Zoklet.net

Go Back   Zoklet.net > Technology > Technophiles and Technophiliacs

Reply
 
Thread Tools
  #1  
Old 12-22-2009, 03:27 PM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default How does one obtain a users password hash on a phpbb3 forum?

Simply put I need to script kiddy my way in to a friend's forum account so I can register him for a shitty card game tournament. This normally wouldn't be such a big screaming problem but dude is out of the country and uncontactable.

I'm not too code savvy but I googled for a bit and figured the easiest way is to run the password hash through something like hydra, but i'll be bumfucked if I could find out how to actually obtain the hash file for his password.

Any help available?

....and if there is an easier way to do this i'm open to suggestions. I Don't really give a flying tinwhistle shit about the methods since this is a one time thing.
Reply With Quote
  #2  
Old 12-22-2009, 03:36 PM
Raziel Raziel is offline
Count
 
Join Date: Apr 2009
Thanks: 3
Thanked 137 Times in 104 Posts
Send a message via MSN to Raziel Send a message via Skype™ to Raziel
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Get the forum database. Otherwise, good luck.



Try the 'forgot password' function and check his email.
Reply With Quote
  #3  
Old 12-22-2009, 03:42 PM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Raziel View Post
Get the forum database. Otherwise, good luck.



Try the 'forgot password' function and check his email.
I haven't the slightest idea what "get the forum database" means.

....and if I had access to his email account I wouldn't need to resort to asking in this forum.

I may not be able to launch a nuclear missle by whistling in to a cell phone but i don't suffer from DOWN SYNDROME.
Reply With Quote
  #4  
Old 12-22-2009, 03:49 PM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by 1337 View Post
If he saves a cookie so he doesn't get logged off it saves a password hash. Is that the same password hash that would be in the database?
I don't have access to his computer locally and i'm not interested in cracking an admin account.
Reply With Quote
  #5  
Old 12-22-2009, 03:50 PM
abc abc is offline
Member
 
Join Date: May 2009
Location: Europe
Thanks: 106
Thanked 36 Times in 22 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

It doesn't work that way. First, any web community worth its salt is not going to store passwords into user databases. If they do, they deserve to be hacked.

Second, passwords are usually hashed and salted. It's easy to convert the password to hash but you can't do the other way around because when you log in, your password is converted to hash and compared to the hash in the database. If they match, the system will let you in. Hashes are never converted to passwords! Even if you somehow, magically, get a database you won't be able to get any use out of it.
Reply With Quote
  #6  
Old 12-22-2009, 03:53 PM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by abc View Post
It doesn't work that way. First, any web community worth its salt is not going to store passwords into user databases. If they do, they deserve to be hacked.

Second, passwords are usually hashed and salted. It's easy to convert the password to hash but you can't do the other way around because when you log in, your password is converted to hash and compared to the hash in the database. If they match, the system will let you in. Hashes are never converted to passwords! Even if you somehow, magically, get a database you won't be able to get any use out of it.
bleh....

How exactly should I go about grabbing my friends forum password then?



....and out of curiosity what exactly is hydra even used for then?
Reply With Quote
  #7  
Old 12-22-2009, 03:55 PM
Raziel Raziel is offline
Count
 
Join Date: Apr 2009
Thanks: 3
Thanked 137 Times in 104 Posts
Send a message via MSN to Raziel Send a message via Skype™ to Raziel
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Ambix View Post
I may not be able to launch a nuclear missle by whistling in to a cell phone but i don't suffer from DOWN SYNDROME.
That's nice.
Quote:
Originally Posted by Ambix View Post
I haven't the slightest idea what "get the forum database" means.
Most web applications(in this case a forum) run use databases to store their dynamic information. Like posts,user information and password hashes.

However to obtain this database you'd need to get access to the website administration software.

