Home - Found Passwords from Not Found Lists - 37860 raw-md5 from 32_hex


Hash-IT

Status: Trusted
Joined: Tue, 02 Aug 2011
Posts: 4598
Team: HashKiller
Reputation: 2982 Reputation
Offline
Sat, 13 Apr 2013 @ 11:45:21

Ha ! +1

Well done and thank you for sharing, you are a good cracker.


Please read the forum rules. | Please read the paid section rules.

BTC: 1MmWESN5bKZ1YSuHrm5uNwnQYxWyQnEQ6E

Waffle

Status: Elite
Joined: Wed, 02 Jan 2013
Posts: 284
Team: CynoSure Prime
Reputation: 357 Reputation
Offline
Sat, 13 Apr 2013 @ 17:57:09

That's a salted VB3 hash. It is md5(md5($pass).$salt), expressed as -m 2611 in Hashcat. Here are some of the corrected solutions for your list.

There is also another salted hash in here, where the userid is included as md5($userid."-".md5($pass)). I use -m 3510 for these.


Attachments: Login to view attachments.
Hash-IT

Status: Trusted
Joined: Tue, 02 Aug 2011
Posts: 4598
Team: HashKiller
Reputation: 2982 Reputation
Offline
Sat, 13 Apr 2013 @ 18:01:58

Waffle said:

That's a salted VB3 hash. It is md5(md5($pass).$salt), expressed as -m 2611 in Hashcat. Here are some of the corrected solutions for your list.

There is also another salted hash in here, where the userid is included as md5($userid."-".md5($pass)). I use -m 3510 for these.

Well spotted Waffle, good work as usual


Waffle

Status: Elite
Joined: Wed, 02 Jan 2013
Posts: 284
Team: CynoSure Prime
Reputation: 357 Reputation
Offline
Sat, 13 Apr 2013 @ 19:15:25

Gajan said:

Yeah, I understood that those were salted hashes. And as you can see from what I got, there are also some other types of hashes like md5crypt/FreeBSD MD5.
But one thing that's weird is that the different hashes ain't that many & it is the salt that changes. What I mean is that there are TONS of dupes of the same hashes used and the difference is the salts. For example

e10adc3949ba59abbe56e057f20f883e7308
e10adc3949ba59abbe56e057f20f883emds
e10adc3949ba59abbe56e057f20f883e7p8
e10adc3949ba59abbe56e057f20f883eN|3
e10adc3949ba59abbe56e057f20f883eZlA

And so on...


Yes. That's ZIA:123456, N|3:123456, 7p8:123456, mds:123456, 7308:123456

Attached, please find some of the freebsd MD5 hashes you found.

The 7308 one isn't a VB3 hash, but still uses the md5(md5($pass).$salt) format.

There can be 875,000 identical passwords with different hashes with a VB3 hash. The purpose was to prevent brute-force cracking. Many, many, many people choose the same password, and by using salt it makes cracking them more difficult.

But just decrypting the md5 as you have done doesn't reveal the original password, but it does group them. I generally don't bother with that, because I'm after the actual password. If you take the secondary step to resolve the second MD5, it would be more helpful to people in general. But thank you again, for the work you _are_ doing; it is appreciated.

There are also much more complex forms of hashed and multiple-md5 hashes in use today. Resolving these is often very confusing. I did a bit of work on this at http://forum.insidepro.com/viewtopic.php?t=20963


Attachments: Login to view attachments.
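The grouping effect discussed in the post above, as an added example that is not part of the original thread: in md5(md5($pass).$salt) the inner digest carries no salt, so once the outer MD5 is resolved, every account with the same password shares the same 32-hex prefix. The function names are hypothetical, and the input strings are the five quoted in the post.

```python
import hashlib
from collections import defaultdict

HEX = set("0123456789abcdef")

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def vb3(password: str, salt: str) -> str:
    """md5(md5($pass).$salt): the inner digest is used as 32 lowercase hex chars."""
    return md5_hex(md5_hex(password) + salt)

# Sample input: the strings quoted in the post, i.e. what the outer MD5 of
# each list entry resolved to (inner digest immediately followed by the salt).
RESOLVED = [
    "e10adc3949ba59abbe56e057f20f883e7308",
    "e10adc3949ba59abbe56e057f20f883emds",
    "e10adc3949ba59abbe56e057f20f883e7p8",
    "e10adc3949ba59abbe56e057f20f883eN|3",
    "e10adc3949ba59abbe56e057f20f883eZlA",
]

def split_inner_and_salt(resolved: str):
    """Split 'inner md5 hex + salt'; reject anything without a 32-hex prefix."""
    inner, salt = resolved[:32], resolved[32:]
    if len(inner) != 32 or not set(inner) <= HEX:
        raise ValueError("not an md5 hex digest followed by a salt")
    return inner, salt

def group_by_inner(resolved_list):
    """Map each unsalted inner digest to the salts it was stored with."""
    groups = defaultdict(list)
    for item in resolved_list:
        inner, salt = split_inner_and_salt(item)
        groups[inner].append(salt)
    return dict(groups)

def stored_hashes(password: str, salts):
    """What the database holds: one distinct outer digest per salt."""
    return {salt: vb3(password, salt) for salt in salts}

if __name__ == "__main__":
    for inner, salts in group_by_inner(RESOLVED).items():
        print(inner, "shared by", len(salts), "salts:", salts)
    for salt, digest in stored_hashes("123456", ["7308", "mds"]).items():
        print(salt, digest)
```

The stored digests all differ, which is what the salt is for; the shared prefix only becomes visible after the outer layer is resolved, and it reveals which accounts chose the same password before that password is known.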
Waffle

Status: Elite
Joined: Wed, 02 Jan 2013
Posts: 284
Team: CynoSure Prime
Reputation: 357 Reputation
Offline
Sat, 13 Apr 2013 @ 19:44:34

Gajan said:

Well, I am new to this forum and don't know how stuff works here.
But I understand that the hits I got were other hashes and not "real" passwords.
And that was what I was running. Using hashes as words. And it worked.
So the way I see it, these hits are either double-encrypted or someone created them on purpose.

Long story short, these were hits I got from the 32_hex file.
And I posted them so that they could be removed from that file.
I did not follow up and try decrypting the hits I got (the various hashes).
Was that wrong?

And thanks for the info on how salts work.
I've been doing this for more than 10 years so I know a bit of it already, but maybe others find it useful.
edited by Gajan on 13/04/2013

One of the problems is that people supply the hashes without the salts, or the salts somehow get lost or forgotten. This ends up with a bunch of data that _looks_ like it could be MD5 (because it is 32 hex digits), but becomes impossible to solve without effort like you are making.

So, your effort is in no way wrong, and it is certainly appreciated.

Many of the more complex forms of hashing are not created on purpose, but in actual daily use by more obscure programs. Identifying complex hash forms (like md5(freebsdmd5($pass))) is the largest problem, else they stay unresolved forever, which is why what you are doing is great!

No offense intended on the explanation of salting - and there are people of all levels here. I've been at it a while too. I'd prefer not to say how long - but it is measured in decades :-)


Waffle

Status: Elite
Joined: Wed, 02 Jan 2013
Posts: 284
Team: CynoSure Prime
Reputation: 357 Reputation
Offline
Sat, 13 Apr 2013 @ 20:07:11

Gajan said:

Yeah, I have seen many files that look like raw-md5 (or other 32chars hash) with the salt missing.
But I found this a bit weird as there were so many of the exact same hash + different salts ENCRYPTED into raw-md5.
That's why I suspected it to be man-made, meaning someone took just a few hashes, generated salts to them and then encrypted into raw-md5.

Indeed. I found this one, though:

md5("*".uc(sha1(sha1_raw(md5(md5($pass).$salt)))))

10a2cf407050365476b5ddd7d2d1b6d2:&^l:changed

That's a VB3 hash, then a raw sha-1 (giving 20 bytes), then the uppercase standard sha-1 (40 bytes), prepended with a "*", then MD5'ed. People encode passwords this way in many cases to get a full ASCII version that they can store easily in a database field, and attempt to make it difficult to reverse. So, there are some really strange encodings in use.
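The chain described in the post above, stage by stage, as an added example that is not part of the original thread. The function names are hypothetical; the stages follow the post's wording, and the second function shows the most common misreading (feeding hex text instead of the 20 raw bytes into the second SHA-1), which produces a different digest.

```python
import hashlib

def vb3(password: str, salt: str) -> str:
    """md5(md5($pass).$salt), inner digest taken as lowercase hex text."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def chain_stages(password: str, salt: str) -> dict:
    """Every intermediate value of
    md5("*".uc(sha1(sha1_raw(md5(md5($pass).$salt)))))."""
    s_vb3 = vb3(password, salt)                           # 32 hex chars
    s_raw = hashlib.sha1(s_vb3.encode("ascii")).digest()  # 20 raw bytes
    s_hex = hashlib.sha1(s_raw).hexdigest().upper()       # 40 uppercase hex chars
    s_star = "*" + s_hex                                  # 41 printable chars
    s_final = hashlib.md5(s_star.encode("ascii")).hexdigest()
    return {
        "vb3": s_vb3,
        "sha1_raw": s_raw,
        "sha1_hex_upper": s_hex,
        "starred": s_star,
        "final": s_final,
    }

def chain_with_hex_inner(password: str, salt: str) -> str:
    """Misreading of sha1_raw: the first SHA-1 is passed on as 40 hex
    characters rather than 20 raw bytes. Kept only for comparison."""
    first = hashlib.sha1(vb3(password, salt).encode("ascii")).hexdigest()
    second = hashlib.sha1(first.encode("ascii")).hexdigest().upper()
    return hashlib.md5(("*" + second).encode("ascii")).hexdigest()

if __name__ == "__main__":
    # Password and salt are the ones given in the post's sample line.
    stages = chain_stages("changed", "&^l")
    for name, value in stages.items():
        shown = value.hex() if isinstance(value, bytes) else value
        print(f"{name:15} {len(value):3}  {shown}")
    print("hex-inner variant differs:",
          chain_with_hex_inner("changed", "&^l") != stages["final"])
```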


Waffle

Status: Elite
Joined: Wed, 02 Jan 2013
Posts: 284
Team: CynoSure Prime
Reputation: 357 Reputation
Offline
Sun, 14 Apr 2013 @ 06:54:04

Gajan said:

Still getting hits when using those hashes as words and adding stuff after.

Examples:

4ec94b5e9746efa2c96666934b6abbb4angel
e10adc3949ba59abbe56e057f20f883ehenry
21232f297a57a5a743894a0e4a801fc3qwerty
21232f297a57a5a743894a0e4a801fc3master

So I think this proves (?) that many of the hits I get are not double-encrypted
hashes, but in fact the actual words (and that someone ENcrypted this crap
into raw-md5).

If they were good salted hashes that were double-encrypted, both
the hash & the salts would be unique. But the hits I get have the same
hashes over and over again and it is only the "salt-part" that changes.
And as you can see from my hits, the "salt-part" is not even "salt-looking".
edited by Gajan on 14/04/2013


The hash might not be unique; 21232f297a57a5a743894a0e4a801fc3 is admin, for example, and that could be a salted hash of the form

md5(md5($user).$pass)

admin/qwerty and admin/master kind of makes sense, I suppose.

Either way, it is great you are cleaning out these. Fake-hashed, real, or otherwise, they aren't straight MD5, and gone is good!


resoapo

Status: n/a
Joined: Thu, 23 Jan 2014
Posts: 1
Team:
Reputation: 0 Reputation
Offline
Thu, 23 Jan 2014 @ 21:31:10

Please anyone can hack this password ?

f2e9c1cc73f5761298b6a851d45211eb


Caoimhín
Administrator
Status: Elite
Joined: Sat, 29 Dec 2012
Posts: 3251
Team:
Reputation: 5065 Reputation
Offline
Thu, 23 Jan 2014 @ 21:41:56

resoapo said:

Please anyone can hack this password ?

f2e9c1cc73f5761298b6a851d45211eb

Not until you post in the correct section

*cough* 25 hashes *cough* and un*cough*der thread
Damn this cold!


BTC - 1CkFbxQHz9Ab2TK4gydTfkpEWmPep3qDRU

