Summary
This video follows ethical hacker Kim as he demonstrates how hashed passwords can be cracked despite being stored as cryptographic hashes. Using a website named sallyshop.test as a target, Kim exploits a previously discovered Union Select SQL injection vulnerability to extract a list of user emails and MD5 hashes. He then utilizes John the Ripper and the SecLists wordlist to perform a dictionary attack, successfully uncovering plain-text passwords for users Jane and Joshua. The video concludes by emphasizing that weak algorithms like MD5 are insecure and explains how salting and modern hashing algorithms provide better protection.
Key Insights
Hashing is a one-way function that creates a digital fingerprint, but it is not inherently unbreakable.
A cryptographic hash is a mathematical process that transforms an input into a fixed-length string of characters. While it is irreversible, attackers can use dictionary attacks to compare the hashes of known words against a target hash. If a match is found, the original input is revealed. Common algorithms like MD5 are now considered weak because their hashes can be computed and compared extremely quickly by modern hardware.
Dictionary attacks effectively exploit human tendencies to use weak or common passwords.
Tools like John the Ripper automate the process of hashing thousands of common passwords from a wordlist and comparing them to intercepted hashes. In this demonstration, the hacker used the 'Best 15' wordlist from the SecLists repository. Because users Jane and Joshua chose common phrases like 'I love you' and 'let me in', their passwords were cracked in seconds, highlighting that the security of a hash is often only as strong as the entropy of the original password.
Salting is an essential defense mechanism to prevent precomputed and mass cracking attacks.
Salting involves adding a unique, random value to each password before it is hashed. This ensures that even if two users have the same password, their resulting hashes will be entirely different. This forces an attacker to crack each user's hash individually from scratch, making it exponentially more time-consuming and rendering precomputed 'rainbow tables' or simple dictionary comparisons against multiple users ineffective.
Sections
Data Extraction via SQL Injection
Kim uses Burp Suite to intercept traffic and identify vulnerable search parameters on the target website.
Kim launches Burp Suite's built-in browser to access sallyshop.test and searches for the word 'doctor'. He intercepts the resulting web request and sends it to the Repeater tab, which allows him to modify the search parameter and re-send it repeatedly to test for vulnerabilities without reloading the entire site manually.
A Union Select payload is injected to retrieve sensitive user data from the database instead of products.
By replacing the search term with a specific SQL payload involving a single quote, closing parentheses, and a 'union select' statement targeting the 'users' table, Kim tricks the database. Instead of returning product names, the system returns a list of user IDs, emails, and MD5 hashed passwords directly into the search results page.
Understanding Cryptographic Hashes
Hashes function as one-way digital fingerprints intended to store passwords without revealing the actual text.
The video explains that hashes are one-way functions, meaning there is no mathematical way to reverse a hash back into its original plain text. Systems store hashes so that even if a database is breached, the actual passwords remain hidden, as only the matching hash generated during login can grant access.
MD5 is identified by its signature 32-character hexadecimal string, signaling a weak security implementation.
Kim identifies the intercepted hashes as MD5 because they are exactly 32 characters long and composed entirely of hexadecimal digits (0-9, a-f). He notes that while MD5, SHA-1, and SHA-256 all follow the fixed-length output principle, MD5 is 'raw' and outdated, making it a prime target for modern cracking tools.
Cracking Hashes with John the Ripper
John the Ripper is a standard tool used for testing the strength of password hashes.
The hacker uses John the Ripper, which comes pre-installed on Kali Linux. This tool allows the user to specify the hash format (using the --format=raw-md5 flag) and the wordlist to be used for the attack. It automates the process of hashing every word in a list and checking for matches against the stolen data.
SecLists provides curated collections of common passwords leaked from real-world data breaches for penetration testing.
Kim utilizes the SecLists repository, specifically targeting the 'Common Credentials' category. He selects the 'Best 15' wordlist, which contains the fifteen most frequently used passwords of all time, including 'monkey' and 'password', to demonstrate how quickly common choices can be compromised.
The hacker organizes the target hashes into a text file labeled with usernames for efficient cracking.
Using the 'echo' and 'cat' commands in the terminal, Kim creates a file named 'hashes.txt'. He formats the entries as 'username:hash', allowing John the Ripper to track which cracked password belongs to which user. He successfully cracks Joshua's password ('let me in') and Jane's password ('I love you') using this method.
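The following script is an added illustration, not code from the video or from John the Ripper: it reproduces the username:hash dictionary check described above against constructed sample data, and then shows why the per-user salts and slow hashing recommended later in the video change the economics. The wordlist, user names and passwords are constructed stand-ins (the spellings 'iloveyou' and 'letmein' are assumed), and PBKDF2-HMAC-SHA256 from the standard library stands in for Argon2, bcrypt or scrypt.

```python
import hashlib
import os
import re

# Constructed sample data (not from the video): a short wordlist in the spirit of
# SecLists' best-15 list, and a dump in the "username:hash" layout of hashes.txt.
WORDLIST = ["123456", "password", "monkey", "qwerty", "iloveyou", "letmein"]

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

HASH_DUMP = "\n".join([
    f"jane:{md5_hex('iloveyou')}",
    f"joshua:{md5_hex('letmein')}",
    f"kim:{md5_hex('correct horse battery staple')}",  # not in the wordlist
])

def looks_like_md5(h: str) -> bool:
    """Kim's heuristic: exactly 32 hex digits (0-9, a-f)."""
    return re.fullmatch(r"[0-9a-f]{32}", h) is not None

def audit_unsalted_md5(dump: str, wordlist) -> tuple[dict, int]:
    """Dictionary check against unsalted MD5: each word is hashed once and that
    single digest is compared with every user, so the cost is len(wordlist)."""
    lookup = {md5_hex(w): w for w in wordlist}
    found = {}
    for line in dump.splitlines():
        user, _, h = line.partition(":")
        if looks_like_md5(h) and h in lookup:
            found[user] = lookup[h]
    return found, len(lookup)

def salted_hash(password: str, salt: bytes) -> str:
    # Per-user random salt plus a deliberately slow KDF (assumed stand-in for
    # Argon2/bcrypt/scrypt, which the video recommends).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000).hex()

def make_salted_records(users: dict) -> dict:
    """{name: password} -> {name: (salt, hash)}; identical passwords get
    different hashes because every user receives a fresh random salt."""
    records = {}
    for user, password in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(password, salt))
    return records

def audit_salted(records: dict, wordlist) -> tuple[dict, int]:
    """Same wordlist, but every (user, word) pair needs its own KDF run."""
    found, work = {}, 0
    for user, (salt, h) in records.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                found[user] = w
                break
    return found, work
```

The unsalted audit recovers the two weak passwords after hashing each word once; the salted audit still finds them, but only by paying one slow KDF call per user per word, which is the cost multiplier salting and a modern KDF are meant to impose.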
The MFA Hurdle and Prevention Strategies
Two-factor authentication acts as a critical second layer of defense even after credentials are compromised.
After cracking Jane's password, Kim attempts to log in but is blocked by a two-factor authentication (2FA) screen. This highlights that while password cracking is effective, modern security layers like 2FA can still prevent an attacker from gaining full account access.
Security can be significantly improved by using strong hashing algorithms and unique salts for each user.
The video concludes by advising developers to abandon MD5 and SHA-1 in favor of Argon2, bcrypt, or scrypt. Additionally, implementing a unique salt per user ensures that identical passwords result in different hashes, defeating precomputed tables and mass dictionary attacks and making the cracking process significantly more resource-intensive for hackers.