IE content advisor password hash

I was wondering how the password hash is stored in the registry... which algorithm is used? It can't be MD5; I already compared the output of an MD5 calc with the reg hash, but the results were totally different :|

Any suggestions?

Asked by: lbolek

CodedK commented:
:)

It's 128-bit encryption (RSA encryption)
Number base 16

To check it for yourself, go to this link:
http://www.wasm.ru/all.php?mode=tool

Download "Rsa Tool v 1.10".

Read carefully the help file.

To check it fast ... do the following
1. Copy paste the 4321 encrypted string you gave me in the "Modulus" field.
2. Remove the commas
3. Press the "Exact Size" button. (This will show you the bits of encryption).
4. In the upper right corner there is "Number Base" ... Set it to 16.. The reason is
    obvious..
5. Press "Factor N" button. This will give you the primes..
6. Copy - paste the last prime to the "1st Prime field"
   Copy - paste the one before the last to the "2nd".
7. Press Calculate D

To fully decrypt, you have got to have the exponent.
You can press Test to see what it gives you for the current exponent...

Anyway, I think this answers your question... :)
The point is that IMO it is RSA 128 bits... (widely used)
In the link I gave you there are other tools, like DSA tools for DSA encryption, and others.

To decrypt those values... well, another story...
Hope this helps.


CodedK commented:
Hi.
Can you paste an encrypted string?

lbolek (author) commented:
This is an example of advisor's registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
"Key"=hex:14,4f,22,14,06,1a,c1,76,35,86,13,8e,3b,42,00,71

This key represents the encrypted pwd "123"

some more:
4321:   ce,f5,be,0f,e4,87,b6,be,51,7d,9b,2a,39,74,ca,da
12:       03,cd,58,6b,aa,62,ee,c0,f7,03,3c,72,00,f8,f7,f1
2:         6d,5a,ba,bb,65,e9,ff,21,4b,73,e8,91,b4,af,e6,e8
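
The guesses in this thread can be tested against the known pairs from the post above. This is an added example, not part of the original thread: it parses the `.reg` hex values and checks whether any candidate digest, full or truncated to the stored length, reproduces them. The candidate algorithms, encodings and suffixes are assumptions chosen for illustration; the thread does not establish which scheme IE uses.

```python
import hashlib

# Known (password, registry "Key" value) pairs copied from the post above.
SAMPLES = {
    "123":  "14,4f,22,14,06,1a,c1,76,35,86,13,8e,3b,42,00,71",
    "4321": "ce,f5,be,0f,e4,87,b6,be,51,7d,9b,2a,39,74,ca,da",
    "12":   "03,cd,58,6b,aa,62,ee,c0,f7,03,3c,72,00,f8,f7,f1",
    "2":    "6d,5a,ba,bb,65,e9,ff,21,4b,73,e8,91,b4,af,e6,e8",
}

# Assumed candidates for this example; extend as hypotheses come up.
ALGORITHMS = ("md5", "sha1", "sha256")
ENCODINGS = ("ascii", "utf-16-le")          # ANSI vs. wide-character input
SUFFIXES = {"none": "", "NUL": "\0", "LF": "\n", "CRLF": "\r\n"}


def parse_reg_hex(value):
    """Turn a .reg 'hex:aa,bb,...' value (prefix optional) into bytes."""
    value = value.strip()
    if value.lower().startswith("hex:"):
        value = value[4:]
    # .reg exports wrap long values with a trailing backslash and indentation.
    parts = value.replace("\\", "").split(",")
    return bytes(int(p, 16) for p in parts if p.strip())


def candidates(password):
    """Yield (label, digest) for each algorithm/encoding/suffix combination."""
    for enc in ENCODINGS:
        for sname, suffix in SUFFIXES.items():
            data = (password + suffix).encode(enc)
            for alg in ALGORITHMS:
                yield f"{alg}/{enc}/suffix={sname}", hashlib.new(alg, data).digest()


def matching_schemes(password, stored):
    """Labels whose digest equals `stored` or begins with it (truncated digest)."""
    return [label for label, digest in candidates(password)
            if digest[:len(stored)] == stored]


def consistent_schemes(samples):
    """Schemes that explain every known pair; a single match proves little."""
    hits = [set(matching_schemes(pw, parse_reg_hex(v))) for pw, v in samples.items()]
    return sorted(set.intersection(*hits))


if __name__ == "__main__":
    for pw, v in SAMPLES.items():
        stored = parse_reg_hex(v)
        print(repr(pw), len(stored) * 8, "bits stored:", matching_schemes(pw, stored))
    print("explains all samples:", consistent_schemes(SAMPLES))
```

The `LF` suffix covers the case where a value was produced with `echo ... | md5sum`, which hashes the trailing newline as well. An empty result means none of the assumed constructions fits, for example because a salt or a different transformation is involved.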
 
CodedK commented:
Calculating hash of 4 bytes string `4321`...

SHA-160     : D5F12E53A182C062B6BF30C1445153FAFF12269A

SHA-256     : FE2592B42A727E977F055947385B709CC82B16B9A87F88C6ABF3900D65D0CDC3

SHA-384     : 7A80E1C8A8F1456AE6C2735087EBCAF60BCF6DC17CC677D7CB165516CC114362EEB43FF664E2E9F8852F9FAB7D6187A8

SHA-512     : 7E2FEAC95DCD7D1DF803345E197369AF4B156E4E7A95FCB2955BDBBB3A11AFD8BB9D35931BF15511370B18143E38B01B903F55C5ECBDED4AF99934602FCDF38C

MD5         : D93591BDF7860E1E4EE2FCA799911215

RIPEMD-160  : B24C985BBC7B2FD0214F6DD741BD22848668B0E7

HAVAL-3-128 : 6CD657053B65AE9C0777F79DF0D64EBD

HAVAL-3-160 : D1C5A0B32B98BFE2CB5C47911762D49A8DF2248E

HAVAL-3-192 : B49428873D3669482E9464FD17DB053E6590FBDC862B0271

HAVAL-3-224 : 0792BF1577AB2F7F8B3F71F2B458C7666C22CB68DD230692FC5F476F

HAVAL-3-256 : 887858ACA21E11A7377131457A2EFD88AD4A3273FE022BC33AEF4DC3B5E051B0

HAVAL-4-128 : A83B812478482AFBCCBABB2AEAE3B74D

HAVAL-4-160 : 125808EF413FCA3B5E36321D22EF9F528D95FB4F

HAVAL-4-192 : D630CAFB5A83243F6DF80F885C34579DDFB85A90B1DD3843

HAVAL-4-224 : 2BB21CFA083E941CC221E8A08EAD476219267D68E0A8AA4E8C9A6EE8

HAVAL-4-256 : E862D257F730057197EE803B05F846A652EC6B8BC5E8FD2D03F7BE85F2B2B03B

HAVAL-5-128 : F4716FA4B7E2F11461036D75A90F7AD6

HAVAL-5-160 : 7B47C2AE9C9BE8EA0367F88DB0CF8B89D9B96EC2

HAVAL-5-192 : 2772608CC35DC6E7799A5CC410BE2AFB871654582961EAD7

HAVAL-5-224 : CB5001AA888ABE279E29A5B040DAB22F67675121B2BBD85DD43178A3

HAVAL-5-256 : C2C82FDA8009B31AC411CCA7B689A9083498B80106BE2ACDCC4CD980A8E69FDA

CRC-32      : C48EBF68

CodedK commented:
Above are some known hashes I checked... I still believe it's RSA

Rich Rumble (Security Samurai) commented:
It's rumored to be an MD5 hash OF the plain-text version of the "password", and it's also a 40-bit version of MD5; all I have is the standard 128-bit version of MD5, so I can't double-check.

So if your password is Eight a's
aaaaaaaa
your password in md5-hmac is 3DBE00A167653A1AAEE01D93E77E730E
But IE says it's
aaaaaaaa equals
3ca93cf53efaa7d5c3a7424e702889db
IE is making a checksum of the phrase "aaaaaaa" not encrypting aaaaaaa into md5

echo aaaaaaaa | md5sum  (this is 128bit md5, and we need 40bit)
65466125197978378ec6340989ac50db

-rich

lbolek (author) commented:
Alright, you're both confusing me :) I'd like you to give me a clear and working example I can then reproduce on my own. I was then hoping to write a little bruteforcer or perhaps build some rainbow tables or something like that. But first I've got to figure out the encryption algorithm.

So, CodedK, I was able to follow your instructions; it's only that I'm not trying to decrypt the reg key to retrieve the password but the other way around.

Rich, how do I get 128 bits out of 40?

Look, I've got some more points under the Web Dev section (same question) and I'm willing to add them all; I just want a working setup.

CodedK commented:
:)

I know that you don't want to decrypt...
I just said that by using this tool you can get the bits of encryption.
It says it's 128 bits and it's "RSA"...
I am not completely sure though... (70%)

Rich said that it's "md5", but 40 bits, not 128 bits.
There is a tool for md5 that works with 128-bit encryption... (the one you checked ---> "I already compared output of an md5 calc")
but not for 40.

The one I checked above was 128-bit too:
"MD5         : D93591BDF7860E1E4EE2FCA799911215"

I'll try to find a 40-bit...

:)

CodedK commented:

---> "I was then hoping to write a little bruteforcer"
Take a look at this:

http://www.programdev.com/projects/md5brute/md5brute.txt

It's written in Perl.

You can write your brute force using this code...
Use the "Argon list" to get more possible passwords...

Hope this helps :/
 
CodedK commented:
Rainbow table download..
http://www.antsight.com/zsl/rainbowcrack/

Don't know if this will help you... :)

Rich Rumble (Security Samurai) commented:
But again, in Elcomsoft's docs (looks like one of my previous posts didn't take...) they state that it is a checksum of the "pass" but not the encrypted form of it. It's similar to MD5 checksums of files, but this is just the phrase or pass, not a file.
Due to export regulations, M$ keeps about all of their office product encryption at 40 bits, and it was a standard in SSL for a long time as well. They have other products that also use 40-bit encryption, or encryption that is crippled in some way to keep it around 40 bits.

Elcomsoft AOPB has a "Content Advisor" calculator, not a brute-forcer, as it's a waste of time, since you can write your own pass to the registry, and then replace the previous one with ease, even if you don't know what that value is. Just copy the current value, replace it with a different known value, then if necessary put the old one back. Elcom's program does this: it backs up the old, adds a new, and lets you restore the old as well. If you know how, you can use SoftIce to look at what IE is doing when it makes the pass, or what AOPB is doing when it generates it.
-rich

lbolek (author) commented:
I'm not really fond of disassembling (however, it already crossed my mind to do so) and I'm also exploring the guts of AccessData PRTK and LastBit IE Password... but I still think of this as a last resort. Anyway, if all those little fish Neverheardofthem (except AccessData) know how to do it, there has to be someone around here to tell me (considering the fact that most of this IE pwd software is really cheap, some hundreds of points should compensate that)

;)

Rich Rumble (Security Samurai) commented:
I'm for a split
-rich
Question has a verified solution.
