how can i crack hexmd5 hash ?
#21
the only problem is that your capture starts in the middle and ends in the middle and therefore only one complete exchange is captured.

Let's make it very clear.

The javascript + salt is the question (Q).
the hash/password is the answer (A).

you always need to have a question Qx and a corresponding answer Ax. (x is the number of exchange, Q1 is question for exchange 1, A1 is answer for exchange 1)

What we need is this (ideal situation):
First question, then answer. First question, then answer. First question, then answer.

First question Q1, then answer A1.
First question Q2, then answer A2.
First question Q3, then answer A3. etc

Back to the non-ideal case (your capture):
Your capture starts in the middle with an answer (no question) and stops without an answer (only question).

Your capture looks like this:
1) answer 1: A1 (question missing. ERROR. VERY BAD)
2) question 2: Q2 (we still need an answer, let's see... )
3) answer 2: A2 (hurray! we got an answer for Q2, we have now a full exchange with question Q2 and answer A2, very good)
4) question 3: Q3 (the capture stops here, no more answer. ERROR: A3 missing, VERY BAD)


only question Q2 (hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032')) and answer A2 (cbc5d1a36621e0f824f5491ae9cf172c) are usable and VERY GOOD
the remaining parts can't be used, A1 and Q3 are useless, because Q1 and A3 are missing. VERY BAD

we always need first question Qx and corresponding answer Ax
Reply
#22
(02-23-2019, 01:08 AM)philsmd Wrote: the only problem is that your capture starts in the middle and ends in the middle and therefore only one complete exchange is captured.

Let's make it very clear.

The javascript + salt is the question (Q).
the hash/password is the answer (A).

you always need to have a question Qx and a corresponding answer Ax. (x is the number of exchange, Q1 is question for exchange 1, A1 is answer for exchange 1)

What we need is this (ideal situation):
First question, then answer. First question, then answer. First question, then answer.

First question Q1, then answer A1.
First question Q2, then answer A2.
First question Q3, then answer A3. etc

Back to the non-ideal case (your capture):
Your capture starts in the middle with an answer (no question) and stops without an answer (only question).

Your capture looks like this:
1) answer 1: A1 (question missing. ERROR. VERY BAD)
2) question 2: Q2 (we still need an answer, let's see... )
3) answer 2: A2 (hurray! we got an answer for Q2, we have now a full exchange with question Q2 and answer A2, very good)
4) question 3: Q3 (the capture stops here, no more answer. ERROR: A3 missing, VERY BAD)


only question Q2 (hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032')) and answer A2 (cbc5d1a36621e0f824f5491ae9cf172c) are usable and VERY GOOD
the remaining parts can't be used, A1 and Q3 are useless, because Q1 and A3 are missing. VERY BAD

we always need first question Qx and corresponding answer Ax

this is well explained and all
but isn't this
hexMD5('\115' + document.login.password.value + '\017\226\132\264\231\243\072\025\142\343\313\006\131\010\106\311');

is the Q1 for the A1 ?!
what's bad with it ?!
Reply
#23
Q3 is a new question.
A1 was a very old answer.

we do NOT have any answer for question 3 (Q3). We have no question Q1 for answer A1.
This is because you started and stopped the capture in the middle of some exchanges, without capturing Q1 and without capturing A3.

new questions (like Q3) are always unrelated (NOT RELATED, VERY BAD) to previous answers (A1).

you can't say that if someone answered something (A1) without knowing the question (Q1) and very, very later a server asked a question (Q3), that the question (Q3) is related to a very old answer (A1). A question Qx is never a response to an answer Ax!

Remember this: First question, then answer. First question, then answer. First question, then answer

A1 and Q3 have nothing to do with each other.

we would need Q1+A1, Q2+A2, Q3+A3
but we got only this: [missing]+A1, Q2+A2, Q3+[missing]

missing is VERY BAD, very, very bad. We can't use them.
we can only use full exchanges like Q2+A2.

the answer must always answer the correct question. Every answer corresponds to a question. you can't mix them up.

There probably was at least a question Q1, but you didn't capture it.

A3 could be missing because the client never responded after Q3, because it gave up (or you just didn't capture it)
Reply
#24
(02-23-2019, 04:28 PM)philsmd Wrote: Q3 is a new question.
A1 was a very old answer.

we do NOT have any answer for question 3 (Q3). We have no question Q1 for answer A1.
This is because you started and stopped the capture in the middle of some exchanges, without capturing Q1 and without capturing A3.

new questions (like Q3) are always unrelated (NOT RELATED, VERY BAD) to previous answers (A1).

you can't say that if someone answered something (A1) without knowing the question (Q1) and very, very later a server asked a question (Q3), that the question (Q3) is related to a very old answer (A1). A question Qx is never a response to an answer Ax!

Remember this: First question, then answer. First question, then answer. First question, then answer

A1 and Q3 have nothing to do with each other.

we would need Q1+A1, Q2+A2, Q3+A3
but we got only this: [missing]+A1, Q2+A2, Q3+[missing]

missing is VERY BAD, very, very bad. We can't use them.
we can only use full exchanges like Q2+A2.

the answer must always answer the correct question. Every answer corresponds to a question. you can't mix them up.

There probably was at least a question Q1, but you didn't capture it.

A3 could be missing because the client never responded after Q3, because it gave up (or you just didn't capture it)

"new questions (like Q3) are always unrelated (NOT RELATED, VERY BAD) to previous answers (A1)."

The question arises again ... how did you know that it's Q3 and not Q1?
doesn't every packet have
one answer and one question.....
Reply
#25
Look in what order those messages were received.
Reply
#26
(02-24-2019, 03:50 PM)undeath Wrote: Look in what order those messages were received.

which order? there are only two that contain javascript then salt in every tcp stream!!
https://i.ibb.co/wMXynkY/Untitled.png
huh ?
Reply
#27
[Image: a.png]

the wireshark filter used in this image:
frame contains " = hexMD5" || frame contains "password="

answer 1: A1 (response (POST) from client with "password=", ERROR, VERY BAD, question missing)

question 2: Q2 (= hexMD5('\137' ... new question for a password, salt: '\115\116\213\305...)
answer 2: A2   (password" = "cbc5d1a36621e0f824f5491ae9cf172c", answer from client (POST) for question Q2)

question 3: Q3 (= hexMD5('\115' ... new question for a new password, salt: '\017\226\132\264..., after that we got no answer A3: ERROR, VERY BAD)

You can also see that Q3 was sent by the server about 2 minutes later than A1. They are completely unrelated.
Only A2 is an answer for Q2, as our successful MD5 crack showed.
If we were able to crack the hash from A2 with the salt of Q2, we know that A2 and Q2 are related.

Q3 instead is a new question, asked 2 minutes after the answer A1. A question Qx is always a new exchange. It is never related to a previous answer Ax.

Remember this: First question, then answer. First question, then answer. First question, then answer.
Reply
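The pairing rule from #21 and the capture walk-through in #27 can be made mechanical. The script below is an added example and is not code from this thread or from hashcat: it decodes the octal-escaped JavaScript string literals into bytes, walks a capture in arrival order pairing each question with the next answer (reporting orphans like A1 and Q3), and reproduces the client-side computation MD5(prefix || password || salt) so a Q/A pair can be checked for consistency with a known password (for instance a test account). The capture list is constructed; the two salts and the A2 value are the ones quoted in the thread, A1 is a placeholder. It assumes the page's hexMD5 hashes 8-bit character codes (Latin-1 bytes), which is true of the common JavaScript MD5 implementations but is not confirmed by the thread.

```python
import hashlib
import re

# Constructed capture modelled on the thread: (direction, payload) in arrival order.
# Server messages carry the hexMD5 JavaScript (question), client POSTs carry
# "password=<hex>" (answer). Salts and A2 are quoted from the thread; A1 is a placeholder.
CAPTURE = [
    ("client", "password=00000000000000000000000000000000"),  # A1: placeholder, no question before it
    ("server", "hexMD5('\\137' + document.login.password.value + "
               "'\\115\\116\\213\\305\\117\\073\\313\\206\\013\\042\\106\\121\\240\\001\\333\\032')"),  # Q2
    ("client", "password=cbc5d1a36621e0f824f5491ae9cf172c"),  # A2
    ("server", "hexMD5('\\115' + document.login.password.value + "
               "'\\017\\226\\132\\264\\231\\243\\072\\025\\142\\343\\313\\006\\131\\010\\106\\311');"),  # Q3
]

QUESTION_RE = re.compile(
    r"hexMD5\('([^']*)'\s*\+\s*document\.login\.password\.value\s*\+\s*'([^']*)'\)")
ANSWER_RE = re.compile(r"password=([0-9a-fA-F]{32})")


def js_octal_to_bytes(literal: str) -> bytes:
    """Decode a JavaScript string body with legacy octal escapes ('\\137', '\\213', ...) into bytes.
    Assumption: hexMD5 hashes 8-bit char codes, so unescaped characters map to their Latin-1 byte."""
    out = bytearray()
    for m in re.finditer(r"\\([0-7]{1,3})|(.)", literal, re.DOTALL):
        if m.group(1) is not None:
            out.append(int(m.group(1), 8))
        else:
            out.append(ord(m.group(2)) & 0xFF)
    return bytes(out)


def parse_question(payload: str):
    """Return (prefix, salt) as bytes if the payload carries a hexMD5 question, else None."""
    m = QUESTION_RE.search(payload)
    if m is None:
        return None
    return js_octal_to_bytes(m.group(1)), js_octal_to_bytes(m.group(2))


def parse_answer(payload: str):
    """Return the 32-hex-digit answer from a client POST, else None."""
    m = ANSWER_RE.search(payload)
    return m.group(1).lower() if m else None


def pair_exchanges(capture):
    """Walk the capture in order: a question opens an exchange, the next answer closes it.
    An answer with no open question, or a question that is never answered, is an orphan."""
    pairs, orphans = [], []
    pending = None  # (index, prefix, salt) of the last unanswered question
    for i, (who, payload) in enumerate(capture):
        q = parse_question(payload) if who == "server" else None
        a = parse_answer(payload) if who == "client" else None
        if q is not None:
            if pending is not None:
                orphans.append(("question without answer", pending[0]))
            pending = (i, q[0], q[1])
        elif a is not None:
            if pending is None:
                orphans.append(("answer without question", i))
            else:
                pairs.append({"question_index": pending[0], "answer_index": i,
                              "prefix": pending[1], "salt": pending[2], "hash": a})
                pending = None
    if pending is not None:
        orphans.append(("question without answer", pending[0]))
    return pairs, orphans


def client_side_hash(prefix: bytes, password: str, salt: bytes) -> str:
    """Reproduce what the page's JavaScript computes: hex MD5 over prefix || password || salt."""
    return hashlib.md5(prefix + password.encode("latin-1") + salt).hexdigest()


def answer_matches_question(pair, password: str) -> bool:
    """Consistency check: does a known password turn this pair's question into its answer?"""
    return client_side_hash(pair["prefix"], password, pair["salt"]) == pair["hash"]


if __name__ == "__main__":
    pairs, orphans = pair_exchanges(CAPTURE)
    for p in pairs:
        print("usable exchange: Q at message %d, A at message %d, hash %s"
              % (p["question_index"], p["answer_index"], p["hash"]))
    for reason, idx in orphans:
        print("orphan at message %d: %s" % (idx, reason))
```

Running it on the constructed capture yields exactly one usable exchange (Q2/A2) and two orphans (A1 without a question, Q3 without an answer), which is the situation described in the thread. Because the salt is part of the hashed input, the same password produces a different hash under Q2's salt than under Q3's, which is why an answer can only be checked against its own question.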
#28
(02-24-2019, 06:57 PM)philsmd Wrote: [Image: a.png]

the wireshark filter used in this image:
frame contains " = hexMD5" || frame contains "password="

answer 1: A1 (response (POST) from client with "password=", ERROR, VERY BAD, question missing)

question 2: Q2 (= hexMD5('\137' ... new question for a password, salt: '\115\116\213\305...)
answer 2: A2   (password" = "cbc5d1a36621e0f824f5491ae9cf172c", answer from client (POST) for question Q2)

question 3: Q3 (= hexMD5('\115' ... new question for a new password, salt: '\017\226\132\264..., after that we got no answer A3: ERROR, VERY BAD)

You can also see that Q3 was sent by the server about 2 minutes later than A1. They are completely unrelated.
Only A2 is an answer for Q2, as our successful MD5 crack showed.
If we were able to crack the hash from A2 with the salt of Q2, we know that A2 and Q2 are related.

Q3 instead is a new question, asked 2 minutes after the answer A1. A question Qx is always a new exchange. It is never related to a previous answer Ax.

Remember this: First question, then answer. First question, then answer. First question, then answer.
"frame contains " = hexMD5" || frame contains "password=" "
thanks for that, i really didn't know that i have to use a custom filter and not just the follow tcp trick
...........
"First question, then answer. First question, then answer. First question, then answer"
lol finally i got it !!!
because of the order of the packets i thought it was First answer then question First answer then question
so i didn't think of the additional question number 3 i thought it was Q2 ....
sorry for the misunderstanding 😅😅😅
so our keys are
1-the difference of time between each packet
2- the order First question, then answer
and question is the java script/salt and the answer is the hash

big thanks to you for the very good explanation Smile
Reply