Go Back  DVD Talk Forum > General Discussions > Tech Talk
Reload this Page >

Anyone know how to crack that simple JavaScript Hash login code?

Tech Talk Discuss PC Hardware, Software, Internet and Other Technology

Anyone know how to crack that simple JavaScript Hash login code?

Old 09-26-01, 03:32 PM
  #1  
DVD Talk Limited Edition
Thread Starter
 
Join Date: Jul 2000
Posts: 5,663
Likes: 0
Received 0 Likes on 0 Posts
Anyone know how to crack that simple JavaScript Hash login code?

It's client side, so it can't possibly be secure, but I forget how hash tables work.

You can go here to see the code I'm talking about :
http://hotlink4u.com/logincoderpas.html.htm

Its one of my friends sororities and she bet I couldn't get in the sisters only section.

Here's the important bit of code from the page:
option value='phisig|47822|TRUAKASH'phisig
Old 09-26-01, 03:37 PM
  #2  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,763
Likes: 0
Received 4 Likes on 3 Posts
This belongs here.

I think you better leave it here this time.
Old 09-26-01, 03:41 PM
  #3  
DVD Talk Hero
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,706
Likes: 0
Received 0 Likes on 0 Posts
actually hashes are quite secure. really easy to hash the plain text into encrypted, but extremely hard to reverse it
Old 09-26-01, 05:02 PM
  #4  
DVD Talk Gold Edition
 
Join Date: Feb 1999
Location: HB, CA
Posts: 2,601
Likes: 0
Received 0 Likes on 0 Posts
It looks like you know the algorithm and the output of the hash function you need. Couldn't you write a fairly simple program to perform a brute force attack? If the password he needs is the same as the example site he linked for us where the password has to be 8 characters a-z, then it shouldn't take very long at all. Especially, if you started with a dictionary of 8 letter words.
Old 09-26-01, 08:29 PM
  #5  
DVD Talk Limited Edition
Thread Starter
 
Join Date: Jul 2000
Posts: 5,663
Likes: 0
Received 0 Likes on 0 Posts
That would certainly work, and thinking about it more, probably wouldn't take as long as I imagined.
Old 09-26-01, 08:35 PM
  #6  
DVD Talk Limited Edition
Thread Starter
 
Join Date: Jul 2000
Posts: 5,663
Likes: 0
Received 0 Likes on 0 Posts
I take that back. The hash index is based on the target html file as well. So you have an 8 character password and an 8 character html file. That's a lot of possibilities!
Old 09-27-01, 09:59 AM
  #7  
DVD Talk Platinum Edition
 
Join Date: Sep 1999
Location: Seattle, Washington, America the Beautiful
Posts: 3,767
Likes: 0
Received 0 Likes on 0 Posts
As to biasing your brute force attack, come now, do you think those girls are going to choose an easy to remember password (doesn't have to be written down on a slip of paper) such as 2%8#@(4A or will they choose a password like ASABASE69
Old 09-27-01, 01:19 PM
  #8  
DVD Talk Gold Edition
 
Join Date: Feb 1999
Location: HB, CA
Posts: 2,601
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by Startide
As to biasing your brute force attack, come now, do you think those girls are going to choose an easy to remember password (doesn't have to be written down on a slip of paper) such as 2%8#@(4A or will they choose a password like ASABASE69
I guess that depends on how much credit you give the girls.

asabase, I didn't look at it too long, but why would you need to guess the filename also? My impression was that the target filename, though encrypted, was essentially hardcoded into the client side script.

If the only user input on the login screen required is the 8 letter password (a-z only, case nonspecific), then that should be all that you need to guess.

That's only 26^8 or 208 trillion combos. I haven't the faintest clue, but how many CPU cycles would it take to try 1 key?

1,000? That's 58 hours of 1 GHz CPU time to try every key, or 29 hours on average to find the correct key.

How motivated are you?
Old 09-27-01, 03:24 PM
  #9  
DVD Talk Platinum Edition
 
Join Date: Sep 1999
Location: Seattle, Washington, America the Beautiful
Posts: 3,767
Likes: 0
Received 0 Likes on 0 Posts
Well, asabase could run a script on several machines. Combinations starting with Z on PC#1 with letter Y the next one after all the Z's are done. On PC#2, combinations starting with A are processed with the letter B the next one up after all the A's are done.
Old 10-01-01, 07:36 PM
  #10  
DVD Talk Limited Edition
Thread Starter
 
Join Date: Jul 2000
Posts: 5,663
Likes: 0
Received 0 Likes on 0 Posts
Yeah, I guess I only need to brute force the password since the script uses the encrypted filename, right? I doubt its going to be anything like we69foru, but will still be more than a simple word in a dictionary list so I'll still have to try just about everything.

I'm busy this week, but will try and get something set up this weekend. I have 16 Sun Enterprise450 processors at my disposal, so it shouldn't take too long once I get the code written.

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Thread Tools
Search this Thread

Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell My Personal Information

Copyright 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.