From: Scovetta, Michael V (Michael.Scovetta@ca.com)
Date: Thu Sep 02 2004 - 13:20:35 EDT
Nekro--
Maybe I'm just ignorant here, but if you are referring to the recent
collision attacks on MD5, how does such an attack compromise serv-u
security? Being able to create two strings that hash to the same value
is orders of magnitude easier than finding a string that hashes to some
particular hash value.
>From what I see, the serv-u hash security is weak not because of the
weakness of MD5 or any other hashing algorithm, but rather because a
simple dictionary attack (performaed 26^2 times) would be more effective
than attempting a preimage attack on the final hashed value.
If there's something here that I'm not getting, please let me know.
Regards,
Michael Scovetta
-----Original Message-----
From: M. D. [mailto:nekromancer@lycos.com]
Sent: Wednesday, September 01, 2004 11:37 AM
To: pen-test@securityfocus.com
Subject: RE: Craking Serv-u passwords stored in .ini file.
Dear colleagues,
Googling around shows THIS:
http://www.cat-soft.com/serv-u-list/08%2014-Apr-99%20To%2005-Aug-02/msg0
9499.html
With that information and any good MD5 hash cracker (Lepton's Crack
comes to mind, but feel free to chose any other, I'm a bit biased being
one of the authors ;-) I think that you can try to bruteforce these
passwords.
Hope this info helps.
Cheers,
Nekromancer
-- _______________________________________________ Find what you are looking for with the Lycos Yellow Pages http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default .asp?SRC=lycos10 ------------------------------------------------------------------------ ------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:02 EDT