
Web server digest authentication. - Zzzz - 07-31-2017

Hello, I'm trying to find a lost password for a piece of equipment. We were able to locate a file on the file system that contains the username, realm and password hash, it is in the following format:

admin:Acme Corp monitoring server:AAAAAAAAAABBBB12345

I believe this is called Digest authentication.

I also have access to a similar device for which I know the password. The realm and username are the same; if I MD5 the three together I come out with the correct hash for that piece of equipment.

So what I would like to do is prepend "admin:Acme Corp monitoring server:" to a wordlist and then try brute force if that doesn't work.

First I thought a custom charset would be what I needed, I created a maskfile with the following contents:

Code:
admin:Acme Corp monitoring server:?a?a?a?a?a?a?a?a

This seems to work: at first it iterates through the username and realm, then starts brute forcing, which is good. But I tried to use the "-i --increment-min=8" command because I know how long my test password is, and it didn't seem to work.

Another problem I ran into was getting an output. I tried changing the mask file to:

Code:
admin:Acme Corp monitoring server:P@ssw0r?a

Hashcat cracks it quickly, but I can't see where in the output it gives the password it found. I checked the potfile, but it gives me a hex output that doesn't convert into the password.

Any suggestions on where to go next would be helpful.

Running Windows 10 x64 hashcat 3.5.0


RE: Web server digest authentication. - Zzzz - 07-31-2017

Just an update: I was able to disable hex in the potfile by using the switch --outfile-autohex-disable.

The password was then written to the log. From there I switched out the hash for my unknown one and edited the mask file to brute force the last 3 characters of what I thought the password might have been. 7 seconds later I got lucky and was able to retrieve the password. Hope this helps someone in the future.
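
Added example, not part of the original posts: a Python sketch that checks a known password against a `user:realm:hash` line built the way the thread describes (MD5 over `user:realm:password`) and decodes hashcat's `$HEX[...]` plaintext notation, which hashcat uses when a plaintext contains the `:` separator, as the prefixed mask above does. The function names and the sample password `ExamplePass1` are constructed for illustration; the username and realm are the ones quoted in the thread.

```python
import binascii
import hashlib
import hmac


def parse_htdigest_line(line):
    """Split 'user:realm:hash' on the first and last colon, so the realm may hold spaces."""
    user, rest = line.rstrip("\r\n").split(":", 1)
    realm, stored = rest.rsplit(":", 1)
    return user, realm, stored.lower()


def ha1(user, realm, password):
    """MD5 over 'user:realm:password', as described in the thread."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def verify(line, password):
    """True if the password reproduces the stored hash for that user and realm."""
    user, realm, stored = parse_htdigest_line(line)
    return hmac.compare_digest(ha1(user, realm, password), stored)


def decode_plain(plain):
    """Decode hashcat's $HEX[...] notation; return any other value unchanged."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return binascii.unhexlify(plain[5:-1]).decode("utf-8", errors="replace")
    return plain


def password_from_plain(plain, user, realm):
    """Strip the fixed 'user:realm:' prefix that the mask put in front of the password."""
    text = decode_plain(plain)
    prefix = f"{user}:{realm}:"
    if not text.startswith(prefix):
        raise ValueError("plaintext does not start with the expected user:realm: prefix")
    return text[len(prefix):]


# Constructed sample data: realm and username from the thread, password invented here.
USER, REALM, PASSWORD = "admin", "Acme Corp monitoring server", "ExamplePass1"
SAMPLE_LINE = f"{USER}:{REALM}:{ha1(USER, REALM, PASSWORD)}"
SAMPLE_PLAIN = "$HEX[" + f"{USER}:{REALM}:{PASSWORD}".encode("utf-8").hex() + "]"

if __name__ == "__main__":
    print(verify(SAMPLE_LINE, PASSWORD))
    print(password_from_plain(SAMPLE_PLAIN, USER, REALM))
```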