Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Determine Salt
Posted by: RonPaul
Date: June 03, 2012 05:51PM

i have a site i can see the users table

i figured out that they are using some unique salt, because of the 20,000 people, there are no matching md5 hashes

i tryed adding the userid before and after the plain text

i have looked thru all tables but can not find any salt value

i do not have read capabilities on files so i can not look at code

how do you suggest i figure out the hash?

make 100 accounts with the same password?

use a tool?

thx

Options: ReplyQuote
Re: Determine Salt
Posted by: Skyphire
Date: June 18, 2012 06:35PM

I would try to attack the weakness of a short salt.

Create an account with password that is 1 to 3 letters long: 'a' (if it will allow you to do so), get the password hash and run a rainbow table against it. If they use a short salt, then the chances are great to discover the salt if the password consists of only one to 3 letters.

For example:

Password: a
Salt: 194583
Result: a194583

If they allow numbers as a password, it would be even better!

Which would be fairly easy to run against, considering that a 8 char password can be 'cracked' in 12 minutes on a proper system.

Also try timestamps, time(), microtime(), rand(0,9) as salt, developers are lazy.

.



Edited 1 time(s). Last edit at 06/18/2012 06:39PM by Skyphire.

Options: ReplyQuote


Sorry, only registered users may post in this forum.