Get plain text password knowing hash and salt
#1
So first of all hi, I just want to say that I'm completely new to hashcat, and I noticed it's missing some docs... so that's why I'm here asking.

Recently I got a complete dump of a SQL members table (as of 13-01-2015) that contains lots of info but I'm particularly interested in 4 fields only: name (it's the username in fact), email, members_pass_hash and members_pass_salt.

The table itself comes from a site using IP.Board, so they store their passwords like this (more info):

Code:
$hash = md5( md5( $salt ) . md5( $password ) );

Now, checking hashcat wiki I found one mode that's ALMOST the same, but concatenated in different order:

Code:
3910 = md5(md5($pass).md5($salt))

So my question is, is it still possible to find those passwords? If so, how can I find them all at once? How would the args be?

Finally, if someone has some "newbie guides" or whatever, please link them :)

Regards.
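
The construction quoted in post #1, as an added example that is not part of the thread or of IP.Board's code: it shows that the concatenation order changes the digest, and sketches how a site operator could wrap such legacy digests in scrypt. The function names, the scrypt parameters and the sample row are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    # PHP's md5() returns 32 lowercase hex characters, not raw bytes.
    return hashlib.md5(data).hexdigest()


def ipb_hash(password: str, salt: str) -> str:
    # md5( md5( $salt ) . md5( $password ) ), the scheme quoted in the post.
    inner = md5_hex(salt.encode()) + md5_hex(password.encode())
    return md5_hex(inner.encode())


def reversed_order_hash(password: str, salt: str) -> str:
    # md5(md5($pass).md5($salt)): same pieces, opposite concatenation order.
    inner = md5_hex(password.encode()) + md5_hex(salt.encode())
    return md5_hex(inner.encode())


def wrap_legacy(legacy_hex: str, wrap_salt: bytes) -> bytes:
    # Assumed migration step: run the stored digest through scrypt so existing
    # rows gain a memory-hard layer without the site knowing any password.
    return hashlib.scrypt(legacy_hex.encode(), salt=wrap_salt,
                          n=2**14, r=8, p=1, dklen=32)


def verify_wrapped(password: str, salt: str,
                   wrap_salt: bytes, stored: bytes) -> bool:
    # Recompute the legacy digest, wrap it, and compare in constant time.
    candidate = wrap_legacy(ipb_hash(password, salt), wrap_salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample row, not taken from any real table.
    password, salt = "correct horse", "aB3$x"
    legacy = ipb_hash(password, salt)
    print("stored legacy digest :", legacy)
    print("reversed order digest:", reversed_order_hash(password, salt))
    wrap_salt = os.urandom(16)
    stored = wrap_legacy(legacy, wrap_salt)
    print("login ok   :", verify_wrapped(password, salt, wrap_salt, stored))
    print("login wrong:", verify_wrapped("guess", salt, wrap_salt, stored))
```
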
#2
You didn't check enough :

Quote:2811 IPB2+, MyBB1.2+
#3
(01-30-2015, 02:17 PM)Xanadrel Wrote: You didn't check enough :

Quote:2811 IPB2+, MyBB1.2+

Oh, well... lol.

Another thing, how do I specify the salt to use? And once it finishes I'll obtain another md5 representing the real password, right?

Example data-set:

[all hashes removed by philsmd]
#4
(01-30-2015, 02:05 PM)N3HL Wrote: I'm completely new to hashcat, and I noticed it's missing some docs

Not at all, the docs are:
1. https://hashcat.net/wiki/
2. --help output of oclHashcat or cpu hashcat
3. forum search

For instance, the answer to your salt question can easily be answered by looking at this example hashes page:
https://hashcat.net/wiki/doku.php?id=example_hashes


And you (in almost all of the cases!) won't obtain a "new" MD5 hash from cpu hashcat / oclHashcat, but it will just tell you if the hash was cracked, i.e. if the matching password was found, and it will output the important data (*original* hash, salt, password etc). The output format can be adjusted with the --outfile-format parameter, the default is hash:password or hash:salt:password (if we speak about salted hashes).

Full information about the available output formats can be found by running cpu hashcat / oclHashcat with the --help switch.
#5
(01-30-2015, 04:43 PM)philsmd Wrote:
(01-30-2015, 02:05 PM)N3HL Wrote: I'm completely new to hashcat, and I noticed it's missing some docs

Not at all, the docs are:
1. https://hashcat.net/wiki/
2. --help output of oclHashcat or cpu hashcat
3. forum search

For instance, the answer to your salt question can easily be answered by looking at this example hashes page:
https://hashcat.net/wiki/doku.php?id=example_hashes


And you (in almost all of the cases!) won't obtain a "new" MD5 hash from cpu hashcat / oclHashcat, but it will just tell you if the hash was cracked, i.e. if the matching password was found, and it will output the important data (*original* hash, salt, password etc). The output format can be adjusted with the --outfile-format parameter, the default is hash:password or hash:salt:password (if we speak about salted hashes).

Full information about the available output formats can be found by running cpu hashcat / oclHashcat with the --help switch.

Yeah, saw the examples for each mode, and finally got it to work, btw, one last thing, do you have some nice wordlists? I already searched but most links are down.
#6
you can get some cool wordlists here: https://wiki.skullsecurity.org/Passwords
#7
Thanks @undeath, pretty good wordlists. And now I promise this is the last thing xD

How can I associate usernames with passwords in one .txt file, because as for now I get (obviously) something like this:

<HASHES REMOVED>

Hash | Salt | Password

And to test some hashes I used a SQL statement to make my "hashs.txt":

Code:
SELECT CONCAT(members_pass_hash, ":", members_pass_salt)
FROM members
LIMIT 300
INTO OUTFILE "hashs.txt"

But I'd like to end with one unique file with this format:

Username: %s - Password: %s

I used 300 rows to test hashcat, so far works great, now I have passwords but if I want to find the user I have to query my localhost each time, and start to build a custom .txt by hand (and I have more than 250k rows !)
#8
you could use the --username switch of hashcat/oclHashcat.

input format (you must use the --username switch to crack the hashes):
username:hash:salt

second step (after cracking); you can output it with --show --username
format can be adjusted with --outfile-format, for instance --outfile-format 2 --show --username will give you
username:password


Attention: --username --show currently only works and is supported by oclHashcat. cpu hashcat support for --show --username may or may not be added, depending on how many users care about adding it to trac and voting for this feature

You should anyway be able to use oclHashcat to do this task
#9
(01-30-2015, 05:45 PM)philsmd Wrote: you could use the --username switch of hashcat/oclHashcat.

input format (you must use the --username switch to crack the hashes):
username:hash:salt

second step (after cracking); you can output it with --show --username
format can be adjusted with --outfile-format, for instance --outfile-format 2 --show --username will give you
username:password


Attention: --username --show currently only works and is supported by oclHashcat. cpu hashcat support for --show --username may or may not be added, depending on how many users care about adding it to trac and voting for this feature

You should anyway be able to use oclHashcat to do this task

Okay, I own an ATI Radeon R7 260 X so I'm downloading the AMD oclHashcat. Meanwhile, if you don't mind, could you explain a bit more?

Now my input file looks like this:

Code:
[ALL hashes removed by philsmd]|

Username | Hash | Salt

So if I use --username in first place it should generate the file ignoring the username in the beginning, but then when you say "second step (after cracking): you can output it with --show --username", what do you mean? I mean, the file is already done, so how would be this "second step". Or just using "--outfile-format 2 --show --username" from the start is enough? Sorry, it isn't clear for me.


Added by philsmd: everyone who posts hashes and hence does not adhere to the (accepted) forum rules ( https://hashcat.net/forum/announcement-2.html ) will be banned, it doesn't matter where the hashes come from (or if they were randomly generated etc)
#10
--show is always used to show the cracks for a specific oclHashcat session after the actual cracking process is done.

So it would look like this:

oclHashcat64.exe -m 2811 --username hashes.txt dict.txt

after the actual cracking process is finished, you display the cracks with --show:

oclHashcat64.exe -m 2811 --show --username hashes.txt


hmm I'm wondering why you are still not banned, since you did not follow the forum rules: https://hashcat.net/forum/announcement-2.html (which you did accept). Don't post hashes!