Solved

How to Decrypt the password using php

Posted on 2011-02-11
13
662 Views
Last Modified: 2012-05-11
hi,

I had 2 fields in my database table named  password and  password_salt.The field password had d5c673c787001acd21a550645242a741 value  and password_salt had BH3 using these two values how  i decrypt the password.

thanks
0
Comment
Question by:whspider
  • 2
  • 2
  • 2
  • +5
13 Comments
 
LVL 34

Assisted Solution

by:Beverley Portlock
Beverley Portlock earned 200 total points
ID: 34869980
It depends how you encrypted it.

If that password is the result of an MD5 operation then you cannot decrypt it. MD5's are one-way only.  The idea is that if someone enters a password then you MD5 the entered version and compare it to the stored one. If they are the same the the password entered was valid.

0
 

Author Comment

by:whspider
ID: 34870023
thanks for your replay . i know that but the issue is that they are not using the MD5 method

 for example:

Tthe original password is ramani this name is encrypted and stored in the database  like dc49a7cc03ee39b6f5ae8c43510f8284 now i had the original password and encrypted value .I  just need what technics they used to encrypt the password.
0
 
LVL 9

Assisted Solution

by:iGottZ
iGottZ earned 100 total points
ID: 34870033
MD5 = Hash
you can create hashes of everything. even files. so how will you get out of 32 letters and numbers a whole file back?
passwords can also be long. there is no limit when using md5.

you simply cannot say what this hash is made from. actually thats what hashes are made for.

you could bruteforce it but thats stupid if the password is long and you dont got a good cpu cluster or gpu to do this job.
0
 
LVL 48

Assisted Solution

by:hernst42
hernst42 earned 100 total points
ID: 34870055
They are using md5 and combining the salt with the password to generate the md5 hash. So rainbowtables does not work to recovert the password (cause of the salt). So it is not possible to reover the original password.
0
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 200 total points
ID: 34870142
"thanks for your replay . i know that but the issue is that they are not using the MD5 method"

It's 32 characters long and contains only hexadecimal data. It looks like an MD5 to me. If it is not an MD5 then what is it? If you cannot tell us then we cannot help.

Even knowing the starting password and the salt won't help. Look at this script which uses the salt, password and known result.

<?php

$p = "ramani";
$salt = "BH3";

$test = "dc49a7cc03ee39b6f5ae8c43510f8284";

$r = md5( $p );
echo "$r<br/>$test " . ($r == $test ) . "<br/><br/>";

$r = md5( $salt . $p );
echo "$r<br/>$test " . ($r == $test ) . "<br/><br/>";

$r = md5( $p . $salt );
echo "$r<br/>$test " . ($r == $test ) . "<br/><br/>";

$r = md5( $salt . $p . $salt );
echo "$r<br/>$test " . ($r == $test ) . "<br/><br/>";

$r = md5(  $p . $salt . $p );
echo "$r<br/>$test " . ($r == $test ) . "<br/><br/>";

$r = md5(  $p . $salt . $p . $salt );
echo "$r<br/>$test " . ($r == $test ) . "<br/><br/>";

Open in new window


Results (none of which match)

6b4995a929e2936ae07a4c0792385a93
dc49a7cc03ee39b6f5ae8c43510f8284

47ccfa48a11b64e54b8c60baa6aeff11
dc49a7cc03ee39b6f5ae8c43510f8284

e1acd78ee7adbc62d9806ce6bfcaaab0
dc49a7cc03ee39b6f5ae8c43510f8284

a248f99bc35ebcab0bcb07ede7a46f2d
dc49a7cc03ee39b6f5ae8c43510f8284

76c3f2177c2a6d4eaea56a708f7a64fa
dc49a7cc03ee39b6f5ae8c43510f8284

78f981b5a53196a081af0f2f04c80ef4
dc49a7cc03ee39b6f5ae8c43510f8284

Open in new window


So using known starting values I still cannot generate the hash because I do not know how these values were combined.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 100 total points
ID: 34870169
A 32-character hexadecimal string is the signature of the md5() hash.  You can learn a little more about md5() by reading the online man pages.
http://us2.php.net/manual/en/function.md5.php

6b4995a929e2936ae07a4c0792385a93 is the md5() for "ramani"
362056820372309574a94e4d0c106339 is the md5() for "Ramani"
47ccfa48a11b64e54b8c60baa6aeff11 is the md5() for "BH3ramani"
e1acd78ee7adbc62d9806ce6bfcaaab0 is the md5() for "ramaniBH3"
6b58743532453f5adafe307665863968 is the md5() for "BH3 ramani"

etc.  You will be spending a very long time trying to decode these md5() strings back into passwords.  Perhaps you can tell us why you would want to do this?  It's a very unusual request, trying to reverse an md5() string, since the intent of using the md5() string is to obscure the data permanently and most computer scientists understand this.  What is the purpose of this exercise, in plain language?



0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 8

Expert Comment

by:kumaranmca
ID: 34870333
Cannot decrypt the MD5 values. Only overwrite the old password. use base64_encode and base64_decode functions. It might be helpful for you...
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 34870465
base64_encode is not needed with MD5() - the md5() function does not create information that needs to be encoded.
0
 
LVL 17

Expert Comment

by:jrm213jrm213
ID: 34871007
Also just because it says it is the password and salt in those database fields it doesn't mean it is. Paranoid people do paranoid things like putting fake data in fields that say password and salt. If you have the code where they are doing the password comparisons then you should know what the encryption method is, so if you are sure it isn't MD5 then what do you know it is?
0
 
LVL 9

Expert Comment

by:iGottZ
ID: 34905163
as i said earlyer:

its technicaly impossible to decrypt an md5 hash. since decryption would require an encrypted string.

md5 is hashing not encryption.

a hash usualy has always the same length. if it doesnt it lacks of security.

you can easily put a 20000000000 char password into a 32 char md5 hash. this is technicaly possible.
but you cannot get 20000000000 chars out of 32 chars.

if you bruteforce this example you will find a string with less then 33 chars that also creates the same hash


i will say it again:

your goal that you want to achieve is technicaly impossible.
0
 

Author Comment

by:whspider
ID: 35180564
ok
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 37307676
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
These days socially coordinated efforts have turned into a critical requirement for enterprises.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now