NicholasVA

Quick update, with the help of the tools I created MD5 hashes for some "passwords". I then tried to crack them with John. First problem is that John cannot figure out exactly the format probably because these are not real OS-generated hashes. A workaround is to specify the format as "raw-md5". However I would prefer to make the hashes more "realistic". Is there a way to do this? Second question: Is there a way to wipe out any info from previous John runs? I keep testing with the same hashes so i want John to "forget" that he has already cracked them. Thanks! :-)

Thanks for the answers. I downloaded md5sum and also did some more googling and got a couple more utils. This should do it! :-)

Hello, I want to test the strength of passwords. Assuming I have the password-cracking skills/tools of an average hacker, I want to turn the passwords into hashes and then try to crack them. This will give me a realistic picture of how strong they are. My question is: How do I turn the passwords into hashes? Does it matter what hashing algorithm I use? Thanks Nicholas

Wow, thanks for the fantastic explanations! This is truly superb, thanks!!! I am moderately familiar with SSH and the command line but for some reason an SSH session doesn't feel like I am "owning" the machine. I suppose I am so used to the GUI's nowadays... In regards to compiling an exploit, let's assume I want to do it on the target machine but gcc is not on it. Would I bring my own gcc to the party? I actually tried this, downloaded gcc on my machine, FTPed it onto the target, then ran SSH and made sure (chmod) I had RWX on both gcc & the exploit. Despite all that, gcc refused to run. Are there different gcc versions? Would I have to find the proper gcc for my target?

Hello. I am new to hacking/pen-testing and not super familiar with Linux. I am looking for a bit of clarity with a few basic questions: 1. Assuming I have credentials to a Linux server, how would I access the box remotely? For instance in Windows there is Remote Desktop. Is there something similar in Linux? If command-line is the only option, would SSH be equivalent to console login or is it more limited? 2. I found a C exploit on exploit-DB. I would like to compile it (gcc) but I read in an article/post that it is best to compile on the target system because a locally-compiled executable may have incompatibilities. Is this indeed a problem? 3. (Continuing on No.2) Is gcc part of all Linux releases or will I need to get the gcc compiler (and/or libraries) on the target system myself? 4. In metasploit some exploits require a SESSION parameter. What does this refer to? Does it imply that I first have to establish a session to my target (through another exploit) and then launch the second exploit through the former's session? 5. Assuming I have some kind of access to the target system (ie an SSH session), can I use that "channel" to launch a metasploit exploit? Thanks Nicholas