{"id":548,"date":"2012-04-04T14:53:33","date_gmt":"2012-04-04T13:53:33","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=548"},"modified":"2012-08-09T12:36:55","modified_gmt":"2012-08-09T11:36:55","slug":"cracking-an-md5-of-an-ip-address","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/04\/04\/cracking-an-md5-of-an-ip-address\/","title":{"rendered":"Cracking an MD5 of an IP address"},"content":{"rendered":"<p>So I noticed whilst web app testing that  would receive a cookie with a value called bIPs:<br \/>\n<strong>709aed354747fda133a5da28dbed60e7<br \/>\n95eb48ad7eae5c0aa9766f0258ae8a35<\/strong><\/p>\n<p>Looks like it&#8217;s using a <a href=\"http:\/\/www.f5.com\/products\/big-ip\/\" target=\"_blank\">BIG-IP load balancer<\/a>. I noticed it was MD5 and that was confirmed by finding <a href=\"http:\/\/webcache.googleusercontent.com\/search?q=cache:qt4Dajsbt7cJ:https:\/\/devcentral.f5.com\/wiki\/iRules.HttpToHTTPsCookiePersistence.ashx+&#038;cd=4&#038;hl=en&#038;ct=clnk&#038;gl=uk\" target=\"_blank\">the code that generates the hash<\/a> (cheers scriptmonkey).<\/p>\n<p>I decided to use <a href=\"http:\/\/hashcat.net\/oclhashcat-plus\/\" target=\"_blank\">Hashcat<\/a> to do the bruteforcing. First thing that came to mind was how to use a dictionary containing IP addresses. I did think about writing a script to generate an all_ips.dict file but it would be huge, 4,294,967,296 lines to be exact! 
No chance am I doing that!<\/p>\n<p>I then decided to try a bruteforce method but it wasn&#8217;t possible to generate a decent input mask that would work.<\/p>\n<p>A quick jump onto the hashcat irc channel at <a href=\"irc:\/\/irc.as.rizon.net:6667\/hashcat\" target=\"_blank\">#hashcat on rizon network<\/a> and help from atom and Xanaderp led to the idea of generating 2 word lists, one for the first 2 octets and another for the second 2 octets.<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"bash codecolorer\"><span class=\"co0\">#!\/bin\/bash<\/span><br \/>\n<span class=\"kw1\">for<\/span> a <span class=\"kw1\">in<\/span> <span class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">0<\/span> <span class=\"nu0\">255<\/span><span class=\"sy0\">`<\/span><br \/>\n<span class=\"kw1\">do<\/span><br \/>\n&nbsp; <span class=\"kw1\">for<\/span> b <span class=\"kw1\">in<\/span> <span class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">0<\/span> <span class=\"nu0\">255<\/span><span class=\"sy0\">`<\/span><br \/>\n&nbsp; <span class=\"kw1\">do<\/span><br \/>\n&nbsp; <span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$a<\/span>.<span class=\"es2\">$b<\/span>.&quot;<\/span> <span class=\"sy0\">&gt;&gt;<\/span> ips_left.txt<br \/>\n&nbsp; <span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$a<\/span>.<span class=\"es2\">$b<\/span>&quot;<\/span> <span class=\"sy0\">&gt;&gt;<\/span> ips_right.txt<br \/>\n&nbsp; <span class=\"kw1\">done<\/span><br \/>\n<span class=\"kw1\">done<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Update from Ben Campbell to do this all in one swoop \ud83d\ude42<\/p>\n<p>Each dictionary is 65536 lines 
