Help Decrypting Password String

[Boba Fett]

Hi. I´m Professor of Informatic Law in a University and I want to make a demo to show the fails on a system in a conference.

I use sslstrip on the Pineapple and make a test login on the webpage, and get this:

username=username&password=&rnd_id=-1&secure_password=ac9a12a8e060100585b7c7aec500e837&login=Entrar

Login = username

Password = Password

I try to decrypt using a Md5 decrypt tool, but it seems its´nt Md5. Any one knows what kind of encrypt it´s?

Thanks.

[Jason Cooper]

To paraphrase Obi-Wan Kenobi

"Read the source Luke."

The secure_password passed back from the browser will be generated via JavaScript on the page. You may have to do some deobfuscation of the JavaScript but once you find the hashing function you should be able to figure out if it is a common one or some homegrown method.

From the length (32 Hex characters) you can tell that the hash output is 128bits (32 * 4 as each hex digit represents one nibble). This rules out any hashing functions that don't produce 128bit output (including the SHA-1 and SHA-2 families of hashes). If they are using standard functions then it could be MD4 or MD5. MD4 if less likely which would suggest that it is MD5. Of course when you read the HTML and JavaScript source you will find out if it uses a salt with the password when hashing, which would explain why the hash doesn't match the one produced by you decrypt tool.

[ApacheTech Consultancy]

Depending on the source, a lot of JavaScript coders are lazy and simply MD5 their MD5 hashes. They're harder, but not impossible to rainbow. It's very bad practice to do so.