[help] Decyption

[silvestre]

Before

I Used switchblade to get some passwords And i dont know how to decrypt them.

________________________________________________________________________________

_____________________

*************[Dump Cahe PW]*********

************************************

51750:5AF591625BD15197A584857B4B3D7946:studenten

49295:0895EE691ABE73C1DAA4AD3B6378D431:studenten

46210:A833745C1FF9EF27E9AC187C55039C2C:studenten

49806:EF9AAF42B265837598A567E47BD2CA45:studenten

46267:EC713864619A1E01EB333BC1E7F3EEAA:studenten

55394:CB15A6791731B7B31754F4A178AD21A3:studenten:

49302:1DB56D6C53CCD777CFD62C62F62C7B93:studenten:

51761:5594ED80439A5597BE8385FE808956DE:studenten:

55389:7A546FE5C0D35FBBDE549A0E7B909991:studenten:

This is what i get instead of a right password.. And i cant find the right decryption for this

So Someone can help me figure this out?

* The numbers are the usernames and the password should be 8 letters and digitis  :o

[shadow=red,left]http://www.securiteam.com/tools/5JP0I2KFPA.html[/shadow] I looked for this and this should do the trick but the programs are offline so anyone can help?

Thanks,

Silvestre

[deleted]

Just a Note: Questions should go into the Question Section or Things to do with the switchblade should go in the section for it. Just makes it easier for people.

They are MD5 Hashes. You can crack them using your own Rainbow Tables or a site like http://www.plain-text.info/

[Shaun]

They are MD5 Hashes.

I don't think so.

[deleted]

I don't think so.

I wasn't Sure Either, so i submitted the first one to plain-text.info so i could see what it would let me submit and it let me submit it in MD5.

[silvestre]

I submitted the hash on the site it says : cracking : how long does it take

and sorry i posed in these wrong section

i tried http://www.md5decrypter.com/ but it says cannot find this hash in database ...

some other sites says its impossible to decrypt md5..

[Shaun]

It is impossible to decrypt MD5, but when you hash a specific string or other piece of data you will always get the same hash, so if you have already computed a hash before and stored the original hash value you can do a reverse lookup sort of thing, those sites just have large databases of precomputed values. Anyway, as I already said this isn't an MD5 hash, it's a MD4 hash salted with the username, making rainbow tables useless. "it let me submit it in MD5" is a meaningless thing, an MD5 hash is just a 128 bit value, in this case represented using hex digits; it looks identical to any random 128 bit value.

[silvestre]

so its impossible to decrypt that hash..? i dont have more information

[Shaun]

You can't decrypt it, because it isn't encrypted as such, it's a one way algorithm. However, you can get the password by brute forcing it, basically trying every possible combination until you find the matching hash.

[digip]

If it is MD5 you can always try: http://www.schwett.com/md5/bruteforce.php

[a5an0]

If you used the switchblade, then I am assuming that those hashes came from a windows box, and are more than likely LM hashes, which is *not* the same as MD5. LM hashes are the result of trunking/expanding a pass to 14 chars, converting to all uppercase, spliting into two 7 char keys, and then using each key to encrypt the string “KGS!@#$%” using DES. the resulting cyphertext is the hash.

MD5 is the password hash used in FreeBSD if memory serves me.

now, where could you find lm rainbowtables??? :-P

[digip]

Hmm..if they were definately LM Hashes he could just put Cain on a usb stick and dump them with LSA secrets, or even use something like what Mubix talked about on his last segment from 2x10(plus it doesn't get picked up like cain and other programs)

[Shaun]

They're cached domain passwords. They're not LM, they're not MD5. They're actually NTLM hashes concatenated with the username and then hashed again.

[digip]

Check the smoocon episode (2x09) where they talked about cached domain passowrds. Darren interviewd two fellas who went over it breifly. (or wait till the wiki and show notes come back online)

http://www.shmoocon.org/speakers.html :

Eoin Miller and Adair Collins

Auditing Cached Credentials With Cachedump

Our presentation will be on auditing cached Windows credentials using a combination of the cachedump tool and a custom Visual Basic script. The default behavior of Microsoft Windows domain members is to cache the last 10 different login credentials in the registry. One of the easiest ways to obtain Domain Administrator privilege on a Windows Domain is to compromise a desktop, laptop or member server and use the cachedump tool to reveal the cached domain credentials. The attacker will then launch a brute force or dictionary cracking attack against the cached credentials. This can lead to complete compromise of the entire domain if the cracked password corresponds to an account that is a member of the Domain Admins group.

Some more reading: http://support.microsoft.com/kb/913485

[Shaun]

Here's an example of how those passwords are generated, it's in Python (I don't think I'd use Python to try to brute force them though). It uses hashlib so requires Python 2.5.

import hashlib

username = 'username_here'.encode('utf-16le')
password = hashlib.new('md4', 'password_here'.encode('utf-16le')).digest()

print hashlib.new('md4', password + username).hexdigest()