Posts: 56
Threads: 17
Joined: Apr 2017
07-12-2017, 01:12 AM
(This post was last modified: 07-12-2017, 12:40 PM by philsmd.)
I am trying to crack a shadow hash that I pulled off the firmware to a wifipineapple. No big secret as to what the default password for root actually is on this device, but I am just trying to learn.
So the hash from the shadow file is as such:
root:$1$hash removed by philsmd:16786:0:99999:7:::
My assumptions are that:
1. root is the user
2. $1 indicates the hashtype - md5
3. $salt (changed by phil) is the salt
4. $after salt (changed by phil) is the actual password
5. I have no idea what the rest is (maybe a time stamp?)
Anyway, I have tried putting this through hash identifiers, and hashcat itself with -m as 0, 4010, 20, clipping it every possible way I could think of, but hashcat always gives me errors like 'Line-length exception' or 'Hash-encoding exception', saying no hashes loaded.
Could someone help this young grasshopper learn?
Posts: 100
Threads: 34
Joined: Aug 2014
The first thing you need to know, grasshopper, is that posting hashes is against the forum rules. Don't be surprised if you get banned.
Posts: 56
Threads: 17
Joined: Apr 2017
(07-12-2017, 03:11 AM)devilsadvocate Wrote: The first thing you need to know, grasshopper, is that posting hashes is against the forum rules. Don't be surprised if you get banned.
I didn't realize. I didn't think there would be a problem as it's a documented password.
Posts: 22
Threads: 1
Joined: Jun 2015
07-12-2017, 11:27 AM
(This post was last modified: 07-12-2017, 11:28 AM by rvn.)
The fields are, IMHO:
16786: The number of days (since January 1, 1970) since the password was last changed.
0: The number of days before password may be changed (0 indicates it may be changed at any time).
99999: The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years).
7: The number of days to warn user of an expiring password (7 for a full week).
Posts: 22
Threads: 1
Joined: Jun 2015
I also think $1$ might be md5crypt and not plain md5.
Posts: 2,301
Threads: 11
Joined: Jul 2010
07-12-2017, 12:08 PM
(This post was last modified: 07-16-2017, 05:43 PM by undeath.)
(07-12-2017, 01:12 AM)elidell Wrote: so the hash from the shadow file is as such:
root:$1$DhqYuxhs$p/O7aro1npF4yvkRT7qJK.:16786:0:99999:7:::
This is not the hash but the full user entry.
(07-12-2017, 11:35 AM)rvn Wrote: I also think $1$ might be md5crypt and not plain md5
Yes. Most unix systems use [struck out: PBKDF2 with some default settings] something different for hashing, not plain hashes. If in doubt compare with the examples on https://hashcat.net/wiki/doku.php?id=example_hashes
Posts: 2,267
Threads: 16
Joined: Feb 2013
Please do not forget that hashcat supports loading of different/special file types like pwdump, linux shadow, passwd, DCC, NetNTLM, nsldaps etc.
Therefore you actually only need to specify that you want to crack a -m 500 hash (md5crypt) and the HLFMT detection routine will automatically figure out that in this particular case it is a shadow file.
And yes, md5crypt is not just md5. I'm not sure why so many people just say "I have a md5" if it is md5crypt instead, etc.
Posts: 2,936
Threads: 12
Joined: May 2012
(07-12-2017, 12:08 PM)undeath Wrote: Yes. Most unix systems use PBKDF2 with some default settings for hashing
No, crypt(3) does not implement PBKDF2. md5crypt and sha2crypt are distinctly different from PBKDF2. Outside of "salted and iterated" the similarities stop there.
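Added example, not part of the thread: a small parser that splits a shadow entry into the fields discussed above (user, `$id$salt$digest` hash field, password-aging day counts) and reports the crypt(3) scheme with its hashcat `-m` mode, which is also a quick way to audit a firmware image for legacy md5crypt accounts. The sample lines, salts and digests are constructed placeholders; the mode numbers for sha256crypt and sha512crypt come from hashcat's example-hashes list rather than from this thread.

```python
from datetime import date, timedelta

# crypt(3) "$id$" prefixes -> (scheme name, hashcat -m mode, legacy scheme?)
SCHEMES = {"1": ("md5crypt", 500, True),
           "5": ("sha256crypt", 7400, False),
           "6": ("sha512crypt", 1800, False)}
AGING = ("last_changed", "min_days", "max_days", "warn_days",
         "inactive_days", "expires", "reserved")

def parse_shadow_line(line):
    """Decode one shadow(5) entry: user, hash field, and password-aging fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    entry = {"user": fields[0], "hash": fields[1], "locked": False,
             "scheme": None, "hashcat_mode": None, "legacy": None, "salt": None}
    # Aging fields are day counts; an empty field means "not set".
    for name, raw in zip(AGING, fields[2:]):
        entry[name] = int(raw) if raw.isdigit() else None
    for name in ("last_changed", "expires"):
        if entry[name] is not None:  # days since 1970-01-01 -> calendar date
            entry[name] = date(1970, 1, 1) + timedelta(days=entry[name])
    h = fields[1]
    if h.startswith("!") or h.startswith("*"):  # locked or no usable password
        entry["locked"], h = True, h.lstrip("!*")
    parts = h.split("$")  # "$1$salt$digest" -> ["", "1", "salt", "digest"]
    if len(parts) >= 4 and parts[0] == "" and parts[1] in SCHEMES:
        entry["scheme"], entry["hashcat_mode"], entry["legacy"] = SCHEMES[parts[1]]
        # sha256crypt/sha512crypt may carry an optional "rounds=N" element before the salt
        entry["salt"] = parts[3] if parts[2].startswith("rounds=") else parts[2]
    return entry

# Constructed sample entries (placeholder salts and digests, not real hashes).
SAMPLES = [
    "root:$1$examplsa$AAAAAAAAAAAAAAAAAAAAAA:16786:0:99999:7:::",
    "svc:$6$rounds=5000$constructedsalt$" + "B" * 86 + ":17000:0:90:7:::",
    "daemon:*:16786:0:99999:7:::",
]

if __name__ == "__main__":
    for s in SAMPLES:
        e = parse_shadow_line(s)
        print(e["user"], e["scheme"], e["hashcat_mode"], e["salt"],
              e["last_changed"], "locked" if e["locked"] else "")
```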