silvestre Posted May 8, 2007

Before, I used Switchblade to get some passwords, and I don't know how to decrypt them.

*************[Dump Cahe PW]*********

This is what I get instead of a right password, and I can't find the right decryption for this. So someone can help me figure this out?

* The numbers are the usernames and the password should be 8 letters and digits :o

http://www.securiteam.com/tools/5JP0I2KFPA.html

I looked for this and this should do the trick, but the programs are offline, so anyone can help?

Thanks,
Silvestre

deleted Posted May 8, 2007

Just a note: questions should go into the Question section, or things to do with the Switchblade should go in the section for it. Just makes it easier for people.

They are MD5 hashes. You can crack them using your own rainbow tables or a site like http://www.plain-text.info/

Shaun Posted May 8, 2007

> They are MD5 Hashes.

I don't think so.

deleted Posted May 8, 2007

> I don't think so.

I wasn't sure either, so I submitted the first one to plain-text.info so I could see what it would let me submit, and it let me submit it in MD5.

silvestre Posted May 8, 2007

I submitted the hash on the site; it says: cracking. How long does it take? And sorry I posted in the wrong section.

I tried http://www.md5decrypter.com/ but it says it cannot find this hash in the database... Some other sites say it's impossible to decrypt MD5.

Shaun Posted May 8, 2007

It is impossible to decrypt MD5, but when you hash a specific string or other piece of data you will always get the same hash, so if you have already computed a hash before and stored the original hash value you can do a reverse lookup sort of thing; those sites just have large databases of precomputed values.

Anyway, as I already said, this isn't an MD5 hash, it's an MD4 hash salted with the username, making rainbow tables useless. "It let me submit it in MD5" is a meaningless thing; an MD5 hash is just a 128-bit value, in this case represented using hex digits; it looks identical to any random 128-bit value.

silvestre Posted May 8, 2007

So it's impossible to decrypt that hash..? I don't have more information.

Shaun Posted May 8, 2007

You can't decrypt it, because it isn't encrypted as such, it's a one way algorithm. However, you can get the password by brute forcing it, basically trying every possible combination until you find the matching hash.

digip Posted May 8, 2007

If it is MD5 you can always try: http://www.schwett.com/md5/bruteforce.php

a5an0 Posted May 8, 2007

If you used the Switchblade, then I am assuming that those hashes came from a Windows box, and are more than likely LM hashes, which is *not* the same as MD5. LM hashes are the result of truncating/expanding a pass to 14 chars, converting to all uppercase, splitting into two 7-char keys, and then using each key to encrypt the string "KGS!@#$%" using DES. The resulting ciphertext is the hash. MD5 is the password hash used in FreeBSD, if memory serves me.

Now, where could you find LM rainbow tables??? :-P

digip Posted May 8, 2007

Hmm.. if they were definitely LM hashes he could just put Cain on a USB stick and dump them with LSA secrets, or even use something like what Mubix talked about on his last segment from 2x10 (plus it doesn't get picked up like Cain and other programs).

Shaun Posted May 9, 2007

They're cached domain passwords. They're not LM, they're not MD5. They're actually NTLM hashes concatenated with the username and then hashed again.

digip Posted May 9, 2007

Check the ShmooCon episode (2x09) where they talked about cached domain passwords. Darren interviewed two fellas who went over it briefly. (Or wait till the wiki and show notes come back online.)

http://www.shmoocon.org/speakers.html :

> Eoin Miller and Adair Collins
> Auditing Cached Credentials With Cachedump
>
> Our presentation will be on auditing cached Windows credentials using a combination of the cachedump tool and a custom Visual Basic script. The default behavior of Microsoft Windows domain members is to cache the last 10 different login credentials in the registry. One of the easiest ways to obtain Domain Administrator privilege on a Windows Domain is to compromise a desktop, laptop or member server and use the cachedump tool to reveal the cached domain credentials. The attacker will then launch a brute force or dictionary cracking attack against the cached credentials. This can lead to complete compromise of the entire domain if the cracked password corresponds to an account that is a member of the Domain Admins group.

Some more reading: http://support.microsoft.com/kb/913485

Shaun Posted May 9, 2007

Here's an example of how those passwords are generated. It's in Python (I don't think I'd use Python to try to brute force them though). It uses hashlib so requires Python 2.5.

```python
import hashlib

# The username is the salt, encoded as UTF-16LE.
username = 'username_here'.encode('utf-16le')
# Inner hash: MD4 of the UTF-16LE password.
password = hashlib.new('md4', 'password_here'.encode('utf-16le')).digest()
# Cached value: MD4 of the inner hash followed by the username.
print hashlib.new('md4', password + username).hexdigest()
```
