how can i crack hexmd5 hash ?
#11
(02-21-2019, 10:45 AM)philsmd Wrote: I think you are just heavily misinterpreting the tcp dump.

Just think about it a moment. The javascript code must be sent before the hexMD5 () password is sent, because the client needs to know what it should do with the password field and how it should send it.
Therefore you just mixed up everything and the correct step is this:

for this hexMD5 ():
Code:
hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032')
i.e. we have this in hexadecimal:
Code:
'\137' = 0x5f = _
'\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032' = 0x4d4e8bc54f3bcb860b224651a001db1a

I can crack this hash like this:
Code:
hashcat -m 10 -O -w 3 --hex-salt -j ^^_ cbc5d1a36621e0f824f5491ae9cf172c:4d4e8bc54f3bcb860b224651a001db1a dict.txt
cbc5d1a36621e0f824f5491ae9cf172c:4d4e8bc54f3bcb860b224651a001db1a:_575

Therefore the password is 575 (because the _ must be ignored because it was prepended by the algorithm)
Note: I think on Windows you need to use ^^_ for the "normal" ^_ rule (because of escaping); you can also use a rule file with ^_ instead


Back to the TCP dump misinterpretation problem. First, the capture includes a hash without any previous JavaScript code sent! That means that the capture was done in the middle of the communication, i.e. 8de6c4719419b4a9237acaeaa1a0e095 was sent without any previous JavaScript code. Then we have one full correct communication with JavaScript hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032') and the response cbc5d1a36621e0f824f5491ae9cf172c (see crack above). After that we only have 1 more JavaScript without any response (no more hash).

The extracted web page file from the TCP dump: https://quickfileshare.org/V5h/testtest.rar (if it would help or something!)
Reply
#12
1. about the javascript string to hexadecimal conversion: it's just the octal code point (see https://mathiasbynens.be/notes/javascript-escapes#octal) converted to hexadecimal
something like this in javascript:
s='\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032';r='';for(i=0;i<s.length;i++)r+=('0'+s.charCodeAt(i).toString(16)).slice(-2);console.log(r)

2. 8de6c4719419b4a9237acaeaa1a0e095 is a further "password=" hash within your tcp dump without any preceding salt and md5Hex () javascript code. If the information is missing, you can't crack it of course. The salt must be known, it's not in the tcp dump. I explained this already. If we do not have any additional information about the salt we only know that it is a hash for which we miss the information required. The salt is MISSING in the capture! I'm not sure what is so difficult to understand about this.

3. mask attack is explained here: https://hashcat.net/wiki/?id=mask_attack (any hard-coded string can be added to the mask directly, but any static prefix to masks will reduce speed by a lot)
hashcat -m 10 -a 3 -O -w 3 --hex-salt cbc5d1a36621e0f824f5491ae9cf172c:4d4e8bc54f3bcb860b224651a001db1a --increment _?d?d?d?d?d?d?d?d

DanielG already explained this. You must also be willing to read and learn/understand. We can't help you reading what we write here.

4. The html code doesn't contain any hint of how the salt is generated on the server. It's probably a piece of code executed on the server to generate random salts (what you called chap-id and chap-challenge above). You don't see this within the capture or html code.
Reply
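As an added example (not code from the thread or from hashcat), the Python below does what posts #11 and #12 describe by hand: it decodes the login page's JavaScript octal escapes into bytes, builds the hash:salt line that hashcat -m 10 expects with --hex-salt, and checks a candidate password against a captured hash exactly the way hexMD5(prefix + password + suffix) does. The prefix, suffix and hash values are the ones quoted in the thread, written as raw JavaScript source text; the function names are this example's own.

```python
import hashlib
import re

# Values quoted in the thread, kept as raw JavaScript source text
# (backslashes intact), i.e. what you see in the captured HTML, not the
# evaluated string.
JS_PREFIX = r"\137"
JS_SUFFIX = r"\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032"
CAPTURED_HASH = "cbc5d1a36621e0f824f5491ae9cf172c"

# Legacy JS octal escape: \0-\3 may take two more octal digits, \4-\7 only
# one, so every escape decodes to a single byte (code point < 256).
_OCTAL = re.compile(r"\\([0-3][0-7]{0,2}|[4-7][0-7]?)")


def js_octal_to_bytes(src: str) -> bytes:
    """Decode the body of a JS string literal with octal escapes into bytes.
    Unescaped characters are emitted as Latin-1, one byte each."""
    out = bytearray()
    pos = 0
    for m in _OCTAL.finditer(src):
        out += src[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += src[pos:].encode("latin-1")
    return bytes(out)


def hashcat_line(hash_hex: str, js_suffix: str) -> str:
    """hash:salt line for hashcat -m 10 (md5($pass.$salt)) with --hex-salt.
    Only the suffix is the salt; the constant prefix is applied to the
    candidate by a rule (^_) instead, which is why it is not part of it."""
    return f"{hash_hex.lower()}:{js_octal_to_bytes(js_suffix).hex()}"


def hexmd5(prefix: bytes, password: str, suffix: bytes) -> str:
    """What the login page's hexMD5() computes: md5(prefix||password||suffix)."""
    return hashlib.md5(prefix + password.encode("latin-1") + suffix).hexdigest()


def verify_candidate(hash_hex: str, js_prefix: str, candidate: str, js_suffix: str) -> bool:
    """True if candidate reproduces the captured hash for this prefix/salt pair."""
    digest = hexmd5(js_octal_to_bytes(js_prefix), candidate, js_octal_to_bytes(js_suffix))
    return digest == hash_hex.lower()


if __name__ == "__main__":
    print(js_octal_to_bytes(JS_PREFIX), js_octal_to_bytes(JS_SUFFIX).hex())
    print(hashcat_line(CAPTURED_HASH, JS_SUFFIX))
    # The thread reports hashcat recovered "_575" for this hash:salt pair.
    print("575 matches:", verify_candidate(CAPTURED_HASH, JS_PREFIX, "575", JS_SUFFIX))
```

The decoder also handles the edge case where a 3-digit escape would exceed one byte (\400 is \40 followed by a literal 0), which the page's charCodeAt one-liner never has to, because the browser has already parsed the literal by then.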
#13
(02-21-2019, 04:38 PM)philsmd Wrote: 1. about the javascript string to hexadecimal conversion: it's just the octal code point (see https://mathiasbynens.be/notes/javascript-escapes#octal) converted to hexadecimal
something like this in javascript:
s='\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032';r='';for(i=0;i<s.length;i++)r+=('0'+s.charCodeAt(i).toString(16)).slice(-2);console.log(r)

2. 8de6c4719419b4a9237acaeaa1a0e095 is a further "password=" hash within your tcp dump without any preceding salt and md5Hex () javascript code. If the information is missing, you can't crack it of course. The salt must be known, it's not in the tcp dump. I explained this already. If we do not have any additional information about the salt we only know that it is a hash for which we miss the information required. The salt is MISSING in the capture! I'm not sure what is so difficult to understand about this.

3. mask attack is explained here: https://hashcat.net/wiki/?id=mask_attack (any hard-coded string can be added to the mask directly, but any static prefix to masks will reduce speed by a lot)
hashcat -m 10 -a 3 -O -w 3 --hex-salt cbc5d1a36621e0f824f5491ae9cf172c:4d4e8bc54f3bcb860b224651a001db1a --increment _?d?d?d?d?d?d?d?d

DanielG already explained this. You must also be willing to read and learn/understand. We can't help you reading what we write here.

4. The html code doesn't contain any hint of how the salt is generated on the server. It's probably a piece of code executed on the server to generate random salts (what you called chap-id and chap-challenge above). You don't see this within the capture or html code.


Hi, thanks very much for the very nice and informative reply.

"server to generate random salts (what you called chap-id and chap-challenge above). You don't see this within the capture or html code"
I don't know, but for now I only have the capture .... If I get a chance to check the html again I will notify you,
but I think it's in the page.
See this:
https://wiki.mikrotik.com/wiki/HotSpot_e...login_page

"You must also be willing to read and learn/understand"
Thanks, I will keep this in mind too.

But there still is one problem: what if I wanted to submit it to some online site, how can I deal with the '\137' = 0x5f = _
part?!! Also I didn't find any online site that supports --hex-salt !!!!!!!

Thanks again.
Reply
#14
"The salt is MISSING in the capture! I'm not sure what is so difficult to understand about this"
Sorry for my stupidity ... But can you explain what exactly is missing, with screenshots or text from the TCP dump ... Cause I really don't see what's missing!
The first HTTP POST login contains the hashed password and its salt ... And the second POST login contains the hashed password and its salt that you have cracked!!

Sorry I asked too much .. But I need to understand
Reply
#15
I think this is going past what hashcat is about and more turning into how you can hack a certain piece of software.
You have all the information in this topic (and external sources) to understand intercepted data and how to attack it using the hashcat md5 module.

Some more general tips:
- https://www.w3schools.com/whatis/default.asp
- http://www.robotroom.com/NumberSystems4.html
- https://www.wireshark.org/download/docs/user-guide.pdf

Learning how everything works will help understand what you need, how to change it and how to use it.
Reply
#16
Thanks for the great links ... I have read some of two of them ... but still didn't find the answer to my two simple questions ... I know that it's out of hashcat topics ... But I don't want to open new questions... Can you answer them please?!😔😕
Reply
#17
in the capture test.pcap

if first packet javascript with salt then hash packet after javascript is VERY GOOD

if first packet hash then javascript is VERY BAD

if last packet javascript and NO more hash is VERY BAD
Reply
#18
(02-22-2019, 01:29 PM)philsmd Wrote: in the capture test.pcap

if first packet javascript with salt then hash packet after javascript is VERY GOOD

if first packet hash then javascript is VERY BAD

if last packet javascript and NO more hash is VERY BAD

lol I still don't understand the difference
the two of them are "if first packet javascript with salt then hash packet after javascript is VERY GOOD" (very good)
Look, I filter the packets with http.request.method == POST then click follow TCP stream on the POST packet!!
The first one that you said is bad:
salt
https://i.ibb.co/3fGnbgn/image.png
javascript
https://i.ibb.co/wQqpg80/image.png
The second one that's very good, that you cracked:
salt
https://i.ibb.co/0ZVs9hH/image.png
javascript
https://i.ibb.co/wBJ5VCb/image.png

I don't really get what's missing!!!
Sorry again
Reply
#19
[Image: verygoodverybad.png]
Reply
#20
(02-22-2019, 07:25 PM)philsmd Wrote: [Image: verygoodverybad.png]
So you take the JavaScript of the first one and the salt of the second one?!
I still don't get it!!!
Can you mark your point on the screenshots ... The two of them have the hash in the first and the JavaScript with salt in the last ...
The hash of the already cracked one:
cbc5d1a36621e0f824f5491ae9cf172c
The JavaScript with salt:
"hexMD5('\137' + document.login.password.value + '\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032') "

The one you said is wrong:
The hash:
8de6c4719419b4a9237acaeaa1a0e095
The JavaScript with salt:
hexMD5('\115' + document.login.password.value + '\017\226\132\264\231\243\072\025\142\343\313\006\131\010\106\311');

What's wrong with them?

Isn't the password the hex hash?!
cbc5d1a36621e0f824f5491ae9cf172c
And the salt the numbers?!
'\115\116\213\305\117\073\313\206\013\042\106\121\240\001\333\032'

Thanks for answering my questions till now
I am sorry if I bothered you :∆
Reply