Online MD5 Cracking Service

toast writes "Did you forget your password but have your /etc/shadow? If so, this site is for you. Submit a MD5 hash and within a few days you'll have an answer. Of course, once Slashdot has its way, you'll have to wait a few years for an answer.. At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means.."

Dictionary attack

This is why we use salted, iterated hashing.

Re:Dictionary attack

[kasperd]

This is why we use salted, iterated hashing.

I never really looked into exactly how crypt works, so I can't say for sure if it use iterated hashing. But in the case of MD5 passwords, it does indeed use a 48 bit salt (8 chars base 64 encoded). So mentioning /etc/shadow doesn't really make any sense. I still find it a bit worrying that they can crack a password with about 42 bits of entropy. A good 8 character password will have about 48 bits of entropy, which means it would take only 64 times as long to crack as what they can do now (a litle more if the hashing is in fact iterated). But the salt does mean they couldn't be cracking more than one password at a time. (I'm glad my root password is 16 chars long).

Re:Dictionary attack

[fataugie]

(I'm glad my root password is 16 chars long).

See, that's why I have a blank root password...so they spend all that time cracking something that doesn't exist.

Re:Dictionary attack

[JPriest]

This method and more in the next version of 101 ways to abuse virtual hosting package.

Re:Dictionary attack

[julesh]

Unfortunately, some of us here know the empty MD5 well enough to recognise it on site. It's the only one I've ever seen that contains the string '98 foob2'.

I'm not entirely sure what a foob is, but I'm pretty sure we have at least 98 of them here.

Re:Dictionary attack

[kasperd]

which is why this website needs to have a distributed client

How much would that help? Presumably everybody submiting a password to have cracked have a different salt, so how much can they help each other? Of course if you want to find the reverse image of a hash value by brute force, it would help to have a lot of machines working on it, and if everybody had a list of all the hashes being searched for, they could help each other. But brute forcing MD5 this way is something that wouldn't be realistic now, maybe in a 100 years we will have enough computing power to do that. So some shortcuts must be made, which is why they allow only short passwords using a restricted set of chars. This "service" will only find the password from a small set with 42 bits of entropy, the salt alone have 48 bits of entropy. Probably you could make similar shortcuts even given a salt, but they would have to be aimed at one particular salt.

Hmmmmmm

[skynetos]

hmmmm I would never submit any shadow file, who knows what the admin of the site does with the results! Nick

Re:Hmmmmmm

[xlyz]

you should not worry about it

they just publish it on the internet

Re:Hmmmmmm

[Concerned+Onlooker]

Pardon me for actually checking out the site. It seems as though you don't submit an entire shadow file after all. Only the hash of the password.

Re:Hmmmmmm

[Richard_at_work]

And the best part of it, it actually says that in the blurb at the top of this page!!! Sheesh, have we stopped reading the slashdot writeup now? Is it really true that we have become a civilisation where our attention spans are measured in microseconds? Does the title have to have 'sex' or something in it to gain more scrutiny?

Re:Hmmmmmm

[Alsee]

!!!!!
Did someone mention sex?

-

Re:Hmmmmmm

Quit exagerrating. Slashdot has only improved my attention span by... Hey, cool, China's deploying an IPv9 Network!

A /. 1st?

[Your_Mom]

All joking aside, how much do you want to bet this is the first time the slashdot effect /really/ causes a computer to catch fire due to excessive processor heat?

Re:A /. 1st?

[allenw]

Hopefully it is running BeOS as its is_computer_on_fire() call will provide at least some protection.

Re:A /. 1st?

[Aeiri]

They can also use Linux. If you check the Linux source, not only does it check if your CPU is on fire, it also checks to see if your printer is on fire!

# cd /usr/linux/src
# egrep -ri "(on fire)" *

This will return a lot, but here are two of the results:

arch/i386/kernel/cpu/mcheck/p5.c: printk(KERN_EMERG "CPU#%d: Possible thermal failure (CPU on fire ?).\n", smp_processor_id());

drivers/usb/class/usblp.c:static char *usblp_messages[] = { "ok", "out of paper", "off-line", "on fire" };

What it really means

[Zorilla]

At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means..

