Author Topic: mysql >4.1 password hash  (Read 3352 times)

0 Members and 1 Guest are viewing this topic.

Offline union_select_h4ck

  • /dev/null
  • *
  • Posts: 9
  • Cookies: -2
    • View Profile
mysql >4.1 password hash
« on: January 27, 2014, 10:15:12 pm »
I need help with cracking mysql5 passwords. Im good with getting into websites and getting info, but mysql5 encrypted passwords stump me. I posted a thread last night but i guess it got deleted.
« Last Edit: February 01, 2014, 09:19:50 am by ande »
Another one bites the dust

Offline Raavgo

  • Peasant
  • *
  • Posts: 88
  • Cookies: 12
  • On my way from a n00b to a PRO
    • View Profile
Re: checked tutorial section and searched everywhere...no luck
« Reply #1 on: January 27, 2014, 11:28:12 pm »
I need help with cracking mysql5 passwords. Im good with getting into websites and getting info, but mysql5 encrypted passwords stump me. I posted a thread last night but i guess it got deleted.


More info would be helpful...
Do you want to bruteforce it? (john the ripper is a nice tool or even http://www.onlinehashcrack.com/ could work)
Make sure you google before opening a thread.


p.s.
Please write an intro (nobody wants a pls learn me how to hax person)

« Last Edit: January 27, 2014, 11:33:06 pm by Raavgo »

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
    • View Profile
    • My journal
Re: checked tutorial section and searched everywhere...no luck
« Reply #2 on: January 28, 2014, 12:38:04 am »
Check jack the ripper or hashcat's documentation... I think its a double sha1, but im not sure.
“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline union_select_h4ck

  • /dev/null
  • *
  • Posts: 9
  • Cookies: -2
    • View Profile
Re: checked tutorial section and searched everywhere...no luck
« Reply #3 on: January 30, 2014, 04:38:47 am »
Thank you for your replies. I will post the hash. I got hashcat and after 14hrs still didn't crack it. *F0E8AA8DDB9BEBBE913B52B8BF8A7CEF375E10FC that is the hash I have. I have the username too as well as email. I know you have to crack it without the * symbol so I put it in the program without it and with no luck.

p.s. I went to onlinehashcrack and they did it, but I don't want to pay $14 for the required bitcoins and I would like to know how to do it myself. I was going to write an intro, but as I went to the new comer section. I read the pls read topic and didn't sound like posting a "hey im new" thread was appropriate. So I went to asking a question. am proficient in sqli (manually) so not really asking to "learn how to hax" just cracking....they go hand in hand I see tho. I have done research and didn't find anything that I can use to do it myself. or tuts on mysql5
« Last Edit: January 30, 2014, 04:46:59 am by union_select_h4ck »
Another one bites the dust

Offline Raavgo

  • Peasant
  • *
  • Posts: 88
  • Cookies: 12
  • On my way from a n00b to a PRO
    • View Profile
Re: checked tutorial section and searched everywhere...no luck
« Reply #4 on: January 30, 2014, 03:06:10 pm »
Many Hashes are pre calculated an written down in rainbow tables.
Have you tried using a rainbow table ?
And I don't even know that's gonna work because it could be that the hash is salted
(I am not sure if MySql5 salts passwords but it would be safer. Please correct me if I am mistaking)
« Last Edit: January 30, 2014, 03:14:01 pm by Raavgo »

Offline union_select_h4ck

  • /dev/null
  • *
  • Posts: 9
  • Cookies: -2
    • View Profile
Re: checked tutorial section and searched everywhere...no luck
« Reply #5 on: January 30, 2014, 03:27:12 pm »
I will try the rainbow tables. It might work. I think they do salt mysql5, because on hashcat was reading 0/1 recovered and 0/1 salts. Don't know tho. 1st time working with a mysql5 password. usually sha1 or some shit like that. Thank you for the suggestion. Will post the outcome.
Another one bites the dust

Offline l0n3r

  • Serf
  • *
  • Posts: 23
  • Cookies: -16
    • View Profile
Re: checked tutorial section and searched everywhere...no luck
« Reply #6 on: January 30, 2014, 04:41:42 pm »
hey whats u guys,

