Re: [twsocket] MD5 passwords
For who cares about it, its called "freeBSD md5 crypt" or "unix md5 crypt". some text i had lying around MD5 crypt was written by Poul-Henning Kamp for FreeBSD. The main reason for using MD5 was to avoid problems with American export prohibitions on cryptographic products, and to allow for a longer password length than the 8 characters used by DES crypt. The password length is restricted only by MD5's maximum message size of 264 bits. The salt can vary from 12 to 48 bits. MD5 crypt hashes the password and salt in a number of different combinations to slow down the evaluation speed. Some steps in the algorithm make it doubtful that the scheme was designed from a cryptographic point of view--for instance, the binary representation of the password length at some point determines which data is hashed, for every zero bit the first byte of the password and for every set bit the first byte of a previous hash computation. The output is the concatenation of the version identifier ``$1$'', the salt, a ``$'' separator, and the 128-bit hash output. MD5 crypt places virtually no limit on the size of passwords, while bcrypt has a maximum of 55 bytes. We do not consider this a serious limitation of bcrypt, however. Not only are users unlikely to choose such long passwords, but if they did, MD5 crypt's 128-bit output size would become the limiting factor in security. A brute force attacker could more easily find short strings hashing to the same value as a user's password than guess the actual password. Finally, like DES crypt, MD5 crypt has fixed cost. On Sat, 21 Nov 2009 20:24:16 +0100, Ruud Kerstens wrote: the password 'test' should generate : $1$/mMVthpE$sgNAe9PaR0ORB1YCc1CVq1 The server i need these hashed passwords for is freeradius, however on that site is no real information about this. As you can see the $1$ seems to tell the server it is encrypted, as i understood. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] MD5 passwords
well, i created the string with a linux-tool on the radius-server (freeradius). It is used as: cryptpasswd --md5 . Free pascal has a unit that does exactly what your posted perlscript code does http://florianklaempfl.de:8000/fpctrunk/file/70e283550952/packages/hash/src/unixcrypt.pas#l1 But, as the perl script, uses an imported crypt function. You just need to import it from the same dll Perl use. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] MD5 passwords
Ok, I will go and read it. anyway, thanks for your replies, lets see if i can find any solution, if so i will let you know! Have a nice weekend!! Ruud Kerstens -- From: "Arno Garrels" Sent: Saturday, November 21, 2009 11:22 PM To: "ICS support mailing" Subject: Re: [twsocket] MD5 passwords Ruud Kerstens wrote: Well, i actually do not know, you could be right, i really do not know... I also know there are different options, like using --des for des encryption. and also --md5 for md5 way of encrypting. and a --check option to check the password. I guess it really is some encryption, but why do they name it MD5 hash.. In the perl-script is a line mentioning salt and some characters to be used for encryption.. I just found this description on internet wikipedia : MD5-based scheme http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme What ever it is, it's not supported by ICS (currently). -- Arno Garrels -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] MD5 passwords
Ruud Kerstens wrote: > Well, i actually do not know, you could be right, i really do not > know... > > I also know there are different options, like using --des for des > encryption. and also --md5 for md5 way of encrypting. and a --check > option to check the password. > I guess it really is some encryption, but why do they name it MD5 > hash.. In the perl-script is a line mentioning salt and some > characters to be used for encryption.. > > I just found this description on internet wikipedia : > > MD5-based scheme http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme What ever it is, it's not supported by ICS (currently). -- Arno Garrels -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] MD5 passwords
Well, i actually do not know, you could be right, i really do not know... I also know there are different options, like using --des for des encryption. and also --md5 for md5 way of encrypting. and a --check option to check the password. I guess it really is some encryption, but why do they name it MD5 hash.. In the perl-script is a line mentioning salt and some characters to be used for encryption.. I just found this description on internet wikipedia : MD5-based scheme Poul-Henning Kamp designed a baroque and (at the time) computationally expensive algorithm based on the MD5 message digest algorithm. MD5 itself would provide good cryptographic strength for the password hash, but it is designed to be quite quick to calculate relative to the strength it provides. The crypt() scheme is designed to be expensive to calculate, to slow down dictionary attacks. The printable form of MD5 password hashes starts with $1$. This scheme allows users to have any length password, and they can use any characters supported by their platform (not just 7-bit ASCII). (In practice many implementations limit the password length, but they generally support passwords far longer than any person would be willing to type.) The salt is also an arbitrary string, limited only by character set considerations. First the passphrase and salt are hashed together, yielding an MD5 message digest. Then a new digest is constructed, hashing together the passphrase, the salt, and the first digest, all in a rather complex form. Then this digest is passed through a thousand iterations of a function which rehashes it together with the passphrase and salt in a manner that varies between rounds. The output of the last of these rounds is the resulting passphrase hash. The fixed iteration count has caused this scheme to lose the computational expense that it once enjoyed. Variable numbers of rounds are now favoured. Best regards, Ruud -- From: "Arno Garrels" Sent: Saturday, November 21, 2009 10:36 PM To: "ICS support mailing" Subject: Re: [twsocket] MD5 passwords Ruud Kerstens wrote: well, i created the string with a linux-tool on the radius-server (freeradius). It is used as: cryptpasswd --md5 . Doesn't this just encrypt the MD5 value of the password? Just a wild guess.. -- Arno Garrels -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] MD5 passwords
Ruud Kerstens wrote: > well, i created the string with a linux-tool on the radius-server > (freeradius). It is used as: > cryptpasswd --md5 . Doesn't this just encrypt the MD5 value of the password? Just a wild guess.. -- Arno Garrels -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] MD5 passwords
well, i created the string with a linux-tool on the radius-server
(freeradius). It is used as:
cryptpasswd --md5 .