This, is not gonna happen, do you have access to your 'friends' computer?
Try one of these. http://nirsoft.net/password_recovery_tools.html

EDIT: Too slow
Reply With Quote
  #8  
Old 12-22-2009, 03:58 PM
Raziel Raziel is offline
Count
 
Join Date: Apr 2009
Thanks: 3
Thanked 137 Times in 104 Posts
Send a message via MSN to Raziel Send a message via Skype™ to Raziel
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by abc View Post
Even if you somehow, magically, get a database you won't be able to get any use out of it.
Some custom and regular applications don't salt(moodle for one), This is not the case with phpbb3 though.


http://gdataonline.com works great for unsalted hashes.
Reply With Quote
  #9  
Old 12-22-2009, 05:14 PM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

fuck it.

This is too irritating.
Reply With Quote
  #10  
Old 12-22-2009, 05:25 PM
optl optl is offline
Knight
 
Join Date: Jun 2009
Location: Just outside Washington DC
Thanks: 63
Thanked 47 Times in 40 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Obtain his password hash, either by accessing the forums DB or stealing your friends cookies. Then brute force the hash; which probably won't work.
Reply With Quote
  #11  
Old 12-22-2009, 06:27 PM
easy-e easy-e is offline
Serf
 
Join Date: Nov 2009
Location: Seattle, WA
Thanks: 1
Thanked 3 Times in 2 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

If you don't have access to his computer, put a keylogger on your computer and get him to log in on your computer. It sounds stupid and easy...because it really is that easy.
Reply With Quote
  #12  
Old 12-22-2009, 10:09 PM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by easy-e View Post
If you don't have access to his computer, put a keylogger on your computer and get him to log in on your computer. It sounds stupid and easy...because it really is that easy.
It's mind boggling how bad your reading comprehension is.

Quote:
Originally Posted by ambix
This normally wouldn't be such a big screaming problem but dude is out of the country and uncontactable.
Reply With Quote
  #13  
Old 12-23-2009, 12:29 AM
SexyWoodenSpoon SexyWoodenSpoon is offline
Member
 
Join Date: Jun 2009
Location: Scotland
Thanks: 76
Thanked 72 Times in 52 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Ambix View Post
Simply put I need to script kiddy my way in to a friend's forum account so I can register him for a shitty card game tournament. This normally wouldn't be such a big screaming problem but dude is out of the country and uncontactable.

I'm not too code savvy but I googled for a bit and figured the easiest way is to run the password hash through something like hydra, but i'll be bumfucked if I could find out how to actually obtain the hash file for his password.

Any help available?

....and if there is an easier way to do this i'm open to suggestions. I Don't really give a flying tinwhistle shit about the methods since this is a one time thing.
Best thing to do is as Raziel says- get the db. Or at least get access to a certain part. Try some injection.
Quote:
Originally Posted by Raziel View Post
Get the forum database. Otherwise, good luck.



Try the 'forgot password' function and check his email.
The email is a good one, ah the good old days of hacking hotmail.
Quote:
Originally Posted by Ambix View Post
I haven't the slightest idea what "get the forum database" means.

....and if I had access to his email account I wouldn't need to resort to asking in this forum.

I may not be able to launch a nuclear missle by whistling in to a cell phone but i don't suffer from DOWN SYNDROME.
1. Don't get cocky
2. If you have no idea what "get the forum database" means then why are you posting here? Do your research first, then try, then ask.
Quote:
Originally Posted by Ambix View Post
I don't have access to his computer locally and i'm not interested in cracking an admin account.
Locally would be the easiest method (via a keylogger)
Quote:
Originally Posted by abc View Post
It doesn't work that way. First, any web community worth its salt is not going to store passwords into user databases. If they do, they deserve to be hacked.

Second, passwords are usually hashed and salted. It's easy to convert the password to hash but you can't do the other way around because when you log in, your password is converted to hash and compared to the hash in the database. If they match, the system will let you in. Hashes are never converted to passwords! Even if you somehow, magically, get a database you won't be able to get any use out of it.
This ALTHOUGH I have to call your bluff - I've got hundreds of databases with password hashes, all of them can be decoded.


Right first off the system you wish to crack is a bulletin board- so it runs PHP and possibly a MySQL database where all the "shit" is stored. You either:

Gain access to the database and try to decode the password
-OR-
Gain access to the database and alter the email address.

In SQL terms its very simple to do something like this however the SQL will need to be injected as it would be ludicrous for them to allow anyone access.

