
Cracking md5 hashes

From Hak5


This article will give you a good idea of how to obtain access to critical password hashes using social engineering, and then crack the MD5 hash using Cain.


Instead of bothering with CPanel/phpMyAdmin, just go to Google and do a search for "MD5 Hash Generator", choose one, enter a password, generate the hash, and then play around with it as you see fit. These sites are readily available because generating an MD5 hash takes only 1 line of PHP code using md5() (for more info see php.net/md5). There is no need to go to the trouble of using a god-forsaken CPanel + phpMyAdmin combination...

Also, when you get tired of waiting on the brute force to crack the password for you, you should once again consult Google and this time do a search for "MD5 Hash Database", which will give you a very long list of sites that archive collections of known hashes and their corresponding passwords. Why do the work when someone else has already done it for you?
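The lookup described in the paragraph above works because unsalted MD5 maps every copy of a password to the same digest. The sketch below is an added example, not code from the original article or from any forum package; it puts that scheme beside salted PBKDF2 and a rehash-on-login upgrade. The wordlist, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for an online hash database.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "dragon"]
ITERATIONS = 600_000  # assumption: tune to your hardware and current guidance

def md5_hex(password):
    """Unsalted MD5, the scheme the article describes for forum software."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Built once, this table answers every unsalted hash of a listed password.
LOOKUP = {md5_hex(p): p for p in COMMON_PASSWORDS}

def lookup_unsalted(stored_hash):
    """Return the password if the digest is in the precomputed table, else None."""
    return LOOKUP.get(stored_hash.lower())

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest' in hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

def upgrade_on_login(password, legacy_md5):
    """If the login matches a legacy MD5 record, return a salted replacement record."""
    if hmac.compare_digest(md5_hex(password), legacy_md5.lower()):
        return hash_password(password)
    return None
```

Two users with the same password get different stored records under `hash_password`, so a table built in advance no longer matches anything in the database.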

For more info on MD5 (Message-Digest algorithm 5), check out the excellent Wikipedia article about it. Another good article can be found at PHPSec.org, especially for web developers or system admins.


----

This article is taken from Yourmysin.info

As everybody knows, MD5 is the leading hash today. Along with SHA2, MD5 is the most secure password hash around! MD5 hashes are virtually impossible to crack... or so people think. But with time people learn more about how hashes actually work, and so they find ways around them: exploits. Many databases now store MD5 hashes and the cracked passwords for people to search through, possibly to find the password they are looking for. These are often called rainbow tables, and can be a huge help. Every day rainbow tables receive thousands of new password hashes and their correct passwords, making the internet less safe.

But rainbow tables are not the only way to crack a hash. Brute force is, and always will be, a popular choice for novice hackers. Brute force sends thousands of password guesses each second until it finds the right password. Brute force lets you select options, like numerical or alphabetical characters, or even both, which allow the process to go faster. Despite how it sounds, brute force can be more of a troubling idea than a good idea. Brute force can easily take thousands of years to come up with the correct hash.

Stealing and cracking an MD5 hash is actually good practice: you learn quite a bit about online security, as well as some great tools like Cain & Abel and phpMyAdmin. All you need is cPanel hosting and the program Cain (a great network sniffer/password cracker for newer 'hackers'). Any time you are ethical hacking, make sure you have the correct permissions. One false move and you can be fined. So, if you don't have a cPanel type of hosting, or any hosting with phpMyAdmin, then you need to use your social engineering to gain access to some. And for those who don't know, social engineering is a tactic used by hackers to gain access to information using security's weak link, humans. So what I did was start by locating somebody who does have cPanel access and gaining their trust. I have actually known them for a couple of months, and I have helped them out in the past, so their trust was easy to get. I told him I needed his cPanel access to test a new script I made for school, and told him he could feel free to change the password after I'm done. So after he revealed the username and password to me, I had full access :).

So start by setting up either Invision Power Board or phpBB forum software. Those forums both use MD5 password hashes, but other forums do too. After you have the forums installed, open up your cPanel, and open phpMyAdmin, because this is where all the database information for those forums will be held. Search for the correct database the forum information will be located in, and then click browse. Now search for something pertaining to members, like IP_members or phpbb_users, then click that, then click browse. It should give you a list of all the user information, including IP Address, Member ID or MD5 (either one of those may be the hash).

After finding the hash, open up Cain and click on the cracker tab. Then look on the left side, choose MD5 Hashes and double click that. Now click the purple cross at the top, and that will allow you to add the hash into the spreadsheet below. Then right click on the hash and you have several different options. It's always best to try an online search before starting a brute force, because online searches most likely have it if the password is only a few characters. Now try a brute force, and you will notice there are different options you can use. Normally I would keep the Predefined the same, because most users do not use case-sensitive passwords. But I would change the minimum password length to either 4-6 and the max password length to 12, because anything out of that range is basically uncrackable.

You can try cracking any MD5 hashes of your own passwords to see how safe they really are. You can also use the hash generator to find some really secure passwords if the one you use right now is not secure.
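The length and character-set settings discussed above decide how long an exhaustive search runs. This added example (not part of the original article) estimates that for one of your own passwords under unsalted MD5 and under a slow salted hash. Both guess rates and all function names are assumptions, not measurements.

```python
import string

# Assumed guess rates (not from the article); measure on your own hardware.
MD5_GUESSES_PER_SEC = 10_000_000_000   # assumption: one modern GPU on raw MD5
SLOW_KDF_GUESSES_PER_SEC = 10_000      # assumption: same attacker against a tuned KDF
SECONDS_PER_YEAR = 365 * 24 * 3600

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def charset_size(password):
    """Size of the smallest standard ASCII alphabet covering the classes used.
    Characters outside these four classes are not counted."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def keyspace(alphabet, min_len, max_len):
    """Candidates an exhaustive search must cover for lengths min_len..max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(password, guesses_per_sec, min_len=1):
    """Worst-case years to try every candidate up to this password's length."""
    total = keyspace(charset_size(password), min_len, len(password))
    return total / guesses_per_sec / SECONDS_PER_YEAR

def audit(password):
    """Summarise how one of your own passwords fares under both storage schemes."""
    return {
        "alphabet": charset_size(password),
        "length": len(password),
        "years_md5": years_to_exhaust(password, MD5_GUESSES_PER_SEC),
        "years_slow_kdf": years_to_exhaust(password, SLOW_KDF_GUESSES_PER_SEC),
    }
```

The estimate is an upper bound for blind exhaustive search only; a password that appears in a wordlist or hash database falls immediately regardless of its length.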