Trying to brute force a basic hash of a plaintext password and a hash... But having difficulty with the hashcat commands.
I'm unsure how to specify what my salt is. I've selected that the -m command is (10) and -a 3 for brute force, but whenever I try to load my hash + salt I get "Line-length exception"
My command is:
hashcat64.exe -m 10 hash.txt -a 3
You "specify" the salt by having the correct format for the hashing algorithm.
For -m 10, or md5($pass.$salt), see this example is directly from the hashcat website:
01dfae6e5d4d90d9892622325959afbe:7050461
Note the colon after the password hash, which separates it from the salt. If your file already looks like this, maybe try adding a new line to the end?
Related
I am desperately trying to recover a veracrypt password with hashcat.
I got the hash file of the encrypted device with dd command and then used the sha512sum command to get the hash so it should be :
c21cd34530e01d4f31f329a9c53643984894e1411ee6400551d7f614d4e3409ec643e3a0c3684238b9656c2793239666aa907f7739055197b094804679026810
I remember a part of the password so I guessed a mask attack with hashcat should be helpful.
But I keep getting "separator unmatched"
I typed the following command :
hashcat --force -m 1800 -a 3 -i --increment-min 20 --increment-max 21 c21cd34530e01d4f31f329a9c53643984894e1411ee6400551d7f614d4e3409ec643e3a0c3684238b9656c2793239666aa907f7739055197b094804679026810 ?u?1?1?s?u?1?1?s?d?d?d?d?s?l?l
Hash 'c21cd34530e01d4f31f329a9c53643984894e1411ee6400551d7f614d4e3409ec643e3a0c3684238b9656c2793239666aa907f7739055197b094804679026810': Separator unmatched
No hashes loaded.
I do not understand my mistake, the mask is after the hash however.
I was given this file:
hashes.txt
experthead:e10adc3949ba59abbe56e057f20f883e
interestec:25f9e794323b453885f5181f1b624d0b
ortspoon:d8578edf8458ce06fbc5bb76a58c5ca4
reallychel:5f4dcc3b5aa765d61d8327deb882cf99
simmson56:96e79218965eb72c92a549dd5a330112
bookma:25d55ad283aa400af464c76d713c07ad
popularkiya7:e99a18c428cb38d5f260853678922e03
eatingcake1994:fcea920f7412b5da7be0cf42b8c93759
heroanhart:7c6a180b36896a0a8c02787eeafb0e4c
edi_tesla89:6c569aabbf7775ef8fc570e228c16b98
liveltekah:3f230640b78d7e71ac5514e57935eb69
blikimore:917eb5e9d6d6bca820922a0c6f7cc28b
johnwick007:f6a0cb102c62879d397b12b62c092c06
flamesbria2001:9b3b269ad0a208090309f091b3aba9db
oranolio:16ced47d3fc931483e24933665cded6d
spuffyffet:1f5c5683982d7c3814d4d9e6d749b21e
moodie:8d763385e0476ae208f21bc63956f748
nabox:defebde7b6ab6f24d5824682a16c3ae4
bandalls:bdda5f03128bcbdfa78d8934529048cf
I thought I had to separate them, for example I put the experthead, interestec, etc. in one file named wordtext.txt and e10adc3949ba59abbe56e057f20f883e, etc in another file called hash.txt.
I then ran this:
hashcat -m 0 -a 0 /Users/myname/Desktop/hash.txt /Users/myname/Desktop/wordtext.txt -O
but I couldn't get anything. And then I googled e10adc3949ba59abbe56e057f20f883e and the output was 123456 so now I don't know how to approach this problem.
Just leave the hashes (erase the plaintext) on the txt file, hashcat will sort them out by itself. What I do is: hashcat.exe -m 0 -a 0 hashFile.txt dict.txt --show
The file appears to be in username:hash format. By default, hashcat assumes that only hashes are in the target file.
You can change this behavior with hashcat's --username option.
You don't need to place the -O at the end. It should work perfectly without it, but you do need hashcat.exe in the beginning.
I am creating a "change password" form where the user is required to enter the previous password first, then a new password (twice).
I should compare the entered "previous password" to the one already stored.
My web application uses an LDAP server to store user credentials. Password is apparently stored using SHA.
So what I do is get the previous password entered by the user, digest it using SHA1, then compare it.
String oldPass = request.getParameter("oldpass");
String enteredOldPass= App.getInstance().getCipher().cipher(oldPass);
String ldapPassword= ctx.get("userpassword");
But this isn't working, because the passwords are different. When I store "test" in the LDAP I obtain {sha}qUqP5cyxm6YcTAhz05Hph5gvu9M= when calling .get("userPassword"), whilst I get a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 when hashing "test" by myself.
