RSS

FindMyHash

06 May

Often in penetration tests we discover password hashes. In this situation every penetration tester use the password cracking tool of his convenience ( like john the ripper) in order to crack the hashes offline and to escalate privileges. The sooner that the hash cracks the better for the results of the engagement as the penetration tester will have more time to search on the system for other important things while he has a valid password.

For that reason a script created that allows the penetration tester to crack hashes using free online services or even Google if the hash is common. The usage of the script is very simple and it can be seen below:

FindMyHash Script in action

FindMyHash Script in action

 

This is definitely something that every penetration tester should check before he starts the process of cracking a hash.

Author: https://twitter.com/laXmarcaellugar

Email: bloglaxmarcaellugar@gmail.com

Script: http://code.google.com/p/findmyhash/

About these ads
 
8 Comments

Posted by on May 6, 2013 in Tools

 

Tags: , ,

8 responses to “FindMyHash

  1. apentester

    May 7, 2013 at 4:04 pm

    I’m not sure I agree with this – posting of hashes to a public site may not appropriate. Is the source IP attributable to the client – if so the owner of the site now knows password X is likely to belong to organisation Y?

    Does the client approve of you posting sensitive password hashes to a website which cannot easily be verified?

    Does the third-party website attempt to crack (and therefore compromise) unknown password hashes?

    Most testers I know would stay clear of such sites (on a penetration test at least) for the above reasons….

     
    • Der_Stift

      May 9, 2013 at 6:51 am

      I agree with apentester, because it is quite a bit risky to use this script. Because even the hashes could include company details.
      But on the other hand: It is good when you make sure that nobody can get to your IP. Even if this is not the company IP ;) And if you have no other choice to crack that system.

      So I would say it depence on the case, if you use it or not. :)

       
  2. Voyager

    May 7, 2013 at 5:03 pm

    Cool tip, thx

     
  3. netbiosX

    May 7, 2013 at 8:49 pm

    @apentester I slightly disagree with you even though your reasons are valid. I will share my thoughts on this script and why I think that it is useful.

    First of all you can avoid sending the hash from the network of the client (if the test is internal). So this problem is solved as it will be impossible for anybody to match this hash to your client.

    Secondly the majority of these websites are performing a check in their database to see if the hash is already cracked or not. In the above example the hash is well-known so in these scenarios it can save you time especially when it is impossible for them to associate the hash with your client. If the hash is already cracked by someone else and you discover it through this script then still you will mark the issue as weak password and you will report it. So in this situation the client still needs to change the password ( so the hash will change) so nobody will have nothing.

    For me the only problem that I can think with the usage of this script is when a password is the name of the company. So in this situation yes all these third-party websites can associate the hash with the company. But someone can argue and say that if you don’t check a system for default or weak credentials as a pen tester then definitely you are not doing something correctly.

     
    • apentester

      May 9, 2013 at 8:16 am

      Key thing to remember, the hash is the clients data. You should be under NDA when conducting a pentest, the client must authorise the release of this data to a third party.

      Whether or not you believe the risk to minimal is irrelevant.

       
  4. anonymous

    May 8, 2013 at 4:40 pm

    what if hashes reveal the organisation names in different probabilities and combinations? Posting it to the public databases is highly risky in my opionion.

    A good alternative could be having nice wordlists with you on external drive or somethign and you can automate jtr/hash cat to come up with some passwords fast. Or add a rule to john to check different combinations of the client organisation name or frequently used string that you think is likely to be part of a password.

     
  5. leonteale

    June 22, 2013 at 4:39 pm

    You should not post hashes to third party sites when performing a penetration test for a client. scripts like this are bad and should be used only under your own lab or if you have explained to the client what the script does and who it talks too and get their consent. but even still they likely wont understand the risk to this. sorry but this is not a good recommendation. Pentesters be be weary!

     

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 619 other followers

%d bloggers like this: