Date: Wed, 22 Aug 2012 19:48:10 +0400 From: Vladimir Vorontsov <vladimir.vorontsov@...ec.ru> To: john-users@...ts.openwall.com Subject: Re: Is there any patch to crack MySQL Network auth? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! I want to join! Need to brute that: SHA1(salt + SHA1(SHA1($password))) MySQL auth protocol described bellow: http://dev.mysql.com/doc/internals/en/client-server-protocol.html#Password_functions http://dev.mysql.com/doc/internals/en/password-functions-after-4.0.html Quote: 4.1 and later Remember that mysql.user.Password stores SHA1(SHA1(password)) 1. The server sends a random string (scramble) to the client 2. the client calculates: * stage1_hash = SHA1(password), using the password that the user has entered. * token = SHA1(scramble + SHA1(stage1_hash)) XOR stage1_hash 3. the client sends the token to the server 4. the server calculates * stage1_hash' = token XOR SHA1(scramble + mysql.user.Password) 5. the server compares SHA1(stage1_hash') and mysql.user.Password 6. If they are the same, the password is okay. (Note SHA1(A+B) is the SHA1 of the concatenation of A with B.) This protocol fixes the flaw of the old one, neither snooping on the wire nor mysql.user.Password are sufficient for a successful connection. But when one has both mysql.user.Password and the intercepted data on the wire, he has enough information to connect. 22.08.12, 19:32, Richard Miles пишет: > Hi > > I have a few MySQL network authentication hashes (SHA1 + > challenge), but I can't find a option to crack it with John. There > is a patch (even if unofficial) to crack it? > > Thanks. > -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlA0/zoACgkQshExP8cA6RRJMgCgi+NbKIQeGcovXAHD+3obGpxg alUAoIk/dxPYo8vz0XL/a28x8XqXNaH6 =TPqV -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.