EDIT: If you're new to this then try getting some webspace with a database and upload phpbb3 to it, the exact version that you wish to... play with. I suppose you could do it locally if you installed PHP and had some sort of DB server. once you've done that check the development notes and bugs list on their site to look for possible weaknesses. Once you've done that screw about with it on your private server until such point you've got something to go on, implement it on the live site and see what happens.

Last edited by SexyWoodenSpoon; 12-23-2009 at 12:33 AM.
Reply With Quote
The following users say "It is so good to hear it!":
Jaguarstrike (12-23-2009)
  #14  
Old 12-23-2009, 08:33 AM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by SexyWoodenSpoon View Post
A whole lot of usefull commentary thats too long to quote.
I'm not going to lie.....I had already given up on this but your post was still magnificent.

~respect

Quote:
Originally Posted by SexyWoodenSpoon
2. If you have no idea what "get the forum database" means then why are you posting here? Do your research first, then try, then ask.
I only spent about a half an hour researching before asking, and I still know almost next to nothing about coding or how the internet works. I'm an english major -__-

I only asked out of neccesity and its all moot anyway since the tournament registration is closed.

I needed a quick and lazy way to get what I wanted since I didn't have the time or the understanding of the subject to do it myself.

Last edited by Ambix; 12-23-2009 at 08:39 AM.
Reply With Quote
  #15  
Old 12-23-2009, 05:01 PM
SexyWoodenSpoon SexyWoodenSpoon is offline
Member
 
Join Date: Jun 2009
Location: Scotland
Thanks: 76
Thanked 72 Times in 52 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Ambix View Post
I'm not going to lie.....I had already given up on this but your post was still magnificent.

~respect



I only spent about a half an hour researching before asking, and I still know almost next to nothing about coding or how the internet works. I'm an english major -__-

I only asked out of neccesity and its all moot anyway since the tournament registration is closed.

I needed a quick and lazy way to get what I wanted since I didn't have the time or the understanding of the subject to do it myself.
Quick & lazy =/= getting what you want. Anyone who has ever cracked / hacked / broken into any website has done so from experience - which is not quick easy or cheap.

That's the problem now a days - too many kids want to click a button and melt the system.
Reply With Quote
  #16  
Old 12-23-2009, 07:29 PM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by SexyWoodenSpoon View Post
Quick & lazy =/= getting what you want. Anyone who has ever cracked / hacked / broken into any website has done so from experience - which is not quick easy or cheap.

That's the problem now a days - too many kids want to click a button and melt the system.
In this particular instance quick and easy IS what I wanted.

I didn't want to melt systems....I just wanted my friend registered for a shitty online card game tournament.

If it had happened the way I wanted it to, I would have skipped merrily onward probably never attempting to learn anything about programming again.
Reply With Quote
  #17  
Old 12-23-2009, 08:54 PM
SexyWoodenSpoon SexyWoodenSpoon is offline
Member
 
Join Date: Jun 2009
Location: Scotland
Thanks: 76
Thanked 72 Times in 52 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Ambix View Post
In this particular instance quick and easy IS what I wanted.

I didn't want to melt systems....I just wanted my friend registered for a shitty online card game tournament.

If it had happened the way I wanted it to, I would have skipped merrily onward probably never attempting to learn anything about programming again.
You obviously didn't get what I meant. To do the things you want to do - you need knowledge, skills and experience.

A quick google search shows multiple security threats for varying versions of phpbb. A further 10 minutes researching HOW to inject this phpbb version and then amalgamating it into the one solution takes a few minutes (including writing the injection code)... yada yada yada.

When I said that there are too many kids wanting to melt the system with a click of a button what I meant was that there are too many of you guys that expect everything to be 2 minutes work and an easy task.
Reply With Quote
  #18  
Old 12-23-2009, 09:07 PM
Ambix Ambix is offline
New Arrival
 
Join Date: Dec 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by SexyWoodenSpoon View Post
You obviously didn't get what I meant. To do the things you want to do - you need knowledge, skills and experience.