What am I doing wrong here? It seems that a step is missing since my result is purely hex, while the one I get from the LDAP is ASCII. But I tried converting the string to hex (using string to hex online converters) but the result is still differnet.
You don't do any of this.
You attempt to rebind as the user with that password. It either succeeds or fails. That tells you whether it was right or wrong. The API and protocol and server will take care of any hashing required.
Or, if you're using an LDAP server that supports the extended change-password operation, you provide the old and new passwords in the extended operation.
you must convert to binary, then convert to base64. Try this:
echo -n "test" | sha1sum | awk '{print $1}' <br>
The result will be a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
echo -n "test" | sha1sum | awk '{print $1}' | xxd -r -p | base64
The result will be qUqP5cyxm6YcTAhz05Hph5gvu9M=
In the repository home page , i can see comments posted in recent activity at the bottom, bit it only shows 10 commnets.
i want to all the comments posted since beginning.
Is there any way
Comments of pull requests, issues and commits can be retrieved using bitbucket’s REST API.
However it seems that there is no way to list all of them at one place, so the only way to get them would be to query the API for each PR, issue or commit of the repository.
Note that this takes a long time, since bitbucket has seemingly set a limit to the number of accesses via API to repository data: I got Rate limit for this resource has been exceeded errors after retrieving around a thousand results, then I could retrieve about only one entry per second elapsed from the time of the last rate limit error.
Finding the API URL to the repository
The first step is to find the URL to the repo. For private repositories, it is necessary to get authenticated by providing username and password (using curl’s -u switch). The URL is of the form:
https://api.bitbucket.org/2.0/repositories/{repoOwnerName}/{repoName}
Running git remote -v from the local git repository should provide the missing values. Check the forged URL (below referred to as $url) by verifying that repository information is correctly retrieved as JSON data from it: curl -u username $url.
Fetching comments of commits
Comments of a commit can be accessed at $url/commit/{commitHash}/comments.
The resulting JSON data can be processed by a script. Beware that the results are paginated.
Below I simply extract the number of comments per commit. It is indicated by the value of the member size of the retrieved JSON object; I also request a partial response by adding the GET parameter fields=size.
My script getNComments.sh:
#!/bin/sh
pw=$1
id=$2
json=$(curl -s -u username:"$pw" \
https://api.bitbucket.org/2.0/repositories/{repoOwnerName}/{repoName}/commit/$id/comments'?fields=size')
printf '%s' "$json" | grep -q '"type": "error"' \
&& printf "ERROR $id\n" && exit 0
nComments=$(printf '%s' "$json" | grep -o '"size": [0-9]*' | cut -d' ' -f2)
: ${nComments:=EMPTY}
checkNumeric=$(printf '%s' "$nComments" | tr -dc 0-9)
[ "$nComments" != "$checkNumeric" ] \
&& printf >&2 "!ERROR! $id:\n%s\n" "$json" && exit 1
printf "$nComments $id\n"
To use it, taking into account the possibility for the error mentioned above:
A) Prepare input data. From the local repository, generate the list of commits as wanted (run git fetch -a prior to update the local git repo if needed); check out git help rev-list for how it can be customised.
git rev-list --all | sort > sorted-all.id
cp sorted-all.id remaining.id
B) Run the script. Note that the password is passed here as a parameter – so first assign it to a variable safely using stty -echo; IFS= read -r passwd; stty echo, in one line; also see security considerations below. The processing is parallelised onto 15 processes here, using the option -P.
< remaining.id xargs -P 15 -L 1 ./getNComments.sh "$passwd" > commits.temp
C) When the rate limit is reached, that is when getNComments.sh prints !ERROR!, then kill the above command (Ctrl-C), and execute these below to update the input and output files. Wait a while for the request limit to increase, then re-execute the above one command and repeat until all the data is processed (that is when wc -l remaining.id returns 0).
cat commits.temp >> commits.result
cut -d' ' -f2 commits.result | sort | comm -13 - sorted-all.id > remaining.id
D) Finally, you can get the commits which received comments with:
grep '^[1-9]' commits.result
Fetching comments of pull requests and issues
The procedure is the same as for fetching commits’ comments, but for the following two adjustments:
Edit the script to replace in the URL commit by pullrequests or by issues, as appropriate;
Let $n be the number of issues/PRs to search. The git rev-list command above becomes: seq 1 $n > sorted-all.id
The total number of PRs in the repository can be obtained with:
curl -su username $url/pullrequests'?state=&fields=size'
and, if the issue tracker is set up, the number of issues with:
curl -su username $url/issues'?fields=size'
Hopefully, the repository has few enough PRs and issues so that all data can be fetched in one go.
