(05-12-2017, 08:55 AM)philsmd Wrote: well, you could just use -m 3710 = md5($salt.md5($pass)) together with --hex-salt (because you said that the first MD5 is in binary not hex), an example (hashes mask with xxxx):
Code:$ echo -n PWn3R | md5sum
1d0fxxxx06550cdexxxxxxcd52b0xx75
$ echo -n hashcat | md5sum
8743bxx063xxxx097a65d1xx3f5c74xx
$ echo -en "\x1d\x0f\xxx\xxx\x06\x55\x0c\xde\xxx\xxx\xxx\xcd\x52\xb0\x97\x758743bxx063xxxx097a65d1xx3f5c74xx" | md5sum
4507xx379f96xxxxfce75f4b4exx80c1
$ < hash cat
4507xx379f96xxxxfce75f4b4exx80c1:1d0fxxxx06550cdexxxxxxcd52b0xx75
$ ./hashcat -m 3710 -a 3 -w 3 --hex-salt hash ?l?l?l?lcat
4507xx379f96xxxxfce75f4b4exx80c1:1d0fxxxx06550cdexxxxxxcd52b0xx75:hashcat
So there is no need to use a different tool here, you just need to convert the list to hash:hex_salt and use -m 3710 with --hex-salt (as simple as this!).
Futhermore, what I really do not understand at all about this "problem" is why you would even think about cracking those hashes... What I mean is... if you have access to the database and the hash list etc... why do you not just make a backup/copy of everything and later on generate a "new" correct hash (with correct user name and apply the hash algorithm to the username and pass pair etc) and replace the hash with your newly generated one.
Normally you would only need to crack the hash whenever you really want to know the password in such cases, otherwise you could probably just easily bypass the login with substituted login data (I think you just need to replace the hash here and you should be able to log in)...
... or am I missing something ? In general bypassing the login in such situations is much more clever instead of spending thousands of dollars in a GPU rig and a lot of time to crack them... but as said, your situation might be different, but it's not clear from your first post
I'm too tired to properly digest what you put above, but I can't modify the file this came from. The root account (broke that hash) is disabled. All other console access is blocked because the users have no shell in passwd.
These md5(md5(salt)md5(pass)) hashes are from the built in admin webpage, not webmin which is also on the server. I read this file along with shadow and passwd using a webmin exploit with a username that has limited access. The webmin is stripped, customized and most modules are disabled and their files deleted.
I reverse engineered the hash using my account which does not have the right access, but has some access to that admin page. I had the hash and played with it until I could recreate my hash using my information and what was in the file.
This is literally matched using c# doing md5 of the md5 of my username and the md5 of my password hashes concatenated as outlined above. If you use the hex value it doesn't work.
Do you still think what you linked above will work? Happy to try tomorrow. I also spent two full work days trying to find a working write to file exploit so I could get console access. Also forgot ssh is disabled, postres is installed, but 127 is only allowed address and is not used for user management.
Edit: So tired I forgot to say thank you to both of you for you input.