Penetration Testing: Re: Craking Serv-u passwords stored in .ini file.

From: Nigel Stepp <stepp_at_atistar.net>
Date: Fri, 03 Sep 2004 09:29:45 -0400

Altheide, Cory B. (IARC) wrote:

>>-----Original Message-----
>>From: Scovetta, Michael V [mailto:Michael.Scovetta_at_ca.com]
>>Sent: Thursday, September 02, 2004 1:23 PM
>>To: Altheide, Cory B. (IARC); Jérôme ATHIAS;
>>pen-test_at_securityfocus.com
>>Subject: RE: Craking Serv-u passwords stored in .ini file.
>>
>>
>>I realize this is pedantic, but there's a fundamental
>>difference between "cracking" MD5 and looking up pre-computed
>>values.
[ snip ]
> The only real difference is by using precomputed tables you're front-loading
> your work and only doing computations that would normally be needlessly
> repetitive once. Otherwise the "cracking," as it were, is basically the
> same.

I think the point in question is that you are not cracking *MD5*. That
would entail finding a weakness in the MD5 algorithm that allowed you to
reverse the hash, or more easily find what created the hash you are
looking at.

Using rainbow tables and such is just brute force, and doesn't have a
lot to do with the specific hashing algorithm.

>
> -- Cory

-- 
:wq
Received on Sep 04 2004
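
Added example, not part of the original post or thread: the distinction debated above, shown as code. A precomputed table and an on-demand guessing loop recover the same value whether the hash is MD5 or SHA-256, because neither touches the algorithm's internals. Going beyond the thread, it also shows that a per-record salt makes the precomputed table miss. The candidate list, salt value, and function names are constructed for illustration.

```python
import hashlib

# Constructed sample candidates and salt; not taken from the thread.
CANDIDATES = ["letmein", "password", "serv-u", "hunter2"]
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def digest(algo, data):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def build_table(algo, candidates):
    """Front-load the work: hash every candidate once, index by digest."""
    return {digest(algo, c.encode()): c for c in candidates}


def lookup(table, stored_hash):
    """A table hit is a dictionary probe; no property of the hash is used."""
    return table.get(stored_hash)


def brute_force(algo, candidates, stored_hash, salt=b""):
    """The same guesses, hashed on demand for each target."""
    for c in candidates:
        if digest(algo, salt + c.encode()) == stored_hash:
            return c
    return None


def demo():
    """Run both approaches against unsalted and salted hashes of one value."""
    results = {}
    for algo in ("md5", "sha256"):
        table = build_table(algo, CANDIDATES)  # built without any salt
        unsalted = digest(algo, b"hunter2")
        salted = digest(algo, SAMPLE_SALT + b"hunter2")
        results[algo] = {
            "table_unsalted": lookup(table, unsalted),
            "brute_unsalted": brute_force(algo, CANDIDATES, unsalted),
            "table_salted": lookup(table, salted),  # table cannot be reused
            "brute_salted": brute_force(algo, CANDIDATES, salted, SAMPLE_SALT),
        }
    return results


if __name__ == "__main__":
    for algo, outcome in demo().items():
        print(algo, outcome)
```

The salted rows show why storage formats add a salt: the guessing still works against a weak password, but the work can no longer be done once and reused across records.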