Jump to content

MD5 cracker

slpctrl

By slpctrl
in PHP Coding Help

 Share

Recommended Posts

slpctrl Regular Member

slpctrl

Posted
Posted

Hello, I've tried to code an MD5 cracker, here's what I got:

 

 

function hashcrack()
{
$words = file("file.txt");
foreach ($words as $word) {
  $word = rtrim($word);
    if (md5($word) == $hash) {
      $word = $postvalue;
      exit;
    }
}
print "No matches found!\n";
}

 

Should this be right? I've got a MD5 hash that was hashed using PHP, and I know that the hashes should always be the same, so if I take a wordlist with a word which I know has the word for the hash, it should give me a match right? Well it's not working and I'm not sure why :[

Link to comment
Share on other sites
slpctrl Regular Member

slpctrl

Posted
  • Author
Posted

i dont mean to burst your bubble... actually, im meaning to do just that, but md5 virtually cant be cracked homie

 

Actually that's not true. If I were to use the MD5() function in PHP to hash a text value, it will always return the same hash for the same value. If you can then take a wordlist, split up each word into an array and hash each word to check them against the hash value you have, then you can determine what the value of the hash is. I know it can be done, I'm 100% sure of it. I also know that you can script something long and drawn out that will brute force it, but that's not what I'm after. Milw0rm has a good PHP MD5 cracker that checks against a wordlist here:

 

http://www.milw0rm.com/cracker/insert.php

 

Sorry to burst your bubble  :D

Link to comment
Share on other sites
revraz Member

revraz

Posted
Posted

Thats called brute force and isn't the same as cracking.

 

i dont mean to burst your bubble... actually, im meaning to do just that, but md5 virtually cant be cracked homie

 

Actually that's not true. If I were to use the MD5() function in PHP to hash a text value, it will always return the same hash for the same value. If you can then take a wordlist, split up each word into an array and hash each word to check them against the hash value you have, then you can determine what the value of the hash is. I know it can be done, I'm 100% sure of it. I also know that you can script something long and drawn out that will brute force it, but that's not what I'm after. Milw0rm has a good PHP MD5 cracker that checks against a wordlist here:

 

http://www.milw0rm.com/cracker/insert.php

 

Sorry to burst your bubble  :D

Link to comment
Share on other sites
cooldude832 Advanced Member

cooldude832

Posted
Posted

MD5 by definition is an uncrackable encryption method.

  Why, because the encrypted key is of length greater than the original key.  This meaning that you can generated the original string  unencrypted before the encrypted.

 

Secondly just from the little i know of its algorithm it follows a rotating pattern encrypted in the key, and then the words use mean nothing as string length, character order, ascii numbers etc are all parts of it

 

If you can crack md5 you wouldn't be looking for help here

 

http://en.wikipedia.org/wiki/Md5

Link to comment
Share on other sites
slpctrl Regular Member

slpctrl

Posted
  • Author
Posted

Thats called brute force and isn't the same as cracking.

 

i dont mean to burst your bubble... actually, im meaning to do just that, but md5 virtually cant be cracked homie

 

Actually that's not true. If I were to use the MD5() function in PHP to hash a text value, it will always return the same hash for the same value. If you can then take a wordlist, split up each word into an array and hash each word to check them against the hash value you have, then you can determine what the value of the hash is. I know it can be done, I'm 100% sure of it. I also know that you can script something long and drawn out that will brute force it, but that's not what I'm after. Milw0rm has a good PHP MD5 cracker that checks against a wordlist here:

 

http://www.milw0rm.com/cracker/insert.php

 

Sorry to burst your bubble  :D

 

So checking a wordlist nor brute forcing is cracking? Those are really only 2 of 3 options my password cracker has (jtr...besides rainbow tables) and I would consider JTR a password cracker... ???

Link to comment
Share on other sites
slpctrl Regular Member

slpctrl

Posted
  • Author
Posted

MD5 by definition is an uncrackable encryption method?  Why, because the encrypted key is of length greater than the original key.  This meaning that you can generated the original string  unencrypted before the encrypted.

 

Secondly just from the little i know of its algorithm it follows a rotating pattern encrypted in the key, and then the words use mean nothing as string length, character order, ascii numbers etc are all parts of it

 

If you can crack md5 you wouldn't be looking for help here

 

http://en.wikipedia.org/wiki/Md5

 

That's not why it can't be cracked, the same can be said for almost any form of encryption. It's because it's mathematically irreversible. Can someone just help me out with checking hashes against a wordlist please?