A quick google search shows multiple security threats for varying versions of phpbb. A further 10 minutes researching HOW to inject this phpbb version and then amalgamating it into the one solution takes a few minutes (including writing the injection code)... yada yada yada.

When I said that there are too many kids wanting to melt the system with a click of a button what I meant was that there are too many of you guys that expect everything to be 2 minutes work and an easy task.
No I got what you meant, I just didn't expect REAL applications of hacking to be the work of 2 minutes...

What I meant was that I'd be pretty suprised if there was no way to automate simple things like this. There don't appear to be too many variables involved, but what would I know.







....and as a side note I did look for vulnerabilities in the original googling and none exist for phpbb3 3.0.4 which was the version I was looking for......but again what would I know. I probably just didn't look hard enough.

Last edited by Ambix; 12-23-2009 at 09:10 PM.
Reply With Quote
  #19  
Old 12-23-2009, 09:53 PM
SexyWoodenSpoon SexyWoodenSpoon is offline
Member
 
Join Date: Jun 2009
Location: Scotland
Thanks: 76
Thanked 72 Times in 52 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Ambix View Post
No I got what you meant, I just didn't expect REAL applications of hacking to be the work of 2 minutes...

What I meant was that I'd be pretty suprised if there was no way to automate simple things like this. There don't appear to be too many variables involved, but what would I know.







....and as a side note I did look for vulnerabilities in the original googling and none exist for phpbb3 3.0.4 which was the version I was looking for......but again what would I know. I probably just didn't look hard enough.
There is a reason why we don't automate it. Every IT guy you will ever meet (including me to a certain degree) is doing himself / herself out of a job. Every time something is automated, it removes the need for us.

So in essence if, say, myself were to automate the process and remove the hassle then RELEASE it to mass market, our skills would go out the window and there would be no effort involved. Anyone can hack any system with an automated program, it takes the skills of the pro's to write it.
Reply With Quote
  #20  
Old 12-25-2009, 09:33 AM
v0x v0x is offline
Baron
 
Join Date: Apr 2009
Location: ████
Thanks: 80
Thanked 160 Times in 104 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by SexyWoodenSpoon View Post
Quick & lazy =/= getting what you want. Anyone who has ever cracked / hacked / broken into any website has done so from experience - which is not quick easy or cheap.

That's the problem now a days - too many kids want to click a button and melt the system.
Fucking this.
__________________
Do you want to turn on Sticky Keys?
Reply With Quote
  #21  
Old 12-25-2009, 01:14 PM
Raziel Raziel is offline
Count
 
Join Date: Apr 2009
Thanks: 3
Thanked 137 Times in 104 Posts
Send a message via MSN to Raziel Send a message via Skype™ to Raziel
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by v0x View Post
Fucking this.
Making the word 'this' bold confuses me for some reason...
Reply With Quote
  #22  
Old 12-25-2009, 09:04 PM
olive olive is offline
Regular
 
Join Date: Dec 2009
Thanks: 3
Thanked 10 Times in 8 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Ambix View Post
....and if I had access to his email account I wouldn't need to resort to asking in this forum.
use the 'forgot password' on the email account and then on the forum account then? If you know him fairly well you should be able to figure out the security questions, if it doesn't just link to another email that is.
Reply With Quote
  #23  
Old 12-28-2009, 01:49 PM
coolstorybro coolstorybro is offline
Peasant
 
Join Date: Jun 2009
Location: England, United States of Euro
Thanks: 7
Thanked 3 Times in 3 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Raziel View Post
Get the...database
lol min post
__________________
Ox29A confessions
23:07 -!- ^ is now known as He
23:07 * He ^ craves big black penises
Reply With Quote
  #24  
Old 12-28-2009, 06:44 PM
a334jv2df's Avatar
a334jv2df a334jv2df is offline
Duke
 
Join Date: Jan 2009
Thanks: 657
Thanked 739 Times in 514 Posts
Send a message via ICQ to a334jv2df Send a message via AIM to a334jv2df Send a message via Yahoo to a334jv2df
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by Ambix View Post
No I got what you meant, I just didn't expect REAL applications of hacking to be the work of 2 minutes...