long and so is only 500K or so in size \ud83d\ude42<\/p>\n<p>Now to perform the cracking:<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"bash codecolorer\"><span class=\"co4\">phillips321@KubuntuDesktop:$ <\/span>.<span class=\"sy0\">\/<\/span>oclHashcat-plus64.bin bIPs.txt <span class=\"re5\">-a<\/span> <span class=\"nu0\">1<\/span> ips_left.dict ips_right.dict <br \/>\noclHashcat-plus v0.07 by atom starting...<br \/>\nHashes: <span class=\"nu0\">2<\/span><br \/>\nUnique digests: <span class=\"nu0\">2<\/span><br \/>\nBitmaps: <span class=\"nu0\">8<\/span> bits, <span class=\"nu0\">256<\/span> entries, 0x000000ff mask, <span class=\"nu0\">1024<\/span> bytes<br \/>\nGPU-Loops: <span class=\"nu0\">128<\/span><br \/>\nGPU-Accel: <span class=\"nu0\">40<\/span><br \/>\nPassword lengths range: <span class=\"nu0\">1<\/span> - <span class=\"nu0\">15<\/span><br \/>\nPlatform: AMD compatible platform found<br \/>\nWatchdog: Temperature limit <span class=\"kw1\">set<\/span> to 90c<br \/>\nDevice <span class=\"co0\">#1: Cayman, 2048MB, 0Mhz, 22MCU<\/span><br \/>\nDevice <span class=\"co0\">#1: Allocating 132MB host-memory<\/span><br \/>\nDevice <span class=\"co0\">#1: Kernel .\/kernels\/4098\/m0000_a1.Cayman.64.kernel (250492 bytes)<\/span><br \/>\nScanned dictionary ips_right.dict: <span class=\"nu0\">467968<\/span> bytes, <span class=\"nu0\">65536<\/span> words, <span class=\"nu0\">65536<\/span> keyspace, starting attack...<br \/>\nScanned dictionary ips_left.dict: <span class=\"nu0\">533504<\/span> bytes, <span 
class=\"nu0\">65536<\/span> words, <span class=\"nu0\">4294967296<\/span> keyspace, starting attack...<br \/>\n709aed354747fda133a5da28dbed60e7:172.16.40.150<br \/>\n95eb48ad7eae5c0aa9766f0258ae8a35:172.16.41.151<br \/>\nStatus.......: Cracked<br \/>\nInput.Base...: File <span class=\"br0\">&#40;<\/span>ips_left.dict<span class=\"br0\">&#41;<\/span><br \/>\nInput.Mod....: File <span class=\"br0\">&#40;<\/span>ips_right.dict<span class=\"br0\">&#41;<\/span><br \/>\nHash.Type....: MD5<br \/>\nTime.Running.: <span class=\"nu0\">4<\/span> secs<br \/>\nTime.Util....: 4001.3ms<span class=\"sy0\">\/<\/span>0.0ms Real<span class=\"sy0\">\/<\/span>CPU, <span class=\"nu0\">0.0<\/span><span class=\"sy0\">%<\/span> idle<br \/>\nSpeed........: &nbsp; 308.3M c<span class=\"sy0\">\/<\/span>s Real, &nbsp;1332.0M c<span class=\"sy0\">\/<\/span>s GPU<br \/>\nRecovered....: <span class=\"nu0\">2<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">2<\/span> Digests, <span class=\"nu0\">1<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1<\/span> Salts<br \/>\nProgress.....: <span class=\"nu0\">1233633280<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">4294967296<\/span> <span class=\"br0\">&#40;<\/span><span class=\"nu0\">28.72<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\nRejected.....: <span class=\"nu0\">0<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1233633280<\/span> <span class=\"br0\">&#40;<\/span><span class=\"nu0\">0.00<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"co4\">HW.Monitor.#<\/span><span class=\"nu0\">1<\/span>: &nbsp;<span class=\"nu0\">0<\/span><span class=\"sy0\">%<\/span> GPU, 44c Temp<br \/>\nStarted: Wed Apr &nbsp;<span class=\"nu0\">4<\/span> <span class=\"nu0\">14<\/span>:<span class=\"nu0\">29<\/span>:<span class=\"nu0\">31<\/span> <span class=\"nu0\">2012<\/span><br \/>\nStopped: Wed Apr &nbsp;<span class=\"nu0\">4<\/span> <span 
