Online MD5 Cracking Service
toast writes "Did you forget your password but have your /etc/shadow? If so, this site is for you. Submit an MD5 hash and within a few days you'll have an answer. Of course, once Slashdot has its way, you'll have to wait a few years for an answer.. At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means.."
This is why we use salted, iterated hashing.
hmmmm I would never submit any shadow file, who knows what the admin of the site does with the results! Nick
All joking aside, how much do you want to bet this is the first time the slashdot effect /really/ causes a computer to catch fire due to excessive processor heat?
Objects in the blog are closer than they ap
> At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means..
Processing....
(Three days later)
Processing Complete: Result is 42
It would be cool if it didn't suck.
I hope they can't identify information that could link you to your password... I guess most people would change it afterwards. Also, is there a possibility of abuse by this system for cracking other people's passwords?
If you have physical access to your computer...which you should...then of course you could just do it all by hand by booting off of a CD. Why go through all this, unless it's to do something you're not supposed to be doing.
I don't know, what would this be useful for? Remote admin tasks perhaps?
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
This seems pretty irresponsible... There's not even a disclaimer or click-through license that tells you to submit only a shadow file you are authorized to manipulate. People who have legitimately lost their passwords are going to be a tiny, tiny minority of users of this site.
Just send us your:
1. SS#
2. Mother's maiden name
3. Address of the account with the forgotten password
4. ID of the account with the forgotten password
5. MD5 Hash of the forgotten password
Please send all info to The Good Samaritans c/o Nigerian Embassy.
There are already md5 cracking utilities out there that are extremely fast. It'd probably be faster to brute force the hash on your own machine, really.
Now, distributed md5 cracking would be quite interesting.
What is /etc/shadow?
"At the moment we can crack md5 hashes in this character range: a-z;0-9 [8] which means we can break almost all hashes (99.56%) which are created from lowercase plaintext with letters and/or digits up to length of 8 characters." (Emphasis mine)
If your password is under 8 characters and contains only lowercase letters and digits, you deserve to be cracked.
If you use a proper password, then you have nothing to fear from this "service"
While I'm *cough* sure that this site has good intentions, the best thing to do if you lose your password is
1) Get the admin to change it for you.
or, if you've lost the root password
2) Boot through some external method (generally from CD or network) and change your password that way.
Admins should keep the shadow file safe from malicious access, but this is giving it to a 3rd party... bad juju.
If you RTFA, it says that it will only hack the following passwords:
a-z;0-9 [8]
This just seems sorta pointless. Many people are complaining about you getting a password for someone else's stuff -- but if they put a capital letter, or any sort of special character, they're safe from this attack. Is there a reason that they didn't add capital letters into the algorithm?
I think my principles are reachin' an all time low
A quick check of hashes pending results shows that not only will you know, but also the 52 dronelike /.ers who submitted the same hash.
Tip: Change your password.
>At best, they could come up with a combination that produces the same hash as the one given to them, but that does not mean it is the right answer.
But then why wouldn't that be good enough?
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
so, what they are saying is that they can tell me my password if i give them my /etc/shadow. however, that file can't be read, opened, et cetera, unless you are root. so if i had my root password, i could change my user's password anyway... or make a new user and copy all my ~ files over.
If I didn't have my root password, but had my user with sudo, I could fix it. Or I could reboot into single user mode.
All things which can be done for FREE and without fear of the decrypted password file out in la-la-land with a bunch of h4x0rz? And this fall Fox is going to have a new reality TV show entitled "Orthodontic Surgery, The Final Frontier" where people get root canals for laughs.
The More Laws, the less Justice --Marcus Tullius Cicero
There is no publicly known MD5 hash collision. While it's rumored that one or more is known, it's never been confirmed. While MD5 is thought to be weaker than SHA-1, saying that MD5 has a "vulnerability" is going a bit too far.
This project is using RainbowCrack technology
Heading on over to the RainbowCrack page, we find (at the bottom):
Contact Information
Zhu Shuanglei shuanglei[at]hotmail.com
Member of Kingnet Security, Inc.
Shanghai, China
because Visual Basic isn't case sensitive?
All this talk about Hash is making me hungry for brownies.
A click-through license is not a binding contract. In fact, it is absolutely nothing, legally. Yes, EULAs are worthless pieces of text as well, and shown unenforceable in court.
Just so that it's clear, they haven't broken MD5 in the cryptographic sense; they're merely using the fact that the 8 character password space is small enough if you are restricted to lowercase alphabets and numbers (about 3*10^12) to run the whole thing through a brute force search. The nice thing is that they precompute all the plaintext-ciphertext pairs, which means that the actual cracking step is simply a lookup. Lookup can be greatly sped up if you're looking up lots of things at once, so the /. effect is a very good thing for them, throughput-wise :-)
You are mistaken, sir. A combo that produces the same hash is indeed the right answer.
This is something most people never think about. You actually could have several passwds that work for a given account...anything that hashes to the same thing is a working passwd.
The only thing that makes this remotely feasible is the limited character set and the length limit, which puts the total possible combinations it looks through at about 2.9 trillion. If they were to use uppercase letters as well, the total number of possibilities becomes about 222 trillion, and the search would take a lot longer.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Why not just use the method that crypt() uses, and use a salt? It's not terribly difficult to implement, and it would mean their database would need to be roughly 3,800 times as big as it is now ( assuming [a-zA-Z0-9]{2} ) Since they have 47.6 GB of lookup tables now, adding a salt would mean the resulting database would be over 180 terabytes.
Not to mention adding in special chars and uppercase letters, which would increase the database by 600 fold, assuming it's linear...
Step 1: Create a service that does something which needs a password hash
Step 2: Get a bunch of bored slashdotters to post their password hashes, and log their IPs
Step 3: Crack the hashes, keep the passwords
Step 4: h4xx0r!
And the l33t shall inherit the 34r7h.
Sorry, but this is nothing more than a "Oh cool." to me. It has no value to me as an admin. I lost my root pw, or my user passwords? I have physical access to the machine, I just reboot single user, and boom, I'm in.
I purchase old computers all the time (where old is relative of course) often with passworded logins, or -always- the owner forgot the root password. Every OS I've come across has had a way to get past the password protection -IF YOU HAVE PHYSICAL ACCESS-
Now if you lose your login on your unix machine that you have remote access to only, contact whoever hosts it, have -them- break it open for you. If they don't know how... question their admin-fu.
A short range MD5 cracker. Neat tho, but nothing more than brute force no?
> Hence an executable file with a specific MD5 value either is the original or garbage that won't run.
Don't count on it. When you create an executable it is easy to put 17 bytes somewhere, that is really not used for anything. After this has been done just start searching for a combination of those 17 bytes that produce the expected hash. It is very likely that more than one choice will exist. Of course this would take too much time.
It is easier to produce a collision. Create two executables, and instead of the 17 bytes from before just leave 9 unused bytes in each file. Then try all choices for each of the two files, and sort the results to find your collision. 2*256^9 is way smaller than 256^17. Of course even this is still infeasible. But it will be possible in a few (50) years. Using SHA1 is a bit better, but it will only take about 100000 times as much CPU time to find a SHA1 collision as an MD5 collision. Which means the computer to do it will be available about 25 years later than the one to find an MD5 collision (assuming Moore's law still holds).
Do you care about the security of your wireless mouse?
You have access to the shadow file, but you can't remember your password, so what do you do?
Submit the hashes over the internet of course!!
What the hell were these people thinking? If you have access to the shadow file, then you have root access, and you can just passwd a different password. Root doesn't have to supply the current password.
Worst case scenario, just cut out the hash and it'll be a blank password until you reset it. And if you really need that password, odds are that the others in there would be a nice bonus too, in which case there's plenty of other tools available.
Well, 36 ^ 8 = 2,821,109,907,456. How long does it take to compute an MD5 Sum?
More to the point, consider "cracking" passwords in this manner:
The NSA has been reported to have ACRES of computer space; their own chip fab and some of the fastest computers in the world.
What if, decades ago, they just dedicated banks of systems to cracking all possible passwords hashed with crypt. Then, a few years later, did the same thing with MD5, SHA-1, and Blowfish -- as each became available.
They store all this stuff in a table, and now getting passwords to most systems is nothing more than a quick table lookup.
Yes, I know the math. However, add in a bit of psychology and statistics.
Most people don't use characters you can't type on a keyboard for a password. VERY few do ALT-nnn or something like that. Most are going to be pure alpha, or alphanumeric. Some will contain special characters.
Meaning, you don't have to exhaust the entire 8-bit character space to get the vast majority of what you're looking for.
Is it really a surprise that something like this is starting to be possible on consumer systems?
Heck, imagine a beowulf cluster dedicated to this...
Learning HOW to think is more important than learning WHAT to think.
If it's a production server that you can't afford to even reboot, maybe you shouldn't be giving the root password to some random website
Yes, because knowing the password means that you automatically know the IP address too, right?
Personally, I think it would be better if they released an app that does this.
Yeah, a 47GB app. That'd be a snap to download.
They're using RainbowCrack - the app is no secret.. it's the data tables that make this useful.
It is a time-memory tradeoff. They come up with a "reduction function" R, which maps hashes into keys. It is not a reversal of the md5 algorithm, it just generates some key based on the hash. Then they create sequences of hash, key, hash, key, hash, key... with each key being the reduction function applied to the previous hash, and each hash being the hash function applied to the previous key. They stop their sequences when they reach "distinguished values," which may e.g. have 0's for the first 12 bits. Then they store the start and endpoints of the sequence.
So now they have a list of start and endpoints for these chains of hashes and keys. To crack a hash, they apply the same process to it - reduction function, hash, reduction function, hash, until they reach a value that is in their table of endpoints. Then they begin at the startpoint associated with that endpoint, and regenerate the sequence up to the hash they're trying to crack. Since the key directly before that hash hashes to that hash, they've successfully cracked the hash.
The "rainbow" refers to the recent innovation of using a different reduction function for each step of the sequence, i.e. using R1 on the first hash, R2 on the second, etc. This means that, even if two sequences contain the same hash, they probably won't be exactly the same after that - a significant problem with the older method of having a single reduction function.
If you want to read about this in more detail with math symbols and such, the pdf is linked from the site.
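The chain construction described above, as an added example (not code from the thread, the service, or RainbowCrack): a toy rainbow table over a constructed keyspace of three lowercase letters, with a per-column reduction function so that chains colliding in different columns do not merge. Chain length, chain count and the seed strings are assumptions chosen to keep it fast.

```python
import hashlib
import string
# Toy keyspace, constructed for this example: lowercase, exactly 3 chars (26^3 =
# 17576 keys). The service in the thread covered [a-z0-9] up to length 8.
ALPHABET = string.ascii_lowercase
KEY_LEN = 3
KEYSPACE = len(ALPHABET) ** KEY_LEN
CHAIN_LEN = 40  # hash/reduce steps per chain; only chain endpoints are stored

def md5_hex(key: str) -> str:
    return hashlib.md5(key.encode()).hexdigest()

def reduce_hash(digest_hex: str, column: int) -> str:
    """Reduction R_column: map a digest to *some* key (not an inverse of MD5).
    Folding in the column index gives a different R per step, the "rainbow"
    trick: chains that collide in different columns do not merge."""
    n = (int(digest_hex, 16) + column) % KEYSPACE
    chars = []
    for _ in range(KEY_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def build_table(start_keys):
    """Precomputation: key -> hash -> key ... for CHAIN_LEN steps per chain,
    keeping only endpoint -> startpoints (a list, so merged chains survive)."""
    table = {}
    for start in start_keys:
        key = start
        for col in range(CHAIN_LEN):
            key = reduce_hash(md5_hex(key), col)
        table.setdefault(key, []).append(start)
    return table

def crack(table, target_hex):
    """Online phase: the target may sit at any column j, so for each j apply
    R_j and continue with R_{j+1}.. to an endpoint; on a table hit, replay the
    chain from its startpoint and return the key just before the target."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        key = reduce_hash(target_hex, col)
        for c in range(col + 1, CHAIN_LEN):
            key = reduce_hash(md5_hex(key), c)
        for start in table.get(key, []):
            k = start
            for c in range(CHAIN_LEN):
                if md5_hex(k) == target_hex:
                    return k
                k = reduce_hash(md5_hex(k), c)
            # endpoint matched but the target was not on this chain (false alarm)
    return None

def demo():
    """Constructed scenario: 200 chains, then recover a key known to lie at
    column 7 of the chain that starts from start_keys[3]."""
    start_keys = [reduce_hash(md5_hex(f"seed{i}"), 0) for i in range(200)]
    table = build_table(start_keys)
    secret = start_keys[3]
    for col in range(7):
        secret = reduce_hash(md5_hex(secret), col)
    return secret, crack(table, md5_hex(secret))
```

With 200 chains of 40 steps the table covers well under half of the 17576 keys, so a random 3-letter key is often not found; that miss rate, not the hash function, is what the real tables trade memory against, and a salt multiplies the keyspace the table must cover.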
ROLAND The combination is (hesitates) 827ccb. ;)
HELMET 827ccb.
SANDURZ 827ccb. (writes)
ROLAND 0eea8a.
HELMET 0eea8a.
SANDURZ 0eea8a. (writes)
ROLAND 706c4c.
HELMET 706c4c.
SANDURZ 706c4c (writes)
ROLAND 34a1689.
HELMET 34a1689.
SANDURZ 34a1689. (writes)
ROLAND (hesitates) 1f84e7b.
HELMET 1f84e7b.
SANDURZ 1f84e7b. (writes)
HELMET So the combination is 827ccb0eea8a706c4c34a16891f84e7b (lifts mask) That's the stupidest combination I've ever heard in my life. That's the kinda thing a fucking n00b would have on his Windows box.
Join the TWIT army now!
"827ccb0eea8a706c4c34a16891f84e7b?? That's the same combination that's on my luggage!"
Same thing for windows users (only different) is here. Submit an LM or NT hash, get the password emailed back to you...
Anyway, time to change up to SHA1 ;)
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
17:25 http://passcracking.com/
:)
17:25 <ge_> !!
17:26 <toast> interesting
17:26 <toast> let's DoS it
17:26 <ge_> hehehehe
17:26 <toast> just write a distributed tool to submit nonsense and keep the queue full
17:26 <ge_> worse
17:26 <ge_> let's slashdot it!
17:27 <toast> haha
17:27 <toast> perfect
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
> This is something most people never think about. You actually could have several passwds that work for a given account...anything that hashes to the same thing is a working passwd.
Another neat example of this principle at work is the soundex hash function, which was designed for the US Census to lookup names. It encodes a name such as Johnson as an alphanumerical code J525. Other, similar names, such as Jonsson, Joganson and even Jamieson and Jenkins are converted to J525 as well. In this way, even if people's names are misspelled in some way in the census (or when they were registered at birth; family names tend to evolve over time) they can still be found by a reasonable approximation.
And because the soundex hash is computed when the records are stored, there isn't the kind of overhead that you'd get from a regular expression/glob search over all the records.
The modest computational requirements for what amounts to a very clever phonetic lookup mechanism aren't surprising in a way; Soundex was patented in 1918.
You can play with soundex on this page.
Now imagine your password was stored as a soundex hash.. Ouch! Even if someone looking over your shoulder when you type in your password got half the letters wrong, he'd still get in!
This is exactly why it's so important that cryptographic one-way hashes don't regularly produce the same hash. The name for finding a password that's not the same, but hashes the same is a birthday attack, named after the birthday paradox.
This is the reason why you should salt!
SCO employee? Check out the bounty
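The two collision costs compared in the thread (the "2*256^9 versus 256^17" remark and the birthday-attack comment above), as an added example that is not from the thread: MD5 truncated to a small, constructed bit width so both searches finish quickly. Finding any two colliding inputs costs about 2^(n/2) hashes (birthday bound); matching one fixed digest, which is what recovering a given password hash requires, costs about 2^n. Message prefixes and bit widths are assumptions.

```python
import hashlib
import itertools

def trunc_md5(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5(data) as an int: a deliberately small toy hash so
    the two search costs below are visible at interactive speed."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def birthday_collision(bits: int, prefix: bytes = b"constructed-"):
    """Find ANY two distinct inputs with the same truncated digest by hashing
    numbered messages and watching for a repeat (the same idea as hashing both
    candidate files and sorting the results). Expected work ~ 2^(bits/2)."""
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()
        h = trunc_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1  # (first, second, hashes computed)
        seen[h] = msg

def second_preimage(target: bytes, bits: int, prefix: bytes = b"constructed-"):
    """Find an input other than `target` matching target's FIXED truncated
    digest. Expected work ~ 2^bits: the square of the birthday cost, which is
    why 'another password with the same hash' is far harder than 'any two
    inputs with the same hash'."""
    goal = trunc_md5(target, bits)
    for i in itertools.count():
        msg = prefix + str(i).encode()
        if msg != target and trunc_md5(msg, bits) == goal:
            return msg, i + 1  # (match, hashes computed)

def compare(bits: int = 18):
    """Hashes computed by each search at the same bit width."""
    _, _, n_birthday = birthday_collision(bits)
    _, n_second = second_preimage(b"the-real-message", bits)
    return n_birthday, n_second
```

At 18 bits expect the birthday search to stop after a few hundred hashes and the second-preimage search after a few hundred thousand; the ratio grows as 2^(n/2) with the digest width.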
#!/usr/bin/perl
# Brute-force search for the plaintext of an MD5 digest over [a-z0-9A-Z],
# counting upward from single characters through ever longer strings.
use strict;
use warnings;
use Digest::MD5;

use constant POSSIBLE_CHARS => 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
use constant LAST_POSSIBLE_CHAR => substr(POSSIBLE_CHARS, length(POSSIBLE_CHARS) - 1, 1);
use constant FIRST_POSSIBLE_CHAR => substr(POSSIBLE_CHARS, 0, 1);

print "Digest:\t";
my $digest = <STDIN>;
chomp($digest);            # the original chomped $data, leaving the newline on $digest
$digest = lc $digest;      # hexdigest() returns lowercase hex
my $ctx = Digest::MD5->new;
print "Beginning to decrypt...\n";

my $attempts = 0;
my $current_string = FIRST_POSSIBLE_CHAR;
my $start_time = time();
my $attempt;
# Hash the current candidate first, then advance (the original skipped the first one).
while (1)
{
    $attempts++;
    $ctx->reset();
    $ctx->add($current_string);
    $attempt = $ctx->hexdigest();
    last if $attempt eq $digest;
    $current_string = next_string($current_string);
}
my $end_time = time();
print "String decrypted...\n";
print "String = '$current_string'\t\t\tHash = $attempt\n";

my $time_to_complete = $end_time - $start_time;
my $seconds = $time_to_complete % 60;
$time_to_complete = ($time_to_complete - $seconds) / 60;
my $minutes = $time_to_complete % 60;
$time_to_complete = ($time_to_complete - $minutes) / 60;
my $hours = $time_to_complete % 24;
my $days = ($time_to_complete - $hours) / 24;
foreach my $unit ($seconds, $minutes, $hours)   # foreach aliases, so this zero-pads in place
{
    if ($unit < 10) { $unit = '0' . $unit; }
}
print "String found in $days days, $hours:$minutes:$seconds\t\t\t$attempts cycles\n";

# Return the string that follows $string in counting order: advance the last
# character, or reset it and carry into the characters before it.
sub next_string
{
    my ($string) = @_;
    my $last_char_of_string = substr($string, length($string) - 1, 1);
    unless ($last_char_of_string eq LAST_POSSIBLE_CHAR)
    {
        substr($string, length($string) - 1, 1,
               substr(POSSIBLE_CHARS, rindex(POSSIBLE_CHARS, $last_char_of_string) + 1, 1));
        return $string;
    }
    if (length($string) == 1)
    {
        return FIRST_POSSIBLE_CHAR . FIRST_POSSIBLE_CHAR;
    }
    return next_string(substr($string, 0, length($string) - 1)) . FIRST_POSSIBLE_CHAR;
}
- reboot(8) syncs disks.
- reboot(8) sends TERM signals.
- reboot(8) syncs every 3 seconds for up to 60 while vm.stats.vm.v_swappgsin changes.
- reboot(8) sends KILL signals.
- reboot(2) is called, which calls boot(), which syncs in a loop 20 times, backing off from 1/20th to 1 second while there are active buffers.
- If any active buffers remain, the disk is left mounted so it's fscked next boot.
Now, if only shutdown(8) called sync once, we'd be up to a maximum of 42... maybe I missed one. Nice function name in there at least: die_you_gravy_sucking_pig_dog(). You really wanted to know all that, didn't you? Hello? Bah.
IIRC, MD5 was based on the idea that even if two or more things had the same MD5 sum, there wouldn't be more than one *intelligible* or *usable* thing with the same MD5.
That's why MD5 works well for error or tampering verification. You might be able to get a big pile of garbage to have the same MD5 as the real message, but you'd be hard-pressed to create any other legible/interpretable data, or wind up with corrupted (slightly different) data with the same hash.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
The "salt" is used to change how the password is hashed. If you look at the shadow password file on your computer, you'll see some lines that look like this
root:$1$abcdefge$abcd1234efg789hijklmno:0:0:...
You'll notice that the password field (the stuff after the 1st colon, and before the 2nd colon) is itself divided into 3 fields separated by dollar signs. The purpose of these fields are:
1st field - Identifies hashing method. This allows for future changes to how the password is stored while allowing backward compatibility with existing passwords.
2nd field - This contains the salt used to hash the password. In order to verify a new password, this exact salt must be used in the hashing process. Since in this case, it's 8 characters long and each character can be one of 64 values, it means that each possible password may be hashed into one of 2^48 different values. This salt is generated randomly at the time that you set your password. The randomly generated salt is then stored here for use in verifying future authentication attempts.
3rd field - This is the actual hashed password using the salt specified in the previous field. It is 22 characters long, which with base 64 encoding can store 132 bits. Since MD5 only hashes to 128 bits, there are 4 unused bits at the tail end of this value.