Sunday, February 24, 2008

MySQL, SHA1 and me


While hacking around with SQL injection on the LSO (LearnSecurityOnline) labs, the subject of being able to crack a MySQL SHA1 password hash came up and became a topic of interest and a challenge of sorts. I have never come across this one before so I impulsively decided to pick it up and see what I could do with it before I had to get on a plane back to Seattle.


./poc


A quick Google search turned up this tool.

A proof of concept (hence the name) MySQL password hash cracker. Optimized for quad core CPU implementations

Can be downloaded from http://www.sqlhack.com/poc.c

gcc -O3 -o poc poc.c

I ran this for about 12 hours until it determined that the password was beyond 8 character and therefore out of scope for this particular program.

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM


./mysqlfast


Some initial Googling turned up this tool. I was able to run this one the longest albeit without any success.

http://packetstorm.linuxsecurity.com/Crackers/msqlfast.c

gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast

I ran this tool for about 15 hours without success. It was checking 9 character passwords when I ended execution of the program.

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM


./unhash


I came across this one looking for MySQL SHA1 crackers on PacketStorm Security. I was only able to run it for a few hours before I had to pack up my laptops in preparation to catch my flight.

http://packetstorm.codar.com.br/Crackers/unhash-0.9.tgz

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM


Cain & Abel


Identified the hash as MySQL v3.23. I attempted to use the built in dictionary running as many permutations as possible without any success. It took about an hour or so to make it through the dictionary file.

Performed on a HP nc6000 Pentium M 1.6 Ghz laptop with 2 GB of RAM


John the Ripper (Joe McCray performed this test)


John is not natively capable of cracking MySQL SHA1 hashes and requires a patch to do so.

[j0e@LinuxLaptop john-1.7.2]$ wget
http://openwall.com/john/contrib/john-1.7-all-4.diff.gz

[j0e@LinuxLaptop john-1.7.2]$ gunzip -c john-1.7-all-4.diff.gz | patch
-p0

[j0e@LinuxLaptop john-1.7.2]$ cd src/

[j0e@LinuxLaptop src]$ su
Password:

[root@LinuxLaptop src]# make linux-x86-any

John was fed a 7 million entry password dictionary

[j0e@LinuxLaptop run]$ ./john
--wordlist=../../../wordlistz/MassiveDictionary.txt mysql_hash.txt
Loaded 1 password hash (Raw SHA1 [raw-sha1])
guesses: 0 time: 0:00:00:03 100% c/s: 862538 trying: zwolle

This was NOT the correct password.

Performed on a Dell D620 Core Duo 2 1.83 laptop with 2GB of RAM


If anyone out there has any suggestions on more efficient ways to go about this I would LOVE to hear about them.


UPDATE: Sandro Gauci of SipVicious.org pointed me to a great resource. Any other feedback and suggestions are welcome!


May Your Skill Prevail.

3 comments:

Daniel said...

It's possible for multiple passwords to result in the same hash; did you try the password it found?

Petka said...

You can use this site to unhash MySQL passwords
http://www.petka.biz/hash1.pl

Petka said...

Unhash passwords
http://wwww.petka.biz/hash1.pl