Challenge 18 ☆☆☆☆☆

Welcome to challenge Challenge 18. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Bad hashing

This developer has their password stored on their computer. They are no idiot, though, they have hashed it twice using the same systems many of the biggest companies in the world use. Just with a little less seasoning. Nobody is going to be able to crack this…​

The first hash is 2ab96390c7dbe3439de74d0c9b0b1767 and the second hash is F3BBBD66A63D4BF1747940578EC3D0103530E21D

Despite many large companies using these hashes, is there a way beat the system?

Cracking either hash will give you the correct answer. As an extra challenge, try cracking both.

Answer to solution :

This challenge is specifically looking at MD5 and SHA1 hashes without salting. Are these un-crackable?

You can solve this challenge using the following steps:

  1. For the first hash (MD5):

    • Use a tool such as Hashcat:

    • Install Hashcat

    • Download the rockyou.txt password list

    • Run Hashcat on the hash hashcat -m 0 "2ab96390c7dbe3439de74d0c9b0b1767" /path/to/file/rockyou.txt

  2. For the second hash (SHA1):

    • Use a tool such as Hashcat:

    • Install Hashcat

    • Download the rockyou.txt password list

    • Run Hashcat on the hash hashcat -m 100 "F3BBBD66A63D4BF1747940578EC3D0103530E21D" /path/to/file/rockyou.txt

  3. For either of the hashes:

    • Use an online hash cracking service to do the heavy lifting for you:

    • Visit https://crackstation.net/

    • Enter the hash and click "Crack Hashes"

Why MD5 and SHA1 hashing alone are not enough.

MD5 and SHA1 hash are no longer considered safe to store passwords on their own. Speed is what makes MD5 and SHA1 hashes so useful, but it is also their downfall. It only takes a few minutes to hash thousands of passwords; this also means that it only takes minutes to hash thousands of common passwords and use these hashes to compare against a hash that has been obtained.

Companies try different techniques to harden MD5 and SHA1 hashes, such as "salting" them. This is the process of adding additional characters to the password that only the person/company that should be decrypting knows. Unfortunately this is not enough either with the rise of GPU and ASIC based computations. Therefore, companies using these techniques can better migrate to Argon2 or Balloon hashing.

As a user you often have no choice in how your passwords are stored; the only thing you can do in this case is try to make your password longer and more complex. A password SHA1 that is 7 characters long with upper and lowercase characters will take roughly a minute or 5 to brute force on a proper GPU, whereas one with 25 characters will take much longer.

Note that, when these type of hashes are used over HTTP (without TLS that is, e.g. no HTTPS) as part of an integrity check, a Man in the Middle could possibly intercept the content and alter it, calculate the hashes and return those as well. An attacker could even even reuse the same hashes, and provide other content based on a hash-collission. Therefore: always use secured connections when transferring content & never rely only on hashes like MD5 or SHA1 for the integrity of the data.