I ran across this this morning and it was very interesting article, anyway near the bottom of the article has something to do with find plaintest FROM HASHES...including your mysql5....

check it out. read through

http://thehackernews.com/2014/01/cryptography-hacks-hash-encryption.html#


 

Offline Raavgo

  • Peasant
  • *
  • Posts: 88
  • Cookies: 12
  • On my way from a n00b to a PRO
    • View Profile
Re: checked tutorial section and searched everywhere...no luck
« Reply #7 on: January 30, 2014, 09:41:09 pm »
I will try the rainbow tables. It might work. I think they do salt mysql5, because on hashcat was reading 0/1 recovered and 0/1 salts. Don't know tho. 1st time working with a mysql5 password. usually sha1 or some shit like that. Thank you for the suggestion. Will post the outcome.

As far as I researched this is a 160 bit SHA-1 Hash.
So your only chance IS a rainbow table ( and still I doubt that this is gonna work)
« Last Edit: January 30, 2014, 09:41:26 pm by Raavgo »

Offline union_select_h4ck

  • /dev/null
  • *
  • Posts: 9
  • Cookies: -2
    • View Profile
Re: checked tutorial section and searched everywhere...no luck
« Reply #8 on: February 01, 2014, 06:29:26 am »
Thank You guys. Am still working on it. Now I know which method to stick with. Hopefully can get this
Another one bites the dust

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: checked tutorial section and searched everywhere...no luck
« Reply #9 on: February 01, 2014, 09:19:24 am »
The replies in this thread is horrible, I am almost disappointed.

First of all, OP (union_select_h4ck), never ever use such subjects again. We are not interested in whether or not you found stuff in the tutorial section and searched around, its a good thing that you did but that title does not help us or anyone in any way. I have renamed it for you. Additionally you should have posted your hash in the first post.

Having a look at http://www.insidepro.com/hashes.php and previous experience I would say your hash was generated by the password() function in a mysql version post-4.1. (check out http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html).

The (default) password() function in a post 4.1 version of mysql would be a double sha1 indeed, but can be changed, however your hash is probably not.

http://www.insidepro.com/eng/passwordspro.shtml will be able to crack your hash, or at least try. It also supports rainbow tables afaik (read down).

As a bonus, here is a PHP implementation of the password() function:
Code: (php) [Select]
<?php
$pass 
"12345678";
echo 
"*".strtoupper(sha1(hex2bin(sha1($pass))));
?>




Many Hashes are pre calculated an written down in rainbow tables.
Have you tried using a rainbow table ?
And I don't even know that's gonna work because it could be that the hash is salted
(I am not sure if MySql5 salts passwords but it would be safer. Please correct me if I am mistaking)

You are mistaken, it does not salt the passwords. In fact, the password() function in mysql should not be used to hash user passwords according to mysql's documentation.

As far as I researched this is a 160 bit SHA-1 Hash.
So your only chance IS a rainbow table ( and still I doubt that this is gonna work)

Your only chance is NEVER just rainbow tables. Bruteforce and wordlists are always an option. Alltho in this case I would go for tables from https://www.freerainbowtables.com/en/tables2/ (they are HUGE tho).
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline hppd

  • Knight
  • **
  • Posts: 163
  • Cookies: 7
    • View Profile
Re: mysql >4.1 password hash
« Reply #10 on: February 02, 2014, 12:24:36 am »
What about runing a js botnet through ad netwworks and let them do the work :D. It's cheap as  hell and your passwords get cracked pretty fucking fast..

http://www.youtube.com/watch?v=ERJmkLxGRC0

Offline union_select_h4ck

  • /dev/null
  • *
  • Posts: 9
  • Cookies: -2
    • View Profile
Re: mysql >4.1 password hash
« Reply #11 on: February 02, 2014, 01:28:06 am »
Thank you for the reply ande and will take what you said and imply it towards future posts. I just put it in there, because everyones 1st response is always "well did you research". So thought I'd cut that corner and let people know I did up front. I will get the tables in the link you have provided. Thanks again ande for the much needed information. That should be all I need :)
Another one bites the dust