Hi All -
I am working on trying to recover a lost password for a super locked down "appliance" device that has all local accounts with no access or disabled. It is providing critical business functionality; both the vendor employees and others that have access do not remember their passwords and all the system accounts for the web management tool have been lost. The vendor's advice to wipe the system and reconfigure by hand from the ground up is not palatable, and would likely require at least 24 hours of downtime for a patient monitoring system.
I have hashes for the users on the system, and the information used to generate them as well as the methodology for the encoding. The passwords are in MD5 format and are generated using this:
MD5(MD5(username)MD5(password))
Since I have the username, I can supply that, but I am looking at the hashcat options and it looks like this is the best match:
3910
md5(md5($pass).md5($salt))
250920b3a5e31318806a032a4674df7e:1234
How can I go about setting something up for this? Obviously, in that configuration I have the "pass" but not the "salt" because the salt is the password, which I need to break. Is there a way around this? Did I miss something in the documentation? If there's a way to do this with masks and lengths, I have the length of the username obviously.
Edit: To be clear. I don't think I can use MD5($salt.MD5($pass)). In my testing I found that if I take the hex string of the MD5 hash for the username in my case and use that, I do not get the same value. I have to pass the byte[].
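The byte-versus-hex distinction described in the edit above, as an added example that is not part of the original post: it builds the outer MD5 input both ways and checks a known candidate against a stored value. The function names, the UTF-8 encoding of username and password, and the sample account are assumptions constructed for illustration.

```python
import hashlib
import hmac


def outer_input(username: str, password: str, raw: bool = True) -> bytes:
    """Build the buffer that is fed to the outer MD5.

    raw=True  -> MD5(username) || MD5(password) as raw 16-byte digests (the byte[] form)
    raw=False -> the same two digests as lowercase hex text (the hex-string form)
    UTF-8 encoding of the inputs is an assumption; the post does not state it.
    """
    user_md5 = hashlib.md5(username.encode("utf-8"))
    pass_md5 = hashlib.md5(password.encode("utf-8"))
    if raw:
        return user_md5.digest() + pass_md5.digest()            # 16 + 16 = 32 bytes
    return (user_md5.hexdigest() + pass_md5.hexdigest()).encode("ascii")  # 64 bytes


def appliance_hash(username: str, password: str, raw: bool = True) -> str:
    """MD5(MD5(username)MD5(password)), returned as lowercase hex."""
    return hashlib.md5(outer_input(username, password, raw)).hexdigest()


def verify(username: str, candidate: str, stored_hex: str) -> bool:
    """Check one known candidate against a stored hash (raw-byte form)."""
    return hmac.compare_digest(appliance_hash(username, candidate),
                               stored_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample account, not taken from any real system.
    user, pw = "svc_admin", "Example-Pass-1"
    stored = appliance_hash(user, pw)            # what the appliance would store
    hex_form = appliance_hash(user, pw, raw=False)

    print("outer input, raw bytes :", len(outer_input(user, pw)), "bytes")
    print("outer input, hex text  :", len(outer_input(user, pw, raw=False)), "bytes")
    print("raw-byte form hash     :", stored)
    print("hex-string form hash   :", hex_form)
    print("forms agree            :", stored == hex_form)
    print("verify correct password:", verify(user, pw, stored))
    print("verify wrong password  :", verify(user, "wrong", stored))
```

The two forms hash different inputs (32 bytes versus 64 bytes), so a tool that concatenates hex text for the inner digests will not reproduce a value built from the raw bytes.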