## Need help With hashes


### Need help With hashes

OK, I was wondering if somebody can help me by telling me where the hashes are located in the URL or any other places they might be.

-divide100
divide100
New User

Posts: 1
Joined: Sat May 31, 2008 6:23 pm

### Re: Need help With hashes

I don't think you understand the concept of hashes. You might want to read up on it. That and try Real 5 I think... (Damn Telemarketers)
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.

fashizzlepop
Developer

Posts: 2190
Joined: Sat May 24, 2008 1:20 pm

### Re: Need help With hashes

Yeah, I think you've got the wrong end of the stick.
Let's say I hack a server and I find a password file in plaintext (i.e. let's say the password is "hello", the password would be stored in the file as simply "hello").
Now to make it more secure, the server owner might decide to use a hashing algorithm (such as md5 or base64) to protect the password.
The point of hashing is that you can encrypt the password into a load of garble - but you can't decrypt it, even if you had the entire algorithm in front of you, it is 100% impossible to decrypt it. Sounds sort of impossible but this is how it's done:
I'm going to show you a really basic and really insecure hash. In real life it'd be much more complicated and secure, but the principle is the same.
The hashing algorithm is "a=1,b=2,c=3, d=4 etc etc".
abc = 1+2+3 = 6.
Therefore if I found the hash of "abc" it'd be "6".
Now I cannot get the actual password back out of that though I can guess. This is called bruteforcing.
You can get programs (such as 'Cain and Abel') that will repeatedly test a hash to try and get the password.
Keeping with our really rubbish hashing algorithm, the program would test it like this:
Test 'aaa': 1+1+1 = 3, is hash '3'? No, try again.
Test 'aab': 1+1+2 = 4, is hash '4'? No, try again.
Test 'aac': 1+1+3 = 5, is hash '5'? No, try again.
Test 'aad': 1+1+4 = 6, is hash '6'? Yes - stop testing.
Using the algorithm "a=1, b=2 etc", if your password is 'abc', you can also enter 'aad' and 'bbb' and countless other combinations. That is a poor algorithm, of course. A good algorithm like md5 would take ages to bruteforce as there are so few possibilities.

Now, having written all that, I'm starting to think you might be wondering where hashes are usually stored..
Lmaoo..
On a Unix server, generally taking a look around the directory "etc" is always a good idea.
Learning Unix directory structure would be a good idea: http://docweb.cns.ufl.edu/docs/d0107/ar07s03.html
Hope that helped,
thedotmaster

thedotmaster
Contributor

Posts: 988
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK

### Re: Need help With hashes

thedotmaster wrote:...The point of hashing is that you can encrypt the password into a load of garble - but you can't decrypt it, even if you had the entire algorithm in front of you, it is 100% impossible to decrypt it...

May I interject? Ok thanks. These statements may be misleading. First off, I'd like to point out that hashing doesn't turn a password into garble, it turns it into a hash. A hash is typically a number, though I'm certain it could be something else. The easiest way to hash something, like thedotmaster pointed out, is to take the characters used in the password and add up values associated with those characters. Another important piece of hashing however, includes avoiding collisions. A collision occurs in a hashing algorithm when multiple source values hash to the same value. For example, although they are unique both abcdef and acbdfe would hash to the same number using simple hashing. To avoid collisions they must be handled in some way - that's probably the more difficult part of writing hashing algorithms. There are however many hashing algorithms that have been proven to work so well that collisions are reduced significantly. Hashes are the basis for hashtables, which you may discover while learning how to program. They are a type of collection, similar to arrays.

The point I'm trying to make is that hashes, though difficult to decipher, are not unhackable; it would just take a lot of brute force to hack them. On the other hand, if you know the method used to hash a password, then you could try several million passwords, hash them using the known method, and if one of them matches then you've either found the password, or at least one that collides with the same hash, just like thedotmaster pointed out.
Me, Nathandelane, Highly influential to Hackerdom, Premature Optimization=http://c2.com/cgi/wiki?PrematureOptimization

nathandelane
Poster

Posts: 204
Joined: Thu Jun 26, 2008 11:26 am
Location: Utah
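
An added example, not part of any post in this thread: the "a=1, b=2" letter-sum hash from thedotmaster's post and the collision point from nathandelane's reply, set beside a salted, deliberately slow password hash of the kind a server should store. The function names and the PBKDF2 parameters (SHA-256, 16-byte salt, 600,000 iterations) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from itertools import product
from string import ascii_lowercase


def letter_sum(word):
    """The thread's toy hash: a=1, b=2, ... z=26, added together."""
    return sum(ord(c) - ord("a") + 1 for c in word.lower())


def preimages(target, length):
    """Every lowercase string of `length` letters whose toy hash is `target`.

    The size of this list is the number of different passwords a login
    check based on letter_sum() would accept for one stored value.
    """
    words = ("".join(p) for p in product(ascii_lowercase, repeat=length))
    return [w for w in words if letter_sum(w) == target]


def store_password(password, iterations=600_000):
    """Return (salt, iterations, digest), the record a server would keep.

    A fresh random salt makes equal passwords produce different records;
    the iteration count makes every single guess expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("toy hash of 'abc':", letter_sum("abc"))
    print("3-letter strings sharing it:", preimages(letter_sum("abc"), 3))
    print("abcdef vs acbdfe:", letter_sum("abcdef"), letter_sum("acbdfe"))
    record = store_password("hello")  # constructed sample password
    print("correct password verifies:", verify_password("hello", record))
    print("wrong password verifies:", verify_password("hellp", record))
```
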

### Re: Need help With hashes

nathandelane wrote:May I interject? Ok thanks.......

Ok yes, fair enough about the garble bit - I was just trying to make it a little easier to understand.
But yes I shouldn't have said that.
Now they are 100% unhackable for when I say unhackable I mean they cannot be decrypted. I personally do not call brute forcing, hacking - though sometimes it is very useful. That is my own personal opinion.
But yeah, hashes are something that are a little hard to explain.
peace
thedotmaster

thedotmaster
Contributor

Posts: 988
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK

### Re: Need help With hashes

Brute forcing is indeed a form of hacking and is sometimes a technique that is overlooked by "hackers"; however, the fact of the matter is that it is an invaluable technique in the trade, and if you're going to think anything is un-hackable you are in the wrong state of mind to be hacking.
Static-Oblivion
New User

Posts: 33
Joined: Thu May 15, 2008 6:21 am

### Re: Need help With hashes

Static-Oblivion wrote:Brute forcing is indeed a form of hacking and is sometimes a technique that is overlooked by "hackers"; however, the fact of the matter is that it is an invaluable technique in the trade, and if you're going to think anything is un-hackable you are in the wrong state of mind to be hacking.

Bruteforcing can get you unauthorised access to a website, but it isn't hacking.
Hacking involves skill; brute forcing rarely does.
It all depends on how you define a hacker, but the hacker mentality can be applied to many fields of life - not just computers.
If you need to get access to a website, brute forcing is a last resort. It's slow, it's not secure (easily caught) and it's clumsy.

thedotmaster
Contributor

Posts: 988
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK

### Re: Need help With hashes

@thedotmaster

BTW... .htaccess is also a good place to look for hashes as well. Cookies too... A cookie stealer can work wonders on small forum sites.

mutants_r_us_guild
Poster

Posts: 246
Joined: Fri May 30, 2008 7:56 pm

### Re: Need help With hashes

To the above ^
When I said "brute forcing", I meant brute forcing a login. Brute forcing a hash is the only way to get a password out of it!
And I don't know why you thought yourself stupid by bruting a hash, it's the best thing to do.

thedotmaster
Contributor

Posts: 988
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK

### Re: Need help With hashes

Lol I get a forbidden message when entering .htaccess at the end of small forums.

Forbidden
You don't have permission to access /board/.htaccess on this server.

--------------------------------------------------------------------------------

Apache/1.3.27 Server at www.cgshade.com Port 80

Was funny to try though lol
Froger
New User

Posts: 39
Joined: Sat Aug 09, 2008 6:11 pm