What I meant was that I'd be pretty suprised if there was no way to automate simple things like this. There don't appear to be too many variables involved, but what would I know.







....and as a side note I did look for vulnerabilities in the original googling and none exist for phpbb3 3.0.4 which was the version I was looking for......but again what would I know. I probably just didn't look hard enough.
Protip: Don't bash people for their reading comprehension skills when you have the writing facilities of a 3 year old and the computing know-how of my left toe
Reply With Quote
The following users say "It is so good to hear it!":
SexyWoodenSpoon (12-28-2009)
  #25  
Old 12-31-2009, 03:29 PM
padam padam is offline
Member
 
Join Date: Dec 2009
Thanks: 0
Thanked 3 Times in 3 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by SexyWoodenSpoon View Post
This ALTHOUGH I have to call your bluff - I've got hundreds of databases with password hashes, all of them can be decoded.
In a reasonable amount of time?

A proper salt can easily multiply the amount of time required by the thousands.
Reply With Quote
  #26  
Old 12-31-2009, 05:30 PM
SexyWoodenSpoon SexyWoodenSpoon is offline
Member
 
Join Date: Jun 2009
Location: Scotland
Thanks: 76
Thanked 72 Times in 52 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by padam View Post
In a reasonable amount of time?

A proper salt can easily multiply the amount of time required by the thousands.
I would say so. Depends on the salt.
Reply With Quote
  #27  
Old 12-31-2009, 06:45 PM
padam padam is offline
Member
 
Join Date: Dec 2009
Thanks: 0
Thanked 3 Times in 3 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by SexyWoodenSpoon View Post
I would say so. Depends on the salt.

fc54b8bc92cfb1cafffbfbabca956c7d

MD5 hash of a 14 character alphanumeric password salted with a 239 character static string.

And that's the absolute _minimum_ protection I would use in any live environment.
Reply With Quote
  #28  
Old 12-31-2009, 10:35 PM
SexyWoodenSpoon SexyWoodenSpoon is offline
Member
 
Join Date: Jun 2009
Location: Scotland
Thanks: 76
Thanked 72 Times in 52 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?

Quote:
Originally Posted by padam View Post
fc54b8bc92cfb1cafffbfbabca956c7d

MD5 hash of a 14 character alphanumeric password salted with a 239 character static string.

And that's the absolute _minimum_ protection I would use in any live environment.
Is this a test? haha.
Reply With Quote
  #29  
Old 01-02-2010, 07:16 AM
Auschwitz Nazi Disneyland Auschwitz Nazi Disneyland is offline
Duke
 
Join Date: Apr 2009
Location: the space between stars
Thanks: 3,581
Thanked 1,157 Times in 749 Posts
Default Re: How does one obtain a users password hash on a phpbb3 forum?



From memory, the only way to decode a salted hash is brute force (failing a flaw in the hashing algorithm, but MD5 is pretty clean, except for collisions), and it'll take you a fucking long time.

Go shopping for FPGAs or write some assembler code for your multiple 3D cards if you want ANY chance of getting those passes before you're 80.
Reply With Quote
Reply

Bookmarks

Tags
forum, hash, obtain, password, phpbb3, users

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Kratom and where to obtain it? Treefingers.s Better Living Through Chemistry 0 09-08-2009 05:56 AM
Were could i obtain top of the line Jenkem? Rainycity Better Living Through Chemistry 1 06-04-2009 07:49 PM
Where could i obtain some of these bulbs? Rainycity Generally Speaking 6 04-30-2009 01:04 AM
Where could i obtain an illegal gun in Bc Rainycity Weapons and Combat 1 02-27-2009 10:27 AM


All times are GMT. The time now is 07:08 PM.


Hot Topics
Join our Chatroom!
Users: 8
Messages/minute: 0
Topic: "Only rule: be nice or I'll cut your fucking face off, dumbshit"
Users: 27
Messages/minute: 1.6
Topic: "http://codelove.org :: Below is above in 2 codes 1 love. :: wh..."
Users: 18
Messages/minute: 5
Topic: "http://www.literotica...."
Advertisements
Your ad could go right HERE! Contact us!

Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.