Showing posts with label password hacking. Show all posts
Showing posts with label password hacking. Show all posts

Monday 19 November 2012

PHP 5.5 To Include Simple And Secure Password Hashing API

Few days ago, we saw the release of PHP 5.5.0 Alpha 1 to the public. The PHP development team is serious about addressing all the criticism it gets time and again. With the recent leaks of several high profile sites, a simple to use yet secure password hashing API has been introduced now.

Here's the RFC for simple password hashing API proposed by ircmaxell and now it has been implemented as a PHP core in 5.5.0 Alpha 1 release and will continue to be part of the PHP core in future releases.

In case you would like to use the API functions in older releases, there's a compatible PHP library for PHP >= 5.3.7. The reason for this is that PHP prior to 5.3.7 contains a security issue with its BCRYPT implementation.



Basically the idea behind simple password hashing API is that most of the PHP developers either don't understand or don't think worth the effort the whole concept of strong password hashing. By providing a simple API that can be called, which takes care of all of those issues for you, hopefully more projects and developers will be able to use secure password hashing.

Using the API is quite simple. All you have to do to get the hash is:

$hash = password_hash($password, PASSWORD_BCRYPT);


Verifying the password is also quite simple.

if (password_verify($password, $hash)) {
    // pass is correct :)
} else {
    // pass is correct :/
}


The simple password hashing API provides sets of password_* functions for the developers to make use of strong password hashing.

Reading materials



RFC for simple password hashing API

Designing an API

PHP 5.5.0 Alpha 1 released


Read more...

Tuesday 28 February 2012

List of Hashing Algorithms Used In Major CMS & Forums

Just found this random image from one digital friend and its a pretty good list of hashing algorithms used in many web based applications such as CMS and forum softwares. Some of these algorithms might get outdated with newer versions, but still it will be a good reference.

list of hash algorithms for major web apps

View Full Size Image

Note for creator: If you are the owner of this image, please let me know so that I can give you the credit.


Read more...

Thursday 2 February 2012

Brute Force Vulnerability - Damn Vulnerable Web App Part 1

Welcome to the part 1 of the web hacking series based on damn vulnerable web application. I will be guiding all the beginners through the various web hacking technologies by using the open source DVWA application. I would like to suggest to try things on your own before reading all of these tutorials and you could actually use these series of tutorial as walkthroughs.

By now, I suppose you have already installed the damn vulnerable web application in your local web server(or maybe in local area network). Login to the DVWA interface with the default username/password combination which is admin:password Also we will first start with the low security level that can be set from within the interface by clicking on "DVWA security" link. So please set the security level as low and make sure you have not enabled PHPIDS for now.

In this very first tutorial, I will be guiding you in bruteforcing the login form which you can access from the "Brute Force" item in the left navigation menu.

*** For some reason, code looks ugly but copy/paste will work perfectly. ***

A bit of information on bruteforce: Bruteforce is a trial and hit method used to enumerate the working set of candidates for any system. In computer security field, bruteforcing is generally used to determine the authentication credentials by either making extensive guess using the permutation and combination methods(pure bruteforce) or by making use of dictionary(called dictionary attack). Usually, one of the keys is run through the same algorithm that has been employed in the system and the keys are tested on the system's authentication mechanism to determine the correct set of combinations. In our example, we will be performing dictionary attack on the web based form authentication system.

1) Lets test the login form with a random login information(I will test with admin:admin combination). And on giving wrong credentials, the login system shows us the error Username and/or password incorrect.. And we can see the URL in address bar changes to http://localhost/pvt/dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login#. The URL suggests us that form is using the GET method and hence our credentials are being part of querystring on the URL.

2) Manual bruteforcing might take a lot longer time than expected so its a good idea to write a form bruteforcer. Of course, there are several tools on the internet for form bruteforcing but we will write our own tool in python programming language. Writing a bruteforcer is not a very difficult task but I expect you know one of the programming languages. If not, I suggest you to grab the basics of at least one language among PHP, Python, PERL and Ruby. Our attack will actually be a dictionary attack, a variant of bruteforcing technique in which we will be testing several user:password combination to find if any of those combinations work.

