Форум АНТИЧАТ - MySQL Brute Force

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)

- Расшифровка хешей (https://forum.antichat.xyz/forumdisplay.php?f=76)

- - MySQL Brute Force (https://forum.antichat.xyz/showthread.php?t=65364)

MySQL Brute Force

Кто нибудь знает, как можно еще расшифровать hash MuSQL кроме как переберать в PaswordsPro? Какие можно использовать еще утилиты?

Вот сдесь http://www.securiteam.com/tools/5YP0H0A40O.html есть утилита под названием - MySQL Brute Force Password Hash Cracker, может кто то её откомпилировать

Код:

///////////////////////////////////////////////////////////////////////////////////////////////

//

// MySQL brute force password attack

//

// to compile : g++ -omysqlpassword mysqlpassword.c -O6 -lm

//

// Written by : term@rmci.net, current version http://term.rmci.net/mysqlpassword.cpp

//

#include <iostream>

#include <stdio.h>

#include <math.h>

#include <stdlib.h>

#include <string.h> // memset

#include <unistd.h> // usleep



using namespace std;



struct rand_struct {

  unsigned long seed1,seed2,max_value;

  double max_value_dbl;

};



void make_scrambled_password(char *,const char *);

char *scramble(char *,const char *,const char *, int);



int brute(const char *password) {

  // Tune stuff here, change min / max for the char range to crack and width for max password width.

  unsigned int min=32,max=122,pos=0,width=11,max_pos=0;

  unsigned char data[255];

  register unsigned long long loops=0;

  char *encrypted_password = new char[255];

  memset(encrypted_password, 0, 255);

  memset((char*)&data, min, 255);

  while(width) {

    loops++;

    if(data[pos] != max) {

      data[pos]++;

    } else {

      for(register int i=pos; i<max; i++) {

        if(data[i] != max) {

          data[i]++;

          pos=i;

          break;

        }

      }



      if(pos>max_pos)

        max_pos=pos;



      for(register int i=pos-1; i >= 0; i--) {

        if(i==0 && data[i] == max) {

          data[i] = min;

          pos = 0;

          break;

        }

        if(data[i] != max || i==0) {

          pos = i;

          break;

        }

        data[i] = min;

      }

    }



    if(max_pos>width) {

      cout<<"No match found"<<endl;

      width=0;

      return(0);

    }

    data[max_pos+1] = 0;

        make_scrambled_password(encrypted_password,(const char*)data);

    if(!strcmp(encrypted_password,password)) {

      cout<<"MATCH ["<<data<<"] ["<<encrypted_password<<"]==["<<password<<"]"<<endl;

      return(0);

    }

    data[max_pos+1] = min;

    if((loops%500000)==0) {

      cout<<"[ "<<dec<<loops<<" ]";

      for(int i=0; i<=max_pos; i++) {

          cout<<" 0x"<<hex<<(int)data[i];

      }

      data[max_pos+1] = 0;

      cout<<" ("<<data<<")";

      data[max_pos+1] = min;

      cout<<endl;

    }

  }

}



int main(int argc, char* argv[]) {

  if(argc!=2) {

    fprintf(stderr,"usage : %s [ENCRYPTED MYSQL PASSWORD]\nexample , 5d2e19393cc5ef67 is encrypted value 'password' : %s 5d2e19393cc5ef67\n",argv[0],argv[0]);

    return(0);

  }

  brute(argv[1]);

}

///////////////////////////////////////////////////////////////////////////////////////////////////////////

//

// thx mysql source ^_^

//

void randominit(struct rand_struct *rand_st,ulong seed1, ulong seed2) {

  rand_st->max_value= 0x3FFFFFFFL;

  rand_st->max_value_dbl=(double) rand_st->max_value;

  rand_st->seed1=seed1%rand_st->max_value ;

  rand_st->seed2=seed2%rand_st->max_value;

}

static void old_randominit(struct rand_struct *rand_st,ulong seed1) {

  rand_st->max_value= 0x01FFFFFFL;

  rand_st->max_value_dbl=(double) rand_st->max_value;

  seed1%=rand_st->max_value;

  rand_st->seed1=seed1 ; rand_st->seed2=seed1/2;

}

double rnd(struct rand_struct *rand_st) {

  rand_st->seed1=(rand_st->seed1*3+rand_st->seed2) % rand_st->max_value;

  rand_st->seed2=(rand_st->seed1+rand_st->seed2+33) % rand_st->max_value;

  return(((double) rand_st->seed1)/rand_st->max_value_dbl);

}

inline void hash_password(ulong *result, const char *password) {

  register ulong nr=1345345333L, add=7, nr2=0x12345671L;

  ulong tmp;

  for (; *password ; password++) {

    if (*password == ' ' || *password == '\t')

      continue;

  tmp= (ulong) (unsigned char) *password;

  nr^= (((nr & 63)+add)*tmp)+ (nr << 8);

  nr2+=(nr2 << 8) ^ nr;

  add+=tmp;

  }

  result[0]=nr & (((ulong) 1L << 31) -1L); /* Don't use sign bit (str2int) */;

  result[1]=nr2 & (((ulong) 1L << 31) -1L);

  return;

}

inline void make_scrambled_password(char *to,const char *password) {

  ulong hash_res[2];

  hash_password(hash_res,password);

  sprintf(to,"%08lx%08lx",hash_res[0],hash_res[1]);

}

static inline uint char_val(char X) {

  return (uint) (X >= '0' && X <= '9' ? X-'0' : X >= 'A' && X <= 'Z' ? X-'A'+10 : X-'a'+10);

}

char *scramble(char *to,const char *message,const char *password, int old_ver) {

  struct rand_struct rand_st;

  ulong hash_pass[2],hash_message[2];

  if(password && password[0]) {

    char *to_start=to;

    hash_password(hash_pass,password);

    hash_password(hash_message,message);

    if (old_ver)

      old_randominit(&rand_st,hash_pass[0] ^ hash_message[0]);

    else

      randominit(&rand_st,hash_pass[0] ^ hash_message[0],

    hash_pass[1] ^ hash_message[1]);

    while (*message++)

      *to++= (char) (floor(rnd(&rand_st)*31)+64);

    if (!old_ver) {

      char extra=(char) (floor(rnd(&rand_st)*31));

      while(to_start != to)

        *(to_start++)^=extra;

    }

  }

  *to=0;

  return to;

}

http://www.sendspace.com/file/v4p0z1

Работает быстро. Сам юзаю для секеля..

