MD5 cracker

Hello, I've tried to code an MD5 cracker, here's what I got:

function hashcrack()
{
$words = file("file.txt");
foreach ($words as $word) {
  $word = rtrim($word);
    if (md5($word) == $hash) {
      $word = $postvalue;
      exit;
    }
}
print "No matches found!\n";
}

Should this be right? I've got a MD5 hash that was hashed using PHP, and I know that the hashes should always be the same, so if I take a wordlist with a word which I know has the word for the hash, it should give me a match right? Well it's not working and I'm not sure why :[

Oh and if theres any confusion, the function attempts, after finding the correct word, to make the word the variable $postvalue, I need it for something later.

i dont mean to burst your bubble... actually, im meaning to do just that, but md5 virtually cant be cracked homie

i dont mean to burst your bubble... actually, im meaning to do just that, but md5 virtually cant be cracked homie

Actually that's not true. If I were to use the MD5() function in PHP to hash a text value, it will always return the same hash for the same value. If you can then take a wordlist, split up each word into an array and hash each word to check them against the hash value you have, then you can determine what the value of the hash is. I know it can be done, I'm 100% sure of it. I also know that you can script something long and drawn out that will brute force it, but that's not what I'm after. Milw0rm has a good PHP MD5 cracker that checks against a wordlist here:

http://www.milw0rm.com/cracker/insert.php

Sorry to burst your bubble 

^ checking a wordlist isn't cracking

if you think you can get it though, then here is my md5 password for these phpfreaks forums

cd07ddb17471e8ff66014578c8e93280

enjoy

Thats called brute force and isn't the same as cracking.

i dont mean to burst your bubble... actually, im meaning to do just that, but md5 virtually cant be cracked homie

 

Actually that's not true. If I were to use the MD5() function in PHP to hash a text value, it will always return the same hash for the same value. If you can then take a wordlist, split up each word into an array and hash each word to check them against the hash value you have, then you can determine what the value of the hash is. I know it can be done, I'm 100% sure of it. I also know that you can script something long and drawn out that will brute force it, but that's not what I'm after. Milw0rm has a good PHP MD5 cracker that checks against a wordlist here:

 

http://www.milw0rm.com/cracker/insert.php

 

Sorry to burst your bubble 

MD5 by definition is an uncrackable encryption method.

  Why, because the encrypted key is of length greater than the original key.  This meaning that you can generated the original string  unencrypted before the encrypted.

Secondly just from the little i know of its algorithm it follows a rotating pattern encrypted in the key, and then the words use mean nothing as string length, character order, ascii numbers etc are all parts of it

If you can crack md5 you wouldn't be looking for help here

http://en.wikipedia.org/wiki/Md5

Thats called brute force and isn't the same as cracking.

 

i dont mean to burst your bubble... actually, im meaning to do just that, but md5 virtually cant be cracked homie

 

Actually that's not true. If I were to use the MD5() function in PHP to hash a text value, it will always return the same hash for the same value. If you can then take a wordlist, split up each word into an array and hash each word to check them against the hash value you have, then you can determine what the value of the hash is. I know it can be done, I'm 100% sure of it. I also know that you can script something long and drawn out that will brute force it, but that's not what I'm after. Milw0rm has a good PHP MD5 cracker that checks against a wordlist here:

 

http://www.milw0rm.com/cracker/insert.php

 

Sorry to burst your bubble 

So checking a wordlist nor brute forcing is cracking? Those are really only 2 of 3 options my password cracker has (jtr...besides rainbow tables) and I would consider JTR a password cracker... ???

MD5 by definition is an uncrackable encryption method?  Why, because the encrypted key is of length greater than the original key.  This meaning that you can generated the original string  unencrypted before the encrypted.

 

Secondly just from the little i know of its algorithm it follows a rotating pattern encrypted in the key, and then the words use mean nothing as string length, character order, ascii numbers etc are all parts of it

 

If you can crack md5 you wouldn't be looking for help here

 

http://en.wikipedia.org/wiki/Md5

That's not why it can't be cracked, the same can be said for almost any form of encryption. It's because it's mathematically irreversible. Can someone just help me out with checking hashes against a wordlist please?

