Penetration Testing mailing list archives

RE: Cracking Serv-u passwords stored in .ini file.
From: avarni () tech cj com
Date: Fri, 3 Sep 2004 11:57:14 -0700 (PDT)

On Fri, 3 Sep 2004, M. D. wrote:

> Hi Michael,
>
> It would have been much stronger, for example, the following:
>
> 1) hash the password, with or without prepending the salt, doesn't matter. I'm not using it in this example:
>     password: test
>     MD5 hash: 098F6BCD4621D373CADE4E832627B4F6
>
> 2) append the salt to the hash:
>     new "password": ab098F6BCD4621D373CADE4E832627B4F6
>
> 3) hash the resulting string:
>     new MD5 hash: BDF3BAAC3C947956A57CFA97310B5DE0
>
> 4) append the salt to the last hash if you like, but I don't see any particular reason to do so

Huh?  Salting does make things harder for password crackers.  And yes,
you need to display the salt in plaintext.  If you skip step #4 as
you propose here, then how does the authentication program know which
salt was used?

Prepending or appending the cleartext salt is a requirement. Otherwise
you'd have to check all possible salts each time someone tries to

OK, that's it for now.
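As an added illustration (not code from this thread or from Serv-U itself), the scheme quoted above in Python, with the salt stored in cleartext beside the hash as the reply argues it must be, plus the brute-force-over-all-salts verification the reply warns about; the `salt$hash` record layout and the two-hex-character salt are assumptions made for the example:

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

HEX = "0123456789abcdef"  # assumed salt alphabet: two lowercase hex chars, like 'ab'


def md5_hex(data: str) -> str:
    """Uppercase MD5 hex digest, matching the notation used in the thread."""
    return hashlib.md5(data.encode("utf-8")).hexdigest().upper()


def double_hash(password: str, salt: str) -> str:
    """Steps 1-3 as quoted: MD5 the password, prepend the salt, MD5 again."""
    return md5_hex(salt + md5_hex(password))


def make_record(password: str, salt: Optional[str] = None) -> str:
    """Stored form: cleartext salt, '$', hash (layout assumed for this example)."""
    if salt is None:
        salt = secrets.token_hex(1)  # two hex chars
    return f"{salt}${double_hash(password, salt)}"


def verify(password: str, record: str) -> bool:
    """Read the salt back from the record, recompute, compare in constant time."""
    salt, stored = record.split("$", 1)
    return hmac.compare_digest(double_hash(password, salt), stored)


def verify_without_stored_salt(password: str, stored_hash: str) -> Tuple[bool, int]:
    """What the reply objects to: if the salt is not kept in the record, the
    authenticator has to try every possible salt on each login attempt.
    Returns (matched, number_of_salts_tried)."""
    attempts = 0
    for a in HEX:
        for b in HEX:
            attempts += 1
            if hmac.compare_digest(double_hash(password, a + b), stored_hash):
                return True, attempts
    return False, attempts
```

Salting defeats precomputed tables but does nothing about the speed of MD5 itself; a deliberately slow derivation such as `hashlib.pbkdf2_hmac` addresses that part.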