А вот его сорц...

Код:

/* MySQL Weak Password Encryption Brute Force

* Example:

* $ gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast

* $ mysqlfast 6294b50f67eda209

* Hash: 6294b50f67eda209

* Trying length 3

* Trying length 4

* Found pass: barf

*

* The MySQL password hash function could be strengthened considerably

* by:

* - making two passes over the password

* - using a bitwise rotate instead of a left shift

* - causing more arithmetic overflows

*/



#include <stdio.h>



typedef unsigned long u32;



/* Allowable characters in password; 33-126 is printable ascii */

#define MIN_CHAR 33

#define MAX_CHAR 126



/* Maximum length of password */

#define MAX_LEN 12



#define MASK 0x7fffffffL



int crack0(int stop, u32 targ1, u32 targ2, int *pass_ary)

{

int i, c;

u32 d, e, sum, step, diff, div, xor1, xor2, state1, state2;

u32 newstate1, newstate2, newstate3;

u32 state1_ary[MAX_LEN-2], state2_ary[MAX_LEN-2];

u32 xor_ary[MAX_LEN-3], step_ary[MAX_LEN-3];

i = -1;

sum = 7;

state1_ary[0] = 1345345333L;

state2_ary[0] = 0x12345671L;



while (1) {

while (i < stop) {

i++;

pass_ary[i] = MIN_CHAR;

step_ary[i] = (state1_ary[i] & 0x3f) + sum;

xor_ary[i] = step_ary[i]*MIN_CHAR + (state1_ary[i] << 8);

sum += MIN_CHAR;

state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];

state2_ary[i+1] = state2_ary[i]

+ ((state2_ary[i] << 8) ^ state1_ary[i+1]);

}



state1 = state1_ary[i+1];

state2 = state2_ary[i+1];

step = (state1 & 0x3f) + sum;

xor1 = step*MIN_CHAR + (state1 << 8);

xor2 = (state2 << 8) ^ state1;



for (c = MIN_CHAR; c <= MAX_CHAR; c++, xor1 += step) {

newstate2 = state2 + (xor1 ^ xor2);

newstate1 = state1 ^ xor1;



newstate3 = (targ2 - newstate2) ^ (newstate2 << 8);

div = (newstate1 & 0x3f) + sum + c;

diff = ((newstate3 ^ newstate1) - (newstate1 << 8)) & MASK;

if (diff % div != 0) continue;

d = diff / div;

if (d < MIN_CHAR || d > MAX_CHAR) continue;



div = (newstate3 & 0x3f) + sum + c + d;

diff = ((targ1 ^ newstate3) - (newstate3 << 8)) & MASK;

if (diff % div != 0) continue;

e = diff / div;

if (e < MIN_CHAR || e > MAX_CHAR) continue;



pass_ary[i+1] = c;

pass_ary[i+2] = d;

pass_ary[i+3] = e;

return 1;

}



while (i >= 0 && pass_ary[i] >= MAX_CHAR) {

sum -= MAX_CHAR;

i--;

}

if (i < 0) break;

pass_ary[i]++;

xor_ary[i] += step_ary[i];

sum++;

state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];

state2_ary[i+1] = state2_ary[i]

+ ((state2_ary[i] << 8) ^ state1_ary[i+1]);

}



return 0;

}



void crack(char *hash)

{

int i, len;

u32 targ1, targ2, targ3;

int pass[MAX_LEN];



if ( sscanf(hash, "%8lx%lx", &targ1, &targ2) != 2 ) {

printf("Invalid password hash: %s\n", hash);

return;

}

printf("Hash: %08lx%08lx\n", targ1, targ2);

targ3 = targ2 - targ1;

targ3 = targ2 - ((targ3 << 8) ^ targ1);

targ3 = targ2 - ((targ3 << 8) ^ targ1);

targ3 = targ2 - ((targ3 << 8) ^ targ1);



for (len = 3; len <= MAX_LEN; len++) {

printf("Trying length %d\n", len);

if ( crack0(len-4, targ1, targ3, pass) ) {

printf("Found pass: ");

for (i = 0; i < len; i++)

putchar(pass[i]);

putchar('\n');

break;

}

}

if (len > MAX_LEN)

printf("Pass not found\n");

}



int main(int argc, char *argv[])

{

int i;

if (argc <= 1)

printf("usage: %s hash\n", argv[0]);

for (i = 1; i < argc; i++)

crack(argv[i]);

return 0;

}

Цитата:

Сообщение от spider-intruder

http://www.sendspace.com/file/v4p0z1

Работает быстро. Сам юзаю для секеля..

Перезалей плиз =)

Нет проблемм:

MySQL Brute Force Password Hash Cracker

John The Ripper с патчем "all*"

Цитата:

Сообщение от nikto

John The Ripper с патчем "all*"

если под линукс, можно по подробней..
пытался брутить джоном MD5 хеши неполучилоась((