Cracking Postgres Password Hashes with MDCrack
As far as I’m aware there aren’t many good password crackers around for PostgreSQL database password hashes. Here are a few notes on how to crack postgres password hashes quickly using MDCrack. Even though MDCrack is a Windows program, it works well enough under WINE for our purposes. Linux users can therefore benefit from its impressive cracking speeds.
Where are the Hashes Kept?
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser (usually called “postgres” or “pgsql”) to read this table. First log into the database. If you’ve gained local access to the Postgres server (e.g. via SSH), you’ll probably find that you don’t need a password to log in. You will need a username and the name of a database, though. The database “template1” always exists:
$ psql -U postgres template1
Then list the hashes:
# select usename, passwd from pg_shadow;
     usename      |               passwd
------------------+-------------------------------------
 testuser         | md5fabb6d7172aadfda4753bf0507ed4396
...
The passwd field in this table is the string “md5” followed by MD5(password || username), where || denotes concatenation. The username therefore acts as a salt. In this example the passwd field for testuser contains “md5” || MD5(m4gictestuser).
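Because the username is mixed into every hash, each candidate password has to be re-hashed per account. The following is an added example (not from the original post and not part of MDCrack) that rebuilds the stored value, parses psql output and checks each account against a short denylist. The function names, the denylist and the alice, bob, carol and svc rows are constructed for illustration; only the testuser row and m4gic come from this page.

```python
import hashlib
import re
MD5_ENTRY = re.compile(r"^md5[0-9a-f]{32}$")

def pg_md5_entry(password, username):
    """Return "md5" || MD5(password || username), the format described above."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()

def parse_pg_shadow(text):
    """Parse psql's aligned "usename | passwd" output into {usename: passwd}."""
    rows = {}
    for line in text.splitlines():
        if "|" not in line:
            continue  # separator rows use "+", so only header and data rows remain
        user, passwd = (field.strip() for field in line.split("|", 1))
        if user != "usename":
            rows[user] = passwd
    return rows

def audit(rows, denylist):
    """Classify each account; the username is the salt, so hash per user."""
    findings = {}
    for user, stored in rows.items():
        if not stored:
            findings[user] = "no password set"
        elif not MD5_ENTRY.match(stored):
            findings[user] = "not an md5-format entry"
        else:
            candidates = list(denylist) + [user]  # also try password == username
            hit = next((p for p in candidates
                        if pg_md5_entry(p, user) == stored), None)
            findings[user] = "denylisted password: " + hit if hit else "md5, not on denylist"
    return findings

# Constructed sample; alice and bob share a password but their entries differ.
SAMPLE = f"""
 usename  | passwd
----------+-------------------------------------
 testuser | md5fabb6d7172aadfda4753bf0507ed4396
 alice    | {pg_md5_entry("changeme", "alice")}
 bob      | {pg_md5_entry("changeme", "bob")}
 carol    | {pg_md5_entry("Xq7-constructed-long-passphrase", "carol")}
 svc      |
"""
DENYLIST = ["changeme", "password", "m4gic"]  # constructed, apart from the page's m4gic
if __name__ == "__main__":
    for user, finding in audit(parse_pg_shadow(SAMPLE), DENYLIST).items():
        print(f"{user:10} {finding}")
```
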
Cracking Hashes
Download the latest version of MDCrack. If you’re running Linux, then run it under WINE. You’ll need to tell MDCrack to append the username to the end of each candidate password:
$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396
System / Starting MDCrack v1.8(3)
System / Running as MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396
System / Charset is: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
System / Detected processor(s): 2 x unknown | 3D-Now | MMX | SSE | SSE2
System / Target hash: fabb6d7172aadfda4753bf0507ed4396
System / >> Using MD5 cores: maximal candidate/user salt size: 16/54 bytes
Info / Press ESC for available runtime shortcuts (Ctrl-c to quit)
Info / Thread #0: >> Using Core 2
Info / Thread #1: >> Using Core 2
Info / Thread #0: Candidate size: 1 ( + user salt: 8 )
Info / Thread #1: Candidate size: 1 ( + user salt: 8 )
Info / Thread #0: Candidate size: 2 ( + user salt: 8 )
Info / Thread #1: Candidate size: 2 ( + user salt: 8 )
Info / Thread #0: Candidate size: 3 ( + user salt: 8 )
Info / Thread #1: Candidate size: 3 ( + user salt: 8 )
Info / Thread #0: Candidate size: 4 ( + user salt: 8 )
Info / Thread #1: Candidate size: 4 ( + user salt: 8 )
Info / Thread #1: Candidate size: 5 ( + user salt: 8 )
Info / Thread #0: Candidate size: 5 ( + user salt: 8 )
----------------------------------------------------------/ Thread #0 (Success) ----
System / Thread #0: Collision found: m4gictestuser
...
Performance
When running under WINE, MDCrack can rattle through nearly 20 million passwords per second on a (dual core) AMDx2 4200+. It automatically utilises both processors.
$ wine MDCrack-sse.exe --benchmark
System / Starting MDCrack v1.8(3)
System / Running as MDCrack-sse.exe --benchmark
System / Detected processor(s): 2 x 2.15 Ghz unknown | 3D-Now | MMX | SSE | SSE2
Warning/ Please wait, this benchmark should last around 1min 45s
Info / Press Ctrl-c to skip a test
---------------------------------------------------------------/ MD4 / DH / 2 Threads ---------------------
Info / Benchmarking ( pass #1 )... 33 178 408 ( 3.32e+007 ) h/s.
---------------------------------------------------------------/ MD5 / DH / 2 Threads ---------------------
Info / Benchmarking ( pass #1 )... 19 703 399 ( 1.97e+007 ) h/s.
...