hashcat Forum (https://hashcat.net/forum) - Thread: Web server digest authentication. (/thread-6742.html)
Web server digest authentication. - Zzzz - 07-31-2017

Hello,

I'm trying to find a lost password for a piece of equipment. We were able to locate a file on the file system that contains the username, realm and password hash; it is in the following format:

admin:Acme Corp monitoring server:AAAAAAAAAABBBB12345

I believe this is called Digest authentication. I also have access to a similar device in which I know the password. The realm and username are the same; if I MD5 the three together I come out with the correct hash for that piece of equipment.

So what I would like to do is prepend "admin:Acme Corp monitoring server:" to a wordlist and then try brute force if that doesn't work.

First I thought a custom charset would be what I needed, so I created a maskfile with the following contents:

Code:
admin:Acme Corp monitoring server:?a?a?a?a?a?a?a?a

This seems to work: at first it iterates through the username and realm, then starts brute forcing, which is good. But I tried to use the "-i --increment-min=8" command, because I know how long my test password is, and it didn't seem to work.

Another problem I ran into was getting an output. I tried changing the mask file to:

Code:
admin:Acme Corp monitoring server:P@ssw0r?a

Hashcat cracks it quickly, but I can't see where in the output it gives the password it found. I checked the potfile, but it gives me a hex output that doesn't convert into the password.

Any suggestions on where to go next would be helpful.

Running Windows 10 x64, hashcat 3.5.0

RE: Web server digest authentication. - Zzzz - 07-31-2017

Just an update: I was able to disable hex in the potfile by using the switch --outfile-autohex-disable

The password was then written to the log. From there I switched out the hash for my unknown one and edited the mask file to brute force the last 3 characters of what I thought the password might have been; 7 seconds later I got lucky and was able to retrieve the password.

Hope this helps someone in the future.
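The check described in the thread (MD5 over "username:realm:password" compared with the stored value), plus decoding a hashcat `$HEX[...]` plaintext back into the password, as an added example that is not part of the original posts. The function names are hypothetical and the sample password and file line are constructed; only the username and realm come from the thread.

```python
import hashlib
import hmac


def parse_htdigest_line(line):
    """Split a 'user:realm:hash' line; the hash is the last field."""
    user, rest = line.rstrip("\r\n").split(":", 1)
    realm, stored = rest.rsplit(":", 1)
    return user, realm, stored.lower()


def ha1(user, realm, password):
    """MD5 of 'user:realm:password', hex encoded, as described in the thread."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def verify(line, password):
    """True if the password reproduces the hash stored in the line."""
    user, realm, stored = parse_htdigest_line(line)
    return hmac.compare_digest(ha1(user, realm, password), stored)


def decode_hashcat_plain(plain):
    """Turn hashcat's $HEX[...] notation back into text; pass others through."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1]).decode("utf-8", errors="replace")
    return plain


def password_from_cracked(line, plain):
    """With the mask used in the thread, the recovered plaintext is the whole
    'user:realm:password' string, so strip the known prefix to get the password."""
    user, realm, _ = parse_htdigest_line(line)
    prefix = f"{user}:{realm}:"
    text = decode_hashcat_plain(plain)
    if not text.startswith(prefix):
        raise ValueError("plaintext does not start with the expected user:realm prefix")
    return text[len(prefix):]


# Constructed sample data: the password is made up, the hash is computed from it.
SAMPLE_PASSWORD = "Example-Pass1"
SAMPLE_LINE = "admin:Acme Corp monitoring server:" + ha1(
    "admin", "Acme Corp monitoring server", SAMPLE_PASSWORD
)

if __name__ == "__main__":
    cracked = "$HEX[" + f"admin:Acme Corp monitoring server:{SAMPLE_PASSWORD}".encode().hex() + "]"
    print(verify(SAMPLE_LINE, SAMPLE_PASSWORD))         # stored hash matches
    print(password_from_cracked(SAMPLE_LINE, cracked))  # password without the prefix
```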