MD5 Hash


Post by wildboy211 on Sat Sep 20, 2008 3:18 am

Okay, I'm trying to figure out if there's a vulnerability on my website. My website encrypts passwords via MD5; is there any PHP or SQL vulnerability to get a password from my site? Here is some code that my site uses to encrypt a password:
$row['pass'] == md5($row['secret'] . $password . $row['secret'])

$row['secret'] is a random MD5 hash generated when the user registered, stored in the database. Is there a way to hack into the database and find the password? I also know that after a user logs in, it stores a cookie with the username and MD5 hash value.


Re: MD5 Hash

Post by BhaaL on Sun Sep 21, 2008 6:20 am

Knowing 'secret', one could attempt to brute-force the password. But considering you store it in a cookie, also add stuff like the user's IP, for example, and check that. Else one could forge a cookie with the username/hash (think of someone dumping your database, having obtained the whole user table, but no passwords cracked yet) and be logged in without ever knowing the password.
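The cookie problem raised in the reply above, as an added example (not code from this thread or from the poster's site): the login cookie carries a random session token instead of the username and password hash, so nothing in a dumped user table works as a cookie. It swaps the salted MD5 for PHP's built-in password_hash()/password_verify(); the $users and $sessions arrays and the function names are assumptions standing in for the site's database.

```php
<?php
// Added example. $users and $sessions are constructed in-memory stand-ins
// for the site's database tables; all function names are hypothetical.
$users = [];
$sessions = [];

function register(array &$users, string $name, string $password): void {
    // password_hash() generates its own per-user salt and uses a slow,
    // tunable algorithm, replacing md5($secret . $password . $secret).
    $users[$name] = ['pass' => password_hash($password, PASSWORD_DEFAULT)];
}

function login(array $users, array &$sessions, string $name, string $password): ?string {
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['pass'])) {
        return null; // unknown user or wrong password: no token issued
    }
    // The cookie value is a random token, unrelated to the password hash.
    $token = bin2hex(random_bytes(32));
    // Store only a digest of the token, so a dumped session table
    // does not contain usable cookie values either.
    $sessions[hash('sha256', $token)] = ['user' => $name, 'expires' => time() + 3600];
    return $token; // in a real site: sent via setcookie() with Secure and HttpOnly
}

function userFromCookie(array $sessions, string $cookie): ?string {
    $key = hash('sha256', $cookie);
    if (!isset($sessions[$key]) || $sessions[$key]['expires'] < time()) {
        return null; // unknown or expired token
    }
    return $sessions[$key]['user'];
}

register($users, 'alice', 'correct horse battery staple'); // constructed sample user
$cookie = login($users, $sessions, 'alice', 'correct horse battery staple');

// A cookie issued at login resolves to the user.
var_dump(userFromCookie($sessions, $cookie));
// Values an attacker would read from a dumped database are rejected as cookies:
var_dump(userFromCookie($sessions, $users['alice']['pass']));    // stored password hash
var_dump(userFromCookie($sessions, array_key_first($sessions))); // stored token digest
// A wrong password yields no token.
var_dump(login($users, $sessions, 'alice', 'guess'));
```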


Re: MD5 Hash

Post by dotdotslash on Tue Oct 28, 2008 9:35 am

Can someone tell me how to recognize an MD5 or MD4 hash? What's the difference between these hashes (SHA, MD5) and all? Just by looking, and if not, is there any other means?


Re: MD5 Hash

Post by nathandelane on Wed Jan 14, 2009 10:40 am

dotdotslash wrote: Can someone tell me how to recognize an MD5 or MD4 hash? What's the difference between these hashes (SHA, MD5) and all? Just by looking, and if not, is there any other means?


MD4 Sums are 128 bits in length, for example b86e130ce7028da59e672d56ad0113df. MD5 Sums are also 128 bits in length, for example 9e107d9d372bb6826bd81d3542a419d6 (both hashes are from the phrase "The quick brown fox jumps over the lazy dog"). So I can see that it would be somewhat difficult to tell them apart. I don't believe that there is a way to know the difference just by looking at them. But you can probably guess in most cases, especially if you know when the hash (date-wise) was created. Most people will opt for a higher quality hash as the quality of hashes is found to be fragile. In the case of MD4, "Weaknesses in MD4 were demonstrated by Den Boer and Bosselaers in a paper published in 1991," (From Wikipedia) so I suspect that most programs written after 1991 utilize SHA-like or MD5 hashing.

Knowing your history really counts when it comes to hacking.