Processing....

(Three days later)

Processing Complete: Result is 42

Re:What it really means

[BobPaul]

on page 2 when results are 500, you'll find

"f3789b3c1be47758203f9e8a4d8c6a2a" = "goatse"

So stop submitting it! ;)

Re:What it really means

[arvindn]

This is probably obvious, but you can verify it using:

$ echo -n goatse | md5sum

f3789b3c1be47758203f9e8a4d8c6a2a -

So parent is right.

Re:What it really means

So what the parent is really saying is that the question to life, the universe, and everything is "goatse"? and the answer is 42....expalins so much..

Re:What it really means

[Pharmboy]

But don't cue a beowulf of goatse!

Re:What it really means

[notsoclever]

It was Hitchhiker's Guide to the Galaxy, which was a radio show, a book, and a TV series, but not a movie.

Also, one hash maps to infinitely many unique items. Read up on the pigeonhole principle. The short form is that there are only 2^128 md5 hashes, so if there are more than 2^128 things which can be hashed (and there are) then more than one of those will map onto the same md5 hash. Granted, at least one of the passwords will have to be longer than 16 bytes and it'll be likely to have non-printable or high-ASCII/UTF-8/whatever garbage in it, but it's still possible.

(And, the converse is that no matter how long your password is, there'll always be a 16-character string which is equivalent to it.)

Um....couldn't you just change it yourself?

[ScottGant]

If you have physical access to your computer...which you should...then of course you could just do it all by hand by booting off of a CD. Why go through all this, unless it's to do something you're not suppose to be doing.

I don't know, what would this be usefull for? Remote admin tasks perhaps?

Re:Um....couldn't you just change it yourself?

[sonicattack]

I've done this a couple of times when something needed to be fixed and no-one remembered the root password. Since the system is in a very basic state after starting with init=/bin/bash, it's probably a good idea to only fix the absolutely necessary stuff in order to make a real startup.

mount -o remount,rw /

... fix the password file ..

sync ; sync

reboot -f

Re:Um....couldn't you just change it yourself?

[Pharmboy]

or pass "linux 1" to the kernel, at least in RH. Also, what is this /bin/bah shell you speak of? Is it part of the humbug package? ;)

Re:Um....couldn't you just change it yourself?

[sonicattack]

It may be that only one sync is necessary to get the data to the disk.

But since I've heard many times that on some systems, the first sync merely schedules dirty pages for writing, while the second sync won't return until the first sync has completed (buffers actually flushed), I've always gone for the safer bet.

Syncing three times is also a popular way of doing it. I've also noticed that the number of syncs I perform before reboot -f'ing correlates to the amount of coffee I've had. :^)

Re:Um....couldn't you just change it yourself?

[questor]

The idiom is "sync[return]sync[return]sync[return]", so that the first sync schedules the dirty page writing, which should (at least in theory) be done by the time the (super)user is done typing the third. Using semi-colons instead of returns defeats the purpose of doing it three times, since nothing happens until the return is typed; the second and third sync's are there only for the typing delay, which doesn't happen if they're ganged up on one command line.

Alternately, one could simply count to five or so before entering the "reboot" command/hitting the reset switch/whatever, but that's less reliable than muscle memory.

Hmm

[Have+Blue]

This seems pretty irresponsible... There's not even a disclaimer or click-through license that tells you to submit only a shadow file you are authorized to manipulate. People who have legitimately lost their passwords are going to be a tiny, tiny minority of users of this site.

Re:Hmm

[GodEater]

Especially since the only people who should have access to /etc/shadow should be the people with root on the box.

Joe bloggs on his shell account isn't going to be able to get it is he ?

We offer a similar service

Just send us your:

1. SS#
2. Mother's maiden name
3. Address of the account with the forgotten password
4. ID of the account with the forgotten password
5. MD5 Hash of the forgotten password

Please send all info to The Good Samaritans c/o Nigerian Embassy.