Link to comment
Share on other sites
alecks Member

alecks

Posted
Posted

Hashing algorithms such as md5, sha1, are one way operations. They are used in password databases because if a hacker were to gain access to a database of hashed passwords, be couldn't do anything with it because theoretically there is no way he could get the base strings (un-hashed passwords) for those hashes. However, programs such as Ophcrack use precompiled tables of hash values, called 'rainbow tables,' to try and get the base string. These rainbow tables can become insanely huge, 15gb+ in most cases. There are some online databases, but they are often incomplete :/, ex. http://md5.rednoize.com/

Link to comment
Share on other sites
cooldude832 Advanced Member

cooldude832

Posted
Posted

did you read the wiki on it, either way you don't get it

a space is an ascii charcter just like a,b,c,d,e,f,g,h splitting at words isn't going to get you anyhting, its the 32 byte subsets generated from the string that are used in the random collisions of this encryption method.

 

Yes it has been cracked, but a method is classified as "uncrackable" when the generated string is greater than the original, this is because when a crack is needed for a single application you won't try and reproduce a checksum, you reproduce the original string assuming it follows a uncrackable state. 

 

Some cracks will compress a string, in this case md5 doesn't

 

Working with words isn't going to get you anywhere, working on 32-bit strings might.

Link to comment
Share on other sites
sKunKbad Advanced Member

sKunKbad

Posted
Posted

I've seen and used md5 crackers that were actually pretty good (for most people's lame passwords), but all it was doing was looking through an existing database of passwords. The only good reason I could find to crack passwords was to be able to send it back to a user in case they forgot their password. There are of course alternatives.

Link to comment
Share on other sites
trq Prolific Member

trq

Posted
Posted
Can someone just help me out with checking hashes against a wordlist please?

 

Your function doesn't actually return anything when it finds a match. It also uses a variable that isn't defined. You might try something like....

 

<?php

function hashcrack($hash) {
 $words = file("file.txt");
 foreach ($words as $word) {
   $word = trim($word);
   if (md5($word) == $hash) {
     return $word;
   }
 }
 return false;
}

if ($result = hashtocrack('cd07ddb17471e8ff66014578c8e93280')) {
 echo "hash matches $result";
} else {
 echo "No match found";
}

Link to comment
Share on other sites
slpctrl Regular Member

slpctrl

Posted
  • Author
Posted

Can someone just help me out with checking hashes against a wordlist please?

 

Your function doesn't actually return anything when it finds a match. It also uses a variable that isn't defined. You might try something like....

 

<?php

function hashcrack($hash) {
  $words = file("file.txt");
  foreach ($words as $word) {
    $word = trim($word);
    if (md5($word) == $hash) {
      return $word;
    }
  }
  return false;
}

if ($result = hashtocrack('cd07ddb17471e8ff66014578c8e93280')) {
  echo "hash matches $result";
} else {
  echo "No match found";
}

 

What if I have it defined outside of the function? And a few questions, where did $result come from? I have a variable assigned to that name already.

Link to comment
Share on other sites
cooldude832 Advanced Member

cooldude832

Posted
Posted

What you should do is not crack, but write an algorthim to start testing through every ascii string from length 1 to length 32 and then from there you have a very nice rainbow table to work with

only issue

there is 127 ascii characters so the number of choices you would have is

127^32 choices which is 2.09758259 × 10^67

 

if you move up to 64 charcter strings, it is

well over a google of check sums

 

so you be search 10^67 records of 32 bytes each which is about 10^43 yottabyes so have fun with that

Link to comment
Share on other sites
trq Prolific Member

trq

Posted
Posted
What if I have it defined outside of the function?

 

It does not exist within the function. You need to read up on scope

 

And a few questions, where did $result come from?

 

It is defined in the....

 

if ($result = hashtocrack('cd07ddb17471e8ff66014578c8e93280')) {

 

line and recieves the result from your function. It could be called whatever you like.

Link to comment
Share on other sites
rab Member

rab

Posted
Posted

It appears as if Wes's account was hacked after he posted his hash.

 

ownedfm4.png

 

 

Anyways, MD5 is "uncrackable" but there have been advancements in generating the same MD5 sum with a different file. I don't think this applies to raw MD5 on strings though, correct me if I'm wrong.

Link to comment
Share on other sites
Wes1890 Member

Wes1890

Posted
Posted

It appears as if Wes's account was hacked after he posted his hash.

 

ownedfm4.png

 

 

Anyways, MD5 is "uncrackable" but there have been advancements in generating the same MD5 sum with a different file. I don't think this applies to raw MD5 on strings though, correct me if I'm wrong.

 

haha.. nope, im still me :D

a mod has changed my sig tho.. that kinda pisses me off

Link to comment
Share on other sites
mr_mind Member

mr_mind

Posted
Posted

Why not create a script to insert every possible combination of letters and numbers into a database then do mysql_fetch_array in your php script this would do the work for you so that you dont have to type in all those pesky combinations and it would be basically no work at all

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.