Recently one of the SANS SEC504 labs updated and with the changes came a new set of hashes from the exercises. These hashes are a perfect opportunity to dive a bit deeper and try to determine what hashing algorithm is used when you’re not sure. I wrote a blog post on resources to help figure out hash formats in 2017 but one tool I didn’t cover was MDXFIND.
MDXFIND is a free tool available here: https://hashes.org/mdxfind.php
Most password cracking programs require three things. A list of the hashes you want to crack, the algorithm that they’re in and a dictionary that you would like to use for your attempts. MDXFIND is for when you have hashes and a dictionary, but you’re not sure what format the hashes are in. Let’s take a quick look at the syntax of an example.
The hashes we want to crack are the following:
- FC24F5B01909FF7A055933F6C0CD06BFAC60D3DC
- 47FA7B070774F637F4D6D6D0B97779EBA27A37CE
- 3D616AA9E23DBDB2F4627C1177C9C0A2AD63F6C2
- 76E826553BF74EC8DB0E91269816C858503F482E
- B475650D6B2694E23BCEFCCD5B52840AC72C8D44
- 03614A326B53D31D4F3B780BB275A0A50781C0E4
- CCB2ACE7865D60C1410A0D9BF5B37BB2F6237A05
By default MDXFIND wants a file of salts to use since several of its formats use salts. In this case, there doesn’t appear to be any salts so we’re going to tell MDXFIND to only make guesses for formats that do not utilize salts. Our syntax now contains:
mdxfind.exe -h ALL -h !salt -f new_day4_hashes.txt rockyou.txt
- “-h ALL” to say all hash formats
- “-h !salt” to say except for formats which require a salt
- “-f new_day4_hashes.txt” to point at the hashes to be cracked
- “rockyou.txt” the dictionary of guesses that we want to try
Since we’re not utilizing a fast GPU cracker like Hashcat, we want to choose a small dictionary like rockyou for this type of work.
Once started, you can see that it’s a slow process due to the large amount of hash formats that MDXFIND is trying.
Within a few minutes, we have success. One of the hashes cracks to the password “frenchfries” with the hashing algorithm of “SQL5x01”. The “x01” stands for one round. We can ask MDXFIND to try multiple rounds of hash formats in case developers use nested algorithms to make “custom” hash formats.
Now that we know what the format is we can stop the process and restart it specifying SQL5 as the format with “-h SQL5”. All of the hashes crack within 30 seconds.
In real life all of the hashes would likely not crack so quickly but once you find out what the algorithm is, you can use tools such as Hashcat to crack the remaining hashes at a much faster rate.
Article Link: https://digitalforensicstips.com/2019/10/a-quick-look-at-mdxfind/