Dump user's password to try to crack them

potemkin_ai

@potemkin_ai said in Dump user's password to try to crack them:

@nebulon Thank you! Would you mind helping with selecting proper resulting encryption, please?

It'something at that page: https://hashcat.net/wiki/doku.php?id=example_hashes and I though it shall be 7300, but it isn't...

P.S. Yeah, forcing some password complexity would be nice!

@nebulon , @girish , (or anyone else, actually) I offload the task from my radars for now, but as soon as you want me to run a brute-force attack of the algorithms you've chosen using modern GPU HW, please, let me know the function from hashcat to run.

For my or any other reference, here are the steps to do:

mysql -uroot -ppassword box -e "select username,password,salt from users;" > users.list # note salt field - it's a must

Use hashcat -m $mode $password:$salt then to try if it will be accepted.
$mode to be taken from example hashes table above, better also verify if with hashcat -m $mode --example-hash - the later will show the hash structure expected by hashcat.

Once appropriate mode found (hashcat starts checking the hashes) - this could be offloaded to GPU for a much faster checks and verification against various dictionaries, etc.

I had to do some other password recovery task now and I was unpleasantly surprised with the speed of the brute force efficiency (with john just on modern CPU).

Shall my time permit, I will return here some time in the future; otherwise would be glad to pick up this task once Cloudron's resulting hash will be matched with hashcat's one (or a new mode created).