Need help With hashes

[divide100]

ok i was wondering if somebody can help me by telling me were the hashes are located in the URL or any other Places it might be.

-divide100

[fashizzlepop]

I don't think you understand the concept of hashes. You might want to read up on it. That and try Real 5 I think... (Damn Telemarketers)

[thedotmaster]

Yeah, I think you've got the wrong end of the stick.
Let's say I hack a server and I find a password file in plaintext (i.e. let's say the password is "hello", the password would be stored in the file as simply "hello").
Now to make it more secure, the server owner might decide to use a hashing algorithm (such as md5 or base64) to protect the password.
The point of hashing is that you can encrypt the password into a load of garble - but you can't decrypt it, even if you had the entire algorithm in front of you, it is 100% impossible to decrypt it. Sounds sort of impossible but this is how it's done:
I'm going to show you a really basic and really insecure hash. In real life it'd be much more complicated and secure, but the principal is the same.
I enter the password "abc".
The hashing algorithm is "a=1,b=2,c=3, d=4 etc etc".
abc = 1+2+3 = 6.
Therefore if I found the hash of "abc" it'd be "6".
Now I cannot get the actual password back out of that though I can guess. This is called bruteforcing.
You can get programs (such as 'Cain and Abel') that will repeatedly test a hash to try and get the password.
Keeping with our really rubbish hashing algorithm, the program would test it like this:
Test 'aaa': 1+1+1 = 3, is hash '3'? No, try again.
Test 'aab': 1+1+2 = 4, is hash '4'? No, try again.
Test 'aac': 1+1+3 = 5, is hash '5'? No, try again.
Test 'aad': 1+1+4 = 6, is hash '6'? Yes - stop testing.
Using the algorithm "a=1, b=2 etc", if your password is 'abc', you can also enter 'aad' and 'bbb' and countless other combinations. That is a poor algorithm, of course. A good algorithm like md5 would take ages to bruteforce as there are so few possibilities.

Now, having written all that, I'm starting to think you might be wondering where hashes are usually stored..
Lmaoo..
On a Unix server, generally taking a look around the directory "etc" is always a good idea.
Learning Unix directory structure would be a good idea: http://docweb.cns.ufl.edu/docs/d0107/ar07s03.html
Hope that helped,
thedotmaster

[nathandelane]

...The point of hashing is that you can encrypt the password into a load of garble - but you can't decrypt it, even if you had the entire algorithm in front of you, it is 100% impossible to decrypt it...

May I interject? Ok thanks. These statements may be misleading. First off, I'd like to point out that hashing doesn't turn a password into garble, it turns it into a hash. A hash is typically a number, though I'm certain it could be something else. The easiest way to hash something, like thedotmaster pointed out, is to take the characters used in the password and add up values associated with those characters. Another important piece of hashing however, includes avoiding collisions. A collision occurs in a hashing algorithm when multiple source values hash to the same value. For example, although they are unique both abcdef and acbdfe would hash to the same number using simple hashing. To avoid collisions they must be handled in some way - that's probably the more difficult part of writing hashing algorithms. There are however many hashing algorithms that have been proven to work so well that collisions are reduced significantly. Hashes are the basis for hashtables, which you may discover while learning how to program. They are a type of collection, similar to arrays.

The point I'm trying to make is that hashes, though difficult to decypher, are not unhackable, it would just take a lot of brute force to hack them, on the other hand if you know the method used to hash a password, then you could try several million passwords, hash them using the known method, and if one of them matches then you've either found the password, or at least one that collides with the same hash, just like thedotmaster pointed out.

[thedotmaster]

May I interject? Ok thanks.......

Ok yes, fair enough about the garble bit - I was just trying to make it a little easier to understand.
But yes I shouldn't have said that.
Now they are 100% unhackable for when I say unhackable I mean they cannot be decrypted. I personally do not call brute forcing, hacking - though sometimes it is very useful. That is my own personal opinion.
But yeah, hashes are something that are a little hard to explain.
peace
thedotmaster

[Static-Oblivion]

Brute forcing is indeed a form of hacking and is sometimes a technique that is overlooked "hackers" how ever the fact of the matter is that it is a invaluable technique in the trade and if you going to think anything is un-hackable you are in the wrong state of mind to be hacking.

[thedotmaster]

Brute forcing is indeed a form of hacking and is sometimes a technique that is overlooked "hackers" how ever the fact of the matter is that it is a invaluable technique in the trade and if you going to think anything is un-hackable you are in the wrong state of mind to be hacking.

Bruteforcing can get you unauthorised access to a website, but it isn't hacking.
Hacking involves skill; brute forcing rarely does.
It all depends on how you define a hacker, but the hacker mentality can be applied to many fields of life - not just computers.
If you need to get access to a website, brute forcing is a last resort. It's slow, it's not secure (easily caught) and it's clumsy.

[mutants_r_us_guild]

@thedotmaster

Brute Forcing isn't necessarily easily caught. Only if you aren't brute forcing on the server. Several million extra POST requests is enough to raise anyone's eyebrows. However, say you find a hash on the server. You can run that through Cain or JTR as many times as you want and nobody can catch you. As for the clumsy part... yeah, you got me there. I've only ever had to brute force two times in the wild. One was some bulletin board site like PHBB or Proboards or something. Cain handled that like it was nothing. The second time however was a tad more sophisticated. It was a site called asciiconvert.com. It allowed you to upload images that were then converted to ascii art and saved to the server. So, being the hacker that I am, I couldn't resist the temptation of attempting to upload a shell to it. And wouldn't ya know it... it worked. I found the .htaccess file and tried to crack the hashes.. but 2 hours later... nothing. Then I realized how dumb I was. I was cracking a hash to get the pass for the admin page however, I had the ability to download the source for any file on the server.. including the admin page. lol. So I just saved it as a php file on my desktop and uploaded the same way I did the shell. Then I could do everything the admin could do... even modify pages via the shell. I don't know if they fixed it or not... itll still upload a shell without any errors, but it wont tell you where the file went on the server so I can't find the shell. Oh well.. It was fun while it lasted.

BTW... .htaccess is also a good place to look for hashes as well. Cookies too... A cookie stealer can work wonders on small forum sites.

[thedotmaster]

To the above ^
When I said "brute forcing", I meant brute forcing a login. Brute forcing a hash is the only way to get a password out of it!
And I don't know why you thought yourself stupid by bruting a hash, it's the best thing to do.

[Froger]

Lol I get a forbidden message when entering .htaccess at the end of small forums.


Forbidden
You don't have permission to access /board/.htaccess on this server.


--------------------------------------------------------------------------------

Apache/1.3.27 Server at www.cgshade.com Port 80

Was funny to try though lol