I've recently heard that there in fact is a way of decoding Serv-U passwords. I've emailed the Cat-Soft company asking if they know how to decrypt these Serv-U passwords. This is some of my feedback.
You can't actually decrypt passwords once they are encrypted. Serv-U uses UNIX 'crypt' which was designed to be one-way only (and as far as I know there has not been anyone yet that cracked this, so for all practical purposes the clear text password is gone).
What Serv-U does is encrypt the user's password again when that person logs in and then compares the encrypted password with what's stored. If the two match it is assumed the clear text was the same. There is of course always a (about) 1 in 10-to-the-power-20 chance that someone hit on something that also verifies to be the same even though the clear text did not match.
The first two characters of an encrypted password are the 'salt'. These are random and determined at the time of the first password encryption and passed on to the 'crypt' function. They are to scramble the encryption results, so if you encrypt "secret" it'll give different results each time you do that, thus making dictionary attacks difficult (you'd have to encrypt a dictionary for all possible salt values before being able to compare the dictionary with the encrypted passwords). So, to compare encrypted passwords with what the user types you need to encrypt the user's text with the salt taken from the already encrypted password (the first two characters), using 'crypt'.
I cannot give you the source for crypt, but various sources are available on the Internet (see things like FreeBSD, Linux, and Crack). Also, the DLL version of the password util at ftp://ftp.cat-soft.com/Add-Ons/Passwd/ will do it for you (in fact, it'll compare any cleartext with any encrypted password and tell you if the two match). That DLL won't work in VB though (which is what you're using, isn't it?).
This guy says Cat-soft thinks 95% serv-u use random crypting. But there is a new method of decrypting.
(i know I know not my login just pulled it off a site real quickly )
LoCaliSe
Dec 9 2003, 11:49 PM
Orangey
Dec 15 2003, 11:31 PM
Get RainbowCrack.. It Now Supports MD5 Hash Cracking
arun0075
Dec 16 2003, 02:34 PM
hmmm.. I have 2 questions.
1. can we really decrypt serv u passwords. if so then can sum1 be kind enough to help me out decrypting the password. Version=2.5.4.2 [USER=revolt] Password=evm55XQwucBAs
2. well whenever i am trying to start a new topic i get an error "Sorry, an error occurred. If you are unsure on how to use a feature, or don't know why you got this error message, try looking through the help files for more information.
The error returned was:
Sorry, you do not have permission to start a topic in this forum"
What does this mean ?? and y am i getting this error
Thank U
arun0075
Dec 16 2003, 06:17 PM
hmm.. i guess no 1 want to reply me.. pls. tell me y i am not able to start any new topic..
And also pls. guide me how to decrypt serv-u daemon passwords..
Thanks
aTahualPa
Dec 16 2003, 07:54 PM
password decryption is good, but servu, only reason is rehacking!? not really a fair move
god gave us a brain to search for better servers
aTa
arun0075
Dec 17 2003, 01:33 AM
QUOTE
only reason is rehacking!? not really a fair move
well.. that may be true but i ain't trying to rehack.. i just want to know how decoding is done as i used to try a lot to decode but never got successful. lol.
x1`
Dec 17 2003, 04:35 AM
i also need this sort of tool cause some times i forget the password
ara2
Jan 7 2004, 12:15 AM
QUOTE
hmm.. i guess no 1 want to reply me.. pls. tell me y i am not able to start any new topic.
you need to be a member before being able to start a new topic. but by your current status im guessing this doesnt bother you anymore :X
ComSec
Jan 7 2004, 12:33 AM
hey ara2.... you're not interested in anyone's post.... you want to get to the downloads....i been watching you for about an hour
look at your post times also....
well you paid the price... reset to 5 and warn point issued
<<System>> MDcrack v1.2 is starting.
<<System>> Using default charset : abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHI JKLMNOPQRSTUVWXYZ
<<System>> Max pass size = 12
>> Entering MD5 Core 1.
Password size: 3
----------------------------------------
Collision found ! => tza
you see, the 2 first characters are a salt then there is a 32 byte MD5 hash - so the best method to brute is with the option -b in mdcrack. For the right pass you have to remove the prefixed salt and voila..
headbanger
Jan 7 2004, 02:40 PM
QUOTE (arun0075 @ Dec 16 2003, 06:17 PM)
hmm.. i guess no 1 want to reply me.. pls. tell me y i am not able to start any new topic..
And also pls. guide me how to decrypt serv-u daemon passwords..
Thanks
u need to have 50 posts before u can start a thread
beenal
Jan 7 2004, 04:17 PM
QUOTE (arun0075 @ Dec 16 2003, 02:34 PM)
1. can we really decrypt serv u passwords. if so then can sum1 be kind enough to help me out decrypting the password. Version=2.5.4.2 [USER=revolt] Password=evm55XQwucBAs
lol, why should someone crack that pw for you? it needs a lot of cpu-power, you can't hardly do anything else when cracking
I think you got enough answers to be able to do it yourself!
zero-maitimax
Jan 8 2004, 07:27 AM
QUOTE (beenal @ Jan 7 2004, 04:17 PM)
yeah well.. mm.. he can start maybe he will tell us the pass when he gets it
The Storm
Jan 8 2004, 07:32 PM
nice i always thought MD5 can't be decrypted but this seems to be wrong. Thank you for your support all now im trying your ways to decrypt and hope I'm successful
FiNaLBeTa
Jan 8 2004, 08:52 PM
edit, i'm sry , it does work.
sry , nice stuff
jubbly
Jan 8 2004, 10:12 PM
well as you can see above it can't be decrypted just brute-forced.
FiNaLBeTa
Jan 9 2004, 11:48 AM
Okay, what you get out of the ini is for example :
xn937F70E2778A1FA78D95940DFD3BCE04
then this is the md5 hash
xn937F70E2778A1FA78D95940DFD3BCE04
and the bruteforced password will be something like this :
xnBrUtForced
so you have the first two chars to start with. is there a program where you can brute force with, where you can give in the first digits?
I see that the vb frontend for mdcrack 1.2 has it, but the frontend doesn't work here. mdcrack crashes when i use it.
//found how to do it without the frontend.
The-X
Jan 9 2004, 12:14 PM
i read about rehacking... it's lame but there are other ways to get in.... when you have write-access you can easily copy your own encrypted pass to the servu..ini
zero-maitimax
Jan 12 2004, 09:19 AM
QUOTE (ComSec @ Jan 7 2004, 12:33 AM)
hey ara2.... you're not interested in anyone's post.... you want to get to the downloads....i been watching you for about an hour
look at your post times also....
well you paid the price... reset to 5 and warn point issued
tnx its good to know you watching the forum
TriHFH
Jan 20 2004, 05:51 AM
QUOTE (The Storm @ Jan 8 2004, 07:32 PM)
nice i always thought MD5 can't be decrypted but this seems to be wrong. Thank you for your support all now im trying your ways to decrypt and hope I'm successful
It can't be "decrypted"... it can be cracked/brute-forced . Im looking forward to trying rainbow crack out, still waiting for my rainbow tables to finish generating tho
Jamie
Jan 21 2004, 01:47 PM
Any ServU ini I've seen doesnt contain a 32bit md5 hash, it contains a mixture of characters etc such as b35s22/sh716 (that was just random) how would one convert this to the 32bit string?
I done the 1st one posted fine, the second one was taking a while, it got to the 7th character before I terminated it.
I could be bloody wrong here, but ServU does NOT use MD5 for one thing.
And for another, with version 5.0 they've changed encryption method, wont be long until everybody upgrades, meh
x1`
Jan 25 2004, 03:13 PM
ok i cant get this to work so whats fa948C78C24438E9F6BA4D5B756F7ACB37
it should be pass
Nexus1155
Jan 25 2004, 07:29 PM
I've been looking for one of these thanks
FiNaLBeTa
Jan 25 2004, 09:45 PM
QUOTE (gk0r @ Jan 22 2004, 09:48 PM)
I could be bloody wrong here, but ServU does NOT use MD5 for one thing.
And for another, with version 5.0 they've changed encryption method, wont be long until everybody upgrades, meh
I just tested it. It's still an md5 hash with salt in front of it.
phaeton
Jan 28 2004, 12:30 AM
All this talk about MD5 hash cracking, in my opinion John the Ripper (JtR) is the best cracker as it works through each hash against a set of logic rules, therefore it doesn't just blindly brute force it actually systematically works its way through different possibilities. I know this isnt directly related, but cracking a LM hash with LC4 took me 18 hours for a 9 char password, JtR took 5.
MattMannLT
Jan 28 2004, 04:00 AM
ok now
can anyone help with how to crack an iroffer password
gk0r
Jan 28 2004, 04:57 AM
QUOTE (FiNaLBeTa @ Jan 25 2004, 09:45 PM)
I just tested it. It's still an md5 hash with salt infront of it.
oh Yeah?
Well - this is MD5 hash of the same password: 7e7224816c9b2707759850155e649c29
and this is what's stored in Serv-U .INI file ar5FDFC22B8C51C00E54BEE8B7EA7DE99C
Password is the same in both cases - it's a lot of salt if you ask me....
P.S. where do I know your nick from?
FiNaLBeTa
Jan 28 2004, 07:05 AM
QUOTE (gk0r @ Jan 28 2004, 04:57 AM)
Look at those hashes, lets say the first is an md5 hash of the word "test" but the second one is an md5 hash of "artest" the ar is the salt, and delivers a new hash. Harder to bruteforce, so you need mdcrack with salt option.
I haven't actually tested serv-u 5 on it, but i'm sure it's still the same, it looks like an md5 hash here.
PS: maybe you know me from NFE.
gk0r
Jan 29 2004, 04:58 AM
Look at both hashes once more. Both of those are hashes of the same password. First hash is hash provided by md5 hash feature in mysql (quickest way I knew to generate one since I run mysql locally anyway) Second hash is hash generated by servu
Don't look same to me.
P.S. Did you use any other nicks?
fuzzard
Jan 29 2004, 05:20 AM
have u ever tried to find out how md5 works gk0r ??
md5 is made to be a one time hash. So u can redo the same password over and over and u'll rarely get the same hash. As the other dude said. Serv-u stores the "salt" with the stored hash so servu can then use that salt with the password provided by the user connecting and get an md5 hash, and then compare the result with what is stored.
FiNaLBeTa
Jan 29 2004, 01:49 PM
QUOTE (gk0r @ Jan 29 2004, 04:58 AM)
Look at both hashes once more. Both of those are hashes of the same password. First hash is hash provided by md5 hash feature in mysql (quickest way I knew to generate one since I run mysql locally anyway) Second hash is hash generated by servu
Don't look same to me.
P.S. Did you use any other nicks?
no i don't use other nicks.
I'll explain it one more time, but slow.
If you make an account in serv-u this is what happens
you make the password "test"
serv-u will then make an md5 hash of for example "latest" it will look something like this : "5FDFC22B8C51C00E54BEE8B7EA7DE99C" using la as salt but serv-u will save it in his ini like this : "la5FDFC22B8C51C00E54BEE8B7EA7DE99C"
when a user logs in serv-u will receive the pass "test" from the user, and it will make and compare the md5 hash of "latest" with "5FDFC22B8C51C00E54BEE8B7EA7DE99C"
So the green is the salt, reason for it is... Bruteforcing takes a lot longer if you would not have the salt. a password like "test" becomes a 6 char password if u use two salt chars.
PS: when generating an md5 hash for test, it will not always give the same hash.
gk0r
Jan 31 2004, 05:51 AM
QUOTE (FiNaLBeTa @ Jan 29 2004, 01:49 PM)
Slow is good.
It is obvious that MD5 hash of the same password will be identical regardless the time it was generated, correct? Otherwise it would be pointless to use it for authentication purposes, or any other for that matter.
Forget about the "la" for a second and look at the big picture. Try this for me. Get two sources of MD5 hashes. You can use MYSQL to generate one, or PERL, whatever turns you on. You can even use any windows application should you find one, or any net script. Generate hash of password "test" - generate it twice, from another source.
Then create user account on Serv-U with password "test" and see if there are any remote matches at all. You will see that the two hashes of true MD5 you've got will be different (completely) from the one you get from Serv-U. Which could only mean one thing - hash you receive from Serv-U is not really MD5 hash.
I don't have time to dig around and match hashes to find out which encryption method Serv-U truly uses, however back at version 2.5 according to the guy who made Serv-U (Tommy) Serv-U used standard MD4/Crypt.
Yea MD5 is a 1 way algorithm, but it doesn't change each time you run it through the algorithm, as someone said previously there would be no reason for authentication then.
FiNaLBeTa
Jan 31 2004, 10:34 AM
QUOTE (gk0r @ Jan 31 2004, 05:51 AM)
I explained slow, i can't do it any better. You just didn't read it.
an md5 hash of test , and an md5 hash of serv-u password "test" can't be the same.
So if you have just proven that to the world, congrats, we already know.
FiNaLBeTa
Jan 31 2004, 10:47 AM
here, i tested it, v5.0 still uses md5 encryption.
I made a password 123 in serv-u the generated code was
Password=tg5D5E50C22BD32992937AFF199C01D47C so the salt is "tg" and the md 5 hash is = 5D5E50C22BD32992937AFF199C01D47C
so when i brute the hash, the password i find will be : tg123
QUOTE
C:\Documents and Settings\Administrator\Bureaublad\MDcrack>mdcrack -M MD5 -b tg 5D5E50C22BD32992937AFF199C01D47C
<<System>> MDcrack v1.2 is starting.
<<System>> Using default charset : abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH JKLMNOPQRSTUWXYZ
<<System>> Max pass size = 12
>> Entering MD5 Core 1.
Password size: 3
Password size: 4
Password size: 5
----------------------------------------
Collision found ! => tg123
Collision(s) tested : 113427 in 0 second(s), 60 millisec, 0 microsec.
Average of 1890450.0 hashes/sec.
Sh4dowWalker
Jan 31 2004, 04:09 PM
People, people... why not search the source for information?
Here's an info from Serv-U Knowledge Base:
QUOTE
Knowledge Base Search Results
Manually Entering Encrypted Passwords into the ServUDaemon.ini File
To generate an encrypted password, first two random characters (the 'salt' - in the range a..z, A..Z) are added to the beginning of the clear-text password. This is then hashed using MD5 and the resulting hash is hex-encoded. The result of this is written as plain-text salt first, followed by the hex-encoded hash.
So, for a user account in the .ini file this would look like:
Password=cb644FB1F31184F8D3D169B54B3D46AB1A
The salt is the string "cb", the MD5 hash is "644FB1F31184F8D3D169B54B3D46AB1A".
Serv-U does pretty much the same thing when verifying a password. It picks the salt-to-use from the user's account information (ie. "cb" in this case), prepends it to the password the user entered, MD5 hashes it, and compares the result with the stored hash. If both are the same it is assumed the password was correct.
If you are having problems updating the ini file without restarting Serv-U please see article number 1176.
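The scheme from the Knowledge Base article quoted above, next to a slow salted replacement, as an added example that is not part of the thread and not Serv-U's own code: it verifies a legacy record the way the article describes and re-stores it with PBKDF2 on the next successful login. The `pbkdf2_sha256$...` record layout, the function names, the iteration count, the UTF-8 encoding and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# Legacy layout from the quoted KB article: two salt letters, then 32 hex
# digits of MD5(salt + password).
LEGACY_RE = re.compile(r"([A-Za-z]{2})([0-9A-Fa-f]{32})")
# Assumption for this example: the salt only defeats precomputed tables, the
# iteration count is what makes every single guess expensive.
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password, salt):
    """Build the stored value the article describes (UTF-8 encoding assumed)."""
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest().upper()
    return salt + digest


def legacy_verify(stored, candidate):
    """Re-hash the candidate with the stored salt and compare the results."""
    m = LEGACY_RE.fullmatch(stored)
    if m is None:
        return False
    expected = m.group(1) + m.group(2).upper()
    return hmac.compare_digest(legacy_hash(candidate, m.group(1)), expected)


def slow_hash(password, salt=b""):
    """Hardened form (hypothetical layout): PBKDF2-HMAC-SHA256, 16-byte random salt."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def slow_verify(stored, candidate):
    """Check a candidate against a record produced by slow_hash()."""
    try:
        scheme, rounds, salt_hex, dk_hex = stored.split("$")
        rounds, salt, expected = int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def login(stored, candidate):
    """Return (ok, record); a correct password on a legacy record is re-stored slowly."""
    if LEGACY_RE.fullmatch(stored):
        ok = legacy_verify(stored, candidate)
        return ok, (slow_hash(candidate) if ok else stored)
    return slow_verify(stored, candidate), stored


if __name__ == "__main__":
    record = legacy_hash("correct horse", "qZ")  # constructed sample record
    ok, record = login(record, "correct horse")  # first good login upgrades it
    print(ok, record.split("$")[0])
```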
levano
Feb 1 2004, 09:46 AM
Guys, why not make salt more than 2 characters ? Won't it make bruteforce impossible if you make salt 8+ characters ?
gk0r
Feb 1 2004, 11:59 AM
AAAAAAAA
I get it. It is added to password before the encryption and then once more shortly after before the actual hash - stupid if you ask me but what the hell ......
mr.anderson
Feb 2 2004, 05:20 PM
OK here is a method you can use but it can take time!!! 1)Download the daemon.ini with password you want to crack. 2)Setup Servu on your own box with the INI with to-be-cracked pass. 3)Get any FTP pass cracking program and good dictionary and bruteforce it :-)
moeman
Feb 8 2004, 04:41 PM
Hi, i need to know whats the user name for this
[USER=driveax|1]