Viewing comments
They can be viewed normally via the web interface on their commit/PR/issue page at:
https://bitbucket.org/{repoOwnerName}/{repoName}/commits/{commitHash}
https://bitbucket.org/{repoOwnerName}/{repoName}/pull-requests/{prId}
https://bitbucket.org/{repoOwnerName}/{repoName}/issues/{issueId}
For example, to open all PRs with comments in firefox:
awk '/^[1-9]/{print "https://bitbucket.org/{repoOwnerName}/{repoName}/pull-requests/"$2}' PRs.result | xargs firefox
Security considerations
Arguments passed on the command line are visible to all users of the system, via ps ax (or /proc/$PID/cmdline). Therefore the bitbucket password will be exposed, which could be a concern if the system is shared by multiple users.
There are three commands getting the password from the command line: xargs, the script, and curl.
It appears that curl tries to hide the password by overwriting its memory, but it is not guaranteed to work, and even if it does, it leaves it visible for a (very short) time after the process starts. On my system, the parameters to curl are not hidden.
A better option could be to pass the sensitive information through environment variables. They should be visible only to the current user and root via ps axe (or /proc/$PID/environ); although it seems that there are systems that let all users access this information (do a ls -l /proc/*/environ to check the environment files’ permissions).
In the script simply replace the lines pw=$1 id=$2 with id=$1, then pass pw="$passwd" before xargs in the command line invocation. It will make the environment variable pw visible to xargs and all of its descendent processes, that is the script and its children (curl, grep, cut, etc), which may or may not read the variable. curl does not read the password from the environment, but if its password hiding trick mentioned above works then it might be good enough.
There are ways to avoid passing the password to curl via the command line, notably via standard input using the option -K -. In the script, replace curl -s -u username:"$pw" with printf -- '-s\n-u "%s"\n' "$authinfo" | curl -K - and define the variable authinfo to contain the data in the format username:password. Note that this method needs printf to be a shell built-in to be safe (check with type printf), otherwise the password will show up in its process arguments. If it is not a built-in, try with print or echo instead.
A simple alternative to an environment variable that will not appear in ps output in any case is via a file. Create a file with read/write permissions restricted to the current user (chmod 600), and edit it so that it contains username:password as its first line. In the script, replace pw=$1 with IFS= read -r authinfo < "$1", and edit it to use curl’s -K option as in the paragraph above. In the command line invocation replace $passwd with the filename.
The file approach has the drawback that the password will be written to disk (note that files in /proc are not on the disk). If this too is undesirable, it is possible to pass a named pipe instead of a regular file:
mkfifo pipe
chmod 600 pipe
# make sure printf is a builtin, or use an equivalent instead
(while :; do printf -- '%s\n' "username:$passwd"; done) > pipe&
pid=$!
exec 3<pipe
Then invoke the script passing pipe instead of the file. Finally, to clean up do:
kill $pid
exec 3<&-
This will ensure the authentication info is passed directly from the shell to the script (through the kernel), is not written to disk and is not exposed to other users via ps.
You can go to Commits and see the top line for each commit, you will need to click on each one to see further information.
If I find a way to see all without drilling into each commit, I will update this answer.
I'm trying to write some code to work with an htdigest password file. The documentation I can find seems to claim that the format of that file is:
user:realm:MD5(user:realm:pass)
If that is the case, then why doesn't this work for me? I created a file with the command line htdigest thus:
htdigest -c test b a
When prompted for a password I entered 'c'. This creates a file with the contents:
a:b:02cc8f08398a4f3113b554e8105ebe4c
However if I try to derive this hash I can't,
echo a:b:c | md5
gives me "49d6ea7ca1facf323ca1928995420354". Is there something obvious that I'm missing here?
Thanks
echo by default adds a trailing new line:
echo -n a:b:c | md5
Should work as you expect.
Hm, I seem to have answered my own question. My test case was flawed, 'echo' is adding extra characters (not sure which). For instance
echo a:b:c | wc
gives 6 characters instead of 5. Calculating the hash at http://md5-hash-online.waraxe.us/ gives the correct value. Sorry everyone!
Here is how you set the password for a given user.
sudo htdigest /etc/apache2/.htdigest yourrealm.com yourusername