Is this hash correct?
#1
Hi,

I'm trying to extract the user and password of an application to try to convince my boss to use https instead of http. The application has a form that logs in to an http server.
I'm trying to sniff traffic and capture data with wireshark to get the user/password authentication:

I see these in wireshark:

Code:
[1,"UserSession:IDL_Register",1,0,{"1":{"str":"david"},"2":{"str":"|GSR|WIN-56DQT3UEU2J|3740|1516566386|ChallengeSIDStr|2:5D2F8D5A0E07E4C3C4E97990E5CE2A7C452DEEDDA43D52BF99AD9F47735FC4D675A3F62FF4FC028679BC06E78EA1B34F91DF9C5214F4F9C60E6E4124FXXXXXXX"},"3":{"str":"CLIENTE"},"4":{"str":"user"},"5":{"str":"GUI"},"6":{"str":"9.0.18.000"},"7":{"i64":600}}]HTTP/1.1 200 OK


Since the user I log in with is david (I also know the password), I understand that the code 5D2F8..... is the password hash. I've used hashid and it tells me:

Code:
Possible Hashs:
[+]  SHA-512
[+]  Whirlpool

So I use hashcat, but I can't get anything:


Code:
C:\Users\pc\Downloads\hashcat-4.0.1\hashcat-4.0.1>hashcat64.exe -m 1700 -a 0 --opencl-device-types 1,2 5D2F8D5A0E07E4C3C4E97990E5CE2A7C452DEEDDA43D52BF99AD9F47735FC4D675A3F62FF4FC028679BC06E78EA1B34F91DF9C5214F4F9C60E6E4124FXXXXXXXX
hashcat (v4.0.1) starting...

* Device #1: Intel's OpenCL runtime (GPU only) is currently broken.
             We are waiting for updated OpenCL drivers from Intel.
             You can use --force to override, but do not report related errors.
* Device #3: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) HD Graphics 530, skipped.
* Device #2: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, 4060/16242 MB allocatable, 8MCU

OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #3: GeForce GTX 950M, 1024/4096 MB allocatable, 5MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
* Uses-64-Bit

Password length minimum: 0
Password length maximum: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger disabled.

Starting attack in stdin mode...

Session..........: hashcat
Status...........: Running
Hash.Type........: SHA-512
Hash.Target......: 5d2f8d5a0e07e4c3c4e97990e5ce2a7c452deedda43d52bf99a...XXXXXX
Time.Started.....: Sun Jan 21 22:01:55 2018 (10 secs)
Time.Estimated...: Sun Jan 21 22:02:05 2018 (0 secs)
Guess.Base.......: Pipe
Speed.Dev.#2.....:        0 H/s (0.00ms)
Speed.Dev.#3.....:        0 H/s (0.00ms)
Speed.Dev.#*.....:        0 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Candidates.#2....: [Copying]
Candidates.#3....: [Copying]
HWMon.Dev.#2.....: N/A
HWMon.Dev.#3.....: Temp: 54c Util:  0% Core: 993MHz Mem:1001MHz Bus:16

NvAPI_GPU_GetPerfPoliciesInfo(): NVAPI_ERROR

NvAPI_GPU_GetPerfPoliciesStatus(): NVAPI_ERROR

Could you help me please? I'm trying to understand, but I'm a newbie and it is difficult for me. Many thanks, and sorry for my English!
#2
(01-21-2018, 11:06 PM)mmm286 Wrote: I'm trying to extract the user and password of an application to try to convince my boss to use https instead of http.

Just deploy a rogue web server and do an active mitm? Or show how sensitive data leaks. Or steal the cookie and execute actions. Or fire your fucking stupid boss.
#3
Is the json you posted the request or the response? If it's the request, and that is indeed a hash of the password, then the password is being hashed client-side and you simply need to read the javascript to figure out what it's doing. However, it looks like that hash isn't a password hash, but rather the session id.

Anyway, undeath is correct. The biggest threat to http is mitm, so you need to actually mitm the app to demonstrate that threat.
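To see why hashid said "SHA-512 or Whirlpool" and why epixoip reads the value as a session id instead, it helps to parse the captured line rather than eyeball it. The script below is an added example and is not code from the thread or from the application being sniffed. It takes the message from post #1 as constructed sample input (with the poster's own X redaction left in place), parses the leading JSON array, splits the "|"-delimited second field, and reports what a length-only identifier would conclude about the hex part. The field names (tag, host, counter, issued_at) are my assumptions from the shape of the values, not documentation of the product.

```python
import json
from datetime import datetime, timezone

# The login message exactly as captured in post #1 (the trailing X's are the
# poster's own redaction of the token); used here as the sample input.
CAPTURED_LINE = (
    '[1,"UserSession:IDL_Register",1,0,{"1":{"str":"david"},'
    '"2":{"str":"|GSR|WIN-56DQT3UEU2J|3740|1516566386|ChallengeSIDStr|'
    '2:5D2F8D5A0E07E4C3C4E97990E5CE2A7C452DEEDDA43D52BF99AD9F47735FC4D6'
    '75A3F62FF4FC028679BC06E78EA1B34F91DF9C5214F4F9C60E6E4124FXXXXXXX"},'
    '"3":{"str":"CLIENTE"},"4":{"str":"user"},"5":{"str":"GUI"},'
    '"6":{"str":"9.0.18.000"},"7":{"i64":600}}]HTTP/1.1 200 OK'
)

# Hex digest lengths of some common unsalted hash functions. A length-only
# identifier such as hashid can say no more than "these produce 128 hex
# characters"; it does not look at the structure around the value.
DIGEST_HEX_LENGTHS = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256", "BLAKE2s"],
    128: ["SHA-512", "Whirlpool", "SHA3-512", "BLAKE2b"],
}


def split_message(line):
    """Parse the JSON array at the start of the line and return it together
    with whatever non-JSON text follows (here an HTTP status line that the
    stream view glued onto the message)."""
    obj, end = json.JSONDecoder().raw_decode(line)
    return obj, line[end:].strip()


def parse_session_token(token):
    """Break the '|'-delimited field 2 into its parts.
    Field names are assumptions from the values' shape (hypothetical)."""
    parts = token.split("|")
    if len(parts) != 7 or parts[0] != "":
        raise ValueError("unexpected token layout: %r" % token)
    _, tag, host, counter, epoch, label, challenge = parts
    version, _, hexpart = challenge.partition(":")
    return {
        "tag": tag,
        "host": host,                      # looks like a Windows hostname
        "counter": int(counter),
        # Unix epoch seconds; decodes to the evening of the capture day
        "issued_at": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
        "label": label,                    # 'ChallengeSIDStr'
        "challenge_version": version,      # the '2' before the colon
        "challenge_hex": hexpart,
    }


def classify_hex(s):
    """What a length-only identifier would conclude about the string s."""
    is_hex = all(c in "0123456789abcdefABCDEF" for c in s)
    return {
        "length": len(s),
        "is_pure_hex": is_hex,
        "length_matches": DIGEST_HEX_LENGTHS.get(len(s), []),
    }


def analyse(line=CAPTURED_LINE):
    """Full breakdown of one captured login message."""
    obj, trailing = split_message(line)
    fields = obj[4]
    token = parse_session_token(fields["2"]["str"])
    return {
        "method": obj[1],
        "user": fields["1"]["str"],
        "token": token,
        "challenge": classify_hex(token["challenge_hex"]),
        "trailing": trailing,
    }


if __name__ == "__main__":
    r = analyse()
    print("call:", r["method"], "user:", r["user"])
    print("host:", r["token"]["host"], "counter:", r["token"]["counter"])
    print("issued:", r["token"]["issued_at"].isoformat())
    print("challenge length:", r["challenge"]["length"],
          "pure hex:", r["challenge"]["is_pure_hex"])
    print("length-only guesses:", ", ".join(r["challenge"]["length_matches"]))
    print("trailing text:", r["trailing"])
```

The output shows the point of post #3: the 128-character value sits next to a hostname, a counter, a timestamp (1516566386 is 2018-01-21 20:26:26 UTC, the day of the capture) and the literal label ChallengeSIDStr, which is the shape of a session or challenge token, not of a stored password hash; the SHA-512 guess comes only from the length. Two details of the hashcat run in post #1 are also worth noticing: the value handed to hashcat still contains the redaction X's, and no wordlist was given, so hashcat dropped into stdin mode ("Guess.Base: Pipe") and sat at 0 H/s waiting for candidates rather than testing anything.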
#4
(01-22-2018, 06:37 AM)epixoip Wrote: Is the json you posted the request or the response? If it's the request, and that is indeed a hash of the password, then the password is being hashed client-side and you simply need to read the javascript to figure out what it's doing. However, it looks like that hash isn't a password hash, but rather the session id.

Anyway, undeath is correct. The biggest threat to http is mitm, so you need to actually mitm the app to demonstrate that threat.

Thanks!

Maybe it is a session id. The application connects to apache tomcat. I'm trying to filter by "http.request.method == POST", but I can't see the password hash :-(
#5
Password hashing is typically done server-side, not client-side. Client-side hashing is uncommon. You should be seeing the plaintext password in transit.
#6
(01-22-2018, 12:11 AM)undeath Wrote:
(01-21-2018, 11:06 PM)mmm286 Wrote: I'm trying to extract the user and password of an application to try to convince my boss to use https instead of http.

Just deploy a rogue web server and do an active mitm? Or show how sensitive data leaks. Or steal the cookie and execute actions. Or fire your fucking stupid boss.

Hehe, that last suggestion seems a little less doable.