Cracking salted MD5 with Hashcat


Some days ago during a pentest I found a critical SQL injection vulnerability which gave me access to the user database. Most of the time finding this kind of vulnerability and extracting some data from the database is enough as a proof of concept, but in this particular pentest I needed to gain access to the backend administration.

Sadly there was no way to insert data into the user table so it was not possible to create an admin account for me. I decided to dump a few entries from the user table and take a look at the encryption. The user table was in the format

# Database dump (format)
# Example row

Cutting for hashcat

It was pretty obvious that the password was hashed with MD5, so there was no need to run it through The first thing I had to do was to bring it to the right format to pass it to hashcat:

rv% cat /security/220812_db_dump | awk "-F;" '{print $5 ":" $4}' > /security/blog_crackme

Note: The awk -F argument specifies the field separator (in our case the ';' which separates our columns).

Our list is now in the format hash:salt so we can now pass it to hashcat:

Crack it

rv% ./ -m 10 -a 0 /security/blog_crackme /security/wordlist

-m 10 specifies the hash-type. Running --help will print you a full list of supported types. Because I guessed that it's a simple $salt + $pass or $pass + $salt there were only two suitable candidates:

10 = md5($pass.$salt)
20 = md5($salt.$pass)
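
As an added example (not code from the original post), this Python sketch mirrors the awk reshaping into hash:salt and shows how the two constructions differ by checking a known test credential against each. The sample rows, every column other than fields 4 and 5, the passwords and the function names are constructed for illustration.

```python
import hashlib
import hmac
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def sample_dump() -> str:
    # Constructed rows. Only "salt is field 4, hash is field 5" comes from the
    # awk command on the page; the other columns and values are placeholders.
    rows = [
        ("1", "alice", "alice@example.test", "Xy7q", md5_hex("correct horse" + "Xy7q")),
        ("2", "bob", "bob@example.test", "k2Pz", md5_hex("k2Pz" + "hunter2")),
        ("3", "broken", "broken@example.test", "abcd", "not-a-hash"),
    ]
    return "\n".join(";".join(row) for row in rows)

def to_hash_salt(dump: str, sep: str = ";") -> list[str]:
    """Reshape rows to hash:salt like the awk one-liner, skipping bad rows."""
    entries = []
    for line in dump.splitlines():
        fields = line.split(sep)
        if len(fields) < 5:
            continue
        salt, digest = fields[3], fields[4].strip().lower()
        if MD5_HEX.match(digest):  # drop rows whose hash column is not MD5 hex
            entries.append(f"{digest}:{salt}")
    return entries

def identify_mode(entry: str, known_password: str):
    """Return 10 for md5($pass.$salt), 20 for md5($salt.$pass), else None."""
    digest, salt = entry.split(":", 1)  # the salt itself may contain ':'
    candidates = {10: known_password + salt, 20: salt + known_password}
    for mode, material in candidates.items():
        if hmac.compare_digest(md5_hex(material), digest):
            return mode
    return None

if __name__ == "__main__":
    entries = to_hash_salt(sample_dump())
    for entry, password in zip(entries, ["correct horse", "hunter2"]):
        print(entry, "-> mode", identify_mode(entry, password))
```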

-a 0 defines the attack mode. There are six modes to choose from:

0 = Straight (just the word found in $wordlist: foobar)
1 = Combination (words combined: foobar)
2 = Toggle-Case (toggled case: Foobar, FOobar, FOObar, ...)
3 = Brute-force (tries all combinations from a given keyspace)
4 = Permutation (permutations like abc, acb, bac, ...)
5 = Table-Lookup (read [here](

I chose 0 to do a straight attack. One account was all I needed so I hoped for a fast result through my wordlist.


rv% ./ -m 10 -a 0 /security/blog_crackme /security/wordlist
Initializing hashcat v0.40 by atom with 8 threads and 32mb segment-size...

NOTE: press enter for status-screen

Added hashes from file /security/blog_crackme: 38 (38 salts)
Input.Mode: Dict (/security/wordlist)
Index.....: 1/1 (segment), 2854263 (words), 31746845 (bytes)
Recovered.: 3/38 hashes, 3/38 salts
Speed/sec.: 13.96M plains, 398.73k words
Progress..: 2854263/2854263 (100.00%)
Running...: 00:00:00:07
Estimated.: --:--:--:--
Started: Mon Aug 27 11:09:08 2012
Stopped: Mon Aug 27 11:09:15 2012

Luckily my first guess with the hash type ($pass + $salt) was the right one so I got some great results. I was able to log in with the cracked credentials. Mission complete ;-)