RE: Cracking Serv-u passwords stored in .ini file.

From: Altheide, Cory B. (IARC) (AltheideC@nv.doe.gov)
Date: Thu Sep 02 2004 - 18:20:20 EDT


> -----Original Message-----
> From: Scovetta, Michael V [mailto:Michael.Scovetta@ca.com]
> Sent: Thursday, September 02, 2004 1:23 PM
> To: Altheide, Cory B. (IARC); Jérôme ATHIAS;
> pen-test@securityfocus.com
> Subject: RE: Cracking Serv-u passwords stored in .ini file.
>
>
> I realize this is pedantic, but there's a fundamental
> difference between "cracking" MD5 and looking up pre-computed
> values. Of course, it may be useful to find out what password
> generated some particular md5 hash, but this is only
> non-trivial because the implementation of the hashing
> algorithm did not include salt while hashing.

The only real difference is that by using precomputed tables you're front-loading
your work and only doing computations that would normally be needlessly
repetitive once. Otherwise the "cracking," as it were, is basically the
same.

I don't need to be directly addressed on messages to a mailing list I
obviously subscribe to. ;)

-- Cory
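
An added illustration of the point argued in this thread (not code from either poster): it counts MD5 computations for per-hash guessing versus a table computed once, and shows that a per-record salt removes the table's advantage. The candidate list, salts and function names are constructed for the example.

```python
import hashlib

# Constructed sample data: a tiny candidate list standing in for a dictionary.
CANDIDATES = ["qwerty", "letmein", "hunter2", "password", "dragon"]

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def guess_each(stored, candidates):
    """Re-hash the candidate list for every stored hash (repeated work)."""
    found, ops = {}, 0
    for h in stored:
        for word in candidates:
            ops += 1
            if md5_hex(word) == h:
                found[h] = word
                break
    return found, ops

def guess_with_table(stored, candidates):
    """Hash every candidate once up front; each stored hash is then a lookup."""
    table = {md5_hex(w): w for w in candidates}
    found = {h: table[h] for h in stored if h in table}
    return found, len(candidates)

def salted_store(password, salt):
    """Store (salt, MD5(salt + password)); the salt differs per record."""
    return salt, md5_hex(salt + password)

def guess_salted(records, candidates):
    """With per-record salts no table is shared: the work is per record again."""
    found, ops = {}, 0
    for salt, h in records:
        for word in candidates:
            ops += 1
            if md5_hex(salt + word) == h:
                found[(salt, h)] = word
                break
    return found, ops

if __name__ == "__main__":
    words = ["hunter2", "password", "dragon"]
    unsalted = [md5_hex(w) for w in words]
    salted = [salted_store(w, s) for w, s in zip(words, ["a1", "b2", "c3"])]
    print("per-hash guessing ops:", guess_each(unsalted, CANDIDATES)[1])
    print("table ops (one-time): ", guess_with_table(unsalted, CANDIDATES)[1])
    print("table hits on salted: ", len(guess_with_table([h for _, h in salted], CANDIDATES)[0]))
    print("salted guessing ops:  ", guess_salted(salted, CANDIDATES)[1])
```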