Nothing new.

[Moonshadow]

There are already md5 cracking utilities out there that are extremely fast. It'd probably be faster to brute force the hash on your own machine, really.

Now, distributed md5 cracking would be quite interesting.

Re:Nothing new.

[hey]

hey's rule: for every slashdot article about something new and cool there exists at least one posting saying that its been done before.

Re:Nothing new.

[drinkypoo]

How many Slashdotters does it take to change a light bulb? One to change it, another one to change it again, and then fifty or sixty more to let everyone know the precise date and time of the first changing.

Question

[ArchAngel21x]

What is /etc/shadow?

Re:Question

[Zeebs]

What /etc/passwd leaves against a surface when you shine a light at it.

Umm..

[pilot1]

"At the moment we can crack md5 hashes in this character range: a-z;0-9 [8] which means we can break almost all hashes (99.56%) which are created from lowercase plaintext with letters and/or digits up to length of 8 characters." (Emphasis mine)

If your password is under 8 characters and contains only lowercase letters and digits, you deserve to be cracked.
If you use a proper password, then you have nothing to fear from this "service"

Re:Umm..

[cgenman]

Anyone else wonder if this is just a clever way to steal passwords?

'scuse me?

[NitsujTPU]

While I'm *cough* sure that this site has good intentions, the best thing to do if you lose your password is

1) Get the admin to change it for you.

or, if you've lost the root password

2) Boot through some external method (generally from CD or network) and change your password that way.

Admins should keep the shadow file safe from malicious access, but this is giving it to a 3rd party... bad juju.

. . . not just you . . .

[erikharrison]

At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means

A quick check of hashes pending results shows that not only will you know, but also the 52 dronelike /.ers who submitted the same hash.

Tip: Change your password.

Re:How much use?

[MntlChaos]

that can be changed, it'll just take a lot more space for them. For those that didn't RTFA. What the rainbowcrack system is is a system that generates all the hashes for a known keyspace. Then all that is needed is a lookup in these (gigantic) tables.

possible answer:

[sinnfeiner1916]

because Visual Basic isn't case sensitive?

hash

[k31bang]

All this talk about Hash is making hungry for brownies.

Stop this nonsense

[Peaker]

A click-through license is not a binding contract. In fact, it is absolutely nothing, legally. Yes, EULA's are worthless pieces of text as well, and shown unenforceable in court.

Brute force search

[arvindn]

Just so that its clear, they haven't broken MD5 in the cryptographic sense; they're merely using the fact that the 8 character password space is small enough if you are restricted to lowercase alphabets and numbers (about 3*10^12) to run the whole thing through a brute force search. The nice thing is that they precompute all the plaintext-ciphertext pairs, which means that the actual cracking step is simply a lookup. Lookup can be greatly speeded up if you're looking up lots of things at once, so the /. effect is a very good thing for them, throughput-wise :-)

Re:Load of Crap...

[dukerobillard]

combination that produces the same hash as the one given to them, but that does not mean it is the right answer

You are mistaken, sir. A combo that produces the same hash is indeed the right answer.

This is something most people never think about. You actually could have several passwds that work for a given account...anything that hashes to the same thing is a working passwd.

Stop yammering about your passwords, folks

[fanatic]

From the rainbbow crack FAQ site: http://www.antsight.com/zsl/rainbowcrack/faq.htm:

1. Is it possible to crack /etc/shadow file in linux with time-memory trade-off technique? No, you can't. Linux use salt to randomize the hash, which is originally designed to defend this kind of attack. However, any hash with salt is resistant to time-memory trade-off attack, while hashes without salt aren't.

Emphasis added.

a simple solution- use a salt

[jCaT]

Why not just use the method that crypt() uses, and use a salt? It's not terribly difficult to implement, and it would mean their database would need to be roughly 3,800 times as big as it is now ( assuming [a-zA-Z0-9]{2} ) Since they have 47.6 GB of lookup tables now, adding a salt would mean the resulting database would be over 180 terabytes.

