What kinda encryption at passwords?

Discussion in 'other security issues & news' started by tr33forrest, May 28, 2006.

Thread Status:
Not open for further replies.
  1. tr33forrest

    tr33forrest Registered Member

    Joined:
    May 28, 2006
    Posts:
    3
    First of all,
    I am totally newbie to all of this, so, please, forgive me and please help me to educate myself a bit.

    If the passwords are located in file passwd.db and looking something like:

    ckiwior:zq0BwlzpS26vM
    cgriswol:imA3lx8cG2eWw
    kgibson:mw.DYvAXoapd2

    etc..

    so, into what passwords have been encrypted?
    I've tried Cain & Abel with no luck.

    But, I might be wrong, I am just a newbie with 0 knowledge.

    I would appreciate everyone who's helping me to say which kinda encryption or with what they can be "decrypted"?

    Best of all,
    33
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
  3. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    According to this reply the "One more thing: you can get the SAME hash value for two DIFFERENT passwords, because of the way the one-way-hash method works. But, to be honest, the probability for encountering such case is rather too low."

    Is completely wrong. You can easily reproduce an 8-byte hashcode just by mathematics. I encountered this myself several times in our scan engine with string hashing (which is equal to password hashes). So basically it depends on which basis this hashcode was built. A lot of systems are still using 8-byte hashcodes, which is NOT SECURE.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    I would hope that people who are trying to secure important data are using the better hashes available today. Even the standard htpasswd password generator allows for MD5 and SHA encryptions.
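
    Added example, not part of the thread or of any poster's reply: a small audit script an administrator could run over their own `user:hash` file to see which entries are stored in older formats and should be re-hashed. It recognises the 13-character layout of traditional crypt(3) (the shape of the entries quoted in the first post) and the `$apr1$`, `{SHA}` and bcrypt formats that htpasswd writes; the sample entries are constructed, and the migrate flags are this example's own policy.

```python
import base64
import hashlib
import re

# (scheme name, pattern, flag for migration) -- the flags are this example's policy
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"), False),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), True),
    ("sha1-unsalted", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), True),
    # Traditional crypt(3): 2 salt characters + 11 hash characters, 13 in total.
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}"), True),
]

def classify(hash_field):
    """Return (scheme, needs_migration) based only on the stored format."""
    for name, pattern, migrate in SCHEMES:
        if pattern.fullmatch(hash_field):
            return name, migrate
    return "unknown", True  # unrecognised storage is reviewed by hand

def audit(lines):
    """Return (line_number, user, scheme, needs_migration) for each entry."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((number, None, "malformed", True))
            continue
        # Ignore any further colon-separated fields after the hash.
        scheme, migrate = classify(hash_field.split(":", 1)[0])
        findings.append((number, user, scheme, migrate))
    return findings

SAMPLE = [
    "# constructed entries, not taken from the thread",
    "alice:ab01FAX.bQRSU",
    "bob:{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()).decode(),
    "carol:$apr1$saltsalt$" + "abcdefghijklmnopqrstuv",
    "dave:$2y$05$" + "A" * 53,
    "no-colon-here",
]

if __name__ == "__main__":
    for number, user, scheme, migrate in audit(SAMPLE):
        print(f"line {number}: {user or '-'} {scheme} {'MIGRATE' if migrate else 'ok'}")
```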
     
  5. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    I'm not exactly sure what you are going to do with the decrypted passwords, so I'll just give a small help: There's basically only one way: You have to guess passwords and encrypt them and then compare them with the existing ones. It doesn't work the other way, as most of the brute forcers are working... But this was now the last help I gave, since nobody knows if you are the right owner of that password file.
     
  6. tr33forrest

    tr33forrest Registered Member

    Joined:
    May 28, 2006
    Posts:
    3
    Thank you all for your answers!
    Also, the "words" before the colon are usernames, right?

    PS: experts-exchange needs a payment registration.

    Edit: also, as I can understand, these passwords can be "decrypted" via brute-force? I've heard a lot about 'John The Ripper'; can it handle it?
    Oh, forgot to ask one more thing: if you use Cain & Abel's Hash Calculator to calculate MD5 etc. hashes with these encrypted passwords, will it lead me somewhere closer?
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    No, it doesn't. Don't press the "View Solution" button... just scroll down on the page I linked, going down below the Ads. The replies are all visible and you need to read that as a starting place to understanding these types of passwords.
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    so what algorithm is it o_O where did you get these hashes?
     