Writing a script to brute force an MD5() hash

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Moonspell
Forum Newbie
Posts: 21
Joined: Tue May 13, 2003 4:54 pm

Writing a script to brute force an MD5() hash

Post by Moonspell »

Hello, I lost my password in PHPNuke. Now, this is interesting to me, because I want to know the security of MD5. So, I ONLY want to get my password this way. No other suggestions please.

I want to write a script to start at a, use the MD5 function to get the hash, compare it with the database value, and return whether thats the password or not. I want to do this for every possible value of data A-Z and 0-9. Basically, a brute force of a hash and then a comparison. Does anybody have any ideas?

Basically I need to know the syntax for creating the MD5 hashes and testing them against the database value. Also, I need to know how I can loop through a-z and 0-9 with every possible combination
User avatar
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY
Contact:

Post by Stoker »

a rather odd approach I would say, you want to create a password tester.. If you have write access to the database it is much easier for you to just generate a md5 sum of a new password and insert it in the database..

Any other approach is to me not sane and indicates that you want to find others/multiple passwords...

To generate a new password just simply do something like
echo md5('mynewPassWord');
qartis
Forum Contributor
Posts: 271
Joined: Sat Dec 14, 2002 4:43 pm
Location: BC, Canada
Contact:

Post by qartis »

Even with mysql's access speeds, you're looking at hundreds of millions of possibilities, with a range of a - 99999, and exponentially more if you add more and more digits. It's possible that you could write an incredibly optimized script to check, and crack a 6 digit password in about a week, but with 8 digits, you're better off guessing. Can you remember any of the digits, or how long it was, or anything? Unless you have 2-3 years to wait, it's kind of pointless.
User avatar
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY
Contact:

Post by Stoker »

..not to mention use of !@#$%^&*(){}[];:';?><,./`~ and other odd/international characters that multplies that several times..
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

i agree with stoker... sounds like you're trying to get into other's accounts without them knowing.

if you're really serious about this, go take a good cryptology course
User avatar
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Code: Select all

<?php
$pff = md5($_POST['password_from_form']);
  // pull password in md5 form from database here

if($row['database_md5_pass'] == $pff){
   // do whatever
 } else {
   // die
}
?>
User avatar
Slippy
Forum Contributor
Posts: 113
Joined: Sat Jul 12, 2003 11:31 pm
Location: Vancouver eh!

Post by Slippy »

If you are really the admin of the site, why don't you just run the phpnuke "install.php" script again and reset the password.

You should be able to follow instructions from the phpnuke installation guide and just skip the steps where it asks you to create your database etc...

Brute forcing an MD5 hash with PHP is probably accomplished faster with something like PERL or C and not really suited for PHP.
Post Reply