IE content advisor password hash

Posted on 2005-04-17
Last Modified: 2013-12-04
I was wondering how the password hash is stored in the registry... which algorithm is used? It can't be MD5; I already compared the output of an MD5 calc and the reg hash, but the results were totally different :|

Any suggestions?
Question by:lbolek
14 Comments
 
LVL 16

Expert Comment

by:CodedK
ID: 13813402
Hi.
Can you paste an encrypted string?
0
 
LVL 1

Author Comment

by:lbolek
ID: 13817796
This is an example of advisor's registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
"Key"=hex:14,4f,22,14,06,1a,c1,76,35,86,13,8e,3b,42,00,71

This key represents the encrypted pwd "123"

some more:
4321:   ce,f5,be,0f,e4,87,b6,be,51,7d,9b,2a,39,74,ca,da
12:       03,cd,58,6b,aa,62,ee,c0,f7,03,3c,72,00,f8,f7,f1
2:         6d,5a,ba,bb,65,e9,ff,21,4b,73,e8,91,b4,af,e6,e8
0
 
LVL 16

Accepted Solution

by:
CodedK earned 140 total points
ID: 13821810
:)

It's 128-bit encryption (RSA encryption)
Number Base 16

To check it for yourself, go to this link:
http://www.wasm.ru/all.php?mode=tool

Download "Rsa Tool v 1.10".

Read carefully the help file.

To check it fast ... do the following
1. Copy paste the 4321 encrypted string you gave me in the "Modulus" field.
2. Remove the commas
3. Press the "Exact Size" button. (This will show you the bits of encryption).
4. In the upper right corner there is "Number Base" ... Set it to 16.. The reason is
    obvious..
5. Press "Factor N" button. This will give you the primes..
6. Copy - paste the last prime to the "1st Prime field"
   Copy - paste the one before the last to the "2nd".
7. Press Calculate D

To fully decrypt, you have to have the exponent.
You can press Test to see what it gives you for the current exponent...

Anyway, I think this answers your question... :)
The point is that IMO it is RSA 128 bits... (widely used)
In the link I gave you there are other tools, like DSA tools for DSA encryption, and others.

To decrypt those values... well, another story...
Hope this helps.


0

 
LVL 16

Expert Comment

by:CodedK
ID: 13821858
Calculating hash of 4 bytes string `4321`...

SHA-160     : D5F12E53A182C062B6BF30C1445153FAFF12269A

SHA-256     : FE2592B42A727E977F055947385B709CC82B16B9A87F88C6ABF3900D65D0CDC3

SHA-384     : 7A80E1C8A8F1456AE6C2735087EBCAF60BCF6DC17CC677D7CB165516CC114362EEB43FF664E2E9F8852F9FAB7D6187A8

SHA-512     : 7E2FEAC95DCD7D1DF803345E197369AF4B156E4E7A95FCB2955BDBBB3A11AFD8BB9D35931BF15511370B18143E38B01B903F55C5ECBDED4AF99934602FCDF38C

MD5         : D93591BDF7860E1E4EE2FCA799911215

RIPEMD-160  : B24C985BBC7B2FD0214F6DD741BD22848668B0E7

HAVAL-3-128 : 6CD657053B65AE9C0777F79DF0D64EBD

HAVAL-3-160 : D1C5A0B32B98BFE2CB5C47911762D49A8DF2248E

HAVAL-3-192 : B49428873D3669482E9464FD17DB053E6590FBDC862B0271

HAVAL-3-224 : 0792BF1577AB2F7F8B3F71F2B458C7666C22CB68DD230692FC5F476F

HAVAL-3-256 : 887858ACA21E11A7377131457A2EFD88AD4A3273FE022BC33AEF4DC3B5E051B0

HAVAL-4-128 : A83B812478482AFBCCBABB2AEAE3B74D

HAVAL-4-160 : 125808EF413FCA3B5E36321D22EF9F528D95FB4F

HAVAL-4-192 : D630CAFB5A83243F6DF80F885C34579DDFB85A90B1DD3843

HAVAL-4-224 : 2BB21CFA083E941CC221E8A08EAD476219267D68E0A8AA4E8C9A6EE8

HAVAL-4-256 : E862D257F730057197EE803B05F846A652EC6B8BC5E8FD2D03F7BE85F2B2B03B

HAVAL-5-128 : F4716FA4B7E2F11461036D75A90F7AD6

HAVAL-5-160 : 7B47C2AE9C9BE8EA0367F88DB0CF8B89D9B96EC2

HAVAL-5-192 : 2772608CC35DC6E7799A5CC410BE2AFB871654582961EAD7

HAVAL-5-224 : CB5001AA888ABE279E29A5B040DAB22F67675121B2BBD85DD43178A3

HAVAL-5-256 : C2C82FDA8009B31AC411CCA7B689A9083498B80106BE2ACDCC4CD980A8E69FDA

CRC-32      : C48EBF68
0
 
LVL 16

Expert Comment

by:CodedK
ID: 13821861
Above are some known hashes I checked... I still believe it's RSA
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 140 total points
ID: 13824333
It's rumored to be an MD5 hash OF the plain-text version of the "password", and it's also a 40-bit version of MD5; all I have are standard 128-bit versions of MD5, so I can't double-check.

So if your password is Eight a's
aaaaaaaa
your password in md5-hmac is 3DBE00A167653A1AAEE01D93E77E730E
But IE says it's
aaaaaaaa equals
3ca93cf53efaa7d5c3a7424e702889db
IE is making a checksum of the phrase "aaaaaaa" not encrypting aaaaaaa into md5

echo aaaaaaaa | md5sum  (this is 128bit md5, and we need 40bit)
65466125197978378ec6340989ac50db

-rich
0
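An added example (not part of the thread and not code from any participant): a known-plaintext check that tests the four password/"Key" pairs posted above against a few 16-byte digest constructions. The candidate encodings and digests are assumptions chosen for illustration; input framing is varied because, for instance, `echo aaaaaaaa | md5sum` hashes the string plus a trailing newline.

```python
import hashlib

# Password -> "Key" pairs copied from the registry values posted in the thread.
SAMPLES = {
    "123":  "14,4f,22,14,06,1a,c1,76,35,86,13,8e,3b,42,00,71",
    "4321": "ce,f5,be,0f,e4,87,b6,be,51,7d,9b,2a,39,74,ca,da",
    "12":   "03,cd,58,6b,aa,62,ee,c0,f7,03,3c,72,00,f8,f7,f1",
    "2":    "6d,5a,ba,bb,65,e9,ff,21,4b,73,e8,91,b4,af,e6,e8",
}

def parse_reg_hex(value):
    """Convert a .reg 'hex:' byte list (comma separated) to bytes."""
    return bytes(int(b, 16) for b in value.split(","))

def to_reg_hex(data):
    """Inverse of parse_reg_hex, used to build constructed test pairs."""
    return ",".join(f"{b:02x}" for b in data)

# Assumed ways the password could be framed before hashing.
ENCODINGS = {
    "ascii": lambda p: p.encode("ascii"),
    "ascii+NUL": lambda p: p.encode("ascii") + b"\x00",
    "ascii+LF": lambda p: p.encode("ascii") + b"\n",  # what `echo pw | md5sum` hashes
    "utf-16le": lambda p: p.encode("utf-16-le"),
    "utf-16le+NUL": lambda p: p.encode("utf-16-le") + b"\x00\x00",
}

# Assumed digest candidates, all reduced to the 16 bytes seen in the registry.
DIGESTS = {
    "md5": lambda d: hashlib.md5(d).digest(),
    "sha1[:16]": lambda d: hashlib.sha1(d).digest()[:16],
    "sha256[:16]": lambda d: hashlib.sha256(d).digest()[:16],
}

def identify(samples):
    """Return every digest(encoding) construction that reproduces ALL samples."""
    targets = {pw: parse_reg_hex(val) for pw, val in samples.items()}
    hits = []
    for dname, digest in DIGESTS.items():
        for ename, encode in ENCODINGS.items():
            if all(digest(encode(pw)) == t for pw, t in targets.items()):
                hits.append(f"{dname}({ename})")
    return hits

if __name__ == "__main__":
    sizes = {len(parse_reg_hex(v)) * 8 for v in SAMPLES.values()}
    print("stored value size (bits):", sizes)
    print("matching constructions:", identify(SAMPLES) or "none of the candidates")
```

An empty result only rules out the listed candidates; a salt or other preprocessing of the password would not be detected by this check.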
 
LVL 1

Author Comment

by:lbolek
ID: 13827328
Alright, you're both confusing me :) I'd like you to give me a clear and working example I can then reproduce on my own. I was then hoping to write a little bruteforcer or perhaps build some rainbow tables or something like that. But first I've got to figure out the encryption algorithm.

So, CodedK, I was able to follow your instructions; it's only that I'm not trying to decrypt the reg key to retrieve the password but the other way around.

rich, how do I get 128 bits out of 40?

Look, I've got some more points under the Web Dev section (same question) and I'm willing to add them all; I just want a working setup.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 13827682
:)

I know that you don't want to decrypt...
I just said that by using this tool you can get the bits of encryption.
It says it's 128 bits and it's "RSA"...
I am not completely sure though... (70%)

Rich said that it's "md5" but 40 bits, not 128 bits.
There is a tool for md5 that works with 128-bit encryption... (The one you checked ---> "I already compared output of an md5 calc")
but not for 40.

The one I checked above was 128-bit too
"MD5         : D93591BDF7860E1E4EE2FCA799911215"

I'll try to find a 40-bit...

:)
0
 
LVL 16

Expert Comment

by:CodedK
ID: 13827980

--->I was then hoping to write a little bruteforcer
Take a look at this:

http://www.programdev.com/projects/md5brute/md5brute.txt

It's written in Perl.

You can write your brute force using this code...
Use the "Argon list" to get more possible passwords...

Hope this helps :/
0
 
LVL 16

Expert Comment

by:CodedK
ID: 13828035
0
 
LVL 16

Expert Comment

by:CodedK
ID: 13828440
Rainbow table download..
http://www.antsight.com/zsl/rainbowcrack/

Don't know if this will help you... :)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13830213
But again, in Elcomsoft's docs (looks like one of my previous posts didn't take...) they state that it is a checksum of the "pass" but not the encrypted form of it. It's similar to MD5 checksums of files, but this is just the phrase or pass, not a file.
Due to export regulations, M$ keeps about all of their office product encryption at 40 bits, and it was a standard in SSL for a long time as well. They have other products that also use 40-bit encryption, or encryption that is crippled in some way to keep it around 40 bits.

Elcomsoft AOPB has a "Content Advisor" calculator, not a brute-forcer, as it's a waste of time, since you can write your own pass to the registry and then replace the previous one with ease, even if you don't know what that value is. Just copy the current value, replace with a different known value, then if necessary put the old one back; Elcom's program does this: it backs up the old, adds a new, and lets you restore the old as well. If you know how, you can use SoftIce to look at what IE is doing when it makes the pass, or what AOPB is doing when it generates it.
-rich
0
 
LVL 1

Author Comment

by:lbolek
ID: 13838521
I'm not really fond of disassembling (however, it already crossed my mind to do so) and I'm also exploring the guts of AccessData PRTK and LastBit IE Password... but I still think of this as a last resort. Anyway, if all those little fish Neverheardofthem (except AccessData) know how to do it, there has to be someone around here to tell me (considering the fact that most of this IE pwd software is really cheap, some hundreds of points should compensate that)

;)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 15707400
I'm for a split
-rich
0
