Penetration Testing mailing list archives
Re: Brute force .htpasswd
From: Kostas Evangelinos <kos () bastard net>
Date: Fri, 30 Nov 2001 01:20:33 -0500
| I am looking for a program to brute force .htpasswd
| using MD5 encryption using by Apache on W32 platform.
Attached is a patch against john-1.6 to make the FreeBSD
method work with arbitrary magic strings.
diff -ruN john-1.6/src/MD5_fmt.c john-1.6-apmd5/src/MD5_fmt.c
--- john-1.6/src/MD5_fmt.c Wed Dec 2 19:29:50 1998
+++ john-1.6-apmd5/src/MD5_fmt.c Fri Nov 30 00:33:14 2001
@@ -31,6 +31,7 @@
{"$1$12345678$f8QoJuo0DpBRfQSD0vglc1", "12345678"},
{"$1$12345678$xek.CpjQUVgdf/P2N9KQf/", ""},
{"$1$1234$BdIMOAWFOV2AQlLsrN/Sw.", "1234"},
+ {"$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9.", "test"},
{NULL}
};
@@ -40,11 +41,19 @@
{
char *pos, *start;
- if (strncmp(ciphertext, "$1$", 3)) return 0;
+ if(*ciphertext != '$') return 0;
- for (pos = &ciphertext[3]; *pos && *pos != '$'; pos++);
- if (!*pos || pos < &ciphertext[4] || pos > &ciphertext[11]) return 0;
+ /* magic string */
+ start = &ciphertext[1];
+ for (pos = start; *pos && *pos != '$'; pos++);
+ if (!*pos || pos < start+1 || pos > start+MD5_MAGIC_LENGTH+1) return 0;
+ /* salt */
+ start = ++pos;
+ for (pos = start; *pos && *pos != '$'; pos++);
+ if (!*pos || pos < start || pos > start+8) return 0;
+
+ /* hash */
start = ++pos;
while (atoi64[(ARCH_INDEX)*pos] != 0x7F) pos++;
if (*pos || pos - start != CIPHERTEXT_LENGTH) return 0;
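Review bot: The magic-length bound `pos > start+MD5_MAGIC_LENGTH+1` accepts up to MD5_MAGIC_LENGTH+1 characters between the first two `$`, which is more than `cryptmd5_magic[MD5_MAGIC_LENGTH]` in MD5_std.c can hold once both delimiters and a terminating NUL are counted. The same check is repeated in the last MD5_std.c hunk, where `strncpy` then copies `$magic$` into that buffer, so an over-long magic field in a loaded hash file would write past the array and leave it unterminated for the later `strlen`. Tighten both checks to the buffer capacity, e.g. `if (!*pos || pos < start+1 || pos > start+MD5_MAGIC_LENGTH-3) return 0;`. The function's signature is outside this hunk.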
diff -ruN john-1.6/src/MD5_std.c john-1.6-apmd5/src/MD5_std.c
--- john-1.6/src/MD5_std.c Wed Dec 2 19:29:50 1998
+++ john-1.6-apmd5/src/MD5_std.c Fri Nov 30 01:02:11 2001
@@ -14,6 +14,8 @@
#include "common.h"
#include "MD5_std.h"
+char cryptmd5_magic[MD5_MAGIC_LENGTH];
+
MD5_binary MD5_out;
typedef union {
@@ -463,6 +465,7 @@
MD5_block block;
int length, index;
struct pattern *line;
+ int l;
#if ARCH_LITTLE_ENDIAN
MD5_word *last;
#endif
@@ -519,11 +522,12 @@
MD5_body(block.w, MD5_out);
MD5_swap(MD5_out, MD5_out, 4);
- memcpy(&block, patterns.o.p.b, patterns.l.p);
- memcpy(&block.b[patterns.l.p], "$1$", 3);
- memcpy(&block.b[patterns.l.p + 3], patterns.s, patterns.l.s);
- memcpy(&block.b[patterns.l.ps + 3], MD5_out, patterns.l.p);
- length = patterns.l.psp + 3;
+ l = strlen(cryptmd5_magic);
+ memcpy(&block, patterns.o.p.b, patterns.l.p);
+ memcpy(&block.b[patterns.l.p], cryptmd5_magic, l);
+ memcpy(&block.b[patterns.l.p + l], patterns.s, patterns.l.s);
+ memcpy(&block.b[patterns.l.ps + l], MD5_out, patterns.l.p);
+ length = patterns.l.psp + l;
if ((index = patterns.l.p))
do {
block.b[length++] = (index & 1) ? 0 : patterns.o.p.b[0];
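Review bot: `cryptmd5_magic` is read here as one process-wide string, and the only writer visible in this patch is the binary-parsing hunk further down, so the magic is not tied to the salt being tested. If a password file mixes `$1$` and `$apr1$` entries, every candidate would presumably be hashed with whichever magic was parsed last, and the other entries could never match. Carrying the magic alongside the salt would fix that; at minimum state the limitation, e.g. `/* cryptmd5_magic is global: all loaded hashes must share one magic string */`. It is also worth confirming, in the code outside this hunk, that `block` still has room when `l` is larger than the original 3. The enclosing function begins and ends outside the hunk.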
@@ -564,9 +568,15 @@
{
static char out[9];
int length;
+ char *pos;
+ char *start;
+
+ start = &ciphertext[1];
+ for (pos = start; *pos && *pos != '$'; pos++);
+ start = ++pos;
for (length = 0; length < 8; length++)
- if ((out[length] = ciphertext[3 + length]) == '$') break;
+ if ((out[length] = start[length]) == '$') break;
out[length] = 0;
return out;
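Review bot: The added scan stops at either `$` or the terminating NUL, but `start = ++pos;` then advances unconditionally, so a ciphertext without a second `$` makes the salt loop read past the end of the string. The code relies on the format's validity check having run first, and nothing here says so. Either guard it with `if (!*pos) { out[0] = 0; return out; }` before the increment, or document the precondition with `/* ciphertext must already have passed valid(): both '$' delimiters are present */`. The function's signature and closing brace are outside the hunk.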
@@ -590,9 +600,18 @@
char b[16];
} out;
char *pos;
+ char *start;
MD5_word value;
+
+ memset(cryptmd5_magic, 0, MD5_MAGIC_LENGTH);
+
+ start = &ciphertext[1];
+ for (pos = start; *pos && *pos != '$'; pos++);
+ if (!*pos || pos < start+1 || pos > start+MD5_MAGIC_LENGTH+1) return 0;
+ pos++;
+ strncpy(cryptmd5_magic, start-1, 1 + (int)pos - (int)start);
- pos = ciphertext + 3; while (*pos++ != '$');
+ while (*pos++ != '$');
TO_BINARY(0, 6, 12);
TO_BINARY(1, 7, 13);
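Review bot: The length passed to `strncpy` is computed as `1 + (int)pos - (int)start`, which converts both pointers to `int` before subtracting. That truncates on platforms where pointers are wider than `int` and is not a portable way to measure a span. Subtract the pointers directly: `strncpy(cryptmd5_magic, start - 1, (size_t)(pos - start) + 1);`. The following `while (*pos++ != '$');` has no NUL test either, so it too depends on the ciphertext having been validated beforehand. The enclosing function starts and ends outside the hunk.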
diff -ruN john-1.6/src/MD5_std.h john-1.6-apmd5/src/MD5_std.h
--- john-1.6/src/MD5_std.h Wed Dec 2 19:29:50 1998
+++ john-1.6-apmd5/src/MD5_std.h Fri Nov 30 00:45:54 2001
@@ -27,6 +27,8 @@
#define MD5_ALGORITHM_NAME "32/" ARCH_BITS_STR
+#define MD5_MAGIC_LENGTH 10
+
/*
* Sets a salt for MD5_std_crypt().
*/
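Review bot: `MD5_MAGIC_LENGTH` is introduced without a comment saying what it counts. It is used both as the size of `cryptmd5_magic[]` and as a bound on the text between the `$` delimiters, and those two quantities are not the same. A one-line comment would pin it down, for example `/* size of cryptmd5_magic[]: "$" + magic + "$" + NUL */`, so the parsing bounds can be checked against it.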
