• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Cracking vBulletin Password Hashes

lxskllr

lxskllr

No Lifer
A forum I'm associated with got hacked, and I'm not clear on the damage that was caused. Assuming they got the password list, what's the likelihood of them being able to crack the hashes? I don't know how it was setup, but assuming it was default, I think it gets salted twice. It's vBulletin 4.1x(I think).

Has the cracking art advanced enough to be able to extract much data?
 
If they had enough GPUs they could brute force it...
IIRC, nothing in the database is encrypted (besides passwords), so, assuming they got the whole database, then can read pretty much anything in it.
 
It depends on the hash algorithm used.

I know that Xenforo (The software i use) uses SHA256 which is considered safe. I would presume that vBulliten 4 uses the same.

SHA1 is considered depreciated
MD5 is a no go for new software

This code posted in this old post uses MD5: http://www.vbulletin.com/forum/foru...vbulletin-using-for-user-passwords-protection

Code: 
[COLOR=#000000][COLOR=#0000BB]$sql [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#DD0000]"SELECT username FROM vb_user 
                       WHERE username = '[/COLOR][COLOR=#007700]{[/COLOR][COLOR=#0000BB]$_POST[/COLOR][COLOR=#007700][[/COLOR][COLOR=#DD0000]'fusername'[/COLOR][COLOR=#007700]]}[/COLOR][COLOR=#DD0000]' 
                       AND password = [U][B]md5[/B][/U]( concat( md5('[/COLOR][COLOR=#007700]{[/COLOR][COLOR=#0000BB]$_POST[/COLOR][COLOR=#007700][[/COLOR][COLOR=#DD0000]'fpassword'[/COLOR][COLOR=#007700]]}[/COLOR][COLOR=#DD0000]'), salt));"[/COLOR][COLOR=#007700];  [/COLOR][/COLOR]
I also just had a quick look at their register.php and their function_digest.php, functions_login.php file from version 4.1.4 and it seems like MD5 there as well.

Code: 
function verify_authentication($username, $password, $md5password, $md5password_utf, $cookieuser, $send_cookies)
So if they are using MD5 then I'd say anyone with a password there should consider it compromised. If the password is nice and long then you might be OK, but i wouldn't put my chances down to luck.

The chance is high of cracking short password (12ish and below characters) due to rainbow tables which are freely available on the net as well as the multitude of websites offering free MD5 cracking facilities.

edit-again:
A quick check of version 4.2 reveals MD5 as well. Unless I'm missing something or looking at the wrong php files. But MD5 is everywhere.
 
Last edited:
Near as I can tell, it uses md5. The part that really has me curious is the salt. I've looked around the web a bit, and it's been implied that their salted hash can be cracked, but I haven't found explicit instructions. I don't really hang around black arts forums, so I'm not sure how feasible it is. The results close to the top could be the low hanging fruit, while the real goodies are better hidden.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top