2012-06-07

Guts of the password hash checker

A few folks asked how I put together the password hash checker yesterday. Understand that I was sick and in bed most of the day, and did most of this from my Motorola Droid 4. It was really ugly. A local KC2600'er found a link to the hash dump on a shady Russian website. If you really want the dump of hashes and haven't found it yet, look for combo_not.zip and/or combo_not.txt. I downloaded the file via wget on one of my OpenBSD web servers. The text file was likely made from a Windows environment because it has telltale CR/LF line breaks. The first thing I did was fix the line breaks with sed. This cute little one-liner replaces all CR/LF line breaks with traditional UNIX line breaks so that command-line wizardry will work on it.
sed -i "" 's/.$//' combo_not.txt   # drop the last character (the trailing CR) from every line
Then, I figured I should cram it all into MySQL to make queries against the data less of a pain in the ass. I created a database and user named lihash, then created the DB with only an auto-incrementing ID and a hash column:
create table lihash (id int primary key auto_increment, hash varchar(40));
And then I used some more sed stuff to turn each hash into an "insert" line for MySQL. Here's what the output looks like (limited to the first 10 lines with head):
$ sed 's/^/insert into lihash values (NULL,"/;s/$/");/' combo_not.txt | head
insert into lihash values (NULL,"000000a94d47b9ca82c58a3b092a50263b40f66e");
insert into lihash values (NULL,"000000a9876203148923f97c6f1a0635472e1e38");
insert into lihash values (NULL,"000000a9bf60e7f17fcac444a54791af780743a3");
insert into lihash values (NULL,"000000a97e734e7ed9766d1ce08ebc68d3e93ab2");
insert into lihash values (NULL,"000000a9b4b1b3497aac51e212ac9efdb00e7f4e");
insert into lihash values (NULL,"000000a9affc26ed1b0ef2956825e85f9a2567ff");
insert into lihash values (NULL,"000000a93c829bab8c40f805bd3adec3302edf06");
insert into lihash values (NULL,"000000a9e3686034e4f7a1f5b8d6de92679dba5c");
insert into lihash values (NULL,"000000a966dd229cbdd0c4ccc524f0aff6c0fc31");
insert into lihash values (NULL,"000000a9317a995cb16dec71edf0d3aa4b918de6");
With that looking all fine and proper, I piped all that straight into MySQL.
$ sed 's/^/insert into lihash values (NULL,"/;s/$/");/' combo_not.txt | mysql lihash
It took several minutes to munch through the data and created many megabytes of MySQL binary logs. While that was processing, I scoured the web looking for a decent JavaScript SHA-1 hashing method so that I didn't have to worry about handling people's passwords via my site. You can simply view the source of this page to see how that works. It was mostly copypasta. Finally, there's the PHP that drives it on the back-end. You can see the PHP source HERE. When I was testing, I had it displaying the hash that was passed. I got rid of that part to keep XSS shenanigans at bay. I'm probably doing all sorts of things wrong with the SQL queries, but I copied some of that database code from another project on that server (I was using a phone for this, remember?).
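The whole pipeline above (strip the CRs, load the hashes into a `lihash` table, hash in the client, look the digest up on the server) as an added example; this is not the post's code or its PHP. It assumes sqlite3 standing in for MySQL and a constructed two-line dump, and uses bound parameters plus a strict 40-hex-character check so the submitted digest never lands inside SQL text.

```python
import hashlib
import re
import sqlite3

# Constructed stand-in for the dump as downloaded: CR/LF line endings, one SHA-1 per line.
# These are SHA-1s of made-up strings, not values from the real file.
RAW_DUMP = b"".join(h.encode() + b"\r\n" for h in (
    hashlib.sha1(b"hunter2").hexdigest(),
    hashlib.sha1(b"correct horse").hexdigest(),
))

HEX40 = re.compile(r"^[0-9a-f]{40}$")

def normalize_lines(raw):
    """Same job as the sed one-liner in the post: drop the trailing CR from each line."""
    return [line.rstrip(b"\r").decode("ascii")
            for line in raw.split(b"\n") if line.strip(b"\r")]

def load_hashes(lines):
    """Build a table shaped like the post's lihash (sqlite here, assumed stand-in for MySQL).
    executemany with a bound parameter replaces the sed-generated INSERT lines, so no
    hash is ever spliced into SQL text."""
    db = sqlite3.connect(":memory:")
    db.execute("create table lihash (id integer primary key autoincrement, hash varchar(40))")
    rows = ((h.lower(),) for h in lines if HEX40.match(h.lower()))
    db.executemany("insert into lihash values (NULL, ?)", rows)
    db.commit()
    return db

def browser_side_hash(password):
    """What the page's client-side JavaScript does: hash before anything leaves the browser."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def is_leaked(db, sha1_hex):
    """Server-side check. Only a digest arrives; reject anything that is not exactly
    40 hex characters before it gets near the query, and bind it as a parameter."""
    sha1_hex = sha1_hex.strip().lower()
    if not HEX40.match(sha1_hex):
        raise ValueError("expected a 40-character hex SHA-1 digest")
    row = db.execute("select 1 from lihash where hash = ? limit 1", (sha1_hex,)).fetchone()
    return row is not None
```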
