Page 1 of 1

Forgot Admin Password

Posted: Mon Apr 19, 2010 1:59 pm
by danielmyles
hey guys

I need a proffesional opinion hear, i have RBS script intalled http://www.outsourcedjobs.co.za

and i have forgotten the password to the admin panel namely www.outsourcedjobs.co.za/index.php/siteadmin

i have searched through all my hosting files to find the username & password file to no avail .... is there someone who can help?

possibly email me... admin@outsourcedjobs.co.za

i would greatly appreciate it !

Re: Forgot Admin Password

Posted: Tue Apr 20, 2010 5:47 pm
by social_experiment
If this software is worth anything your password is most likely hashed and even if you did find it you would have a fun time trying to reverse engineer it. Checking the database (and the code) will reveal whether the password has been hashed.

Re: Forgot Admin Password

Posted: Tue Apr 20, 2010 10:56 pm
by Bind
Additionally, you need to find the database entry for the administrator user account and replace the password hash with a new one matching the new password you wish to use, using PHPmyAdmin for MySQL or another database administration utility.

Usually scripts use MD5() for password database entry and validation, but newer scripts are using SHA1() and above. It's hard to tell what script you are using since it appears you have stripped-out the applications name and developer authorship from the browser output, so I cant look into it for you unless you provide the name of the application or post source code.

MD5() is 32 chracters long btw.

Look for an online md5/SHA1 hash generator to obtain a new hash for the new password you wish to use before changing it in the database.

Re: Forgot Admin Password

Posted: Wed Apr 21, 2010 3:51 am
by social_experiment
Bind wrote:Look for an online md5/SHA1 hash generator to obtain a new hash for the new password you wish to use before changing it in the database.
If the source code is available why not use that to create another hash?

danielmyles : What web-software are you using? I had a look at the site and it looks a bit like joomla?

Re: Forgot Admin Password

Posted: Wed Apr 21, 2010 9:38 pm
by Bind
social_experiment wrote:
Bind wrote:Look for an online md5/SHA1 hash generator to obtain a new hash for the new password you wish to use before changing it in the database.
If the source code is available why not use that to create another hash?
I don't know about you, but as a professional developer, I would not want a critical insecurity like that anywhere near any of my applications, unless you are going to code in robust security and user authentication into it, which is the reason for the need of change here in the first place - to log into his system as admin. Besides, why take the time to slop through the source code, trying to figure a way to hack past their admin authentication to code a way in when one already exists straight into the database itself, which all that needs changed anyway. It's best to just change the hash in the database on all counts. If the system was developed in a decent structure it should only take 5 seconds once you find the the user accounts table - SystemAdmin should be one of the first rows.

Re: Forgot Admin Password

Posted: Thu Apr 22, 2010 3:21 am
by social_experiment
Bind wrote:...I would not want a critical insecurity like that anywhere near any of my applications...
Are you refering to the ability of viewing source code here? I do refer to that option but not via the browser. Using software where the inner workings reveals traces of it's workings inside the source code (when viewing the html source) is so bad i don't have to explain the implications.
Bind wrote:Look for an online md5/SHA1 hash generator to obtain a new hash for the new password you wish to use before changing it in the database.
And finding a generator (online) that generates specific hashes for your system is not an insecurity? It sounds like a much bigger insecurity than scouring through your source code to look for how that administrator password is constructed.

Even if you do find the administrator password hash in the database, how do you know the construction of the hashed value? Sure you can take a look at the length of the hash but that does not make it a given that the password has just be been 'hashed' with sha1 or something similar. There could be a salt, unique id which might not be apparent by just looking at that password hash.
Bind wrote:If the system was developed in a decent structure it should only take 5 seconds once you find the the user accounts table
This will also then apply to a cracker, and then using an 'online md5/sha1 hash generator' they can quickly change your admin password. If the attacker can access your files to check the source code for how the password is constructed then having a administrator password to protected the system is moot.

Re: Forgot Admin Password

Posted: Thu Apr 22, 2010 10:56 pm
by Bind
social_experiment wrote:
Bind wrote:...I would not want a critical insecurity like that anywhere near any of my applications...
Are you refering to the ability of viewing source code here? I do refer to that option but not via the browser.
I am refering to what you were refering to when you stated, "... If the source code is available why not use that to create another hash? ..."

