Collaborate Disseminate
I have a table for single use tokens, and one of the columns is a token_digest which contains a bcrypt hash of the access token. Since the token_digest is a salted and hashed version of the plaintext token, I can’t just run a select agains… Continue reading What can you do to make a hashed token database retrievable at a later date?
What’s the difference between this format:
Hash found: admin:$1$$oLN1UCc1Y3T30QkMcKMSx0
and the following:
5f4dcc3b5aa765d61d8327deb882cf99
And also,
How to turn the first hash format into the second one?
Thanks in advance.
Continue reading What’s the difference between these MD5 hashes?
Please how do you interpret this output from routersploit:
Hash found: admin:$1$$oLN1UCc1Y3T30QkMcKMSx0
I am trying to recover a 7z file, but have forgotten the password. It’s completely AES-256 encrypted (i.e. not even the filenames are available).
Steps:
Generated hash file with 7z2hashcat.pl
Ran a mask attack using hashcat -a 3 -m 11600 … Continue reading Recovered a 7z password with hashcat, but it’s not the right one
I’m working on an app where some accounts use passwordless authentication by email (using magic links) and some require a password to login. Is it okay to represent this rule in the account table by having a nullable password_digest? Would… Continue reading Is it unsafe to have some users with passwords and some without?
Over the weekend I was thinking about the problem of scaling various web services. One common practice to scale authorization is to use cryptographically signed tokens. This way when a request comes into your service you don’t need to look… Continue reading Can a secure key-exchange algorithm replace hashing for password authentication?
I have a background in web app development and I’m trying to up my security game but there are some things that I find confusing.
Like how does memory-hard hashed passwords protect against brute force attacks? Let’s assume I have a webapp … Continue reading How does memory-hard hashing passwords protect against brute force attacks?
I did a vulnerability scan on some of our company workstations. These are workstations used by employees (dev, HR, accounting, etc.) to do their job.
One of the common result I found is SSL/TLS Certificate Signed Using Weak Hashing Algorit… Continue reading Certificate Signed Using Weak Hashing Algorithm impact on a workstation
I’m trying to open a hash with John and HashCat, but both don’t work?
NTLMv2 Response Captured from 192.168.1.1
DOMAIN: DEV29-APP01 USER: testuser
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:3045e74dac0653865d353e93e8c5ca8c
NT_CLI… Continue reading Can’t open hash with John or Hashcat
My problem is that I’m trying to crack RAR file with is encrypted with RAR3 encryption.
Decided to try with John The Ripper.
Here are clues I have from my friend.
Max password length is 8
Only capital letters or digits
And I need now fil… Continue reading How to apply custom filters for John The Ripper when cracking RAR3 archive password?