Jump to content

[help] Decyption


Recommended Posts


I Used switchblade to get some passwords And i dont know how to decrypt them.



*************[Dump Cahe PW]*********











This is what i get instead of a right password.. And i cant find the right decryption for this

So Someone can help me figure this out?

* The numbers are the usernames and the password should be 8 letters and digitis  :o

[shadow=red,left]http://www.securiteam.com/tools/5JP0I2KFPA.html[/shadow] I looked for this and this should do the trick but the programs are offline so anyone can help?



Link to comment
Share on other sites

It is impossible to decrypt MD5, but when you hash a specific string or other piece of data you will always get the same hash, so if you have already computed a hash before and stored the original hash value you can do a reverse lookup sort of thing, those sites just have large databases of precomputed values. Anyway, as I already said this isn't an MD5 hash, it's a MD4 hash salted with the username, making rainbow tables useless. "it let me submit it in MD5" is a meaningless thing, an MD5 hash is just a 128 bit value, in this case represented using hex digits; it looks identical to any random 128 bit value.

Link to comment
Share on other sites

You can't decrypt it, because it isn't encrypted as such, it's a one way algorithm. However, you can get the password by brute forcing it, basically trying every possible combination until you find the matching hash.

Link to comment
Share on other sites

If you used the switchblade, then I am assuming that those hashes came from a windows box, and are more than likely LM hashes, which is *not* the same as MD5. LM hashes are the result of trunking/expanding a pass to 14 chars, converting to all uppercase, spliting into two 7 char keys, and then using each key to encrypt the string “KGS!@#$%” using DES. the resulting cyphertext is the hash.

MD5 is the password hash used in FreeBSD if memory serves me.

now, where could you find lm rainbowtables??? :-P

Link to comment
Share on other sites

Hmm..if they were definately LM Hashes he could just put Cain on a usb stick and dump them with LSA secrets, or even use something like what Mubix talked about on his last segment from 2x10(plus it doesn't get picked up like cain and other programs) :wink:

Link to comment
Share on other sites

Check the smoocon episode (2x09) where they talked about cached domain passowrds. Darren interviewd two fellas who went over it breifly. (or wait till the wiki and show notes come back online)

http://www.shmoocon.org/speakers.html :

Eoin Miller and Adair Collins

Auditing Cached Credentials With Cachedump

Our presentation will be on auditing cached Windows credentials using a combination of the cachedump tool and a custom Visual Basic script. The default behavior of Microsoft Windows domain members is to cache the last 10 different login credentials in the registry. One of the easiest ways to obtain Domain Administrator privilege on a Windows Domain is to compromise a desktop, laptop or member server and use the cachedump tool to reveal the cached domain credentials. The attacker will then launch a brute force or dictionary cracking attack against the cached credentials. This can lead to complete compromise of the entire domain if the cracked password corresponds to an account that is a member of the Domain Admins group.

Some more reading: http://support.microsoft.com/kb/913485

Link to comment
Share on other sites

Here's an example of how those passwords are generated, it's in Python (I don't think I'd use Python to try to brute force them though). It uses hashlib so requires Python 2.5.

import hashlib

username = 'username_here'.encode('utf-16le')
password = hashlib.new('md4', 'password_here'.encode('utf-16le')).digest()

print hashlib.new('md4', password + username).hexdigest()

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...