A Quick Look at MDXFIND

Recently one of the SANS SEC504 labs updated and with the changes came a new set of hashes from the exercises. These hashes are a perfect opportunity to dive a bit deeper and try to determine what hashing algorithm is used when you’re not sure. I wrote a blog post on resources to help figure out hash formats in 2017 but one tool I didn’t cover was MDXFIND.

MDXFIND is a free tool available here: https://hashes.org/mdxfind.php

Most password cracking programs require three things. A listof the hashes you want to crack, the algorithm that they’re in and a dictionarythat you would like to use for your attempts. MDXFIND is for when you havehashes and a dictionary, but you’re not sure what format the hashes are in. Let’stake a quick look at the syntax of an example.

The hashes we want to crack are the following:

  • FC24F5B01909FF7A055933F6C0CD06BFAC60D3DC
  • 47FA7B070774F637F4D6D6D0B97779EBA27A37CE
  • 3D616AA9E23DBDB2F4627C1177C9C0A2AD63F6C2
  • 76E826553BF74EC8DB0E91269816C858503F482E
  • B475650D6B2694E23BCEFCCD5B52840AC72C8D44
  • 03614A326B53D31D4F3B780BB275A0A50781C0E4
  • CCB2ACE7865D60C1410A0D9BF5B37BB2F6237A05

By default MDXFIND wants a file of salts to use since several of its formats use salts. In this case, there doesn’t appear to be any salts so we’re going to tell MDXFIND to only make guesses for formats that do not utilize salts. Our syntax now contains:

mdxfind.exe -h ALL -h !salt -f new_day4_hashes.txt rockyou.txt

  1. “-h ALL” to say all hash formats
  2. “-h !salt” to say except for formats which requirea salt
  3. “-f new_day4_hashes.txt” to point at the hashesto be cracked
  4. “rockyou.txt” the dictionary of guesses that wewant to try

Since we’re not utilizing a fast GPU cracker like Hashcat,we want to choose a small dictionary like rockyou for this type of work.

Once started, you can see that it’s a slow process due tothe large amount of hash formats that MDXFIND is trying.

Within a few minutes, we have success. One of the hashescracks to the password “frenchfries” with the hashing algorithm of “SQL5x01”.The “x01” stands for one round. We can ask MDXFIND to try multiple rounds ofhash formats in case developers use nested algorithms to make “custom” hashformats.

Now that we know what the format is we can stop the processand restart it specifying SQL5 as the format with “-h SQL5”. All of the hashescrack within 30 seconds.

In real life all of the hashes would likely not crack soquickly but once you find out what the algorithm is, you can use tools such as Hashcatto crack the remaining hashes at a much faster rate.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more