class=\"nu0\">14<\/span>:<span class=\"nu0\">29<\/span>:<span class=\"nu0\">36<\/span> <span class=\"nu0\">2012<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Bingo, MD5 hashes of IP addresses cracked in 4 seconds!<\/p>\n<p><strong>Update:<\/strong> Speaking with unix-ninja on the hashcat forum he mentioned that some devices do actually store the zeros within their IP address, so 192.168.1.1 would actually be 192.168.001.001.<\/p>\n<p>Taking this into consideration I decided to quickly throw together another script to combat this:<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"bash codecolorer\"><span class=\"co0\">#!\/bin\/bash<\/span><br \/>\n<span class=\"kw1\">for<\/span> a <span class=\"kw1\">in<\/span> <span class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">0<\/span> <span class=\"nu0\">2<\/span><span class=\"sy0\">`<\/span><br \/>\n<span class=\"kw1\">do<\/span><br \/>\n&nbsp;<span class=\"kw1\">for<\/span> b <span class=\"kw1\">in<\/span> <span class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">0<\/span> <span class=\"nu0\">9<\/span><span class=\"sy0\">`<\/span><br \/>\n&nbsp; <span class=\"kw1\">do<\/span><br \/>\n&nbsp; <span class=\"kw1\">for<\/span> c <span class=\"kw1\">in<\/span> <span class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">0<\/span> <span class=\"nu0\">9<\/span><span class=\"sy0\">`<\/span><br \/>\n&nbsp; &nbsp; <span class=\"kw1\">do<\/span><br \/>\n&nbsp; &nbsp;<span class=\"kw1\">for<\/span> d <span class=\"kw1\">in<\/span> <span 
class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">0<\/span> <span class=\"nu0\">2<\/span><span class=\"sy0\">`<\/span><br \/>\n&nbsp; &nbsp;<span class=\"kw1\">do<\/span><br \/>\n&nbsp; &nbsp; <span class=\"kw1\">for<\/span> e <span class=\"kw1\">in<\/span> <span class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">0<\/span> <span class=\"nu0\">9<\/span><span class=\"sy0\">`<\/span><br \/>\n&nbsp; &nbsp; &nbsp;<span class=\"kw1\">do<\/span><br \/>\n&nbsp; &nbsp; &nbsp;<span class=\"kw1\">for<\/span> f <span class=\"kw1\">in<\/span> <span class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">0<\/span> <span class=\"nu0\">9<\/span><span class=\"sy0\">`<\/span><br \/>\n&nbsp; &nbsp; &nbsp; &nbsp;<span class=\"kw1\">do<\/span><br \/>\n&nbsp; &nbsp; &nbsp; <span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$a<\/span><span class=\"es2\">$b<\/span><span class=\"es2\">$c<\/span>.<span class=\"es2\">$d<\/span><span class=\"es2\">$e<\/span><span class=\"es2\">$f<\/span>.&quot;<\/span> <span class=\"sy0\">&gt;&gt;<\/span> ips_left.txt<br \/>\n&nbsp; &nbsp; &nbsp; &nbsp; <span class=\"kw3\">echo<\/span> <span class=\"st0\">&quot;<span class=\"es2\">$a<\/span><span class=\"es2\">$b<\/span><span class=\"es2\">$c<\/span>.<span class=\"es2\">$d<\/span><span class=\"es2\">$e<\/span><span class=\"es2\">$f<\/span>&quot;<\/span> <span class=\"sy0\">&gt;&gt;<\/span> ips_right.txt<br \/>\n&nbsp; &nbsp; &nbsp;<span class=\"kw1\">done<\/span><br \/>\n&nbsp; &nbsp; <span class=\"kw1\">done<\/span><br \/>\n&nbsp; &nbsp;<span class=\"kw1\">done<\/span><br \/>\n&nbsp; <span class=\"kw1\">done<\/span><br \/>\n&nbsp; <span class=\"kw1\">done<\/span><br \/>\n<span class=\"kw1\">done<\/span><br \/>\n<span class=\"kw1\">for<\/span> i <span class=\"kw1\">in<\/span> <span class=\"sy0\">`<\/span><span class=\"kw2\">seq<\/span> <span class=\"nu0\">256<\/span> <span class=\"nu0\">299<\/span><span 
