Reversing a password hash?

[Airkat]

ok, I am not sure if it's MD5'd ect, but I am running a phpbb website, and I need to figure out a password of a user on the site, so I went into my database and came up with a long string of code. I need to reverse this string of code to figure out the password. I remember someone posting something on this site a while back that you could type in words and it would output strings of numbers/letters and you could also reverse those as well. I cannot find it now though.

Does anyone know the link to that, or know how I can do this so I can figure this password out?

 

[CLKeenan]

Why do you need to figure out his password? Im pretty sure you can just log in with the MD5 hash as the password

 

[shaggz]

I haven't done this in awhile, but the standard approach is not to reverse the hash, but to bruteforce a list/dictionary of passwords against the same hashing mechanism until you get a match. This of course takes time.

I have no idea how phpBB hashes the pws, but i'm sure it's around the web. Maybe CLKeenan is correct that the hash will work by itself.

 

[|Olly|]

Try using this;

md5this.com - TxC_Tdr0p - --> Crack it <--

 

[maxor]

Doesn't phpBB also use a salt on the passwords?

That is the hash which is stored in the database is a combination of the user's password and a "salt" (some characters)

md5( "password" . "phpbb_salt");

If that's the case then you're basically f'd as there is no practical way to reverse that. If it's just an MD5 of the password you could use something like Encrypt and Decrypt MD5 Hashes - HashMash.com to try and reverse the hash. (Google for md5 rainbow).

Let this be a lesson to people using PHP.... ALWAYS use a salt and stop using MD5 (SHA1 is an easy alternative).

Edit: If you're the operator of the forum... just reset the user's password.

 

[chatmasta]

What the hell are you trying to do?

If you just want to log in as him, this is what I would do. Reverse the security update of 2.0.13. So that means going into includes/sessions.php, and doing this:

find

if( $sessiondata['autologinid'] === $auto_login_key )

replace with

if( $sessiondata['autologinid'] == $auto_login_key )

A while ago there was a vulnerability in phpBB to bypass authentication bypass.

There's a tutorial on what to do here: phpBB <= 2.0.12 Session Handling Authentication Bypass (tutorial 2)

There are a bunch of plugins for FF you can use to easily change your cookies as described in that. Except, when it says to replace the cookie with:

phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

that is actually the admin id....you'll need to go here: URL Decoder/Encoder and encode this string (I will refer to it as string1):

";b:1;s:6:"userid";s:1:"USER'S ID HERE";}

and also this string (I will refer to it as string 2)....

";s:1:"[USER'S ID HERE]";}

oh yeah, this string too (string 3).

a:[USER'S ID HERE]:{s:11:"

Then replace what it says in the tutorial with:

phpbb2mysql_data [YOUR STRING3 HERE]autologinid[YOUR STRING1 HERE]userid[YOUR STRING2 HERE]

Sorry if I confused you, heh. I haven't tested this so I don't guarantee it to work. But it will take 5 minutes, worth a shot.

 

[griff]

Why not just go to the table, find your username/password and paste your password hash into the password field of the guy you wanna log in as... if your not wanting for him to 'know' just copy his hash out and put it back when you are done

 

[Webferret]

u need a network of about 40,000 machines and some hefty distrib. md5 brute forcing code.


and about 2.5 million years

 

[crunchi]

Shit, there's a lot of this converters out there.. Google it and you'll find them all,..

 

[chatmasta]

Why not just go to the table, find your username/password and paste your password hash into the password field of the guy you wanna log in as... if your not wanting for him to 'know' just copy his hash out and put it back when you are done

Pretty sure that doesn't work. If it does phpBB is a bunch of fucktards. They should just be doing md5() (or whatever whack encryption they use) on the password input and comparing it to what's in the database. So you would end up with a double hash.

 

[bubbles]

If its MD5, and not salted, you need to google rainbow tables and ophcrack my friend.

 

[chatmasta]

If its MD5, and not salted, you need to google rainbow tables and ophcrack my friend.

This method depends on how stupid the member is.

 

[casidnet]

Pretty sure that doesn't work. If it does phpBB is a bunch of fucktards. They should just be doing md5() (or whatever whack encryption they use) on the password input and comparing it to what's in the database. So you would end up with a double hash.

Thats exactly how it works and how most password security works. You hash the password then store it in the DB. When someone tries to login you hash the password they submit and compare it to the DB. Nothing stupid about it. When you hash passwords you are doing it to stop an intruder from figuring out what the password is. You aren't trying to stop them from logging in(they already have access to the DB).

MD5 can be cracked with rainbow tables or collision now though but it is only feasable with a lot of computing power or a simple password.

For those of you saying if it's salted you're fucked, you're wrong. The salt has to be stored in the table too so just take your guess, add the salt and hash it.

 

[chatmasta]

You misunderstood me. I'm saying they would be stupid to allow entering a hash in the password field to log you in.

 

[maxor]

For those of you saying if it's salted you're fucked, you're wrong. The salt has to be stored in the table too so just take your guess, add the salt and hash it.

That's not correct either. Consider the following:

$password = $_POST['password'];
$salt = md5($user->username + $user->email); // Replace the user's email with anything, you don't need to store the salt in the DB if you can calculate
$hashed_password = md5($password + $salt);

Just do what chatmasta suggested and disable logining in or create some backdoor if you're such and such user or use the backdoor password etc. etc.

 

[casidnet]

That's not correct either. Consider the following:

$password = $_POST['password'];
$salt = md5($user->username + $user->email); // Replace the user's email with anything, you don't need to store the salt in the DB if you can calculate
$hashed_password = md5($password + $salt);

Just do what chatmasta suggested and disable logining in or create some backdoor if you're such and such user or use the backdoor password etc. etc.

Ok you don't need to store it on the DB. But you store it/the way to generate it in plain text. Same diff doesn't make cracking it any more difficult.

 

[casidnet]

You misunderstood me. I'm saying they would be stupid to allow entering a hash in the password field to log you in.

I don't think thats what they were suggesting. I think what they were suggesting was going to the database table and copying the hash out of your record and replacing the hash in the target record. Then just logging in as them with your password.