RE: Craking Serv-u passwords stored in .ini file.

From: Scovetta, Michael V (Michael.Scovetta@ca.com)
Date: Thu Sep 02 2004 - 13:20:35 EDT


Nekro--

Maybe I'm just ignorant here, but if you are referring to the recent
collision attacks on MD5, how does such an attack compromise serv-u
security? Being able to create two strings that hash to the same value
is orders of magnitude easier than finding a string that hashes to some
particular hash value.

>From what I see, the serv-u hash security is weak not because of the
weakness of MD5 or any other hashing algorithm, but rather because a
simple dictionary attack (performaed 26^2 times) would be more effective
than attempting a preimage attack on the final hashed value.

If there's something here that I'm not getting, please let me know.

Regards,

Michael Scovetta

-----Original Message-----
From: M. D. [mailto:nekromancer@lycos.com]
Sent: Wednesday, September 01, 2004 11:37 AM
To: pen-test@securityfocus.com
Subject: RE: Craking Serv-u passwords stored in .ini file.

Dear colleagues,

Googling around shows THIS:

http://www.cat-soft.com/serv-u-list/08%2014-Apr-99%20To%2005-Aug-02/msg0
9499.html

With that information and any good MD5 hash cracker (Lepton's Crack
comes to mind, but feel free to chose any other, I'm a bit biased being
one of the authors ;-) I think that you can try to bruteforce these
passwords.
Hope this info helps.
Cheers,

Nekromancer

-- 
_______________________________________________
Find what you are looking for with the Lycos Yellow Pages
http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default
.asp?SRC=lycos10
------------------------------------------------------------------------
------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one
interaction
with one of our expert instructors. Check out our Advanced Hacking
course,
learn to write exploits and attack security infrastructure. Attend a
course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
-------
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:02 EDT