1

So, I have this old program currently in use, as i have access to the database i have adopted all data i need except the user passwords..

Now users will provide me with the plain text password and have to hash them before matching them with those in the database

I have access to the binary version and can generate hash from any text

Am sure only the password text is used when hashing because different usernames with the same password gets the same hash.

A hash is of fix length regardless of the password text.

I have already tried all popular hashing algorithms but no provided hash match the the value this program creates.

Yes i could decompile this program and peek.. but it may probably be illegal, or imposible

konzo
  • 123
  • 4
  • 1
    Could just be that it's using a fixed salt (sometimes called a pepper) for all entries. Might be worth hashing a few common words and then putting the hashes through John the Ripper or Hashcat in brute force mode to see if you get a common string inserted to the text - this may take a very long time, depending on the length of the fixed salt. – Matthew Mar 11 '16 at 10:16
  • Are you migrating users from an old system to a new system? If so, you may wish to have them authenticate against the old system, and then generate a new password for their account in the new system. Is there a reason you would actually need to reverse engineer the algorithm used? – nyxgeek Mar 11 '16 at 16:52
  • That sound good as finding the algorithm or the salt is tedious.. but how should i implement it? i thinking that i should setup a proxy to capture their password that detect if they were authenticated successfully then reuse that password in my new system? @paulburkeland – konzo Mar 11 '16 at 17:34

2 Answers2

5

Ultimately, reverse engineering is the most comprehensive method, and it is certainly possible. There is also a dedicated Stack Exchange site for reverse engineering. Arguably, by trying out known passwords and checking the resulting hash values, you have already begun to reverse engineer that piece of binary software. There is nothing qualitatively special to decompilation -- what constitutes reverse engineering is the attempt at understanding, and you have made the first step along that path.

As for legality, it depends a lot on jurisdiction. What is traditionally said is that reverse engineering for interoperability purposes is fair game in Europe (as long as you just use, not publish, your findings) but maybe not in the USA. Laws on that subject tend to change fast, with things like the DMCA, so don't put too much trust in the reliability of the Tradition.

I suggest that you use the binary software to check the password for each user when that user logs in, but then, since you have the password available at that point, rehash it with another, secure and fully specified password-hashing function (say, bcrypt); that new hash will be used to verify further login attempts for that user.

That way, you may gradually move all password hashes to a new system, and after a while you will be able to decommission the old system with the binary piece of hashing. In any case, that old hashing is weak, since it is unsalted (an attacker who can look at the database will be able to speed up attacks a lot through parallelism), so you should build up a transition plan to a safer system.

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Thanks.. It is Illegal in my country but since the company that made this is out of business, i guess i have not much to worry about. It is funny how i began reverse engineering without realizing. – konzo Mar 11 '16 at 16:17
0

IANAL, but I don't see how this would be illegal. You seem to be the developer in charge of replacing the old software with a newer version that does not share binary, but does share the database (including the password hash). You are not trying to crack the passwords (or if you are, the question whether decompiling is illegal would really not present itself ;) ).

Provided that all other legalities are in order (i.e., your company or yourself own the license to use that software, you own the data, etc. etc.), then it's surely fair use to decompile the hash algorithm, only to see which one it is.

If you find that it is a freely available algorithm (any old standard hash function) with a fixed salt, then you simply go on from there. If it is a "special" hash algorithm, then you can think about whether you re-use it. Then you are faced with the can-of-worms that is the discussion about copyrighting algorithms...

AnoE
  • 2,370
  • 1
  • 8
  • 12
  • 1
    I thought i could be illegal because the licence clearly stated that i should not attempt to reverse.. at first i wanted to identify and use that function but after learning that using fixed salt is not the best option i think i will find another solution – konzo Mar 11 '16 at 16:35
  • Although i have not succeed i appreciate your answer. I dont have enough reputation to up-vote or accept this too as an answer.. i hope you understand – konzo Mar 11 '16 at 16:39