Cracking grub password...

[bulkangel]

Hi everybody,
recently, I had to put a password in the grub. Now, I'd like to crack it. When I do:

Code:

grub> md5crypt 

Password: ***
Encrypted: $1$ug/131$QR45VubKz2oJwTxHJ7FAu/

grub> md5crypt 

Password: ***
Encrypted: $1$mh/131$aPXxgSaWwiypIb2x/Utsy.

grub> md5crypt 

Password: ***
Encrypted: $1$Xi/131$7s5cGqHzRm/sjPgRuea02/

grub> md5crypt 

Password: ***
Encrypted: $1$Dj/131$nVDUdgexdFM56.0I4o97a0

I tried to crypt the word "yep" 3 times, but each result is different ! Someone told me that this type of pass is a "salted password", where "mh/131" (resp: Xi/131 & Dj/131) is the "salt".

Normally, the result is:

Code:

# echo yep | md5sum 
5fe28693e458d7cc79e17bf4cb95203c

So, my question is how this salt acts, and how can I crack this salted md5 ? And finally, why don't we use this type of encryption for databases ? (phpbb user's pass, etc)

Thank you

Bulki

[kr5kernel]

I think John the Ripper can do salted md5 if i am not mistaken.

The reason I would gather that you would not use a salted md5 for a database would the salt itself. I am going out on a limb here, a user creates a password and then it throws in it a database. When they login, their password is once again encrypted and then checked against the encrypted version of the password in the dbase. If you ised salts wouldn;t the encrypted password the user logs in as change everytime? and then would not be comparable to a value in the database? Sorry, I guess its more questions instead of an answer.

[Maestr0]

The salt in grub is always prepended with "$1$", This is Modular Crypt format where the number indicates the hash algorithm used: 1 = MD5, 2 = Blowfish, 3 = NTHash and the salt is then terminated with a "$". The user's password hash is then created with the entered password and the pseudo-randomly generated salt and stored. The purpose of the salt is to prevent someone from comparing a pregenerated list of hashes to your hash (or prevent one cracked password from exposing all other accounts with same password). Because of the salt, you would have to use the salt with each brute force attempt, or use the salt on the dictionary to create a new hash list, and then you have to do it for each password you wish to crack using a different salt. Yes, JtR will crack them and as to why they arent used in databases is because some coders are shitheads, and plenty of people do use them in databases. For instance in PHP you have the the following description for crypt: "string crypt ( string str [, string salt] )"

-Maestr0

[bulkangel]

Thank you for these precisions.
Is there a way to make a rainbow table with this salt ? (informational purpose)

[kr5kernel]

i don't believe so. I know you can't use rainbow tables to crack a salted md5.

[nihil]

Hi,

kr5kernel is doubtless correct from all practical viewpoints. However, for it to be impossible to use Rainbow Tables the "salting" process would have to be capable of producing an infinite number of unique solutions.

In this situation it would mean that you could never construct a complete set of tables. It would be a bit like trying to calculate the absolute value of mathematical Pi?

So I would suggest that in theory it could be done but in practice it can't.

Sorry I don't have any links, but I did read about it a while back.

[Maestr0]

It could easily be done, but serves no purpose and just wastes a ton of time and storage. A rainbow table uses whats known as the "time-memory trade off" This means that you pre-generate a list of all possible hashes within a defined scope, and then compare hashes to your list. The same list can be used over and over. This is precisely what a salt prevents from being effective. Because of the salt, any pregenerated hashes are useless because they wont include the salt (and there's a diffrent salt for each hash), you may as well just brute-force the hash itself. Unless you plan on winning the lottery or the keyspace is very limited, a brute force might having you waiting a LONG time. A dictionary attack is going to be the best approach.


-Maestr0

[bulkangel]

Thank you everybody for your replies. But now, I've another question:
how is the salt applied on the md5 ? I can understand how to build how to built a md5 password, but I don't understand when the salt is applied.
If I have this md5: 5fe28693e458d7cc79e17bf4cb95203c
and I apply this salt: ug/131
The result is: QR45VubKz2oJwTxHJ7FAu/

Do you have information about how this salt works ? I've searched a lot on the Net, but I've not found anything interesting...

Thank you for your supports, that's nice

Bulki

[sec_ware]

Hi

Plenty of hash functions actually use an encryption/compression-type function
to create the hash. The message "A" to be hashed is used as the password
to encrypt a certain start string "S", e.g. in the particular case of md5[1,2], 128 bit.
The reason to use such encryption or compression functions is, that they increase
the entropy, ie. the randomness of the output.

Without going too much in detail, the main idea of salting is the following:

- perform an md5-"encryption" of "S" with the message "A" -> "S_1"
- perform an md5-"encryption" of "S_1" with the salt -> "S_2"
- perform an md5-"encryption" of "S_2" with the message "A" -> "S_3"

...and iterate in a particular scheme by alternating the message "A" and the salt
in some order. The goal of the iterations is to increase the computational
effort to generate a rainbow table. As it has been said already - rainbow tables may
be reasonable for the old LM hashes (as I had to learn ), but it is ridiculous to create
them for md5-hashes, in particular if they are salted.

You may have a look at the source code of crypt[3] for details.


Cheers

P.s. I use the word "encrypt" although it may not be rigorously correct generically.

[1] http://en.wikipedia.org/wiki/MD5
[2] http://cvs.sourceforge.net/viewcvs.p....c?view=markup
[3] http://cvs.sourceforge.net/viewcvs.p....c?view=markup

[bulkangel]

Wouh... I'lll study that in 2 years :P...

Thank you