Forum Thread: Help with Hash Decryption

Hello, today was my first job as a pen tester for my high school, from which I graduated almost 2 years ago. I'm atm at college studying Computer Science and I'm in an institute preparing to get the Certified Ethical Hacker and CISSP certificates.

The thing is, I could find a blind SQL injection vulnerability with uniscan and I exploited it with sqlmap. I got some database with the administrator account for the website account credentials. But the password is hashed (hash-identifier said it is MD5) but I could crack it as I did with other hashes. I used hashcat for this with simple rules and a 15GB dictionary, which lasted for just 5 minutes, but I had no success (I have a GTX 960m 2GB). Now I'm using rockyou-30000 rules and it's taking about 1 day to crack it. Could anyone who has more ideas on password cracking help me?

Here is the hash: aab32bf93a4b0227537c2532b6f6992f
BTW this is my first post in this forum. I have learned a lot here and I really appreciate what you are doing.
P.S.: I don't know if this is relevant but my native language (my school's too) is Spanish. I hope someone can help me.

4 Responses

I assume you checked the usual rainbow table sites: http://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function. You may want to alert them that storing MD5 passwords is bad form. Brute force is always slow, so you may have to wait it out. If you were able to dump ANY creds and brute them you may be able to elevate privilege. Since the site was open to SQL injection, have you attempted a web reverse TCP shell? What is the scope of your test?

Just checking for vulnerabilities. The father of a friend manages everything in the computer sector of the school and asked me to check for vulnerabilities, as he doesn't know anything about pen testing.

One question: how accurate are hash-identifier results? Because maybe the cryptography is not MD5 and I'm wasting my time trying to crack this passwd.

I didn't want to try anything like you said before cracking this password. I'll make a full vulnerability analysis (at least the things I know) and then tell him about this, just as a favor and for practice; I'm not doing this for money.

I was just wondering if it was just a website test or a full network test of their IP space. That's a major vuln even if you don't crack the hash. Also it's probably not wise to post the hash on the site, and all the info that you did. It's enough information that you could be potentially doxxed.
