Re: decrypting htpasswd

From: Steve Phillips (steve_at_focb.co.nz)
Date: 01/24/05

  • Next message: Stephen Carville: "Re: decrypting htpasswd"
    Date: Mon, 24 Jan 2005 13:45:21 -0600 (CST)
    To: General Red Hat Linux discussion list <redhat-list@redhat.com>
    
    

    On Mon, 24 Jan 2005, Benjamin J. Weiss wrote:

    > Mulley, Nikhil wrote:
    >
    >> [I am not talking about Cracking..] This is however to say that I ensure my
    >> security and warn others about their security as well..
    >> as earlier said ..the password file has two fields...
    >> Username:Password
    >> the password is in DES (hashed) Encryption format..
    >> so I think there is a way to Rip it with John...
    >>
    > 1) If you intentionally acquired this file without the permission of the
    > server's owner, you have violated federal law.
    > 2) If you accidentally acquired this file and then attempt to crack the
    > password, you have violated federal law.

    Except that the world is not the USA and there are still many countries
    where this is entirely legal, or does not fall under "federal" law. While
    his originating IP appears to be in California, he may actually be on the
    other side of the world.

    Morally your arguments hold up but claiming this on an international
    mailing list is a little silly.

    > If you truly came upon this file accidentally and you want to warn the owners
    > about their security, simply give them a copy of the file you captured and
    > then delete it.
    >
    > I work for a state law-enforcement agency. If you wish assistance in
    > contacting the server owners, please contact me off-list.

    There are actually rather legitimate reasons for wanting to crack a
    password file. This may be the only record of a password used by a
    previous employee who has locked other records with the same password but
    the hash is in a more secure form *shrug* who knows.

    To answer the original question - generally John the Ripper requires the
    password files to be in a specific format (when I last used it, it was Unix
    password file format) which means that you may need to move the hash into
    a pseudo password type file and tell John the Ripper to try cracking it.
    The information you require is all in the John the Ripper documentation,
    it would probably be prudent to read it.

    It would also be a good idea to get a dictionary list together (google if
    you don't have one) which john can use against the hash, which may speed
    things up significantly if the password is based on a dictionary word.
    Otherwise be prepared for a long wait, typically an 8-character DES
    encrypted password with numbers, punctuation and upper/lower case letters
    will take around 3-6 months to crack (higher end PCs obviously will do
    this slightly faster).

    HTH,

    -- 
    Steve.
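A defensive audit of the file format discussed in the thread (Username:Password with a DES crypt hash), as an added example that is not part of the original message: it labels each htpasswd entry by hash scheme so legacy entries can be found and re-hashed. The sample entries are constructed placeholders, and the set of schemes flagged for re-hashing is this example's own policy assumption.

```python
import re

# Traditional DES crypt(3): 2 salt characters followed by 11 hash characters,
# all drawn from [./0-9A-Za-z]; only the first 8 password characters are used.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Policy assumption of this example: schemes that should be re-hashed.
LEGACY = {"des-crypt", "sha1-unsalted", "unknown", "malformed"}

def classify(field):
    """Name the hash scheme of one htpasswd password field."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if DES_CRYPT.fullmatch(field):
        return "des-crypt"
    return "unknown"

def audit(text):
    """Return (line number, user, scheme, needs_rehash) per htpasswd entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        # Skipping blank and '#' lines is a convenience of this example.
        if not line or line.startswith("#"):
            continue
        user, sep, field = line.partition(":")
        scheme = classify(field) if sep else "malformed"
        findings.append((lineno, user, scheme, scheme in LEGACY))
    return findings

# Constructed sample: the hash fields are shaped placeholders, not real hashes.
SAMPLE = """\
# constructed htpasswd content
alice:abCDEFGHIJKLM
bob:$apr1$CONSTRUC$0000000000000000000000
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:$2y$10$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
broken-line-without-colon
"""

if __name__ == "__main__":
    for lineno, user, scheme, flagged in audit(SAMPLE):
        print(f"line {lineno}: {user:<26} {scheme:<14} {'RE-HASH' if flagged else 'ok'}")
```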
    
