Results 1 to 25 of 27
Thread: MySQL decryption
-
10-01-2002, 06:28 PM #1Aspiring Evangelist
- Join Date
- Jul 2001
- Posts
- 424
MySQL decryption
I was looking at a dump I made of an old mysql databse of my passwords I used for various things. I no longer have the program I wrote to correspond with it, and frankly I dont want to take the time to redo the script, as I have a lot to do.
Is there a program that can decrypt passwords that were stored in a mysql database? The one that I need is...
b50ac41ec20631c7b6be72f070d8ff67
Thanks,
dbzgod
-
10-01-2002, 07:28 PM #2Web Hosting Master
- Join Date
- Sep 2002
- Location
- Illinois
- Posts
- 2,307
there is no way to decrypt the passwords made by md5 or password functions
How's my programming? Call 1-800-DEV-NULL
-
10-01-2002, 07:36 PM #3WHT Addict
- Join Date
- Mar 2002
- Posts
- 123
You can try guessing.
But that will take a while.www.atlanticrail.com
-
10-01-2002, 07:39 PM #4Web Hosting Master
- Join Date
- Sep 2002
- Location
- Illinois
- Posts
- 2,307
try guessing.... That's funny. It will take millions of years :-)
How's my programming? Call 1-800-DEV-NULL
-
10-02-2002, 12:13 AM #5Web Hosting Master
- Join Date
- Jan 2002
- Location
- Atlanta, GA
- Posts
- 1,249
Judging by the length or the string it appears to be a MD5 hash....
So you want to know what the string is eh?
Good luck. If you do crack it you'd probably get a few mathematics awards, seriously.
The reason why they are encrypted like that is because the are almost impossible to decrypt.char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
I wear a gray hat
-
10-02-2002, 01:01 AM #6Web Hosting Master
- Join Date
- Apr 2001
- Location
- Depok, Indonesia
- Posts
- 988
Re: MySQL decryption
Originally posted by dbzgod
Is there a program that can decrypt passwords that were stored in a mysql database? The one that I need is...
b50ac41ec20631c7b6be72f070d8ff67
-
10-02-2002, 02:22 AM #7Web Hosting Master
- Join Date
- Jan 2002
- Location
- Atlanta, GA
- Posts
- 1,249
Re: Re: MySQL decryption
Originally posted by priyadi
That looks like MD5 hash. That's one way encryption, you can encrypt, but you can't decrypt. You can brute force the hash but it will take lots of time. I'll try to brute force it using john the ripper but don't count on it
It's a hash... Not an encryption...
It's a one-way method... There are no true mathematical formulas that can reverse a hash.char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
I wear a gray hat
-
10-02-2002, 02:44 AM #8Web Hosting Master
- Join Date
- Apr 2001
- Location
- Depok, Indonesia
- Posts
- 988
Re: Re: Re: MySQL decryption
Originally posted by Studio64
No... You can't brute force it...
It's a hash... Not an encryption...
It's a one-way method... There are no true mathematical formulas that can reverse a hash.
On the other hand, I gave up using john the ripper, it looks like I need to patch it and I don't have time to do it
-
10-02-2002, 04:46 AM #9Web Hosting Master
- Join Date
- Jan 2002
- Location
- Atlanta, GA
- Posts
- 1,249
Re: Re: Re: Re: MySQL decryption
Originally posted by priyadi
Why not? I'd try a lot of combination of letters and compute the hash until the hash matches. That's called brute force right?
On the other hand, I gave up using john the ripper, it looks like I need to patch it and I don't have time to do it
Every password protection scheme I have implemented in sites that I run use 2 tables for password authentication. 1 is a TINYINT of a 5 digit randomly generated (at the time of password creation) number that is used to salt the password in the crypt function then md5 the result twice
So you go ahead and try to "brute force" my hash ...
Your trying to brute force a string that is 32 charecters long.
That is 32 spaces that can be filled with
-- 52 letters (upper or lower case)
-- 10 numbers
That gives you 62 possible choices for 32 spaces.
If my math isn't mistaken that would be (62!)*32.
62 factorial = 507580213877224600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Now multiply that number by 32 ...
Thats how many possible combinations you would need to try..
Good luck... I'll see you when the Sun explodes (but, when it really does not what WWNews says)char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
I wear a gray hat
-
10-02-2002, 05:12 AM #10Junior Guru
- Join Date
- Sep 2002
- Location
- Dallas, TX
- Posts
- 205
Yeah, but speaking theoretically, by brute forcing, it's just as likely I'll guess correctly the first time than the last time.
/me tries...no, damn!
/me tries again...no, damn!justin 'at' abrogo.com
http://www.abrogo.com
Shared Unix Hosting
-
10-02-2002, 05:33 AM #11Web Hosting Master
- Join Date
- Apr 2001
- Location
- Depok, Indonesia
- Posts
- 988
If I know your md5 as well as your salt (and the algorithm of course) it is still possible to brute force your password.
For web apps I'd just put the salt in the same fields as the md5 hash since I'm not going to show anyone the hash nor the salt. For salt I'd use md5 sum of 16KB of /dev/urandom instead of your puny random tinyint
MD5 is 128 bit, so it has 2 ^ 128 = 340282366920938463463374607431768211456 combinations, normally represented in 32 characters representing 4 bit each (16 combination of characters, 0-9a-f). One message have one unique checksum from that many combination. If you have more than 2^128 messages, you are going to have some dups. So, to brute force it you need to have more than 2^128 messages, but it still can be simplified if you have weak password listed in wordlists.