Hashing algorithms such as md5, sha1, are one way operations. They are used in password databases because if a hacker were to gain access to a database of hashed passwords, be couldn't do anything with it because theoretically there is no way he could get the base strings (un-hashed passwords) for those hashes. However, programs such as Ophcrack use precompiled tables of hash values, called 'rainbow tables,' to try and get the base string. These rainbow tables can become insanely huge, 15gb+ in most cases. There are some online databases, but they are often incomplete :/, ex. http://md5.rednoize.com/

did you read the wiki on it, either way you don't get it

a space is an ascii charcter just like a,b,c,d,e,f,g,h splitting at words isn't going to get you anyhting, its the 32 byte subsets generated from the string that are used in the random collisions of this encryption method.

Yes it has been cracked, but a method is classified as "uncrackable" when the generated string is greater than the original, this is because when a crack is needed for a single application you won't try and reproduce a checksum, you reproduce the original string assuming it follows a uncrackable state. 

Some cracks will compress a string, in this case md5 doesn't

Working with words isn't going to get you anywhere, working on 32-bit strings might.

yeah rainbow tables are just like that german book of all solved differential equations, huge and incomplete.

I've seen and used md5 crackers that were actually pretty good (for most people's lame passwords), but all it was doing was looking through an existing database of passwords. The only good reason I could find to crack passwords was to be able to send it back to a user in case they forgot their password. There are of course alternatives.

Can someone just help me out with checking hashes against a wordlist please?

Your function doesn't actually return anything when it finds a match. It also uses a variable that isn't defined. You might try something like....

<?php

function hashcrack($hash) {
 $words = file("file.txt");
 foreach ($words as $word) {
   $word = trim($word);
   if (md5($word) == $hash) {
     return $word;
   }
 }
 return false;
}

if ($result = hashtocrack('cd07ddb17471e8ff66014578c8e93280')) {
 echo "hash matches $result";
} else {
 echo "No match found";
}

Can someone just help me out with checking hashes against a wordlist please?

 

Your function doesn't actually return anything when it finds a match. It also uses a variable that isn't defined. You might try something like....

 

<?php

function hashcrack($hash) {
  $words = file("file.txt");
  foreach ($words as $word) {
    $word = trim($word);
    if (md5($word) == $hash) {
      return $word;
    }
  }
  return false;
}

if ($result = hashtocrack('cd07ddb17471e8ff66014578c8e93280')) {
  echo "hash matches $result";
} else {
  echo "No match found";
}

What if I have it defined outside of the function? And a few questions, where did $result come from? I have a variable assigned to that name already.

What you should do is not crack, but write an algorthim to start testing through every ascii string from length 1 to length 32 and then from there you have a very nice rainbow table to work with

only issue

there is 127 ascii characters so the number of choices you would have is

127^32 choices which is 2.09758259 × 10^67

if you move up to 64 charcter strings, it is

well over a google of check sums

so you be search 10^67 records of 32 bytes each which is about 10^43 yottabyes so have fun with that

What if I have it defined outside of the function?

It does not exist within the function. You need to read up on scope

And a few questions, where did $result come from?

It is defined in the....

if ($result = hashtocrack('cd07ddb17471e8ff66014578c8e93280')) {

line and recieves the result from your function. It could be called whatever you like.

there is 127 ascii characters so the number of choices you would have is

127^32 choices which is 2.09758259 × 10^67

 

if you move up to 64 charcter strings, it is

well over a google of check sums

Except that there are only rougly 2.3*10^57 different MD5 hashes that is.

Mis read it, but still even at 57 we are grossly over what is a reasonable amount of data to be stored. 

How does

if you move up to 64 charcter strings, it is

well over a google of check sums

consititute a mis-reading of something?

It appears as if Wes's account was hacked after he posted his hash.

Anyways, MD5 is "uncrackable" but there have been advancements in generating the same MD5 sum with a different file. I don't think this applies to raw MD5 on strings though, correct me if I'm wrong.

and to think that no-one mentioned salts!

http://www.md5decrypter.com/

http://www.md5encryption.com/

It appears as if Wes's account was hacked after he posted his hash.

 

 

 

Anyways, MD5 is "uncrackable" but there have been advancements in generating the same MD5 sum with a different file. I don't think this applies to raw MD5 on strings though, correct me if I'm wrong.

haha.. nope, im still me

a mod has changed my sig tho.. that kinda pisses me off

or some mod hacked you oh oh!

Why not create a script to insert every possible combination of letters and numbers into a database then do mysql_fetch_array in your php script this would do the work for you so that you dont have to type in all those pesky combinations and it would be basically no work at all