class=\"sy0\">`<\/span><br \/>\n<span class=\"kw1\">do<\/span><br \/>\n&nbsp;<span class=\"kw2\">grep<\/span> <span class=\"re5\">-v<\/span> <span class=\"re1\">$i<\/span> ips_left.txt <span class=\"sy0\">&gt;<\/span> ips_left.tmp <span class=\"sy0\">&amp;&amp;<\/span> <span class=\"kw2\">mv<\/span> ips_left.tmp ips_left.txt<br \/>\n&nbsp;<span class=\"kw2\">grep<\/span> <span class=\"re5\">-v<\/span> <span class=\"re1\">$i<\/span> ips_right.txt <span class=\"sy0\">&gt;<\/span> ips_right.tmp <span class=\"sy0\">&amp;&amp;<\/span> <span class=\"kw2\">mv<\/span> ips_right.tmp ips_right.txt<br \/>\n<span class=\"kw1\">done<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><strong>Update<\/strong><br \/>\nBefore F5 load balancers used MD5 for the cookie, they simply encoded it, so you would end up with something like:<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"text codecolorer\">f5cookie=1005421066.20736.0000<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>This is relatively easy to decode:<\/p>\n<div class=\"codecolorer-container python vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"python codecolorer\"><span class=\"sy0\">&gt;&gt;&gt;<\/span> <span class=\"kw1\">import<\/span> <span class=\"kw3\">struct<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> cookie <span class=\"sy0\">=<\/span> <span class=\"st0\">&quot;1005421066.20736.0000&quot;<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> <span class=\"br0\">&#40;<\/span>ip<span class=\"sy0\">,<\/span>port<span class=\"sy0\">,<\/span>end<span class=\"br0\">&#41;<\/span><span class=\"sy0\">=<\/span>cookie.<span 
class=\"me1\">split<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;.&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> <span class=\"co1\"># the first field is the IPv4 address stored as a little-endian 32-bit integer<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> <span class=\"br0\">&#40;<\/span>a<span class=\"sy0\">,<\/span>b<span class=\"sy0\">,<\/span>c<span class=\"sy0\">,<\/span>d<span class=\"br0\">&#41;<\/span><span class=\"sy0\">=<\/span><span class=\"kw2\">list<\/span><span class=\"br0\">&#40;<\/span><span class=\"kw3\">struct<\/span>.<span class=\"me1\">pack<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;&lt;I&quot;<\/span><span class=\"sy0\">,<\/span><span class=\"kw2\">int<\/span><span class=\"br0\">&#40;<\/span>ip<span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> <span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;Decoded IP: %s.%s.%s.%s&quot;<\/span> % <span class=\"br0\">&#40;<\/span>a<span class=\"sy0\">,<\/span>b<span class=\"sy0\">,<\/span>c<span class=\"sy0\">,<\/span>d<span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nDecoded IP: 10.130.237.59<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"<p>So I noticed whilst web app testing that would receive a cookie with a value called bIPs: 709aed354747fda133a5da28dbed60e7 95eb48ad7eae5c0aa9766f0258ae8a35 Looks like it&#8217;s using a BIG-IP load balancer. I noticed it was MD5 and that was confirmed by finding the code that generates the hash (cheers scriptmonkey). I decided to use Hashcat to do the bruteforcing. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[207,186,206,205,195],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/548"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=548"}],"version-history":[{"count":10,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/548\/revisions"}],"predecessor-version":[{"id":620,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/548\/revisions\/620"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}