Not to mention adding in special chars and uppercase letters, which would increase the database by 600 fold, assuming it's linear...

Profit!

[pseudochaotic]

Step 1: Create a service that does something which needs a password hash
Step 2: Get a bunch of bored slashdotters to post their password hashes, and log their IPs
Step 3: Crack the hashes, keep the passwords
Step 4: h4xx0r!

Re:Interesting...

[drix]

Ah ha! You've got `em, you cunning sleuth, you.

It will be a cold day in Hell before I hand my /etc/shadow over to a Chinese person.

Thank you so very much for enlightening me and the rest of /. about this very pertinent, sensitive and telling piece of information.

Re:Passwords

[mindmaster064]

As long as you aren't using passwords that are straight out of the dictionary (this is like 3rd grade people) you should be fine even with something like this being available. I suggest quit using passwords, and use passphrases instead. Someone MD5ing phrases will have to look for months not days.. Change your passphrase like every three months and you'll never have a thing to worry about. The only problem is that md5 has a pretty limited key space and "foo" might equal "TheLastStand" so someone may come up with an equivalent key. Regardless, md5 is designed to keep people from being able to easily come up with these passwords or alter a file it is not designed to keep people off of your computer and it is still much better than crypt. Being able to reverse an md5sum isn't going to get someone on your system that hasn't already got in. Make sure root cannot log on to your box and a user cannot su without being in wheel so if someone does crack the md5 they have no hope of getting any more rights than they already have. Configure a script to run to alert you right away if someone attempts to su but gets canned because of not being in the wheel group. Really stuff unix people should have been doing all along

Remember: Don't Panic!

-Mind

Re:MD5 vs SHA-1

[kasperd]

Hence an executable file with a specific MD5 value either is the original or garbage that won't run.

Don't count on it. When you create an executable it is easy to put 17 bytes somewhere, that is really not used for anything. After this has been done just start searching for a combination of those 17 bytes that produce the expected hash. It is very likely that more than one choice will exist. Of course this would take too much time.

It is easier to produce a collision. Create two executables, and instead of the 17 bytes from before just leave 9 unused bytes in each file. Then try all choices for each of the two files, and sort the results to find your collision. 2*256^9 is way smaller than 256^17. Of course even this is still infeasible. But it will be possible in a few (50) years. Using SHA1 is a bit better, but it will only take about 100000 times as much CPU time to find a SHA1 collision as an MD5 collision. Which means the computer to do it will be available about 25 years later than the one to find an MD5 collision (assuming More's law still holds).

It gives one pause...

[chill]

Well, 36 ^ 8 = 2,821,109,907,456. How long does it take to compute an MD5 Sum?

More to the point, consider "cracking" passwords in this manner:

The NSA has been reported to have ACRES of computer space; their own chip fab and some of the fastest computers in the world.

What if, decades ago, they just dedicated banks of systems to cracking all possible passwords hashed with crypt. Then, a few years later, did the same thing with MD5, SHA-1, and Blowfish -- as each became available.

They store all this stuff in a table, and now getting passwords to most systems is nothing more than a quick table lookup.

Yes, I know the math. However, add in a bit of psychology and statistics.

Most people don't use characters you can't type on a keyboard for a password. VERY few do ALT-nnn or something like that. Most are going to be puire alpha, or alphanumeric. Some will contain special characters.

Meaning, you don't have to exhaust the entire 8-bit character space to get the vast majority of what you're looking for.

Is it really a surprise that something like this is starting to be possible on consumer systems?

Heck, imagine a beowulf cluster dedicated to this...

Re:Even worse...

[schon]

If it's a production server that you can't afford to even reboot, maybe you shouldn't be giving the root password to some random website

Yes, because knowing the password means that you automatically know the IP address too, right?

Personally, I think it would be better if they released an app that does this.

Yeah, a 47GB app. That'd be a snap to download.

They're using RainbowCrack - the app is no secret.. it's the data tables that make this useful.

