(02-21-2019, 10:45 AM)philsmd Wrote: I think you are just heavily misinterpreting the tcp dump.
Just think about it for a moment. The JavaScript code must be sent before the hexMD5() password is sent, because the client needs to know what it should do with the password field and how it should send it.
Therefore you just mixed up everything and the correct step is this:
for this hexMD5 ():
Code:
hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032')
i.e. we have this in hexadecimal:
Code:
'\137' = 0x5f = _
'\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032' = 0x4d4e8bc54f3bcb860b224651a001db1a
I can crack this hash like this:
Code:
hashcat -m 10 -O -w 3 --hex-salt -j ^^_ cbc5d1a36621e0f824f5491ae9cf172c:4d4e8bc54f3bcb860b224651a001db1a dict.txt
cbc5d1a36621e0f824f5491ae9cf172c:4d4e8bc54f3bcb860b224651a001db1a:_575
Therefore the password is 575 (the _ must be ignored because it was prepended by the algorithm).
Note: I think on windows you need to use ^^_ for the "normal" ^_ rule (because of escaping), you can also use a rule file with ^_ instead
Back to the TCP dump misinterpretation problem. First, the capture includes a hash without any previous JavaScript code sent! That means that the capture was done in the middle of the communication, i.e. 8de6c4719419b4a9237acaeaa1a0e095 was sent without any previous JavaScript code. Then we have one full correct communication with JavaScript hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032') and the response cbc5d1a36621e0f824f5491ae9cf172c (see crack above). After that we only have 1 more JavaScript without any response (no more hash).
Hi, thanks for the very good explanation,
but back to the original form I found somewhere on the internet!
hexMD5('$(chap-id)' + passw + '$(chap-challenge)');
Where can I find the formula that generates chap-id and chap-challenge in the TCP dump?
Or is it sent from the server?
Sorry for asking too many questions!! ;(
..................................................
And how did you do this part again?!
"
'\137' = 0x5f = _
'\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032' = 0x4d4e8bc54f3bcb860b224651a001db1a
"
I typed '\137' in the browser and I got this "_",
but when I type '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032'
I get this nonsense "MNÅO;Ë"FQ Û"
.......
"8de6c4719419b4a9237acaeaa1a0e095 was sent without any previous javascript code"
But what is that?!
document.sendin.password.value = hexMD5('\115' + document.login.password.value + '\017\226\132\264\231\243\072\025\142\343\313\006\131\010\106\311');
I am really confused.
..............
"I think on windows you need to use ^^_ for the "normal" ^_ rule (because of escaping), you can also use a rule file with ^_ instead "
What if I am brute forcing!!! What should I type to add the _??!
Is there any problem with this: _?d?d?d ?
Thank you very much
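As an added example (not code from this thread, and not MikroTik's or hashcat's own code), the following Python script does by machine what philsmd did by hand: it pulls the chap-id and chap-challenge out of a captured hexMD5() line, decodes the JavaScript octal escapes into bytes (which is why the browser shows '\137' as "_" but the challenge as unreadable characters: most of those 16 bytes are not printable), writes the hashcat -m 10 hash:hex-salt line together with the ^ rule for a wordlist run and the prefixed mask for a brute-force run, and checks candidate passwords against the hash. The two login lines from this thread are embedded as constructed samples. It assumes, as the successful crack above shows, that hexMD5() hashes each character of the string as one byte (latin-1); the function and variable names are the example's own.

```python
"""Prepare a captured hexMD5() hotspot login for hashcat -m 10 (md5($pass.$salt)).

Added example for this thread, not code from the original posts, MikroTik or hashcat.
Assumptions: the login page computes hexMD5(chap_id + password + chap_challenge),
chap_id and chap_challenge are JavaScript string literals written as octal escapes
('\137', '\115' ...), and hexMD5() hashes every character as one byte (latin-1).
"""
import hashlib
import re

# Constructed samples: the two hexMD5() lines quoted in the thread.
JS_LINE_CRACKED = (r"document.sendin.password.value = hexMD5('\137' + "
                   r"document.login.password.value + "
                   r"'\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032');")
HASH_CRACKED = "cbc5d1a36621e0f824f5491ae9cf172c"   # cracked as _575 in the thread
JS_LINE_OTHER = (r"document.sendin.password.value = hexMD5('\115' + "
                 r"document.login.password.value + "
                 r"'\017\226\132\264\231\243\072\025\142\343\313\006\131\010\106\311');")

# hexMD5('<chap_id>' + document.login.password.value + '<chap_challenge>')
_CALL_RE = re.compile(
    r"hexMD5\('([^']*)'\s*\+\s*document\.login\.password\.value\s*\+\s*'([^']*)'\)")
# JS legacy octal escape \0 .. \377: a leading digit of 4-7 allows at most two digits
_OCTAL_RE = re.compile(r"\\([0-3][0-7]{0,2}|[4-7][0-7]?)")


def js_literal_to_bytes(literal: str) -> bytes:
    """Decode the body of a JS single-quoted literal into the bytes the browser hashes."""
    out = bytearray()
    i = 0
    while i < len(literal):
        m = _OCTAL_RE.match(literal, i)
        if m:                           # '\137' -> 0x5f ('_'), '\305' -> 0xc5
            out.append(int(m.group(1), 8))
            i = m.end()
        else:                           # plain character: one byte each
            out.append(ord(literal[i]) & 0xFF)
            i += 1
    return bytes(out)


def parse_hexmd5_call(js_line: str):
    """Return (chap_id, chap_challenge) as bytes from a captured login-page line."""
    m = _CALL_RE.search(js_line)
    if not m:
        raise ValueError("no hexMD5(chap_id + password + challenge) call in line")
    return js_literal_to_bytes(m.group(1)), js_literal_to_bytes(m.group(2))


def chap_hash(chap_id: bytes, password: str, challenge: bytes) -> str:
    """What hexMD5() sends: MD5 over chap_id || password || challenge, as hex."""
    return hashlib.md5(chap_id + password.encode("latin-1") + challenge).hexdigest()


def hashcat_job(captured_hash: str, chap_id: bytes, challenge: bytes, digits: int = 3):
    """Build -m 10 inputs: the hash:hexsalt line, a ^ rule and a brute-force mask.

    hashcat's "password" is chap_id + password, so the rule prepends chap_id for a
    wordlist run and the mask starts with it literally for a brute-force run.
    """
    if len(chap_id) != 1 or not 0x21 <= chap_id[0] <= 0x7E:
        raise ValueError("chap_id is not one printable byte; prepend it to the wordlist yourself")
    c = chr(chap_id[0])
    hash_line = f"{captured_hash}:{challenge.hex()}"
    rule = "^" + c                                   # -j '^_' turns 575 into _575
    mask = c.replace("?", "??") + "?d" * digits      # -a 3 '_?d?d?d' ('?' must be '??')
    return hash_line, rule, mask


def crack_digits(captured_hash: str, chap_id: bytes, challenge: bytes, digits: int = 3):
    """Tiny brute force over all-digit passwords (the _?d?d?d case); password or None."""
    for n in range(10 ** digits):
        pw = str(n).zfill(digits)
        if chap_hash(chap_id, pw, challenge) == captured_hash:
            return pw
    return None


if __name__ == "__main__":
    chap_id, challenge = parse_hexmd5_call(JS_LINE_CRACKED)
    hash_line, rule, mask = hashcat_job(HASH_CRACKED, chap_id, challenge)
    print(f"hashcat -m 10 --hex-salt -j '{rule}' {hash_line} dict.txt")
    print(f"hashcat -m 10 --hex-salt -a 3 {hash_line} '{mask}'")
    print("brute force:", crack_digits(HASH_CRACKED, chap_id, challenge))
```

Run stand-alone, the script prints the wordlist command (the same one philsmd used, with `^_` as the rule), the equivalent mask command, and the result of the 1000-candidate brute force for the cracked line. For the mask attack no `-j` rule is needed, because the chap-id is written literally at the front of the mask; the only mask character that needs escaping is `?`, which becomes `??`. The second sample line from the thread parses to chap-id "M" and a different challenge, so each captured login needs its own hash:salt line and its own rule or mask.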