Tuesday, January 17, 2012

Cracking 16 Byte MySQL Hashes

In this post, I am going to talk about a tool I came across while trying to crack a pre-MySQL 4.1 password hash. As my goto hash cracker did not support this type of depreciated hash, I had to look for other methods of doing this and I came across the MySQL323 password cracker/collider located here

I found this tool to be just what I was looking for so I downloaded it and ran it. It is very easy to use and the flags for the command are very straight forward.

"mysql323 32.exe" [number of threads] [hash] [keyspace-file]

Once the program finished it gave me these statistics

Total time: 455.626 seconds (7.5 mins)
Average speed: 10.96 Tp/s

Very fast! And yes, the tp/s does stand for trillion passwords per second. The machine I ran this on has an i7 processor with 8 gigs of memory.

This will definitely be my new goto tool for these specific types of MySQL hashes.

Friday, January 13, 2012

Attacking Hackademic RTB1

As I am always looking for new machines that are vulnerable by design, Boot to Root, whatever you want to call them, I came across one called Hackademic Boot to Root 1 located here : https://ghostinthelab.wordpress.com/2011/09/06/hackademic-rtb1-root-this-box/

Once I set it up as a VM, booted it, and fired up Backtrack 5 I began to poke around on this machine to see what I could find out about it. First I started with a basic netdiscover which yielded its IP at Next I went on to scan it with nmap.

nmap -sV -p 1-65535 -v

After this scan finished, it reported a closed port 22 and an open port 80 running apache. Lets browse to the site to see what we can find out.

After a little clicking around we find out that this site is a Wordpress 1.5.11 installation. After playing with all the links and parameters I could find, we definitely have a sql error message thrown in the ?cat=1' parameter.

Now lets try to inject commands to get database output to the screen and see what the database will tell us using methods I discussed in previous posts here

/*Sidenote: If you are using Backtrack 5 and firefox, you will need to disable No-Script in the firefox browser. It will not allow you to type in the special characters to do other sql injection enumeration of the database.*/

Bingo! We were successfully able to get the database output to display on the page. Now lets mine the database for as many usernames and hashes as we can. Since we know this is a Wordpress installation, a little recon from our friend google will tell us the default table and field names so if the user has not changed the defaults it will make our job much easier.

Now that we have all the usernames and hashes from the Wordpress table, lets crack them so that we can log into the application. There are many password cracking tools, but since I have a new found love for hashcat and OCLhashcat I will use that to do the cracking. OCLhashcat utilizes your GPU for pretty much the fastest password cracking I have ever seen. With my new HD 6770 this should take no time at all :).

As you can see, I was able to recover ALL the hashes in about 3 seconds. OCLhashcat really is an amazing tool.

So now for our newly owned users we have this:


Now what can we learn from this attack:

Mistake #1: Obviously the user had an unpatched version of Wordpress (1.5.11) that allowed for the initial sql injection.

Mistake #2: The user left the Wordpress tables inside the MySql database at their default configuration. These table names are easy to find on the internet. Changing them probably would not have stopped the attacker, but would have atleast made his job a little tougher.

Mistake #3: These users DEFINITELY did not have a good password policy implemented. The administrator (NickJames) had a password of 'admin' which is awfully easy to guess. Using longer password lengths, such as 13 characters, as well as using special characters and passwords that are not english words would have made this password attack harder to do.

In the next post I will try to get underlying access to the operating system of this machine.