lbolek
IE content advisor password hash
I was wondering how the password hash is stored in the registry... which algorithm is used? It can't be MD5; I already compared the output of an MD5 calc and the reg hash, but the results were totally different :|
any suggestions?
ASKER
This is an example of advisor's registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
"Key"=hex:14,4f,22,14,06,1a,c1,76,35,86,13,8e,3b,42,00,71
This key represents the encrypted pwd "123"
some more:
4321: ce,f5,be,0f,e4,87,b6,be,51,7d,9b,2a,39,74,ca,da
12: 03,cd,58,6b,aa,62,ee,c0,f7,03,3c,72,00,f8,f7,f1
2: 6d,5a,ba,bb,65,e9,ff,21,4b,73,e8,91,b4,af,e6,e8
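Added example, not part of the original thread: a small harness that parses the `hex:` registry data quoted above (each value is 16 bytes, i.e. 128 bits) and checks which digest and input-encoding combinations reproduce all four known password/value pairs. The candidate encodings and digests, and the function names, are assumptions chosen for illustration; the harness only rules constructions in or out and does not assert what the real algorithm is.

```python
import hashlib

# Password -> registry "Key" data, copied from the post above.
KNOWN = {
    "123":  "hex:14,4f,22,14,06,1a,c1,76,35,86,13,8e,3b,42,00,71",
    "4321": "hex:ce,f5,be,0f,e4,87,b6,be,51,7d,9b,2a,39,74,ca,da",
    "12":   "hex:03,cd,58,6b,aa,62,ee,c0,f7,03,3c,72,00,f8,f7,f1",
    "2":    "hex:6d,5a,ba,bb,65,e9,ff,21,4b,73,e8,91,b4,af,e6,e8",
}

def parse_reg_hex(data: str) -> bytes:
    """Convert .reg 'hex:' data (comma-separated byte pairs) to raw bytes."""
    data = data.strip()
    if data.lower().startswith("hex:"):
        data = data[4:]
    # Long values in a .reg export are wrapped with a trailing backslash.
    for junk in ("\\", "\r", "\n", " "):
        data = data.replace(junk, "")
    return bytes(int(pair, 16) for pair in data.split(",") if pair)

# Candidate input encodings: guesses to rule in or out, not a known answer.
ENCODINGS = {
    "ascii":        lambda p: p.encode("ascii"),
    "ascii+NUL":    lambda p: p.encode("ascii") + b"\x00",
    "utf-16le":     lambda p: p.encode("utf-16le"),
    "utf-16le+NUL": lambda p: p.encode("utf-16le") + b"\x00\x00",
}
DIGESTS = ("md5", "sha1", "sha256")

def matching_constructions(known=KNOWN):
    """Return (digest, encoding) pairs that reproduce every known value.

    A digest longer than the stored value is compared on its prefix, so a
    truncated SHA-1 or SHA-256 would also be detected.
    """
    stored = {pw: parse_reg_hex(v) for pw, v in known.items()}
    hits = []
    for digest in DIGESTS:
        for name, encode in ENCODINGS.items():
            if all(hashlib.new(digest, encode(pw)).digest()[:len(s)] == s
                   for pw, s in stored.items()):
                hits.append((digest, name))
    return hits

if __name__ == "__main__":
    print("stored value length (bits):", 8 * len(parse_reg_hex(KNOWN["123"])))
    print("constructions matching all pairs:", matching_constructions())
```

An empty result means none of the listed combinations is the construction, which points to extra input (a constant, a salt or a key) or a different algorithm.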
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Calculating hash of 4 bytes string `4321`...
Above are some known hashes I checked ... I still believe it's RSA
SOLUTION
ASKER
Alright, you're both confusing me :) I'd like you to give me a clear and working example I can then reproduce on my own. I was then hoping to write a little bruteforcer or perhaps build some rainbow tables or something like that. But first I've got to figure out the encryption algorithm.
So, CodedK - I was able to follow your instructions; it's only that I'm not trying to decrypt the reg key to retrieve the password but the other way around.
rich - how do I get 128 bits out of 40?
Look, I've got some more points under the Web Dev section (same question) and I'm willing to add them all; I just want a working setup.
:)
I know that you don't want to decrypt...
I just said that by using this tool u can get the bits of encryption.
It says it's 128 bits and it's "RSA" ...
I am not completely sure though... (70%)
Rich said that it's "md5" but 40 bits, not 128 bits.
There is a tool for md5 that works with 128 bit encryption... (The one u checked --->"I already compared output of an md5 calc")
but not for 40.
The one I checked above was 128 bit too
"MD5 : D93591BDF7860E1E4EE2FCA799911215"
I'll try to find a 40 bit...
:)
--->I was then hoping to write a little bruteforcer
Take a look at this:
http://www.programdev.com/projects/md5brute/md5brute.txt
It's written in Perl.
You can write your brute force using this code...
Use the "Argon list" to get more possible passwords...
Hope this helps :/
Rainbow table download..
http://www.antsight.com/zsl/rainbowcrack/
Don't know if this will help u... :)
But again, in Elcomsoft's docs (looks like one of my previous posts didn't take...) they state that it is a checksum of the "pass" but not the encrypted form of it. It's similar to MD5 checksums of files, but this is just the phrase or pass, not a file.
Due to export regulations, M$ keeps about all of their office product encryption at 40 bits and it was a standard in SSL for a long time as well. They have other products that also use 40-bit encryption, or encryption that is crippled in some way to keep it around 40 bits.
Elcomsoft AOPB has a "Content Advisor" calculator, not a BruteForcer, as it's a waste of time, since you can write your own pass to the registry, and then replace the previous one with ease, even if you don't know what that value is. Just copy the current value, replace with a different known value, then if necessary put the old one back. Elcom's program does this: it backs up the old, adds a new, and lets you restore the old as well. If you know how, you can use SoftIce to look at what IE is doing when it makes the pass, or what AOPB is doing when it generates it.
-rich
ASKER
I'm not really fond of disassembling (however, it already crossed my mind to do so) and I'm also exploring the guts of AccessData PRTK and LastBit IE Password... but I still think of this as a last resort. Anyway, if all those little fish Neverheardofthem (except AccessData) know how to do it, there has to be someone around here to tell me (considering the fact that most of this IEpwd software is really cheap, some hundreds of points should compensate for that)
;)
I'm for a split
-rich
Can u paste an encrypted string?