Posted

Hi. I'm a Professor of Informatic Law at a university and I want to make a demo to show the failures of a system at a conference.

I used sslstrip on the Pineapple, made a test login on the webpage, and got this:

username=username&password=&rnd_id=-1&secure_password=ac9a12a8e060100585b7c7aec500e837&login=Entrar

Login = username

Password = Password

I tried to decrypt it using an MD5 decrypt tool, but it seems it isn't MD5. Does anyone know what kind of encryption it is?

Thanks.

Posted

To paraphrase Obi-Wan Kenobi

"Read the source Luke."

The secure_password passed back from the browser will be generated via JavaScript on the page. You may have to do some deobfuscation of the JavaScript but once you find the hashing function you should be able to figure out if it is a common one or some homegrown method.

From the length (32 hex characters) you can tell that the hash output is 128 bits (32 * 4, as each hex digit represents one nibble). This rules out any hashing functions that don't produce 128-bit output (including the SHA-1 and SHA-2 families of hashes). If they are using standard functions then it could be MD4 or MD5. MD4 is less likely, which would suggest that it is MD5. Of course, when you read the HTML and JavaScript source you will find out if it uses a salt with the password when hashing, which would explain why the hash doesn't match the one produced by your decrypt tool.

Posted

Depending on the source, a lot of JavaScript coders are lazy and simply MD5 their MD5 hashes. They're harder, but not impossible to rainbow. It's very bad practice to do so.
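
An added example, not part of the original thread or the site's code, illustrating the two replies above: it maps a hex digest's length to candidate hash functions and shows that plain, double and salted MD5 all produce 32 hex characters but different values. The function names, the salt placement and the test password and salt are assumptions.

```javascript
// Added example: not code from the thread or from the site being discussed.
const crypto = require("crypto");

// Output sizes in bits of common hash functions.
const DIGEST_BITS = {
  MD4: 128, MD5: 128, "SHA-1": 160,
  "SHA-224": 224, "SHA-256": 256, "SHA-384": 384, "SHA-512": 512,
};

// Candidate algorithms for a hex digest, judged by length alone.
function candidatesByLength(hexDigest) {
  if (!/^[0-9a-fA-F]+$/.test(hexDigest)) return []; // not a hex string
  const bits = hexDigest.length * 4; // each hex digit is one nibble
  return Object.keys(DIGEST_BITS).filter((name) => DIGEST_BITS[name] === bits);
}

const md5hex = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Three constructions a page script might use. Prepending the salt is an
// assumption; the real order is whatever the page's JavaScript does.
function variants(password, salt) {
  return {
    plain: md5hex(password),
    double: md5hex(md5hex(password)),
    salted: md5hex(salt + password),
  };
}

// Given the digest seen on the wire for a known test login, report which
// construction reproduces it, or null if none of the three does.
function identifyConstruction(observed, password, salt) {
  const v = variants(password, salt);
  const hit = Object.keys(v).find((k) => v[k] === observed.toLowerCase());
  return hit || null;
}

// The digest below is the one quoted in the first post; the password and
// salt are constructed sample values.
const sample = variants("password", "constructed-salt");
console.log(candidatesByLength("ac9a12a8e060100585b7c7aec500e837"));
console.log(sample);
console.log(identifyConstruction(sample.double, "password", "constructed-salt"));
```

Length alone cannot separate the three constructions, and an unsalted double MD5 is still deterministic, so the same password always yields the same digest.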
