Breaking passwords hashes from database information

Home Forums Breaking passwords hashes from database information

This topic contains 0 replies, has 1 voice, and was last updated by  BrianMiz 3 weeks, 5 days ago.

  • Author
    Posts
  • #136461

    BrianMiz
    Member

    Hi. I’m currently taking an Information Security course and as a main task we had to do a SQL injection attack to a given database. As a result, we obtain the following: User names, password hashes, salts.

    As an extra problem, we are tasked to break (at least some) password hashes of the users. We are given the way the has is calculated:

    `password_hash = truncate_to_32_character(convert_to_hex(sha256(constant_prefix + password + salt))`
    Where `constant_prefix` is given.

    I think that a dictionary attack is the way to go and I managed to crack two of the passwords by using as a dictionary files from here: [https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt)

    I tried all the other .txt files directly under the /Passwords and /Passwords/Common-Credentials to no avail: I only got the same two password hashes that I got before.

    I asked a TA and he suggested using the information from the database (user names, etc.) and most common English words to produce my own dictionary. Assuming that I have two files, the DB data and most common words in English language, how to I produce a mutation of the two in a smart way? By “smart way” I mean that I take word 1 from file A, word 2 from file B and maybe add some noise or change lower character to upper character etc.

    Thanks!

You must be logged in to reply to this topic.