lbolek

IE content advisor password hash

I was wondering how the password hash is stored in the registry... Which algorithm is used? It can't be MD5; I already compared the output of an MD5 calc and the reg hash, but the results were totally different :|

Any suggestions?
CodedK

Hi.
Can you paste an encrypted string?
lbolek

ASKER

This is an example of advisor's registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
"Key"=hex:14,4f,22,14,06,1a,c1,76,35,86,13,8e,3b,42,00,71

This key represents the encrypted pwd "123"

some more:
4321:   ce,f5,be,0f,e4,87,b6,be,51,7d,9b,2a,39,74,ca,da
12:       03,cd,58,6b,aa,62,ee,c0,f7,03,3c,72,00,f8,f7,f1
2:         6d,5a,ba,bb,65,e9,ff,21,4b,73,e8,91,b4,af,e6,e8
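
An added example, not part of the original thread: a Python sketch of the comparison the asker describes, checking whether a plain digest of the password reproduces the registry values quoted above. The candidate encodings and the algorithm list are assumptions chosen for illustration; nothing here is taken from IE itself.

```python
import hashlib

# Known (password, registry "Key" value) pairs quoted in the post above.
SAMPLES = {
    "123":  "14,4f,22,14,06,1a,c1,76,35,86,13,8e,3b,42,00,71",
    "4321": "ce,f5,be,0f,e4,87,b6,be,51,7d,9b,2a,39,74,ca,da",
    "12":   "03,cd,58,6b,aa,62,ee,c0,f7,03,3c,72,00,f8,f7,f1",
    "2":    "6d,5a,ba,bb,65,e9,ff,21,4b,73,e8,91,b4,af,e6,e8",
}

def parse_reg_hex(value):
    """Turn a .reg 'hex:' byte list (with or without the prefix) into bytes."""
    value = value.strip()
    if value.lower().startswith("hex:"):
        value = value[4:]
    # .reg exports wrap long values with a trailing backslash; drop it.
    value = value.replace("\\", "").replace("\n", "")
    return bytes(int(b, 16) for b in value.split(",") if b.strip())

# Assumed input encodings to try (hypothetical candidates, not confirmed).
ENCODINGS = {
    "ascii": lambda p: p.encode("ascii"),
    "ascii+nul": lambda p: p.encode("ascii") + b"\x00",
    "utf16le": lambda p: p.encode("utf-16-le"),
    "utf16le+nul": lambda p: p.encode("utf-16-le") + b"\x00\x00",
}
ALGORITHMS = ("md5", "sha1", "sha256")  # longer digests are truncated to fit

def candidate(algorithm, encoding, password, length):
    """Digest of the encoded password, cut to the stored value's length."""
    digest = hashlib.new(algorithm, ENCODINGS[encoding](password)).digest()
    return digest[:length]

def consistent_candidates(samples=SAMPLES):
    """Return (algorithm, encoding) pairs that reproduce every sample."""
    targets = {pw: parse_reg_hex(v) for pw, v in samples.items()}
    hits = []
    for algorithm in ALGORITHMS:
        for encoding in ENCODINGS:
            if all(candidate(algorithm, encoding, pw, len(t)) == t
                   for pw, t in targets.items()):
                hits.append((algorithm, encoding))
    return hits

if __name__ == "__main__":
    print(consistent_candidates() or "no plain-digest candidate fits all samples")
```

Requiring a candidate to match all four pairs rules out coincidental hits on a single value; an empty result means the stored value is not a plain, unsalted digest under the encodings tried.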
ASKER CERTIFIED SOLUTION
CodedK
This solution is only available to members.
Calculating hash of 4 bytes string `4321`...

Above are some known hashes I checked ... I still believe it's RSA
SOLUTION
This solution is only available to members.
lbolek

ASKER

Alright, you're both confusing me :) I'd like you to give me a clear and working example I can then reproduce on my own. I was then hoping to write a little bruteforcer or perhaps build some rainbow tables or something like that. But first I've got to figure out the encryption algorithm.

So, CodedK - I was able to follow your instructions, it's only that I'm not trying to decrypt the reg key to retrieve the password but the other way around.

rich - how do I get 128 bits out of 40?

Look, I've got some more points under the Web Dev section - same question - and I'm willing to add them all, I just want a working setup.
:)

I know that you don't want to decrypt...
I just said that by using this tool you can get the bits of encryption.
It says it's 128 bits and it's "RSA"...
I am not completely sure though... (70%)

Rich said that it's "md5" but 40 bits, not 128 bits.
There is a tool for md5 that works with 128-bit encryption... (The one you checked ---> "I already compared output of an md5 calc")
but not for 40.

The one I checked above was 128-bit too
"MD5         : D93591BDF7860E1E4EE2FCA799911215"

I'll try to find a 40-bit...

:)

--->I was then hoping to write a little bruteforcer
Take a look at this:

http://www.programdev.com/projects/md5brute/md5brute.txt

It's written in Perl.

You can write your brute force using this code...
Use the "Argon list" to get more possible passwords...

Hope this helps :/
Rainbow table download..
http://www.antsight.com/zsl/rainbowcrack/

Don't know if this will help you... :)
But again, in Elcomsoft's docs (looks like one of my previous posts didn't take...) they state that it is a checksum of the "pass" but not the encrypted form of it. It's similar to MD5 checksums of files, but this is just the phrase or pass, not a file.
Due to export regulations, M$ keeps about all of their office product encryption at 40 bits and it was a standard in SSL for a long time as well. They have other products that also use 40-bit encryption, or encryption that is crippled in some way to keep it around 40 bits.

Elcomsoft AOPB has a "Content Advisor" calculator, not a BruteForcer, as it's a waste of time, since you can write your own pass to the registry, and then replace the previous one with ease, even if you don't know what that value is. Just copy the current value, replace with a different known value, then if necessary put the old one back. Elcom's program does this: it backs up the old, adds a new, and lets you restore the old as well. If you know how, you can use SoftIce to look at what IE is doing when it makes the pass, or what AOPB is doing when it generates it.
-rich
lbolek

ASKER

I'm not really fond of disassembling (however, it already crossed my mind to do so) and I'm also exploring the guts of AccessData PRTK and LastBit IE Password... but I still think of this as a last resort. Anyway, if all those little fish Neverheardofthem (except AccessData) know how to do it, there has to be someone around here to tell me (considering the fact that most of this IEpwd software is really cheap, some hundreds of points should compensate that)

;)
I'm for a split
-rich