Forums: Decoding Servu Passwords - Forums


Decoding Servu Passwords: Anyone successfully decode one?

#46 Sh4dowWalker

  • Private First Class
  • Group: Members
  • Posts: 49
  • Joined: 10-September 03

Posted 31 January 2004 - 08:09 AM

People, people... why not search the source for information?

Here's some info from the Serv-U Knowledge Base:

Quote

Knowledge Base Search Results
Manually Entering Encrypted Passwords into the ServUDaemon.ini File

To generate an encrypted password, first two random characters (the 'salt' - in the range a..z, A..Z) are added to the beginning of the clear-text password. This is then hashed using MD5 and the resulting hash is hex-encoded. The result of this is written as plain-text salt first, followed by the hex-encoded hash.

So, for a user account in the .ini file this would look like:

Password=cb644FB1F31184F8D3D169B54B3D46AB1A

The salt is the string "cb", the MD5 hash is "644FB1F31184F8D3D169B54B3D46AB1A".

Serv-U does pretty much the same thing when verifying a password. It picks the salt-to-use from the user's account information (i.e. "cb" in this case), prepends it to the password the user entered, MD5 hashes it, and compares the result with the stored hash. If both are the same it is assumed the password was correct.

If you are having problems updating the ini file without restarting Serv-U please see article number 1176.

0
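The stored format from the Knowledge Base article quoted above, as an added example that is not part of the original thread or Serv-U's own code: it parses a `Password=` entry, repeats the salted-MD5 check, and places a slow, long-salt scheme beside it. The function names, the Latin-1 password encoding, and the PBKDF2 parameters and storage string are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

SALT_ALPHABET = string.ascii_letters           # a..z, A..Z, per the KB article
SALT_SPACE = len(SALT_ALPHABET) ** 2           # only 2,704 distinct salts exist


def parse_entry(line):
    """Split a 'Password=' line into (salt, hex MD5) and validate its shape."""
    key, sep, value = line.strip().partition("=")
    if key != "Password" or not sep or len(value) != 34:
        raise ValueError("not a salted-MD5 Password entry")
    salt, digest = value[:2], value[2:].upper()
    if any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt outside a..z, A..Z")
    if any(c not in "0123456789ABCDEF" for c in digest):
        raise ValueError("hash is not 32 hex digits")
    return salt, digest


def legacy_encode(password, salt):
    """salt + hex(MD5(salt + password)); the byte encoding is an assumption."""
    data = (salt + password).encode("latin-1")
    return salt + hashlib.md5(data).hexdigest().upper()


def legacy_verify(line, candidate):
    """Repeat the server-side check: re-hash with the stored salt, compare."""
    salt, digest = parse_entry(line)
    return hmac.compare_digest(legacy_encode(candidate, salt)[2:], digest)


def hardened_encode(password, iterations=600_000):
    """Hardened form (assumption, not Serv-U's): 16-byte salt, PBKDF2-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def hardened_verify(stored, candidate):
    """Recompute the derived key from the stored salt and iteration count."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The two-character salt only separates identical passwords into 2,704 variants; the per-guess cost in the legacy form is still a single MD5, which is what the iteration count in the hardened form changes.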

#47 Guest_levano_*

  • Group: Guests

Posted 01 February 2004 - 01:46 AM

Guys, why not make the salt more than 2 characters? Won't it make brute force impossible if you make the salt 8+ characters?
0

#48 Guest_gk0r_*

  • Group: Guests

Posted 01 February 2004 - 03:59 AM

AAAAAAAA

I get it. It is added to password before the encryption and then once more shortly after before the actual hash - stupid if you ask me but what the hell ......
0

#49 Guest_mr.anderson_*

  • Group: Guests

Posted 02 February 2004 - 09:20 AM

OK, here is a method you can use, but it can take time!!!
1) Download the daemon.ini with the password you want to crack.
2) Set up Servu on your own box with the INI with the to-be-cracked pass.
3) Get any FTP pass cracking program and a good dictionary and brute force it :-)
0

#50 Guest_moeman_*

  • Group: Guests

Posted 08 February 2004 - 08:41 AM

Hi, I need to know what's the user name for this

[USER=driveax|1] :blink:
0

#51 pratik

  • Private
  • Group: Members
  • Posts: 1
  • Joined: 24-January 04

Posted 10 February 2004 - 09:19 PM

Hi guys, can...
can someone help me with this?
OK, I put the normal pass in servu.ini. Right now when I try to connect to it through FXP
it doesn't... so do I have to put the encrypted pass in the servu.ini file?

If yes, then is there any way to crack my normal pass in servu.ini that I have put, so that I can log in through FXP? I want to log in through FXP, but it doesn't accept the pass. Anyone have a suggestion, please reply to me. Thanks
thanks
0

#52 FiNaLBeTa

  • Master Sergeant
  • Group: Specialist
  • Posts: 461
  • Joined: 26-December 03

Posted 10 February 2004 - 11:33 PM

mr.anderson, on Feb 2 2004, 05:20 PM, said:

OK, here is a method you can use, but it can take time!!!
1) Download the daemon.ini with the password you want to crack.
2) Set up Servu on your own box with the INI with the to-be-cracked pass.
3) Get any FTP pass cracking program and a good dictionary and brute force it :-)

That is absolutely the dumbest thing I have ever heard.
Really. Lmao.

Read the thread.

To the guy saying make the salt 8 chars:

Read the thread.

Making the salt larger has no effect on cracking the password the way we said here...
Only when sniffing a password would it greatly help.
0

#53 Guest_Wesley_*

  • Group: Guests

Posted 10 May 2005 - 05:01 AM

So, what's the best and quickest way to crack servu passwords??

I really need to know this one

Cracked this one for you...guess what the password was?

"NO HASH CRACK REQUESTS"...never would've guessed


Hopefully someone can help me out, because MDcrack ain't really working on this one

I was testing rootkits and modded servu's and forgot the password

PM me if you have any ideas :)

This post has been edited by vnet576: 10 May 2005 - 06:22 AM

0

#54 Jumpi

  • Private First Class
  • Group: Members
  • Posts: 63
  • Joined: 02-January 04

Posted 11 May 2005 - 06:11 PM

... so cracking serv-u passwords with rainbow is completely impossible because of the salt? It is not possible to "unsalt" the hash? (I don't know much about crypt)
0

#55 FiNaLBeTa

  • Master Sergeant
  • Group: Specialist
  • Posts: 461
  • Joined: 26-December 03

Posted 13 May 2005 - 12:00 AM

Jumpi, on May 12 2005, 02:11 AM, said:

... so cracking serv-u passwords with rainbow is completely impossible because of the salt? It is not possible to "unsalt" the hash? (I don't know much about crypt)


READ THIS FOR A HOWTO
http://www.governmen...showtopic=10267
0

#56 -Arthy-

  • Private First Class
  • Group: Members
  • Posts: 60
  • Joined: 05-March 04

Posted 24 May 2005 - 01:10 AM

Ok, correct me if I'm wrong
But when you have this password:
Password=cb644FB1F31184F8D3D169B54B3D46AB1A

You crack the MD5 hash "644FB1F31184F8D3D169B54B3D46AB1A"
The crack result will give you something like: cb******
The result from the cracking method will be the password with "cb" stored in front of it.
Simply it will be the password without the "cb"

This way there won't be any difficulty cracking the password or anything other than cracking a normal MD5 hash?

Then my next question is, why do they use it?
I don't see anything, storing the password this way, giving you more security?
It's just a useless add-on it seems to me...
0

#57 FiNaLBeTa

  • Master Sergeant
  • Group: Specialist
  • Posts: 461
  • Joined: 26-December 03

Posted 24 May 2005 - 03:35 AM

Not useless. For example, you can't really use rainbow tables on it anymore.

Furthermore, this once was state of the art salting. mdcrack adapted to it, making it obsolete.
But it's possible to make harder saltings, pass = testtest , salt = khkdlq , hashed = ktehksthte...
This would once again ask for a special tool.
If you don't have the tool, a normal brute force would take a hell of a long time.
0

#58 tibbar

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 24 May 2005 - 04:13 AM

enough serv-u discussions! Closed.
If you want to read more about my security research, visit Tibbar.org
0
