mysql >4.1 password hash

[union_select_h4ck]

I need help with cracking mysql5 passwords. Im good with getting into websites and getting info, but mysql5 encrypted passwords stump me. I posted a thread last night but i guess it got deleted.

[Raavgo]

I need help with cracking mysql5 passwords. Im good with getting into websites and getting info, but mysql5 encrypted passwords stump me. I posted a thread last night but i guess it got deleted.

More info would be helpful...
Do you want to bruteforce it? (john the ripper is a nice tool or even http://www.onlinehashcrack.com/ could work)
Make sure you google before opening a thread.


p.s.
Please write an intro (nobody wants a pls learn me how to hax person)

[b0whunter]

Check jack the ripper or hashcat's documentation... I think its a double sha1, but im not sure.

[union_select_h4ck]

Thank you for your replies. I will post the hash. I got hashcat and after 14hrs still didn't crack it. *F0E8AA8DDB9BEBBE913B52B8BF8A7CEF375E10FC that is the hash I have. I have the username too as well as email. I know you have to crack it without the * symbol so I put it in the program without it and with no luck.

p.s. I went to onlinehashcrack and they did it, but I don't want to pay $14 for the required bitcoins and I would like to know how to do it myself. I was going to write an intro, but as I went to the new comer section. I read the pls read topic and didn't sound like posting a "hey im new" thread was appropriate. So I went to asking a question. am proficient in sqli (manually) so not really asking to "learn how to hax" just cracking....they go hand in hand I see tho. I have done research and didn't find anything that I can use to do it myself. or tuts on mysql5

[Raavgo]

Many Hashes are pre calculated an written down in rainbow tables.
Have you tried using a rainbow table ?
And I don't even know that's gonna work because it could be that the hash is salted
(I am not sure if MySql5 salts passwords but it would be safer. Please correct me if I am mistaking)

[union_select_h4ck]

I will try the rainbow tables. It might work. I think they do salt mysql5, because on hashcat was reading 0/1 recovered and 0/1 salts. Don't know tho. 1st time working with a mysql5 password. usually sha1 or some shit like that. Thank you for the suggestion. Will post the outcome.

[l0n3r]

hey whats u guys,

I ran across this this morning and it was very interesting article, anyway near the bottom of the article has something to do with find plaintest FROM HASHES...including your mysql5....

check it out. read through

http://thehackernews.com/2014/01/cryptography-hacks-hash-encryption.html#


 

[Raavgo]

I will try the rainbow tables. It might work. I think they do salt mysql5, because on hashcat was reading 0/1 recovered and 0/1 salts. Don't know tho. 1st time working with a mysql5 password. usually sha1 or some shit like that. Thank you for the suggestion. Will post the outcome.

As far as I researched this is a 160 bit SHA-1 Hash.
So your only chance IS a rainbow table ( and still I doubt that this is gonna work)

[union_select_h4ck]

Thank You guys. Am still working on it. Now I know which method to stick with. Hopefully can get this

[ande]

The replies in this thread is horrible, I am almost disappointed.

First of all, OP (union_select_h4ck), never ever use such subjects again. We are not interested in whether or not you found stuff in the tutorial section and searched around, its a good thing that you did but that title does not help us or anyone in any way. I have renamed it for you. Additionally you should have posted your hash in the first post.

Having a look at http://www.insidepro.com/hashes.php and previous experience I would say your hash was generated by the password() function in a mysql version post-4.1. (check out http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html).

The (default) password() function in a post 4.1 version of mysql would be a double sha1 indeed, but can be changed, however your hash is probably not.

http://www.insidepro.com/eng/passwordspro.shtml will be able to crack your hash, or at least try. It also supports rainbow tables afaik (read down).

As a bonus, here is a PHP implementation of the password() function:

Code: (php) [Select]

<?php
$pass = "12345678";
echo "*".strtoupper(sha1(hex2bin(sha1($pass))));
?>


Many Hashes are pre calculated an written down in rainbow tables.
Have you tried using a rainbow table ?
And I don't even know that's gonna work because it could be that the hash is salted
(I am not sure if MySql5 salts passwords but it would be safer. Please correct me if I am mistaking)

You are mistaken, it does not salt the passwords. In fact, the password() function in mysql should not be used to hash user passwords according to mysql's documentation.

As far as I researched this is a 160 bit SHA-1 Hash.
So your only chance IS a rainbow table ( and still I doubt that this is gonna work)

Your only chance is NEVER just rainbow tables. Bruteforce and wordlists are always an option. Alltho in this case I would go for tables from https://www.freerainbowtables.com/en/tables2/ (they are HUGE tho).

[hppd]

What about runing a js botnet through ad netwworks and let them do the work . It's cheap as  hell and your passwords get cracked pretty fucking fast..

http://www.youtube.com/watch?v=ERJmkLxGRC0

[union_select_h4ck]

Thank you for the reply ande and will take what you said and imply it towards future posts. I just put it in there, because everyones 1st response is always "well did you research". So thought I'd cut that corner and let people know I did up front. I will get the tables in the link you have provided. Thanks again ande for the much needed information. That should be all I need