
Date: Mon, 28 Jul 2003 13:40:36 -0700

    > Below is a list of password (case sensitive) together
    > with the encrypted password, is it possible to
    > determine the algorithm used to hash the passwords
    > with this sample?
    >
    > If so, what would the hash for the password: Fir88x!t
    >
    > QUALITY - 52C52E2CC668FD2C0000000000000000
    >
    > Password321 - D5FBB0C7C20D9CE74407A5B354A6D6F1
    >
    > Password123 - D5FBB0C7C20D9CE7DBFA06AF253CC5C9
    >
    > Password2 - D5FBB0C7C20D9CE728B6D2DC010F626F
    >
    > Pa$$word321 - 8C4A8322764A87E62F90455FEA1F23B5
    >
    > Cr@ckM3! - FECC4F25D07CD6890000000000000000

            Two things:

            1) You should have hashed a few of the shortest possible passwords, like
    'a' and 'b' if the program would allow you to. At minimum, you should have
    hased passwords that are much more similar, like 'foo0' and 'foo1', or
    ideally '0' and '1'. You have no passwords that differ by only one
    character.

            2) You need to tell people what it is they're working on. If we're going to
    help you compromise the security of something, we need to know what it is.
    You don't mention whether this is an algorithm you constructed just for this
    challenge or whether it's a real algorithm.

            Also, it's obvious that the program divides the password into two portions
    and does a 64-bit hash of each. So the problem reduces to figuring out what
    64-bit hashing function that is.

            DS

  • Next message: Michael Wojcik: "RE: Password Cracking Challenge..."

    Relevant Pages

    • Re: SHA-1 vs. triple-DES for password encryption?
      ... be better to use a standard algorithm rather than a home-grown one. ... SHA-1 and 3DES have been reviewed for some time. ... This is where a hash comes in nicely. ... Longer passwords and hashes aid in making the hash much harder to work with. ...
      (SecProg)
    • Re: Hash MD5, Sha1 and Length
      ... These are standard cryptographic methods for protecting bulk passwords ... algorithm = new MD5CryptoServiceProvider; ... The salt prevents two people using the same password having the same ... hash and also stops an attacker pre-calculating hashes for commonly ...
      (microsoft.public.dotnet.languages.csharp)
    • Re: Password hashes
      ... NTLM hash as the key. ... There is however no locally stored NTLMV2 hash of passwords. ... Auditing and reviewing the security logs ... secure their network and data and the documentation to do such at TechNet ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Windows XP / 2K3 Default Users
      ... Cracking the 'passwords' has never been ... The gist of the 'technique' is the "Modifying Windows NT Logon Credential" ... existing windows applications that use the hash currently set to ... and then re-use those hashes to try to get authenticated access to other ...
      (Pen-Test)
    • Re: Pidgin IM Client Password Disclosure Vulnerability.
      ... because we need to be able to generate the hash a given ... Some protocols can ask for different types of hashes at ... passwords stored in it ... lost, you have much bigger problems than lost IM passwords. ...
      (Bugtraq)