I asked a question yesterday about secure hashing, which got me thinking about how one would actually go about breaking a password created with a custom hashing algorithm. My current (very unsecure) password script uses an iteration of sha1 on the password, and then an iteration on the hash generated by that prepended with a 3 digit salt.
$hash = sha1($pass1);
//creates a 3 character sequence
function createSalt()
{
$string = md5(uniqid(rand(), true));
return substr($string, 0, 3);
}
$salt = createSalt();
$hash = sha1($salt . $hash);
Now I, being the administrator of this server and having complete access to the source code and password table, plus administrative tools can simply reset a user’s password to whatever I would like, but for the sake of understanding security better, I am curious how to go about doing this the way a hacker would. I have a program called cain & abel which brute forces against a specific hash algorithm, but how would I do something like taking each attemped password, sha1 ing it, concatenate it to the (known) salt, and sha1 ing it again? This seems like it would be very simple to do, but I have never programmed in a language like C++ and I presume that is what is necessary.
EDIT:
I should specify the following:
This is an offline brute-force attack.
I have the database full of hashes and their respective salts.
The salts are per user, but I only want to attack one user’s password at a time.
Specifically, I am asking how to brute force a password using a custom series of hashing algorithms, such as the one I showed above:
pseudocode:
$hash = sha1( 'password' );
$salt = '3Sf';
$hash = sha1( $salt.$hash);
I presume whatever method would be used to do this could also be used to brute force a password hashed with a known algorithm such as:
$hash = sha1( 'password' );
$salt = '3Sf';
for($i; $i<1000; $i++){
$hash = sha1( $salt.$hash);
}
So I am not specifically asking for the CODE to do the first thing, I am asking by what method I can run a brute force program against a customized hashing algorithm like the 2 I have listed above.
NOTE: I am in no way stating I am likely to encounter this situation, but I would like to know how it is done.
To my knowledge, no broadly available hash-cracking tool supports this functionality.
However, as you said, it would be extremely simple to write a program to crack the hashes given enough time.
If your attacker already knows your way of computing the salted hashes, we can safely assume he either has access to your DB (which would necessarily store the salts as well), a dump of it or access to plaintext communication between your app and a client.
To then crack the hashes, he would simply replicate your sha1($salt . $hash) function and start feeding common passwords to it. This would save time compared to purely brute forcing all possible combinations. He’d take the $salt from you DB and compare the result of the hashed-salted-hashed password to the salted hash stored in the same DB.
If the resulting hashes match, the password has been “cracked”.
In general, using individual salts for each user is a good idea as it increases the time to crack an entire DB table of passwords exponentially. Instead of running a wordlist against a single hashing function with a single salt, he’ll have to run the entire wordlist against every single hashed PW in your database.
That said, if the attacker is far enough into your system to actually acquire the hashes / salts it would be much easier for him to alter your code to send him plain text copies of credentials of users logging in in the first place.