Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 11 Mar 2006 08:49:08 +0100
From: Turko <granturko@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: checking only first 5 characters of a md5 hash

On 3/10/06, Solar Designer <solar@...nwall.com> wrote:
>
> On Fri, Mar 10, 2006 at 02:59:30PM +0100, Turko wrote:
> > > > My problem is this: I have only the first 5 characters of a md5
> hash.
> [...]
> > They are taken from a  php generated hash that I m using for locale
> tests
> > on  my webserver :
> >
> > $code = substr(base64_encode(md5($mykey)),0, 5);
>
> Well, those are the first 5 characters of a base64 encoding of a hex
> encoding of an MD5 hash.  That's something between 12 and 16 bits.
>
> > > That would require a source code patch.
> >
> > is it hard to write? Maybe I can try...but how ?
>
> I'm afraid, it'd be a little too hard for you.  You'd have to implement
> base64 encoding or decoding.  You also don't need to do it:
>
> > > If you only need this done once, it might be quicker for you to write
> a
> > > Perl script that would use Digest::MD5 and accept a stream of
> candidate
> > > passwords on the standard input.  Then use "john ... --stdout" to feed
> > > candidate passwords to this Perl script.
> >
> >
> > Mhhmmm, I m not an expert programmer as you can imagine...So the steps
> are:
> >
> > 1- Writing a script that receives ascii passwords from John,
> > 2- encrypt them,
> > 3- and then check the first 5 characters of the hash (right ?)
>
> Almost - except that it's called "hashing" and not "encryption", and all
> of these steps are to be performed in your script.


OK

Now that you've finally described what type of hash you have - and now
> that you've also mentioned that you're already dealing with PHP code -
> my suggestion would be that you write your cracker program in PHP.
>
> You don't really need the power of John to crack something as trivial as
> what you have there.  There can only be a little over 20 thousand
> different values of $code, so you can expect to find a suitable password
> if you search about this many candidates.  This can be done in under a
> second with pure PHP code:
>
> <?php
> $mycode = "ZTNlM";
> $mykey = "a";
> while (1) {
>         $code = substr(base64_encode(md5($mykey)), 0, 5);
>         if ($code == $mycode) break;
>         $mykey++;
> }
> print "$mykey\n";
> ?>
>
> Please note that this loop may run forever in case $mycode is set to a
> string not produced by the $code = ... line from your message.


Thanks a lot. I m trying this (easy) script. Of course I had to setup
php.ini in "Maximum execution time" (30 seconds by default) .
Now is 10 hours it works, but nothing. I m sure that $mycode is an existing
part of the hash.
Ho can I calculate the amunt of time I need (theory) ?

Bye and thanks a lot ; )

--
> Alexander Peslyak <solar at openwall.com>
> GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D
> 3598
> http://www.openwall.com - bringing security into open computing
> environments
>
> Was I helpful?  Please give your feedback here:
> http://rate.affero.net/solar
>
> --
> To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
> to the automated confirmation request that will be sent to you.
>
>


--
L'imbecille cade sulla schiena e si sbuccia il naso. (Proverbio Yiddish).
Non esistono donne brutte. Dipende solo da quanta vodka bevi (Proverbio
russo).

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.