Ruud Kerstens.
this is the cryptpasswd perlscript below (not farmiliar with perl) :
#...@perl@
#
# cryptpasswd Generate or check md5 and DES hashed passwords.
#
#This program is free software; you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation; either version 2 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
#
#Copyright (C) 2001 The FreeRADIUS Project http://www.freeradius.org
#
#Written by Miquel van Smoorenburg
#
#$Id: cryptpasswd.in,v 1.1 2001/09/28 14:04:29 aland Exp $
#
use Getopt::Long;
sub check_des {
return (crypt("fnord", "aa") =~ m/^aa/);
}
sub check_md5 {
return (crypt("fnord", "\$1\$aa") =~ m/^\$1\$/);
}
sub usage {
die "Usage: cryptpasswd [--des|--md5|--check] plaintext_password
[crypted_password]\n";
}
@saltc = ( '.', '/', '0'..'9', 'A'..'Z', 'a'..'z' );
#
# MAIN
#
sub main {
Getopt::Long::Configure("no_ignore_case", "bundling");
my @options = ( "des|d+", "md5|m+", "check|c+" );
usage() unless (eval { Getopt::Long::GetOptions(@options) } );
if ($opt_check) {
usage unless ($#ARGV == 1);
if (crypt($ARGV[0], $ARGV[1]) ne $ARGV[1]) {
print "Password BAD\n";
return 0;
} else {
print "Password OK\n";
return 1;
}
}
usage() unless ($opt_des || $opt_md5);
usage() unless ($#ARGV == 0);
die "DES password hashing not available\n"
if ($opt_des && !check_des());
die "MD5 password hashing not available\n"
if ($opt_md5 && !check_md5());
$salt = ($opt_md5 ? '$1$' : '');
for ($i = 0; $i < ($opt_md5 ? 8 : 2); $i++) {
$salt .= $saltc[rand 64];
}
$salt .= '$' if ($opt_md5);
print crypt($ARGV[0], $salt), "\n";
1;
}
exit !main();
--
From: "Arno Garrels"
Sent: Saturday, November 21, 2009 9:33 PM
To: "ICS support mailing"
Subject: Re: [twsocket] MD5 passwords
Ruud Kerstens wrote:
the password 'test' should generate :
$1$/mMVthpE$sgNAe9PaR0ORB1YCc1CVq1
A MD5 checksum/hash value is an array of 16 bytes, mostly
represented as a hex string, that's what StrMD5() returns.
The MD5 of "test" as a hex string looks like
"7318EFC576D8C24B47540D5ACFD58E5A"
The same MD5 Base64 encoded was "cxjvxXbYwktHVA1az9WOWg=="
I'm sorry, I've currently no idea what encoding might have
produced the string you posted above?
Someone else?
--
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] MD5 passwords
Ruud Kerstens wrote: > > the password 'test' should generate : > $1$/mMVthpE$sgNAe9PaR0ORB1YCc1CVq1 A MD5 checksum/hash value is an array of 16 bytes, mostly represented as a hex string, that's what StrMD5() returns. The MD5 of "test" as a hex string looks like "7318EFC576D8C24B47540D5ACFD58E5A" The same MD5 Base64 encoded was "cxjvxXbYwktHVA1az9WOWg==" I'm sorry, I've currently no idea what encoding might have produced the string you posted above? Someone else? -- Arno Garrels -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
[twsocket] MD5 passwords
Hi all, I am busy creating some database connection, and i have been looking to create the famous MD5 passwords. After testing some generators on internet, i decided to write the generator in my application, using the ics component. If I try the example, i see the string is only in normal characters, as a MD5 password also contains characters as a / for example (don't know how to call these characters in english). Is there any way to generate these type of passwords with the ICS component? If not, where can i find information on this, as i have been looking around the internet, and allways get tools doing exactly the same as the results i get with ICS. i give an example here: the password 'test' should generate : $1$/mMVthpE$sgNAe9PaR0ORB1YCc1CVq1 The server i need these hashed passwords for is freeradius, however on that site is no real information about this. As you can see the $1$ seems to tell the server it is encrypted, as i understood. Best regards, Ruud Kerstens -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] OverbyteIcsPingTst
Thanks guys, Modifying ESET wasn't an option on my case, I have just made another way around and solved the problem. Anyway, Is it possible to make PingTst to work as windows CMD? - daniel - Original Message - From: "Francois PIETTE" To: "ICS support mailing" Sent: Saturday, November 21, 2009 11:55 AM Subject: Re: [twsocket] OverbyteIcsPingTst The ESET firewall can be configure per application. Yes, I can be configured but, Don't you think PingTest should also work if CMD does? Obviously ESET has been designed to permit network acces per program. This issue is not a problem with ICS, it is solely a problem with ESET configuration. And this is not a special case for ESET, almost ALL security products checking network access will behave the same: At first the block almost everything. The user has to selectively unblock what he really use. This is the only way a security product can catch an unwanted program to acces the network. -- francois.pie...@overbyte.be The author of the freeware multi-tier middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] OverbyteIcsPingTst
The ESET firewall can be configure per application. Yes, I can be configured but, Don't you think PingTest should also work if CMD does? Obviously ESET has been designed to permit network acces per program. This issue is not a problem with ICS, it is solely a problem with ESET configuration. And this is not a special case for ESET, almost ALL security products checking network access will behave the same: At first the block almost everything. The user has to selectively unblock what he really use. This is the only way a security product can catch an unwanted program to acces the network. -- francois.pie...@overbyte.be The author of the freeware multi-tier middleware MidWare The author of the freeware Internet Component Suite (ICS) http://www.overbyte.be -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