3) I hope you have already learnt basics of one of the above said languages. Now lets create list of possible usernames and list of possible passwords. You might write these two lists separately in two files for big list but for now I'll be putting possible usernames and passwords as tuple in the python code itself.

users = ("admin", "administrator", "1337")
passwords = ("admin", "administrator", "hacker", "password", "jessica", "qwerty", "iloveyou", "123456", "1337", "leet", "john", "stephen", "charley")

4) Now we will use urllib2 python module to send the HTTP requests with our username:password combinations. So first lets create the URL we will make request with. We have earlier found that login information is being passed as the GET parameters so things will be little bit easier. We can directly craft the action URL using our combinations which will look as below:

for user in users:
    for password in passwords:
        url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)

5) Now that we have successfully crafted the URL, we will have to add cookies to the request header. This can be easily done by using urllib2 module. We need to put cookies to reflect our logged-in status to the DVWA interface otherwise we will be redirected to the login page of DVWA itself. We can grab our cookies from the browser. I used "View Cookie Information" feature of "Web Developer" plugin I had installed in my firefox browser. The two cookie fields were PHPSESSID and security. So our code becomes:

for user in users:
    for password in passwords:
        url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)
        req = urllib2.Request(url)
        req.add_header("Cookie", "PHPSESSID=sdenfruj4kh1o8miaj443taul1;security=low")
        response = urllib2.urlopen(req)
        html = response.read()

6) Now we have successfully read the HTML response, we will just make use of the information we had earlier when our credentials were wrong. What I mean is that providing wrong credentials was throwing us an error Username and/or password incorrect. in the HTML output. Hence, we can search for this string and if this string is not present in the HTML output, we can be sure that our current username:password combination is working. Hence our final code becomes:
#!/usr/bin/python

import urllib2

users = ("admin", "administrator", "1337")
passwords = ("admin", "administrator", "hacker", "password", "jessica", "qwerty", "iloveyou", "123456", "1337", "leet", "john", "stephen", "charley")

for user in users:
    for password in passwords:
        url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)
        req = urllib2.Request(url)
        req.add_header("Cookie", "PHPSESSID=sdenfruj4kh1o8miaj443taul1;security=low")
        response = urllib2.urlopen(req)
        html = response.read()
        if "Username and/or password incorrect." not in html:
            print "Working combination --- %s : %s" %(user, password)

7) Now lets run this code from terminal by typing python bruteforce.py and following was the result:

samar@Techgaun:~/Desktop$ python bruteforce.py
Working combination --- admin : password
Working combination --- 1337 : charley
samar@Techgaun:~/Desktop$

8) Lets see if our extracted combinations really work in the website. And voila!!! They work like a charm. This was just a very basic example on how you could bruteforce the HTTP forms and perform dictionary attack. I hope you learnt basic of bruteforcing from this tutorial.



Read more...

Tuesday 22 November 2011

How To Check Your Password Strength

With the increase in number of hackers and hack attacks, choosing strong and hard to guess passwords is one of the ways to keep yourself secure. While there are other numerous parameters to take care of to keep yourself secure, one of the primitives is choosing the strong password. In this post, I'll let you know how you can determine the strength of the password you choose to use.

Strength of the password can be tested by studying the character combinations used in the password and there are some tools to assist you in this process.

The first tool is the password strength checker. This online tool gives a very comrehensive detail of the strenght of the password.


Another tool to test the strength of the password is to calculate the bruteforce attack time to retrieve the password from hash. One such tool is a excel template available HERE which gives the estimate of how fast a password is hacked by these widely available tools running on today's desktops. Another online tool for the similar purpose is howsecureismypassword.net which provides bruteforce time and informs if your password is the common one or not.

I hope you find this information useful. :)



Read more...

Wednesday 9 November 2011

How To Crack Emesene Messenger Passwords Easily

Emesene is a lightweight messenger for MSN users. Now that Emesene stores the passwords for emails in users.dat file with very simple ASCII to Hex encryption, it is very easy to reverse it to get the passwords.

The users.dat file is located in /home/current_user/.config/emesene1.0/users.dat and you can view the content of this file by issuing the command as below:

cat ~/.config/emesene1.0/users.dat

The format in which the login information is saved is email:hex_encrypted_password:status which is later read by emesene in next launch. Now to get the original password, all you have to do is decrypt the hex string using the encrypter/decrypter tool.

Copy the hex encoded part(i.e. password part) from the users.dat file. Mine users.dat file was samar_acharya@hotmail.com:74657374696e67:busy where 74657374696e67 is the password in the hex form. All I have to do is open the encrypter/decrypter tool, paste this hex string in the input box, select the Hex decoding optioni from dropdown list and then click on Submit to get the actual password to my account.



Read more...