The only way that is accomplished would be by using a browser.
social_experiment wrote:
Bind wrote:Look for an online md5/SHA1 hash generator to obtain a new hash for the new password you wish to use before changing it in the database.
And finding a generator (online) that generates specific hashes for your system is not an insecurity? It sounds like a much bigger insecurity than scouring through your source code to look for how that administrator password is constructed.
You are talking about 2 completely different things here. 1-Finding the hash method and 2-developing a hash using that method. Neither is insecure.
social_experiment wrote:Even if you do find the administrator password hash in the database, how do you know the construction of the hashed value? Sure you can take a look at the length of the hash but that does not make it a given that the password has just be been 'hashed' with sha1 or something similar. There could be a salt, unique id which might not be apparent by just looking at that password hash.
It very well could be. Absolutely one should look through the source code in replacing the hash doesnt gain admin access, but to replace the hash, it should be direct database access and replacement - not scripted. I tend to try the easiest thing first instead of slopping through a boatload of source code. I have fixed hundreds of databases where administrators could not gain access in many applications. I have yet to find a password that required $salt. You do bring up an excellent point though. By combining different static user details as $salt+password to generate the value it would appear to make the system much more secure if any datacenter employees got nosey or anyone got database access locally. But still, if they have that access, they have access to the source code and would know what to look for if they were seriously intent on snagging user accout passwords, so at best, in this instance, its wet paper bag security in my opinion.
social_experiment wrote:
Bind wrote:If the system was developed in a decent structure it should only take 5 seconds once you find the the user accounts table
This will also then apply to a cracker, and then using an 'online md5/sha1 hash generator' they can quickly change your admin password. If the attacker can access your files to check the source code for how the password is constructed then having a administrator password to protected the system is moot.
All decent database servers have remote connections/access disabled by default, so a cracker would not be able to get in to the server to begin with unless the applications security was compromised,

How would they know the hash ?

How would they gain access to change it ?

Even PHPmyAdmin is HTTP_AUTH protected so they couldnt get in there TO change it.


What you are doing is simply going in and changing the value.

You do not want this to be in your source code at all - you want to do it manually for security purposes.

Its such a rare occurrance that the need for scripted ease-of-changing does not over-ride the sercurity implications - at least not for administration privilage purposes. For user accounts its fine and should be there, but not for administration.

Re: Forgot Admin Password

Posted: Fri Apr 23, 2010 6:14 am
by social_experiment
Bind wrote:I am refering to what you were refering to when you stated, "... If the source code is available why not use that to create another hash? ..."

The only way that is accomplished would be by using a browser.
Download wordpress, joomla, drupal, kohana then open the php files with your IDE or plain-text editor. That is the 'source code' i am refering to.
Bind wrote:Absolutely one should look through the source code in replacing the hash doesnt gain admin access, but to replace the hash, it should be direct database access and replacement - not scripted. I tend to try the easiest thing first instead of slopping through a boatload of source code.I have fixed hundreds of databases where administrators could not gain access in many applications.
...

What you are doing is simply going in and changing the value.

You do not want this to be in your source code at all - you want to do it manually for security purposes.

Its such a rare occurrance that the need for scripted ease-of-changing does not over-ride the sercurity implications - at least not for administration privilage purposes. For user accounts its fine and should be there, but not for administration.
I am not suggesting using a script to change the administrator password from outside the database. I am suggestion however that once you do find the method of password hash generation, you create a script (a personal version of an 'online-generator' if you will) that creates a hashed version of a plain text password and then put (by 'put' i am inferring manually inserting) that (new) hashed version inside the database. It might have been a faux pas on my part for not mentioning the replacing of the password in the database.
Bind wrote:All decent database servers have remote connections/access disabled by default, so a cracker would not be able to get in to the server to begin with unless the applications security was compromised,

How would they know the hash ?

How would they gain access to change it ?

Even PHPmyAdmin is HTTP_AUTH protected so they couldnt get in there TO change it.
...
Finding the tables containing usernames and password hashes are not rocket-science. If the attacker is familiar with the application being used (let's assume that this 'application' is being used in it's default state and that it is a commonly used or well-known application) then finding these details would be relatively simple. Those 'online generators' you refered to could well be a ploy to gather passwords, hash them and use them in rainbow tables.

I agree that it would be very difficult if not impossible to get past the security precautions you mention, but I dont think that these measures are 100% percent foolproof. Creating a hashed password with a salt is thus beneficial in such a circumstance, where the attacker only had access to your database and not your file system. It might not be 'crack-proof' but it will take a while longer than attempting to crack a hashed password using no salt.