How can I recover a password given a couple of encrypted hash strings?
June 16, 2004 10:42 AM Subscribe
Given a couple of encrypted hash strings, I need to identify the algorithm used to generate the hashes so that I can brute-force decrypt them. More inside..
And the hashes, from a "mysqldump" of the affected database (MySQL 3.x), are:
INSERT INTO password VALUES ('user1','iiQ4AxZsPtUZ3r00');
INSERT INTO password VALUES ('user2','7ePNxD3QNoHP9r00');
If I can identify the type of hash used, I can decrypt these given enough CPU time. Any ideas?
(the guy in charge of this application, that uses MySQL, has ceased employment without writing down the administrator password..)
Right now, "just generate a new hash and put it in place of the old one" isn't really an option.
And the hashes, from a "mysqldump" of the affected database (MySQL 3.x), are:
INSERT INTO password VALUES ('user1','iiQ4AxZsPtUZ3r00');
INSERT INTO password VALUES ('user2','7ePNxD3QNoHP9r00');
If I can identify the type of hash used, I can decrypt these given enough CPU time. Any ideas?
(the guy in charge of this application, that uses MySQL, has ceased employment without writing down the administrator password..)
Right now, "just generate a new hash and put it in place of the old one" isn't really an option.
Actually, they're too short for MD5. Nevermind.
Are you sure they're not just crypt'd?
posted by cmonkey at 11:07 AM on June 16, 2004
Are you sure they're not just crypt'd?
posted by cmonkey at 11:07 AM on June 16, 2004
all i can think of is length, and they look like crypt, as cmonkey says, which makes sense (13 chars) (but what's the trailing r00 for?).
posted by andrew cooke at 11:16 AM on June 16, 2004
posted by andrew cooke at 11:16 AM on June 16, 2004
Response by poster: If i tak e the "r00" off the end, John The Ripper sees them as standard DES. If I leave it on, it bombs out. So far, no results in cracking them for the past hour, so I'm thinking they're NOT standard DES.
posted by mrbill at 11:17 AM on June 16, 2004
posted by mrbill at 11:17 AM on June 16, 2004
sorry if this sounds like you're an idiot, but it struck me you might not know what "crypt" is - do "man crypt" on a unix command line.
on preview - for crypt the first two values are the salt. read the man page. and it's not surprising you can't crack them in a few hours, is it (is crypt really that weak these days?!)?
posted by andrew cooke at 11:19 AM on June 16, 2004
on preview - for crypt the first two values are the salt. read the man page. and it's not surprising you can't crack them in a few hours, is it (is crypt really that weak these days?!)?
posted by andrew cooke at 11:19 AM on June 16, 2004
John the Ripper won't be able to crack it anytime soon if it's crypt'd and not based on a dictionary word. It could take months to crack it if they're random alphanumerics, if then.
You'd be better off to figure out how to replace the password, or track the guy down and see if he has it written down at home.
Also, it looks like they might have just used MySQL's ENCRYPT() function.
posted by cmonkey at 11:32 AM on June 16, 2004
You'd be better off to figure out how to replace the password, or track the guy down and see if he has it written down at home.
Also, it looks like they might have just used MySQL's ENCRYPT() function.
posted by cmonkey at 11:32 AM on June 16, 2004
If you've got access to the application you're probably best off finding out where the password check is done. It'll call something to encrypt the plaintext entered as the password. It might be a call to ENCRYPT, crypt(), md5, sha128 or whatever. Once you know what the algorithm is there's no reason to (and if it's a reasonable algorithm imposible to) brute force it.
Just use the inverse algorithm to insert a new password.
posted by substrate at 11:40 AM on June 16, 2004
Just use the inverse algorithm to insert a new password.
posted by substrate at 11:40 AM on June 16, 2004
By the way, if it's decryptable, you just posted some kind of administrator password to the internet?
posted by RustyBrooks at 12:01 PM on June 16, 2004
posted by RustyBrooks at 12:01 PM on June 16, 2004
andrew beat me to it: assuming a decent salt, the algorithm isn't half the battle, it's just about none of it.
posted by yerfatma at 12:26 PM on June 16, 2004
posted by yerfatma at 12:26 PM on June 16, 2004
Forget the administrator password. Create a new MySQL installation on a new machine. Replicate the database schema on the new machine. Create a new administrator account as well as any others. Manually copy the underlying data files from one system to the other.
Next, blow away the original MySQL system, then reinstall. Replicate the database from the secondary machine.
