Penetration Testing mailing list archives

RE: Craking Serv-u passwords stored in .ini file.
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Thu, 2 Sep 2004 13:20:35 -0400

Nekro--

Maybe I'm just ignorant here, but if you are referring to the recent
collision attacks on MD5, how does such an attack compromise serv-u
security? Being able to create two strings that hash to the same value
is orders of magnitude easier than finding a string that hashes to some
particular hash value. 

From what I see, the serv-u hash security is weak not because of the
weakness of MD5 or any other hashing algorithm, but rather because a
simple dictionary attack (performed 26^2 times) would be more effective
than attempting a preimage attack on the final hashed value.

If there's something here that I'm not getting, please let me know.

Regards,

Michael Scovetta

-----Original Message-----
From: M. D. [mailto:nekromancer () lycos com] 
Sent: Wednesday, September 01, 2004 11:37 AM
To: pen-test () securityfocus com
Subject: RE: Craking Serv-u passwords stored in .ini file.

Dear colleagues,

Googling around shows THIS:

http://www.cat-soft.com/serv-u-list/08%2014-Apr-99%20To%2005-Aug-02/msg09499.html

With that information and any good MD5 hash cracker (Lepton's Crack
comes to mind, but feel free to choose any other, I'm a bit biased being
one of the authors ;-) I think that you can try to bruteforce these
passwords.
Hope this info helps.
Cheers,

Nekromancer
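
Added example, not part of the thread: the work-factor comparison from the reply above, written as a Python password-audit helper with a slow, per-user-salted alternative beside it. The stored layout (two lowercase salt letters followed by the uppercase hex MD5 of salt plus password) is an assumption inferred from the 26^2 figure, and all function names and sample values are constructed.

```python
import hashlib
import math
import string

SALT_ALPHABET = string.ascii_lowercase  # assumption: salt letters are a-z
SALT_LEN = 2                            # assumption: two-letter salt (26^2 values)

def legacy_hash(password, salt):
    """Assumed legacy layout: salt followed by MD5(salt + password) in hex."""
    digest = hashlib.md5((salt + password).encode()).hexdigest().upper()
    return salt + digest

def audit_legacy(stored, wordlist):
    """Return the wordlist entry matching a stored value, or None.

    The salt is read back from the stored value itself, so a single
    pass over the wordlist is enough for each account being audited.
    """
    salt = stored[:SALT_LEN]
    for word in wordlist:
        if legacy_hash(word, salt) == stored:
            return word
    return None

def work_bits(wordlist_size):
    """log2 of the hash computations each approach needs."""
    salts = len(SALT_ALPHABET) ** SALT_LEN  # 26^2 = 676
    return {
        "dictionary_known_salt": math.log2(wordlist_size),
        "dictionary_all_salts": math.log2(wordlist_size * salts),
        "md5_collision_generic": 64.0,   # birthday bound, two chosen inputs
        "md5_preimage_generic": 128.0,   # input for one fixed hash value
    }

def hardened_hash(password, salt, iterations=600_000):
    """Alternative storage: random per-user salt and a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

if __name__ == "__main__":
    stored = legacy_hash("summer2004", "qx")  # constructed sample entry
    print(audit_legacy(stored, ["password", "letmein", "summer2004"]))
    for name, bits in work_bits(1_000_000).items():
        print(f"{name}: 2^{bits:.1f}")
```

Even across every possible salt, a million-word dictionary costs about 2^29 hash computations, far below either generic MD5 bound, so the weakness lies in password choice, the fast hash, and the tiny salt space rather than in MD5 collisions.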
