|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 179
Members: 0
Total: 179
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
MD5 Collision Generation - MD4 Collision Generation |
|
Posted: Tue Nov 22, 2005 2:52 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Tue Nov 22, 2005 4:55 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Have you allready tested it? This code seems not finished yet. Just some proof of concept. But if there is or will be md5 collision generator, which can generate collisions for arbitrary md5 hashes, then this can be very interesting for phpnuke/phpbb/other md5 hash using software exploiters.
Just think about this - you have gotten md5 hash (cookie stealing, sql injection) and now you want to know password. You can bruteforce, use wordlists or use rainbow tables. But if password was really good, then your mission is failed. Now, you will use md5 hash collision generator and within reasonable timespan it is outputting some "garbage" data - not original password, but other plaintext, which will get SAME md5 hash. And now we can use this as password. Of course there can be problems with data sanitize (if plaintext contains non-ascii stuff,if it is very long, etc), but anyway, this can give to exploiters brand new weaponry |
|
|
|
|
|
www.waraxe.us Forum Index -> Tools
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|