rv

blogprojectsadvisoriesTILimprint

Cracking salted MD5 with Hashcat

2012-07-15

Some days ago during a pentest I found a critical sql injection vulnerability which gave me access to the user database. Most of the time finding this kind of vulnerability and extracting some data from the database is enough as an proof of concept, but in this particular pentest I needed to gain access to the backend administration.

Sadly there was no way to insert data into the user table so it was not possible to create an admin account for me. I decided to dump a few entries from the user table and take a look at the encryption. The user table was in the format

# Database dump (format)
USERNAME;EMAIL;RIGHTS;SALT;HASH

# Example row
john;john@foo.com;admin;OPHQOEF;U04b5bbcf6570b3172657c4c93f2a28eb

Cutting for hashcat

It was pretty obvious that the password was hashed with MD5, so there was no need to run it through hash_id.py. The first thing I had to do was to bring it to the right format to pass it to hashcat:

rv% cat /security/220812_db_dump | awk "-F;" '{print $5 ":" $4}' > /security/blog_crackme

Note: The awk -F argument specifies the field seperator (in our case the ';' which seperates our columns).

Our list is now in the format hash:salt so we can now pass it to hashcat:

Crack it

rv% ./hashcat-cli64.app -m 10 -a 0 /security/blog_crackme /security/wordlist

-m 10 specifies the hash-type. Running --help will print you a full list of supported types. Because I guessed that it's a simple $salt + $pass or $pass + $salt there were only two suitable candidates:

10 = md5($pass.$salt)
20 = md5($salt.$pass)

-a 0 defines the attack mode. There are six modes which you can choose one from:

0 = Straight (just the word found in $wordlist: foobar)
1 = Combination (words combinated: foobar)
2 = Toggle-Case (toggled case: Foobar, FOobar, FOObar, ...)
3 = Brute-force (tries all combinations from a given keyspace)
4 = Permutation (permutations like abc, acb, bac, ...)
5 = Table-Lookup (read [here](http://hashcat.net/wiki/doku.php?id=table_lookup_attack))

I choosed 0 to do a straight attack. One account was all I needed so I hoped for a fast result through my wordlist.

Results

rv% ./hashcat-cli64.app -m 10 -a 0 /security/blog_crackme /security/wordlist
Initializing hashcat v0.40 by atom with 8 threads and 32mb segment-size...

NOTE: press enter for status-screen

Added hashes from file /security/blog_crackme: 38 (38 salts)
65ae1d0cf8e9634e49da735708a75171:DAQLHMBM:1980
63208de564208a200f473c61a62b902a:QXYDVONY:sunshine
82bcf418ec8e4139e0331e49e40d73c9:NWTWIXNJ:blablabla
Input.Mode: Dict (/security/wordlist)
Index.....: 1/1 (segment), 2854263 (words), 31746845 (bytes)
Recovered.: 3/38 hashes, 3/38 salts
Speed/sec.: 13.96M plains, 398.73k words
Progress..: 2854263/2854263 (100.00%)
Running...: 00:00:00:07
Estimated.: --:--:--:--
Started: Mon Aug 27 11:09:08 2012
Stopped: Mon Aug 27 11:09:15 2012

Luckily my first guess with the hash type ($pass + $salt) was the right one so I got some great results. I was able to login with the cracked credentials. Mission complete ;-)