hashcat
Mode 3710 - First MD5 in upper case
Mode 3710 takes md5($salt.md5($pass)) as the hash.
The first md5($pass) returns an MD5 sum in lowercase, which in turn is hashed again with the addition of $salt.
Is it possible to make the first hash (md5($pass)) return an uppercase string, i.e. so that it is hashed as $salt.UPPERCASE_MD5($pass)?
I tried editing the code by myself with no success.
Thanks.
I'll elaborate further. According to this: https://github.com/mcw0/PoC/blob/master/dahua-telnetd-json.py:

```python
# Excerpt as posted (Python 2 syntax: print statement, str concatenation).
def dahua_md5_hash(Dahua_random, Dahua_realm, username, password):
    # inner hash: MD5(username:realm:password), hex digest upper-cased
    PWDDB_HASH = hashlib.md5(username + ':' + Dahua_realm + ':' + password + '').hexdigest().upper()
    # outer hash: MD5(username:random:INNER), hex digest upper-cased
    PASS = ''+ username + ':' + Dahua_random + ':' + PWDDB_HASH + ''
    RANDOM_HASH = hashlib.md5(PASS).hexdigest().upper()
    print "[i] MD5 hash:",PWDDB_HASH
    print "[i] Random value to encrypt with:",Dahua_random
    print "[i] Built password:",PASS
    print "[i] MD5 generated login hash:",RANDOM_HASH
    return RANDOM_HASH
```
If I get the hash from the authentication process, I'll be able to recover the password since I have all the parameters: random, username, realm (which is "Login to SN in md5"). I was able to change mode 3710 to make it create the "first" MD5 hash in upper case, and I'm able to crack the hash and recover my password, but in a very "ugly" way. First I get the MD5 hash from Wireshark; I also get the random (which is a 10-digit number) and the realm (which is "Login to blablamd5string"). Then I create a hash list which looks like this: 8743b52063cd84097a65d1633f5c74f5:$(HERE are the username and random in upper-case hex)
After that I'm able to crack it using a command like this, for example: `-a3 -w4 -m 3710 hash.file -1 ?l?d --hex-salt "admin:Login to $(SN in MD5):?1?1?1?1?1?1?1"`
It doesn't work with wordlists, and the entire process is a pain in the a$$.
Any help is much appreciated. John.
Hey, could you clarify a few things about this algorithm? Is SN already hashed, or do you have to hash it yourself?
It would be perfect if you could provide a hash with known plaintext, Dahua_random, username and Dahua_realm, or at least try cracking an example hash I generated, in order to make sure we are thinking about the same algorithm:
SN: example
Dahua_realm: Login to 1a79a4d60de6718e8e5b326e338ae533
Dahua_random: 8120678620
username: username
password: hashcat
hash: bcd872cd13cd5ac66744105656f1cac7
Hi! Thanks for replying! Your example works perfectly. I'm adding my code for further testing.

```python
import hashlib
import sys


def DAHUA_HASH(wordlist, random, sn, username, sniffed_hash):
    random = str(random)
    with open(wordlist, encoding='utf-8', errors='ignore') as infile:
        for password in infile:
            password = password.strip()
            # inner hash: MD5(username:realm:password), hex digest upper-cased
            PWDDB_HASH = hashlib.md5((username + ':' + sn + ':' + password).encode('utf-8')).hexdigest().upper()
            # outer hash: MD5(username:random:INNER), hex digest upper-cased
            PASS = (username + ':' + random + ':' + PWDDB_HASH).encode('latin-1')
            RANDOM_HASH = hashlib.md5(PASS).hexdigest().upper()
            if RANDOM_HASH.lower() == sniffed_hash.lower():
                print(f'Found password: {password}')
                # print(..., file=...) needs a file object, not a path string
                with open('/home/john/password.txt', 'a') as out:
                    print(password, file=out)
                return password
    return None


wordlist = sys.argv[1]
print(wordlist)
random = '8120678620'
username = 'username'
sn = 'Login to 1a79a4d60de6718e8e5b326e338ae533'
sniffed_hash = 'bcd872cd13cd5ac66744105656f1cac7'
DAHUA_HASH(wordlist, random, sn, username, sniffed_hash)
```

So for now we're on the same page. Thanks again, John.
BTW, just to clarify: the hashed serial number is not something I do; that's how I get it from Wireshark. I'm not sure that it's actually an md5sum of the original SN, but it doesn't matter, because I use it "as is" and it works. Just treat it like a normal long string that is used as the salt.
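The construction discussed in the two posts above, as an added example that is not code from the thread or from the mcw0 PoC: it computes the Dahua login hash exactly as the posted PoC does (inner MD5 upper-cased), shows for contrast what a stock md5($salt.md5($pass)) computation with a lowercase inner hash gives, and builds the `hash:hexsalt` line the first poster fed to his modified mode 3710 (salt is `user:random:`, so the candidate has to be `user:realm:password`, which is why a literal prefix was needed in the mask). The function names and the short wordlist are assumptions made here; the sample values are the ones posted in the thread.

```python
import hashlib

# Sample values as posted in the thread (the realm string is what the
# device sends; the thread treats it as an opaque salt).
REALM = "Login to 1a79a4d60de6718e8e5b326e338ae533"
RANDOM = "8120678620"
USERNAME = "username"
TARGET = "bcd872cd13cd5ac66744105656f1cac7"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def dahua_login_hash(username, realm, random, password, upper_inner=True):
    """Outer = MD5(user:random:INNER), INNER = MD5(user:realm:password).

    upper_inner=True reproduces the posted PoC (.hexdigest().upper()).
    upper_inner=False is what a stock md5($salt.md5($pass)) mode computes,
    which is why unmodified mode 3710 cannot crack these hashes.
    Returns the outer hash as lowercase hex for easy comparison.
    """
    inner = md5_hex(f"{username}:{realm}:{password}".encode("utf-8"))
    if upper_inner:
        inner = inner.upper()
    return md5_hex(f"{username}:{random}:{inner}".encode("utf-8")).lower()


def hashcat_3710_line(sniffed_hash, username, random):
    """Build the 'hash:salt' line for a md5($salt.md5($pass))-style mode with
    --hex-salt, where the salt is the literal 'user:random:' prefix.
    (Helper name is an assumption made for this example.)"""
    salt = f"{username}:{random}:".encode("utf-8")
    return f"{sniffed_hash.lower()}:{salt.hex()}"


def crack(sniffed_hash, username, realm, random, candidates):
    """Try each candidate password; return the match or None."""
    for pw in candidates:
        if dahua_login_hash(username, realm, random, pw) == sniffed_hash.lower():
            return pw
    return None


if __name__ == "__main__":
    wordlist = ["password", "123456", "admin", "hashcat"]  # constructed sample
    print("3710-style line :", hashcat_3710_line(TARGET, USERNAME, RANDOM))
    print("upper inner     :", dahua_login_hash(USERNAME, REALM, RANDOM, "hashcat"))
    print("lower inner     :", dahua_login_hash(USERNAME, REALM, RANDOM, "hashcat", upper_inner=False))
    print("cracked         :", crack(TARGET, USERNAME, REALM, RANDOM, wordlist))
```

Running it shows that only the upper-cased inner hash reproduces the posted target, and that the candidate for a 3710-style attack must carry the `username:realm:` prefix, which a plain wordlist does not.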
#3482 works like a charm! Thanks a lot! Can't wait for the merge :)
Any help on this? What should the hash format for mode 3730 actually be?
I also can't figure out how it works...