[wp-testers] Wordpress Google MD5 hash crack

PkbCS Contact contact at pkbcs.com
Wed Nov 21 17:27:31 GMT 2007


@Dan

IF the hacker's only concern is gaining Administrative access, then yes, 
that would be the simplest route. However, things are not always that 
cut and dry. For example, during my tenure as Systems Admin for XOOPS, I 
dealt with hackers targeting specific users. The hacker(s) would obtain 
the MD5 hash of the user, crack it, then log in as that user and send 
private messages and post as that user on the forum in an attempt to 
create fear. Things are not always cut and dry. There are times when a 
hacker may not want to just gain admin access.

@Bull3t,

chmod 444
Read by owner
Read by group
Read by everyone.

If I have command line access to the server and IF the server is not 
configured properly (more common than you may think), then I can cat 
/path/to/wp-config.php and get the contents of that file from the 
command line. That is just one method. If the application has any 
vulnerabilities, or is configured improperly by the application's admin 
(very common), then there are several other methods a hacker could use 
to expose the contents of a file.... shell_exec(); anyone?

Again, things are not always what they seem. You have to look beyond the 
surface value and look at all possible scenarios. Hackers don't follow 
rules and their reasoning behind their actions does not fit into tidy 
little boxes. You have to think outside the box in order to stay ahead 
of them.

Just my humble opinion based on my experience. Please take it as such.

Bull3t wrote:
> How would someone be able to access wp-config.php? When it is opened in the
> users browser it would be run as PHP...
>
>
> --------------------------------------------
> Bull3t
> http://www.bull3t.me.uk/
>
>
>   
>> -----Original Message-----
>> From: wp-testers-bounces at lists.automattic.com [mailto:wp-testers-
>> bounces at lists.automattic.com] On Behalf Of PkbCS Contact
>> Sent: 21 November 2007 16:34
>> To: wp-testers at lists.automattic.com
>> Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
>>
>> Obtaining the MD5 hash is not that difficult. A lot of shared hosts do
>> not protect the web roots of their users properly which makes it a
>> trivial task to obtain the contents of wp-config.php and connect to the
>> user's database and obtain the hash. Simply using words that are not a
>> part of any language will keep you safe against weaker cracking
>> attempts; however, a determined hacker can, and will make use of rainbow
>> tables which have hashes not only for dictionary words, but also huge
>> collections of random alphanumeric and special character strings.
>>
>> So, IF the host is set up properly, IF the application is not vulnerable
>> to queries that can return the admin password hash and IF the hacker is
>> not determined enough to use a rainbow table to crack the hash, then
>> yes, it's nothing to worry about.
>>
>> From what I understand, it's a relatively trivial matter to add a
>> "salt" function that would further protect the MD5 hash. I believe this
>> would be the best solution because the upgrade script could prompt the
>> user for a salt string and the hashes could be converted as part of the
>> upgrade process. Another option is generating the salt string
>> automatically and outputting it for the user to save in a safe place.
>>
>> Bull3t wrote:
>>> You need to know the MD5 hash of the password in the first place and even
>>> then it is just luck of the draw, it really isn't that worrying. Just use a
>>> password that isn't part of a language?
>>>
>>>
>>> --------------------------------------------
>>> Bull3t
>>> http://www.bull3t.me.uk/
>>>
>>>
>>>       
>>>> -----Original Message-----
>>>> From: wp-testers-bounces at lists.automattic.com [mailto:wp-testers-
>>>> bounces at lists.automattic.com] On Behalf Of Pål GD
>>>> Sent: 21 November 2007 13:45
>>>> To: wp-testers at lists.automattic.com
>>>> Subject: Re: [wp-testers] Wordpress Google MD5 hash crack
>>>>
>>>> Cornell Finch wrote:
>>>>
>>>>         
>>>>> I know this probably isn't the right place to put this but I don't
>>>>> know where else to submit it:
>>>>>
>>>>> http://www.theregister.co.uk/2007/11/21/google_md5_crack/
>>>>>
>>>>> Is this something we should be worried about?
>>>>>
>>>>> Collin
>>>>>
>>>>>           
>>>> Yes, indeed. Wordpress should have been doing salting[1], which I don't
>>>> think they do.
>>>>
>>>> [1] http://en.wikipedia.org/wiki/Salting_(cryptography)
>>>> _______________________________________________
>>>> wp-testers mailing list
>>>> wp-testers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>>
>> --
>> Best regards,
>>
>> James Morris
>> PkbCS, LLC
>> contact at pkbcs.com
>> http://pkbcs.com/
>>

-- 
Best regards,

James Morris
PkbCS, LLC
contact at pkbcs.com
http://pkbcs.com/
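
The `chmod 444` point in the message above, as an added example that is not part of the original post: a small Python audit that decodes the mode bits of a `wp-config.php` file and flags the ones that expose it to other local accounts. The function names, the finding texts and the sample file are constructed for this illustration.

```python
import os
import stat
import tempfile

def audit_mode(mode):
    """Return findings for the permission bits of a wp-config.php file."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local account can read the DB credentials")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others: file can be altered")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set: not needed for a PHP include")
    return findings

def audit_file(path):
    """Return (octal mode string, findings) for a file on disk."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return format(mode, "03o"), audit_mode(mode)

def demo():
    """Audit a constructed sample file under three modes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        with open(path, "w") as fh:
            # Constructed sample content, not a real credential.
            fh.write("<?php define('DB_PASSWORD', 'constructed-sample');\n")
        for mode in (0o444, 0o440, 0o400):
            os.chmod(path, mode)
            results[format(mode, "03o")] = audit_file(path)[1]
    return results

if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings or ["ok"])
```

A clean result only covers other local accounts. Code that runs as the web server account, such as the `shell_exec()` case mentioned above, can still read the file, because PHP itself has to.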



More information about the wp-testers mailing list
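
The salting proposal quoted in the thread above, as an added example that is not part of the original posts: it stores the same constructed password for two accounts, once as unsalted MD5 and once with a per-user random salt, and checks both against a precomputed table. PBKDF2-HMAC-SHA256 is this example's choice of salted scheme (the thread only proposes adding a salt), and the plain dictionary is a simplified stand-in for a rainbow table.

```python
import hashlib
import hmac
import os

def md5_hex(password):
    """Unsalted MD5, the storage scheme the thread is discussing."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_salted(password, salt=None, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (this example's choice)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_salted(password, salt, expected, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

def compare_schemes():
    # Constructed sample data: two accounts that chose the same password.
    users = {"alice": "sunshine2007", "bob": "sunshine2007"}
    # Simplified stand-in for a rainbow table: precomputed MD5 of candidates.
    table = {md5_hex(c): c for c in ("letmein", "sunshine2007", "qwerty")}

    unsalted = {u: md5_hex(p) for u, p in users.items()}
    salted = {u: hash_salted(p) for u, p in users.items()}
    return {
        # Same password gives the same MD5, so one table hit exposes both users.
        "md5_identical": unsalted["alice"] == unsalted["bob"],
        "md5_in_table": [u for u, h in unsalted.items() if h in table],
        # A table computed without the salt has no entry for salted records;
        # it would have to be rebuilt separately for every salt value.
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_in_table": [u for u, (_, d) in salted.items() if d.hex() in table],
        "login_ok": verify_salted("sunshine2007", *salted["alice"]),
        "login_wrong": verify_salted("letmein", *salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(key, value)
```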