I've been playing with this for 2 days now. I found out so far that this was an MD* ...x type hash with both the salt and the hash value hashed together.
It has a salt which should prevent me from any attacks (BF, dict, rainbow), and the crypt algorithm is very slow, so does it make sense at all to play with a cracker program?
What program should I use? I do have PasswordPro but it couldn't solve it. Maybe any tips for restrictions to use, like dictionary, rules etc? (I have read that rainbow tables won't work with these...)
-- Tue Nov 27, 2012 6:13 pm --
[quote="UsernameHerpDerp"]OK, I have several problems with this mission. Secondly - Why the shit would the .htpasswd file have a password encrypted in some bullshit hash? .htpasswd files are in the format username:password, where the password is A 13-CHARACTER crypt() ENCRYPTION OF THE FIRST 8 LETTERS OF THE USER-ENTERED PASSWORD. That is the standard, and that is what .htaccess uses. Maybe I'm being obtuse here; maybe there is some way to change the encryption algorithm from crypt() to some custom hashing algorithm. But if the web designer was stupid enough to put the .htaccess file in the same directory that he was blocking off, I really doubt he would be cautious enough to change the encryption on the password, and even if he was, he sure as hell wouldn't change it to something that can be cracked with a simple rainbow table, he would salt it appropriately etc.[/quote]
-From the Apache site, about switches: "-m: Use MD5 encryption for passwords. This is the default."
-As for the ridiculous security leak... what if they put it in a restricted URI? The mission would not be harder but IMPOSSIBLE.
IMHO this mission is cool anyway. If it was only for a weak encryption it would be boring. I also liked the part of finding out the hash format. And I'm not finished yet.
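The hash formats discussed in this thread can be told apart by shape alone, which is handy when auditing an .htpasswd file for legacy entries. The following is an added example, not part of the original post; the function names and the sample entries are constructed for illustration and the hash bodies are filler characters, not real hashes.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3)-style hashes

# (scheme, pattern for the hash field, legacy?) - the salt is group 1 where present
SCHEMES = [
    ("apr1-md5", re.compile(rf"^\$apr1\$({B64}{{1,8}})\${B64}{{22}}$"), False),
    ("bcrypt", re.compile(rf"^\$2[aby]\$\d\d\$({B64}{{22}}){B64}{{31}}$"), False),
    # {SHA} is base64 of a 20-byte SHA-1 digest and carries no salt
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), True),
    # traditional crypt(): 2-char salt + 11 chars, only 8 password chars used
    ("des-crypt", re.compile(rf"^({B64}{{2}}){B64}{{11}}$"), True),
]


def classify(line):
    """Return (user, scheme, salt, legacy) for one 'user:hash' line."""
    user, sep, field = line.strip().partition(":")
    if not sep:
        raise ValueError("not a user:hash line")
    for name, pattern, legacy in SCHEMES:
        m = pattern.match(field)
        if m:
            salt = m.group(1) if m.groups() else None
            return user, name, salt, legacy
    return user, "unknown", None, None


def audit(lines):
    """Classify every non-empty, non-comment line of an .htpasswd file."""
    return [classify(l) for l in lines if l.strip() and not l.startswith("#")]


# Constructed sample entries (filler hash bodies, shapes only).
SAMPLE = [
    "alice:$apr1$saltsalt$" + "A" * 22,
    "bob:ab" + "C" * 11,
    "carol:{SHA}" + "D" * 27 + "=",
    "dave:$2y$05$" + "E" * 53,
    "erin:plaintext",
]

if __name__ == "__main__":
    for user, scheme, salt, legacy in audit(SAMPLE):
        print(f"{user:6} {scheme:10} salt={salt} legacy={legacy}")
```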