How it works

[slubberdegullion]

Their method isn't just a brute-force attack or a "brute-memory" list of PLAINTEXT:HASH. It is faster than brute-force, and uses far less memory than "brute-memory"

It is a time-memory tradeoff. They come up with a "reduction function" R, which maps hashes into keys. It is not a reversal of the md5 algorithm, it just generates some key based on the hash. Then they create sequences of hash, key, hash, key, hash, key... with each key being the reduction function applied to the previous hash, and each hash being the hash function applied to the previous key. They stop their sequences when they reach "distinguished values," which may e.g. have 0's for the first 12 bits. Then they store the start and endpoints of the sequence.

So now they have a list of start and endpoints for these chains of hashes and keys. To crack a hash, they apply the same process to it - reduction function, hash, reduction function, hash, until they reach a value that is in their table of endpoints. Then they begin at the startpoint associated with that endpoint, and regenerate the sequence up to the hash they're trying to crack. Since the key directly before that hash hashes to that hash, they've successfully cracked the hash.

The "rainbow" refers to the recent innovation of using a different reduction function for each step of the sequence, i.e. using R1 on the first hash, R2 on the second, etc. This means that, even if two sequences contain the same hash, they probably won't be exactly the same after that - a significant problem with the older method of having a single reduction function.

If you want to read about this in more detail with math symbols and such, the pdf is linked from the site.

Imagine if this was spaceballs with a twist

[whiteranger99x]

ROLAND The combination is (hesitates) 827ccb.
HELMET 827ccb.
SANDURZ 827ccb. (writes)
ROLAND 0eea8a.
HELMET 0eea8a.
SANDURZ 0eea8a. (writes)
ROLAND 706c4c.
HELMET 706c4c.
SANDURZ 706c4c (writes)
ROLAND 34a1689.
HELMET 34a1689.
SANDURZ 34a1689. (writes)
ROLAND (hesitates) 1f84e7b.
HELMET 1f84e7b.
SANDURZ 1f84e7b. (writes)
HELMET So the combination is 827ccb0eea8a706c4c34a16891f84e7b (lifts mask) That's the stupidest combination I've ever heard in my life. That's the kinda thing a fucking n00b would have on his Windows box. ;)

Re:Interesting...

[BJH]

Personally, I'd be more worried about handing my password over to someone whose main point of contact is a Hotmail address.

Windows users not left out!

[pegr]

Same thing for windows users (only different) is here. Submit an LM or NT hash, get the password emailed back to you...

Slashdot has been used

[Twid]

17:25 http://passcracking.com/
17:25 <ge_> !!
17:26 <toast> interesting
17:26 <toast> let's DoS it
17:26 <ge_> hehehehe
17:26 <toast> just write a distributed tool to submit nonsense and keep the queue full
17:26 <ge_> worse
17:26 <ge_> let's slashdot it!
17:27 <toast> haha
17:27 <toast> perfect

:)

Re:Things I've always wanted to know about salting

[jcochran]

The "salt" is used to change how the password is hashed. If you look at the shadow password file on your computer, you'll see some lines that look like this

root:$1$abcdefge$abcd1234efg789hijklmno:0:0:...

You'll notice that the password field (the stuff after the 1st colon, and before the 2nd colon) is itself divided into 3 fields separated by dollar signs. The purpose of these fields are:

1st field - Identifies hashing method. This allows for future changes to how the password in stored while allowing backward compatability with existing passwords.

2nd field - This contains the salt used to hash the password. In order to verify a new password, this exact salt must be used in the hashing process. Since in this case, it's 8 characters long and each character can be one of 64 values, it means that each possible password my be hashed into one of 2^48 different values. This salt is generated randomly at the time that you set your password. The randomly generated salt is then stored here for use in verifying future authencation attempts.

3rd field - This is the actual hashed password using the salt specified in the previous field. It is 22 characters long, which with base 64 encoding can store 132 bits. Since MD5 only hashes to 128 bits, there are 4 unused bits at the tail end of this value.