MD5 cracking

MD5 is a cryptographic hash function. This means, you can give the MD5 algorithm a string and it will return another 32-character long alphanumeric string. The returned string looks quite random, but it isn't. If you use the same input, you always get the same 32 character output.

What is it good for?

Well, imagine you had a web application. Now an attacker found a security whole and can read the password-column in the database. If it was plain text, he could use the passwords to log into the users accounts. As it is hashed and the hash function can't be simply reverted. So the attacker can't take any advantage of the passwords he just read.

It is much more realistic that the attacker can read the whole database. So he can access sensitive user data. As it is very likely that you have some e-mail adresses in there, he could quite probably log into the e-mail accounts of the users with the same password. If the password is hashed, it's not that simple. He has to try to crack the MD5 hashed passwords.

I'll describe and test in the following how easy this is and how it could be done.

Tested Hashes

MD5 is a widely used cryptographic hash function. I wanted to know how easy it is to crack them, so I tested it. I used those passwords:

  • "computer": df53ca268240ca76670c8566ee54568a
  • "establishment": f469410e5ec7594a9c41603e06ccf6a3
  • "My Birthday": ce9dbd008dac54422b90b3f82f58dd40
  • "I'm born in 1990.": 834649b6298642a7576b10c6705842d8
  • "r4Nd0m9": cc11c3de28e4425eff27b2fb5f216903

Online Crackers

If you search for "md5 cracker" you find some md5 crackers. This website could crack computer, establishment and My Birthday. The other two hashes weren't cracked.

John the Ripper

Ubuntu-Users can easily install John the Ripper (sudo apt-get install john) and use it for cracking hashes. To do so, the have to create a file in their working directory (let's call it md5.txt) and execute the following command:

john --format=raw-MD5 md5.txt

Here is the time, john needed to crack the hashes:

  • "computer": 0.521 seconds
  • "establishment": after 1 h it wasn't cracked
  • "My Birthday": after 5 min it wasn't cracked
  • "I'm born in 1990.": after 5 min it wasn't cracked
  • "r4Nd0m9": after 38 min it wasn't cracked

Okay, these results aren't good. But you can also use a wordlist (e.g. the 15 MB list from http://www.bright-shadows.net/download/downloads.php) and the command john --wordlist:tbswordlist1.txt --format=raw-MD5 md5.txt

  • "computer": df53ca268240ca76670c8566ee54568a
  • "establishment": 0.568 seconds
  • "My Birthday": not cracked
  • "I'm born in 1990.": not cracked
  • "r4Nd0m9": not cracked

Published


by

Category

The Web

Tags

Contact