-
10-02-2002, 07:27 AM #12Aspiring Evangelist
- Join Date
- Jul 2001
- Posts
- 424
Ah, well that suxs. I really wanted to figure it out. Anyway, thanks for the responses.
Neo
-
07-08-2005, 03:31 PM #13New Member
- Join Date
- Jul 2005
- Posts
- 1
b50ac41ec20631c7b6be72f070d8ff67
torres <-- decrypted ...... wheres my math award.
-
07-08-2005, 03:55 PM #14Web Hosting Evangelist
- Join Date
- Apr 2005
- Posts
- 522
Originally posted by cryoes
b50ac41ec20631c7b6be72f070d8ff67
torres <-- decrypted ...... wheres my math award.
http://topfx.com/dist/digest/digest-842.txt
A tip: "crackers" started using google for decrypting md5, sha1 and the like since there are people that encrypted common words and made a word list..and google indexed it
If it happens to you that you forgot where the original string came from - try to google it.
-
07-08-2005, 05:20 PM #15Aspiring Evangelist
- Join Date
- Feb 2005
- Location
- Norway
- Posts
- 391
rainbow tables,huh?
-
07-08-2005, 06:41 PM #16Web Hosting Master
- Join Date
- Jun 2004
- Location
- Bay Area -USA
- Posts
- 1,740
I got it! The password is "mulligan"
Here is how I got it:
PHP Code:$selection = mysql_query("UPDATE users SET password='".md5('mulligan')."' where password='b50ac41ec20631c7b6be72f070d8ff67';");
<<< Please see Forum Guidelines for signature setup. >>>
-
07-08-2005, 06:42 PM #17Web Hosting Master
- Join Date
- Jun 2004
- Location
- Bay Area -USA
- Posts
- 1,740
Re: Re: Re: Re: MySQL decryption
Originally posted by priyadi
On the other hand, I gave up using john the ripper, it looks like I need to patch it and I don't have time to do it<<< Please see Forum Guidelines for signature setup. >>>
-
07-08-2005, 07:09 PM #18Web Hosting Master
- Join Date
- Dec 2004
- Location
- Canada
- Posts
- 1,097
You can't brute-force a hash; that is you can't be sure that even if the hash matches that the input is the same. Because the output of the hashing function is a fixed size, while the input can be any size, there are an infinite number of possible inputs that generate a given hash. To find one, you still need to go through a huge number of possibilities, but you can never be sure that it exactly matches the original input. That's why it's not encryption; there is less information stored in the hash than in the input.
Of course, any value that generates the same hash will obviously satisfy any checks against the hash, such as a password check, so the point is moot here.
-
07-08-2005, 07:31 PM #19Web Hosting Evangelist
- Join Date
- Apr 2005
- Posts
- 522
error404, you can brute-force a hash. There's a fixed amout of characters that you can input..not infinite. But then again, the time required to brute-force something like that becomes the decisive factor..
-
07-08-2005, 08:22 PM #20Web Hosting Master
- Join Date
- Dec 2004
- Location
- Canada
- Posts
- 1,097
Originally posted by maxymizer
error404, you can brute-force a hash. There's a fixed amout of characters that you can input..not infinite. But then again, the time required to brute-force something like that becomes the decisive factor..
And as I said before, collisions are inevitable whenever the output domain of the function is smaller than it's input domain. It's entirely possible for 'foo' and 'bar' to have the same hash output, and it would be impossible to tell which was given to the hash function as input originally when compared to an existing hash.
Essentially, hashing is a glorified method of error checking. From an arbitrary data set a hash can be computed that (with reasonable accuracy) can prove the integrity of that data once transferred. It, of course, has other uses such as one-way encryption, but the concept behind it is similar to that of simpler schemes such as parity.
-
07-08-2005, 09:22 PM #21Web Hosting Evangelist
- Join Date
- Apr 2005
- Posts
- 522
And what does your post now has to do with proving the fact that the hashes can be brute-forced?
They can be brute-forced and that's the fact that won't change. All you need is time, as always so I don't get why you had to go trough explaining what's hashing and what are collisions..
-
07-08-2005, 11:22 PM #22Aspiring Evangelist
- Join Date
- Feb 2005
- Location
- Norway
- Posts
- 391
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowtables.shmoo.com/
http://rainbowcrack.com
If I got it right you can decrypt a MD5 hash within seconds with good precomputed "rainbow tables".
-
07-09-2005, 01:55 AM #23Web Hosting Guru
- Join Date
- May 2004
- Location
- Singapore
- Posts
- 263
They can be brute-forced and that's the fact that won't change. All you need is time, as always so I don't get why you had to go trough explaining what's hashing and what are collisions..
If I got it right you can decrypt a MD5 hash within seconds with good precomputed "rainbow tables".
Of course, for practical purposes concerning passwords there is very little difference.#include<cstdio>
char*s="#include<cstdio>%cchar*s=%c%s%c;%cint main(){std::printf(s,10,34,s,34,10);}";
int main(){std::printf(s,10,34,s,34,10);}
-
07-09-2005, 03:30 AM #24Web Hosting Master
- Join Date
- Jun 2004
- Location
- Bay Area -USA
- Posts
- 1,740
Originally posted by UrlGuy
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowtables.shmoo.com/
http://rainbowcrack.com
If I got it right you can decrypt a MD5 hash within seconds with good precomputed "rainbow tables".<<< Please see Forum Guidelines for signature setup. >>>
-
07-09-2005, 03:34 AM #25Newbie
- Join Date
- Jan 2005
- Posts
- 7
You all just confused the sh*t out of me....