Introduction
WordPress v2.5 and later use a salted hash to prevent Rainbow Table attacks, based on the work by Solar Designer. Previous releases (v2.4 and below) use an MD5 unsalted hash. To verify a salted hash is used, you can check the contents of the wp-includes\class-phpass.php file. The hash is stored in the MySQL database, inside the wp_users table.

If you're able to crack the hash, then you can simply log in to the /wp-admin/ page with the correct password and administer the website. Alternatively, it is common to discover that people re-use passwords in other locations, so the plain-text password may be used for the cPanel installation or the MySQL database root user.

Technique
There are a few tools out there which support PHPass salt and hash. One example is hashcat, which can be downloaded from http://hashcat.net/hashcat/. The software comes pre-compiled, with versions for both 32bit and amd64 architectures, and Windows and Linux binaries. There is also the optional GUI which can be downloaded from http://hashcat.net/hashcat-gui/

In our example, we are running a Linux operating system. So let's say you've managed to recover the admin hash from the wp_users table, which in our example is:

    $P$BNCFzhkOgblRnMahSc8aRW.2O2oCYZ0

Create an empty text file, paste the hash into the document and save the file as 'hash.txt'. Next, run hashcat with '-m 400', which is the PHPass / WordPress hash mode, and provide a suitable dictionary file.

Note: the .bin extension is for the Linux operating system. Use the .exe files for execution under Windows.

    $ ./hashcat-cli64.bin -m 400 hash.txt /usr/share/dict/cracklib-small
    Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size...

    Added hashes from file hash.txt: 1 (1 salts)
    Activating quick-digest mode for single-hash with salt

    NOTE: press enter for status-screen

    $P$BNCFzhkOgblRnMahSc8aRW.2O2oCYZ0:aaron

    All hashes have been recovered

The example hash password is 'aaron'. We can then log in to /wp-admin/ as 'admin' with password 'aaron'.

It is worth noting that hashcat supports dictionary, bruteforce, hybrid and other modes. Use the '--help' switch for further information.
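For auditing how the hashes in a site's wp_users table are stored, the following added example (not from the original post, and not WordPress or PHPass code) labels user_pass values as legacy unsalted MD5 or portable PHPass, and re-implements the PHPass check in Python to show how the per-user salt and iteration count are applied. The function names and every sample value other than the hash quoted above are constructed for illustration.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# $P$ or $H$, one cost character (log2 rounds, 7..30), 8-char salt, 22-char digest
PHPASS_RE = re.compile(r"\$[PH]\$([5-9A-S])([./0-9A-Za-z]{8})[./0-9A-Za-z]{22}")

def _encode64(data: bytes) -> str:
    """PHPass base64 variant: little-endian 24-bit groups over ITOA64."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):   # n bytes -> n + 1 characters
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Hash `password` with the cost character and salt held in setting[3:12]."""
    rounds = 1 << ITOA64.index(setting[3])
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(rounds):               # key stretching: MD5 re-applied `rounds` times
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    if not PHPASS_RE.fullmatch(stored):
        return False
    return hmac.compare_digest(phpass_hash(password, stored), stored)

def classify(stored: str) -> str:
    """Label a wp_users.user_pass value by storage scheme."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return "legacy unsalted MD5"
    m = PHPASS_RE.fullmatch(stored)
    if m:
        return f"PHPass, salt={m.group(2)}, iterations={1 << ITOA64.index(m.group(1))}"
    return "unrecognised format"

if __name__ == "__main__":
    rows = {"admin": "$P$BNCFzhkOgblRnMahSc8aRW.2O2oCYZ0",           # hash quoted on this page
            "olduser": hashlib.md5(b"example-password").hexdigest()}  # constructed row
    for user, stored in rows.items():
        print(f"{user:8} {classify(stored)}")
    a = phpass_hash("example-password", "$P$BsaltAAAA")  # constructed salts
    b = phpass_hash("example-password", "$P$BsaltBBBB")
    print(a[12:] != b[12:], verify("example-password", a), verify("wrong", a))
```

Rows reported as legacy unsalted MD5 are the ones a precomputed table covers directly; the same password under two salts yields two different stored values, which is the property the salt adds.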