Google as a password cracker

posted Nov 26th 2007 10:15am by Will O'Brien
filed under: misc hacks

Usually we’re into hardware hacks, but once in a while I run across something that’s just too good. [Steven]’s blog was cracked a while back, and while he was doing forensics, he was trying to crack the md5 hashed password for the unauthorized account. Eventually he slapped the hash into Google, and guess that it was ‘Anthony’ based on the results that came up. Thanks to [gr] for pointing it out.
(Yes, I know it was on Slashdot a few days ago, but I don’t care.)

Comments [24]

tagged: cracker, hacked, haha, password

Reader Comments

And this is why you should salt your hashes.

Posted at 11:20 am on Nov 26th, 2007 by Jeroen Domburg

That is cool… and scary… simultaneously. I’ll have to try that next time I hack Microsoft. :-P

Posted at 11:43 am on Nov 26th, 2007 by Skyler Orlando

Not to mention ketchup and tabasco sauce.

Posted at 12:24 pm on Nov 26th, 2007 by thermald

This is only useful if Google has at one point indexed a hash and its decrypted counter-part (which is highly unlikely), and if you can actually get your hands on the hash in the first place! Your better off using a reverse MD5 database utility like this one: md5.benramsey.com

Posted at 2:06 pm on Nov 26th, 2007 by Joe

This is equivalent to saying, look my name is in google!

Nothing really special about it and there are much better tools for doing it.

Now if google included a reverse lookup for md5 that would be something to talk about.

Posted at 3:47 pm on Nov 26th, 2007 by Matt

Actually, this is more effective than you would think–it worked for me in a test situation 15 times out of 20.

Posted at 4:25 pm on Nov 26th, 2007 by Jason

thats pretty interesting, i was looking for a similar hash to decrypt, i’m not sure if it’s md5, but I wish i thought of it.

Posted at 4:53 pm on Nov 26th, 2007 by sean

You know, google tracks every search.

Posted at 5:30 pm on Nov 26th, 2007 by ???

so , it s nice what i m saying , i already test it, but it doesn’t work every time, if it’s stored in some pages we can say it but not every time
i think that i will speak about that in my blog if u wanna let a comment :
http://amedupirate.c.la

Posted at 5:51 pm on Nov 26th, 2007 by errabbaa

http://en.wikipedia.org/wiki/MD5#_note-5

http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/

Posted at 7:59 pm on Nov 26th, 2007 by FRODUS

ya… This just goes to show that you should definetly salt your hashes, but some people are just too stupid / lazy to do so.

Posted at 9:26 pm on Nov 26th, 2007 by Jordan

Even better. You can take a password, hash it, then search google for the hash to find out if other admins have used it as a password :D

Posted at 11:57 pm on Nov 26th, 2007 by cde

If this works on production site or database then the people there must be morons.

It’s the equivalent of having your password guessed by a human..literally. Hash tables work on the same model. They don’t actually attack the algorithm just the lack of creativity by a user base.

Posted at 12:03 am on Nov 27th, 2007 by TJhooker

That’s why you have to add some “custom” encryption and not rely on built in functions…
Simply reading/translating a sha1 or md5 takes 0.0002 seconds and about 5 lines of code…

Posted at 4:53 am on Nov 27th, 2007 by NNM

So if I googlefight MD5 hashes, I could check which passwords are used more often? I understand it wouldn’t be very accurate because people salt their hashes and stuff, but with googlefight, how convenient is that!

Posted at 11:33 am on Nov 27th, 2007 by samodelkin

I think this is something people tend to be interested in check out try a MD5 here
http://us.md5.crysm.net/

Posted at 2:07 pm on Nov 28th, 2007 by beatnik

hi,I dont know much about hashes and i got a question: i got this hash “JR:1003:aad3b435b51404eeaad3b435b51404ee:37c088d8d1e18c245c25483c5fd5314d/empty/:
How can i know if is ntlm or md5? and if is ntlm there is a way to convert it in md5? thanks for the help

Posted at 7:40 pm on Nov 28th, 2007 by Asi

While using Google to crack MD5 passwords is interesting and useful, I don’t think it’s really worth posting about. I thought this use of Google was obvious; I’ve done it myself a few times.

Posted at 11:17 pm on Nov 28th, 2007 by Angus

hmm lets hash a password

http://www.zappersoftware.com/Help/md5.php

take hash pop it into Google and trys it….

op my password looks good, not in Google.

I would think this only works for a dictionary of common words. Trick is add #’s to your passwords people. Lets be smart.

Posted at 2:13 am on Nov 30th, 2007 by xoomthemodder

I wrote this site http://www.md5crack.com to do this with relative ease. check it out

Posted at 12:55 am on Dec 1st, 2007 by dubayou

Uhmm.. what is an md5 hash?

Posted at 8:14 pm on Dec 3rd, 2007 by infin8

Funny, when I $ `echo anthony | md5sum`, I get “e4ea5477492b160a8d7aeac1fb16d107 -”

Posted at 9:55 pm on Dec 15th, 2007 by Billy

Hello. I am woman. Could you help me, that I find out password of Admin of one forum? I am from Croatia and in one Forum, they behave very very unfair to me. So, now I want to log myself as Admin, and do one little funny revenge to them. Could you tell me what is the way for doing that? Thank you. Some Trojan program, or something similar?

Posted at 12:24 am on Jan 3rd, 2008 by Kristina Horvat

Could you please move my surname? :)

Posted at 1:18 am on Jan 3rd, 2008 by Kristina

Google as a password cracker

Recent Posts

Reader Comments

Leave a Reply

Hacks

Resources

RSS newsfeeds

Most commented on (30 days)

Recent comments