Page 1 of 1
Writing a script to brute force an MD5() hash
Posted: Sat Jul 12, 2003 9:14 pm
by Moonspell
Hello, I lost my password in PHPNuke. Now, this is interesting to me, because I want to know the security of MD5. So, I ONLY want to get my password this way. No other suggestions please.
I want to write a script to start at a, use the MD5 function to get the hash, compare it with the database value, and return whether thats the password or not. I want to do this for every possible value of data A-Z and 0-9. Basically, a brute force of a hash and then a comparison. Does anybody have any ideas?
Basically I need to know the syntax for creating the MD5 hashes and testing them against the database value. Also, I need to know how I can loop through a-z and 0-9 with every possible combination
Posted: Sat Jul 12, 2003 10:04 pm
by Stoker
a rather odd approach I would say, you want to create a password tester.. If you have write access to the database it is much easier for you to just generate a md5 sum of a new password and insert it in the database..
Any other approach is to me not sane and indicates that you want to find others/multiple passwords...
To generate a new password just simply do something like
echo md5('mynewPassWord');
Posted: Sat Jul 12, 2003 10:32 pm
by qartis
Even with mysql's access speeds, you're looking at hundreds of millions of possibilities, with a range of a - 99999, and exponentially more if you add more and more digits. It's possible that you could write an incredibly optimized script to check, and crack a 6 digit password in about a week, but with 8 digits, you're better off guessing. Can you remember any of the digits, or how long it was, or anything? Unless you have 2-3 years to wait, it's kind of pointless.
Posted: Sat Jul 12, 2003 10:46 pm
by Stoker
..not to mention use of !@#$%^&*(){}[];:';?><,./`~ and other odd/international characters that multplies that several times..
Posted: Sun Jul 13, 2003 8:49 am
by m3rajk
i agree with stoker... sounds like you're trying to get into other's accounts without them knowing.
if you're really serious about this, go take a good cryptology course
Posted: Sun Jul 13, 2003 8:58 am
by m3mn0n
Code: Select all
<?php
$pff = md5($_POST['password_from_form']);
// pull password in md5 form from database here
if($row['database_md5_pass'] == $pff){
// do whatever
} else {
// die
}
?>
Posted: Sun Jul 13, 2003 3:51 pm
by Slippy
If you are really the admin of the site, why don't you just run the phpnuke "install.php" script again and reset the password.
You should be able to follow instructions from the phpnuke installation guide and just skip the steps where it asks you to create your database etc...
Brute forcing an MD5 hash with PHP is probably accomplished faster with something like PERL or C and not really suited for PHP.