0

Let's say I have the following MD5 hashed password:

bec0932119f0b0dd192c3bb5e5984eec

I know that the original password was salted and hashed, and that instead of a typical salt it was just wrapped in 'flag{}' before MD5 summing it.

How may I decrypt MD5 in this case?

kelalaka
  • Note: I know this could be solved via brute force but is there any other solution? –  Oct 20 '20 at 11:11
  • There is no "easy calculate" available just brute force, sorry. As others commented as well: MD5 is hashing and not en-/decryption. – Michael Fehr Oct 20 '20 at 11:52
  • At least can I know the length? –  Oct 20 '20 at 12:02
  • The length of what? If you mean the length of the "original password" the answer is simple: no way as it is the nature of a hash algorithm to calculate a value with specified length regardless of the input length. Your brute force attack has to start with "a" and increasing... – Michael Fehr Oct 20 '20 at 12:05
  • 1
    Does this answer your question? [Is it possible to decrypt MD5 hashes?](https://stackoverflow.com/questions/1240852/is-it-possible-to-decrypt-md5-hashes) (Knowing how the value is salted has no impact on this question. It is exactly as difficult as finding the unsalted preimage.) – Rob Napier Oct 20 '20 at 19:19

2 Answers

4

The other answer is not correct in the definition of what you are trying. Let's begin with the formal definitions of the resistances required of cryptographic hash functions. The below are from Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance by P. Rogaway and T. Shrimpton:

  • preimage-resistance — for essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., to find any preimage x' such that h(x') = y when given any y for which a corresponding input is not known.
  • 2nd-preimage resistance, weak-collision — it is computationally infeasible to find any second input which has the same output as any specified input, i.e., given x, to find a 2nd-preimage x' != x such that h(x) = h(x').
  • collision resistance, strong-collision — it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x) = h(x').

Collisions and password cracking are not related. Actually, you are trying to find a pre-image that works with the given hash value and the salt. The cost of generic pre-image attacks is O(2^n); in the case of MD5, n=128, that is O(2^128). There is a pre-image attack on MD5 that is better than the generic one, with a cost of 2^123.4.

As pointed out above, MD5 is no longer cryptographically secure since its collision resistance is broken; even SHA-1 is no longer secure.

Hashing is not encryption/decryption. That is really a long story; here is a short answer: encryption is reversible but hashes are not (consider the pigeonhole principle, and see one-way functions). [Minor note: a block cipher mode of operation like the CTR mode doesn't require a PRP; it can work with a PRF, and it is designed in this way.]...

What can you do?

  • First, use the John the Ripper password cracker.

    If not found, then

  • Build a fast pre-image attack on MD5 up to some limit according to your budget. hashcat is a very powerful tool that you can benefit from to build it. Here is a hashcat performance:

    With hashcat on an Nvidia RTX 3090 one can search at 65322.5 MH/s (mega hashes per second). That is 2^16 MH/s. The calculations (time, device cost, electricity costs) can be done according to the target search space, if known.

kelalaka
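
The search described in this answer, as an added example that is not part of the original post: a constant, publicly known wrapper such as flag{} adds no work for the searcher, so the cost is set only by the alphabet and length of the inner value. The target below is constructed from the commenter's sample flag{3a4} (it is not the hash in the question), the function names and the 36-symbol alphabet are assumptions, and the rate is the hashcat figure quoted above.

```python
import hashlib
import itertools
import string

# MD5 rate quoted in the answer for hashcat on an RTX 3090 (65322.5 MH/s).
HASHCAT_MD5_RATE = 65322.5e6

def wrapped_md5(inner: str) -> str:
    """MD5 of the value wrapped in the fixed, publicly known 'flag{}'."""
    return hashlib.md5(("flag{" + inner + "}").encode()).hexdigest()

def search(target_hex: str, charset: str, max_len: int):
    """Try every inner value up to max_len; return (match or None, tries)."""
    tries = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tries += 1
            inner = "".join(combo)
            if wrapped_md5(inner) == target_hex:
                return inner, tries
    return None, tries

def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

def seconds_to_exhaust(charset_size, max_len, rate=HASHCAT_MD5_RATE):
    """Worst-case time to cover the keyspace at the given hash rate."""
    return keyspace(charset_size, max_len) / rate

# Constructed sample target (the commenter's flag{3a4}), not the page's hash.
SAMPLE_TARGET = wrapped_md5("3a4")
CHARSET = string.digits + string.ascii_lowercase  # assumed 36-symbol alphabet

if __name__ == "__main__":
    found, tries = search(SAMPLE_TARGET, CHARSET, 3)
    print(f"found {found!r} after {tries} of {keyspace(36, 3)} candidates")
    # Worst-case time at the quoted GPU rate for a few alphabets and lengths.
    for size, length in [(36, 8), (95, 8), (95, 10)]:
        print(f"{size} symbols, length <= {length}: "
              f"{seconds_to_exhaust(size, length):.3g} s")
```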
1

MD5 is a hash function; you cannot really decrypt the result (please search for the difference between hash and decryption).

However, you may try to find a collision: an input giving the same hash. With some probability it will match the original input. Cryptographic hash functions are designed to make it very difficult (unfeasible) to find a collision; however, for MD5 this is not valid anymore (that's why MD5 is considered not safe to use).

You may check the resource Vlastimil Klima: Tunnels in Hash Functions: MD5 Collisions Within a Minute; there are some more references and tools linked there related to the latest Tunnel attack.

gusto2
  • Hi, I can't find a program / website to help me. (Tried to write mine as well and failed.) I want to give a program a possible list of inputs for each char and the word length and to start testing –  Oct 20 '20 at 11:38
  • For example, if I give it flag{} with a length of 3, I want it to try flag{3a4}, flag{12a} –  Oct 20 '20 at 11:38
  • 2
    @Dan: This attack will find an "equivalent" password, i.e. one that works just as well as the original password because it has the same hash. It won't necessarily find the original password. – President James K. Polk Oct 20 '20 at 12:09
  • @dan In the link I posted there's an app as well, but it helps to find an equivalent input (an input resulting in the same hash value). If you are really looking for the original password, brute force is your only option. You can write your own app too. `Tried to write mine as well and failed` well, try harder, fail again better next time. – gusto2 Oct 20 '20 at 12:37
  • Please see my answer about finding a pre-image on the hash functions. Collisions are not related to password cracking. I've put the formal definitions. – kelalaka Oct 20 '20 at 19:21