It is a bit of a kludge but it works. It even worked for me with different versions of MySQL.
posted by Kwantsar at 12:39 PM on June 16, 2004
Next, blow away the original MySQL system, then reinstall. Replicate the database from the secondary machine.
It is a bit of a kludge but it works. It even worked for me with different versions of MySQL.
posted by Kwantsar at 12:39 PM on June 16, 2004
This suggestion may be far, or very far beneath your level of expertise, but if you have access to source code for applications that makes use of the database, it will have connect statements that give a username and password to access MySQL, so you might want to try scouring it. A good administrator won't give more access than is necessary to a script, but someone may have fallen asleep at the wheel.
posted by alphanerd at 1:54 PM on June 16, 2004
posted by alphanerd at 1:54 PM on June 16, 2004
Response by poster: RustyBrooks - this is an internal password for an application, not a machine itself.
Kwantsar: thats my last-ditch option if I don't want to just reinstall the application from scratch.
That's how I actually *got* this hash - copied the db over to a new machine, and ran "mysqldump" on it.
alphanerd: Nope, these accounts are for administrator login through a GUI; nothing automated logs in using these accounts.
I sent the application vendor an email asking what encryption algorithm they're using for the stored passwords, and hope to hear back.
If I don't, I'll just nuke the entire thing and reinstall (it needs to be upgraded anyway).
This was more of a "hey! I bet I can recover the password this way" exercise than anything else. Thanks, everyone.
posted by mrbill at 2:26 PM on June 16, 2004
Kwantsar: thats my last-ditch option if I don't want to just reinstall the application from scratch.
That's how I actually *got* this hash - copied the db over to a new machine, and ran "mysqldump" on it.
alphanerd: Nope, these accounts are for administrator login through a GUI; nothing automated logs in using these accounts.
I sent the application vendor an email asking what encryption algorithm they're using for the stored passwords, and hope to hear back.
If I don't, I'll just nuke the entire thing and reinstall (it needs to be upgraded anyway).
This was more of a "hey! I bet I can recover the password this way" exercise than anything else. Thanks, everyone.
posted by mrbill at 2:26 PM on June 16, 2004
The encryption algorithm might be MySQL's PASSWORD() function. Both the passwords are 16 bytes long which is consistent with the implementation of the PASSWORD() function prior to version 4.1.
posted by alphanerd at 2:47 PM on June 16, 2004
posted by alphanerd at 2:47 PM on June 16, 2004
This suggestion may be far, or very far beneath your level of expertise, but if you have access to source code for applications that makes use of the database, it will have connect statements that give a username and password to access MySQL, so you might want to try scouring it
Even if you don't have access to the source code, try running the unix command "strings" on the binary:
$ strings db_access_binary | less
you will have to use vgrep* to determine which string is likely to be the admin password, but it will probably be local to other more readable strings.
(*vgrep == visual grep == your eyes)
posted by Kwantsar at 3:09 PM on June 16, 2004
Even if you don't have access to the source code, try running the unix command "strings" on the binary:
$ strings db_access_binary | less
you will have to use vgrep* to determine which string is likely to be the admin password, but it will probably be local to other more readable strings.
(*vgrep == visual grep == your eyes)
posted by Kwantsar at 3:09 PM on June 16, 2004
Response by poster: Kwantsar: these passwords arent in the binary anywhere, as they were set by the guy who installed the application, at the time of install.
The vendor is overnighting me install media for the latest version, and I'll be reinstalling everything sometime next week.
posted by mrbill at 6:19 PM on June 16, 2004
The vendor is overnighting me install media for the latest version, and I'll be reinstalling everything sometime next week.
posted by mrbill at 6:19 PM on June 16, 2004
Logically, knowing the hash algorithm will be of little help, since the whole point of a one-way hash is that you cannot reconstruct the original string from it.
This presumes that it IS a hash, rather than a ciphertext.
However, do you know what rules for passwords the app enforces? Because if, for example, passwords must be at least 7 characters, contain 2 numerals, and one uppercase letter, you can greatly reduce the search space for brute-forcing.
posted by i_am_joe's_spleen at 7:30 PM on June 16, 2004
This presumes that it IS a hash, rather than a ciphertext.
However, do you know what rules for passwords the app enforces? Because if, for example, passwords must be at least 7 characters, contain 2 numerals, and one uppercase letter, you can greatly reduce the search space for brute-forcing.
posted by i_am_joe's_spleen at 7:30 PM on June 16, 2004
This thread is closed to new comments.
posted by cmonkey at 10:52 AM on June 16, 2004