The big lie of computer security is that security improves by imposing complex passwords on users. In real life, people write down anything they can't remember. Security is increased by designing for the way humans actually behave. -Jakob Nielsen
Since there is no other walthrough/guide for Realistic Mission 5, I made one :P
What you will have learnt at the end of this guide :
1. What is hashing in general ?
2. Is hashed password safe? Can it be decrypted/cracked ?
3. What are collisions and how are they created ?
Telemarketers are invading peoples privacy and peace and quiet. Get the password for the administrative section of the site to delete their database and return the privacy of their victims!
Message: Yo! This is Spiffomatic64 from Hackthissite.org! I'm a bit of a hacker myself as you can see, but I recently came upon a problem I couldn't resolve...
Lately I've been getting calls day and night from the telemarketing place. I've gone to their website and hacked it once deleting all of their phone numbers so they wouldn't call me anymore. That was a temporary fix but they put their database back up, this time with an encrypted password. When I hacked them I noticed everything they used was 10 years out of date and the new password seems to be a 'message digest'. I have done some research and I think it could be something called MD5. I think you could somehow reverse engineer it or brute force it. I also think it would be a good idea to look around the server for anything that may help you.
So we begin...
First step is to observe closely all content on the site, especially the news items. Read all the news, did you find anything suspicious?
9/15/03 - Google was grabbing links it shouldn't be so I have taken extra precautions.
So yes, you got it, now the question is how does one prevent Google from indexing his site? Answer is pretty simple, google it.
Considering you have made it past the first stage, you now have access to 2 new directories. One will allow you to download a hash file and the other will give you a 32 bit HEX string (0-9a-f). Both of these are equally important for this mission.
Now remember go back to the Mission Message and read it again, thouroughly. It gives an idea regarding the algorithm used for hashing the password along with a statement that goes like.....
...When I hacked them I noticed everything they used was 10 years out of date.......
Suspicious isn't it? But now since you have acquired the hash file lets make some good use of it. What do you do with a file that hash no extension, open it up in notepad to see what treasure lies inside. Yes indeed it gives you...
1. The algorithm used for hashing
2. The Character Set used for the password.
Now that you know what the algorithm is lets enlighten ourselves, read up a little on the algorithm.
OK I wouldn't go into details explaining the actual algorithms behind hashing strings using MD4/MD5 etc but a general explanation of what hashing actually is.
A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
Make a note of that last statement
extremely unlikely that some other text will produce the same hash value....
Yes, indeed extremely unlikely, but definately possible.
Weaknesses in MD4 were demonstrated by Den Boer and Bosselaers in a paper published in 1991. In August 2004, researchers reported generating collisions in MD4 using "hand calculation" , alongside attacks on later hash function designs in the MD4/MD5/SHA/RIPEMD family.
So a little summary..
* MD4/MD5 are message digest/hashing algorithms which will produce a 32 character hexdecimal string, no matter however long the input may be.
* Since the possible combinations of hashes is a limited amount (2^128) for 128bit hashes, and the possibility of input strings is infinity, there will always be more than one string generating the same MD4/MD5 hash. These strings are known as collisions.
* They are one way algorithms hence, MD4/MD5 cannot be cracked, but they can be bruteforced to find collisions.
Once you find a collision the telemarketing site will accept that password and do a md4/md5 hash of the password and compare it with the md4/md5 value stored in the database. When they match you will be given access.
But now the question arises, how will you find a collision? Simple answer again a Google search will reveal numerous tools for bruteforcing MD4/MD5 hashes.
Head on to http://membres.lycos.fr/mdcrack/ and download MDCrack GUI version.
Now comes the fun part, where we will actually bruteforce the MD4/MD5 hash we got earlier using this tool.
Enter the 32 chracter hash into the box. Select the Character Set you found in the hash file. And from the algorithms menu select the algorithm you found within the hash file. When thats done hit the Start button and wait for about 30 seconds. The program will find the first collision and stop. Make a note of that collision string, thats your password through Mission 5.
Now a few footnotes. You may conclude from the above that MD5 algorithm is absolutely unsafe. Well, not always. A general practice on a website is to accept user input of password append it on both sides with a secret key (consisting of random ASCII characters, yes, all 255 characters are allowed), and then MD5 the resultant string and compare it with the MD5 stored in the database for authentication. So even if you DO find a collision for that MD5 hash, its certainly of no use since when the website appends the secret key to both its sides it becomes different from what the original password string would look like when hashed using MD5.
I find a collision for 3d5e7f9a9c47af65de95b876c065d87e
Say it is b348hi
And the Secret stored in the Database of the server is hf&^ft%
The actual password of the user is : flash
Now 'b348hi' when hashed using MD5 will generate the above hash.
But hf&^ft%b348hihf&^ft% will generate a completely different hash when compared to hf&^ft%flashhf&^ft%
Cast your vote on this article 10 - Highest, 1 - Lowest