02-21-2019, 02:17 PM
(02-21-2019, 10:45 AM)philsmd Wrote: I think you are just heavily misinterpreting the tcp dump.
Just think about it a moment. The javascript code must be sent before the hexMD5() password is sent, because the client needs to know what it should do with the password field and how it should send it.
Therefore you just mixed up everything, and the correct step is this:
for this hexMD5():
Code:
hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032')
i.e. we have this in hexadecimal:
Code:
'\137' = 0x5f = _
'\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032' = 0x4d4e8bc54f3bcb860b224651a001db1a
I can crack this hash like this:
Code:
hashcat -m 10 -O -w 3 --hex-salt -j ^^_ cbc5d1a36621e0f824f5491ae9cf172c:4d4e8bc54f3bcb860b224651a001db1a dict.txt
cbc5d1a36621e0f824f5491ae9cf172c:4d4e8bc54f3bcb860b224651a001db1a:_575
Therefore the password is 575 (the _ must be ignored because it was prepended by the algorithm).
Note: I think on Windows you need to use ^^_ for the "normal" ^_ rule (because of escaping); you can also use a rule file with ^_ instead.
Back to the tcp dump misinterpretation problem. First, the capture includes a hash without any previous javascript code sent! That means that the capture was done in the middle of the communication, i.e. 8de6c4719419b4a9237acaeaa1a0e095 was sent without any previous javascript code.
Then we have one full correct communication with javascript hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032') and the response cbc5d1a36621e0f824f5491ae9cf172c (see crack above). After that we only have 1 more javascript without any response (no more hash).
The extracted web page file from the tcp dump:
https://quickfileshare.org/V5h/testtest.rar
if it would help or something!
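To make the scheme philsmd describes concrete, here is an added Python example (not code from either poster, from hashcat, or from the captured page) that decodes the octal-escaped JavaScript literals into bytes, reproduces what the browser-side hexMD5() computes (MD5 of "_" || password || fixed 16-byte salt), builds the hash:salt line that `hashcat -m 10 --hex-salt` expects, applies the `^_` prepend rule to a candidate, and verifies a candidate against the captured hash. It assumes, as is usual for the legacy md5.js `hexMD5()`, that each string character contributes its low 8 bits as one byte; the function names are the example's own.

```python
"""Reproduce the client-side hexMD5() login hash from the thread and verify a
candidate password against the captured value.

Added example, not from the forum posters or from hashcat.  Scheme, as read
from the captured JavaScript:

    hexMD5('\137' + document.login.password.value + '<16 octal-escaped bytes>')

i.e. MD5( "_" || password || salt ) with a fixed, publicly visible 16-byte salt.
That is hashcat mode 10 (md5($pass.$salt)) once the "_" prefix is folded into
the candidate with the ^_ rule.
"""
import hashlib
import hmac
import re

# Values copied from the thread (captured JavaScript and hashcat output).
JS_PREFIX = r'\137'
JS_SALT = r'\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032'
CAPTURED_HASH = "cbc5d1a36621e0f824f5491ae9cf172c"
CRACKED_PASSWORD = "575"   # the thread's result "_575" minus the ^_ prefix

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")


def decode_js_octal(literal: str) -> bytes:
    """Turn a JavaScript literal of \\ooo octal escapes into raw bytes.

    Assumption (typical md5.js): hexMD5() hashes each character's low 8 bits,
    so a character written as '\\213' contributes the single byte 0x8b.
    """
    out = bytearray()
    pos = 0
    for m in _OCTAL_ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")  # plain chars in between
        out.append(int(m.group(1), 8) & 0xFF)
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def client_hexmd5(password: str, prefix: bytes, salt: bytes) -> str:
    """What the browser sends: hex(MD5(prefix || password || salt))."""
    return hashlib.md5(prefix + password.encode("latin-1") + salt).hexdigest()


def hashcat_mode10_line(digest_hex: str, salt: bytes) -> str:
    """hash:salt line for `hashcat -m 10 --hex-salt`, as used in the thread."""
    return f"{digest_hex}:{salt.hex()}"


def apply_prepend_rule(candidate: str, char: str = "_") -> str:
    """Hashcat rule ^X: prepend one character to the candidate."""
    return char + candidate


def verify_candidate(password: str, captured_hash: str) -> bool:
    """Recompute the client-side hash for a candidate and compare it."""
    digest = client_hexmd5(password,
                           decode_js_octal(JS_PREFIX),
                           decode_js_octal(JS_SALT))
    return hmac.compare_digest(digest, captured_hash.lower())


if __name__ == "__main__":
    salt = decode_js_octal(JS_SALT)
    print("prefix    :", decode_js_octal(JS_PREFIX))   # b'_'
    print("salt      :", salt.hex())                   # 4d4e8bc54f3bcb860b224651a001db1a
    print("-m 10 line:", hashcat_mode10_line(CAPTURED_HASH, salt))
    print("rule ^_   :", CRACKED_PASSWORD, "->", apply_prepend_rule(CRACKED_PASSWORD))
    print("verifies  :", verify_candidate(CRACKED_PASSWORD, CAPTURED_HASH))
```

The check in `verify_candidate` is the same computation the login page performs, which is also the defensive lesson here: because the salt is static and shipped in the page source, anyone holding a capture of the form POST can test candidates offline at MD5 speed, so client-side hashing of this kind is no substitute for TLS plus a slow, server-side password hash.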