[geeks] Encrypted hash question
James Braid
jamesb at loreland.org
Wed Jun 16 12:48:36 CDT 2004
Bill Bradford wrote:
> On Wed, Jun 16, 2004 at 12:13:13PM -0500, Jonathan C. Patschke wrote:
>>>However, these aren't MD5 hashes, and the "John the Ripper" password
>>>cracker won't recognize them either when I plug them into a password
>>>file.
>>>INSERT INTO user_password VALUES ('administrator','iiQ4AxZsPtUZ3r00');
>>>INSERT INTO user_password VALUES ('operator','7ePNxD3QNoHP9r00');
>>
>>I seem to remember MySQL using SHA1 hashes.
>
>
> AHA. Thanks.
They don't "look right" for SHA1; a standard SHA1 160-bit hash is
normally 40 characters long when stored as a plain text string (and only
has hex digits in it). But the application could have munged them or
something. Maybe they are weirdly crypt()'d or something.
>>Is there a reason why, if you can confirm the hashing algorithm used,
>>you cannot just plop in your own hashed value from a known password?
>
>
> I don't have the MySQL administrator password for that system. I guess
> I *could* stop everything and drop in a replacement database (after munging
> it on another box), but I want to avoid that if possible.
It's easy to reset MySQL account passwords:
http://dev.mysql.com/doc/mysql/en/Resetting_permissions.html
If you have the source for the app it should be easy enough to find how
it stores the passwords, and then change the app's password once you
have the root pw for MySQL.
Cheers, James
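
The length-and-alphabet check used in the reply above to rule out SHA1, written out as an added example (not part of the original message) and extended to a few other common stored-password shapes. The format table and the function names are assumptions of this example; the two input values are the ones quoted in the thread.

```python
import re

# Shapes (length and alphabet only) of some common stored-password encodings.
# This table is an assumption of the example, not taken from the post.
KNOWN_FORMATS = [
    ("MD5 (hex)", r"[0-9a-fA-F]{32}"),
    ("SHA-1 (hex)", r"[0-9a-fA-F]{40}"),
    ("MySQL pre-4.1 PASSWORD()", r"[0-9a-fA-F]{16}"),
    ("MySQL 4.1+ PASSWORD()", r"\*[0-9a-fA-F]{40}"),
    ("traditional DES crypt()", r"[./0-9A-Za-z]{13}"),
    ("MD5-based crypt()", r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
]

def classify(value):
    """Names of every known format whose shape the value matches exactly."""
    return [name for name, rx in KNOWN_FORMATS if re.fullmatch(rx, value)]

def alphabet(value):
    """Smallest of the alphabets checked here that covers the value."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hex"
    if re.fullmatch(r"[./+=0-9A-Za-z]+", value):
        return "base64/crypt-like"
    return "other"

def common_suffix(values):
    """Longest suffix shared by all values; a shared trailer hints at
    padding or a fixed marker added by the application."""
    shared = []
    for chars in zip(*(v[::-1] for v in values)):
        if len(set(chars)) != 1:
            break
        shared.append(chars[0])
    return "".join(reversed(shared))

if __name__ == "__main__":
    # The two values quoted in the post.
    stored = ["iiQ4AxZsPtUZ3r00", "7ePNxD3QNoHP9r00"]
    for v in stored:
        print(v, len(v), alphabet(v), classify(v) or "no known shape")
    print("shared suffix:", repr(common_suffix(stored)))
```

A shape match only narrows the candidates; the application source remains the authoritative answer on how the stored value is produced.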