Please help

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Anti-Spam Guide
borismagpie
Registered User
Posts: 1
Joined: Sat Jul 10, 2010 5:55 pm

Please help

Post by borismagpie » Sat Jul 10, 2010 6:00 pm

Hi,
First off hope this is in the right place and sorry if its not.
I need some help understanding this http://cichliddiary.wordpress.com/2010/ ... o-be-true/
There has been something going on between a few forums I read and hoping if someone on here could help me understand the link above and comfirm if its all possible.
Many thanks

User avatar
lurttinen
Translator
Posts: 4670
Joined: Tue Sep 21, 2004 12:05 pm
Location: Tampere, Finland
Name: Martti Lokka
Contact:

Re: Please help

Post by lurttinen » Sat Jul 10, 2010 7:04 pm

One thing which is repeated over and over is that you should never use the same password everywhere.
This looks like a good example why. :)

Anything specific in mind about that blog post?
Signature is here

User avatar
Rahber
Former Team Member
Posts: 2720
Joined: Tue Feb 12, 2008 3:39 pm
Location: Pakistan
Name: Rahber
Contact:

Re: Please help

Post by Rahber » Sat Jul 10, 2010 7:05 pm

that is why phpbb have stopped developing/supporting phpbb2, a phpbb3 uses md5 hashing and you can try that yourself it will not be decrypted :) so as long as your are using phpbb3 there is nothing to be worried ;)

User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Please help

Post by Phil » Sat Jul 10, 2010 7:29 pm

That's not entirely true. phpBB3 uses a (slightly) modified version of phpass for password hashing. The end result is a salted md5 hash -- the benefit here is that such rainbow table lookups (as can be done with common words like "password" with a regular md5 hash) are not possible.
Moving on, with the wind. | My Corner of the Web

User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10344
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: Please help

Post by Noxwizard » Sat Jul 10, 2010 7:38 pm

There are quite a few possibilities and not much to go on. Here are a few ways someone can gain access to your account, in no particular order:
  1. An easy to guess password (though this has already been ruled out in that blog).
  2. The user's email was compromised, which allows the attacker to either search for the welcome email or request a new one.
  3. You're using wifi on an insecure network (or one with weak encryption) and someone lifts the password off your login request (unless the site is using SSL).
  4. You use the same password on several sites and fall for a phishing tactic.
  5. You use the same password on several sites and an unscrupulous admin is logging all login credentials.
  6. A key logger has found its way on to your machine.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.

Popp Singh
Registered User
Posts: 317
Joined: Thu Apr 22, 2010 4:31 pm
Contact:

Re: Please help

Post by Popp Singh » Sat Jul 10, 2010 9:56 pm

Its s-meh again .

The second adress in the list of three is one of the adresses that i got an email from saying thanks for your inquiery , an email that i didnt send , in the last spam attack on users here from sam-h . The staff here have copys of the mails and the headers so they could maybe check it out ....... and do something .......and keep us informed .

I`ve met the information minister in / from hamburg and had contact to the ministry several times so i might be able to get more details about the server in hamburg and i can try to get more information through him / them from the people that run it to .

EDIT - Its not just in one of the headers of the spam i got its in all the ones i`ve looked at so far . Wich makes it even more obvious that its our egyptian "friend" . My god the guy is a sthick as two short planks and leaves a trail that a blind man could follow .

EDIT 2 - On the one the owner has both php2 and php3 installed . And its not just those three sites that are compramised . Through the install folder of the one i can get to several other sites . If he has cracked the hashes on the phpbb2 site and the people use the same passwords on the phpbb3 site thats installed at the same adress sam-h has a leap start into getting into the sites where the phpbb3 password hash has been used again . I remember reading about the posibility of saveing the hash of ones own password and then being able to use that to gain entry into the site .

Can anyone here cast more light on this ...... and tell me if what i have said doesnt make sense ...... please ?
What i say is my opinion . If you dont like it or dissagree with it lets talk about it and try to come to an agreement . I`m not to old to learn or change my opinions if they are wrong .

http://www.youtopia.ws

User avatar
darcie
Community Team Member
Community Team Member
Posts: 5541
Joined: Thu Jul 27, 2006 9:52 am
Location: Davis, California
Name: Darcie Griffin
Contact:

Re: Please help

Post by darcie » Sun Jul 11, 2010 12:16 am

oleg-karow wrote:Its s-meh again .

The second adress in the list of three is one of the adresses that i got an email from saying thanks for your inquiery , an email that i didnt send , in the last spam attack on users here from sam-h .
No, this is simply because your spammer targeted the owner of the second site listed also. The two events are not related. As I said before, you received auto-response emails from other sites that you did not email to due to the way the spammer set up an email list. Send a reply email to the group email, and everyone in the group receives it. They were not intending to reply to you.
phpBB on Facebook | Site Rules | Former Community Team leader

User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10344
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: Please help

Post by Noxwizard » Sun Jul 11, 2010 12:55 am

oleg-karow wrote:I remember reading about the posibility of saveing the hash of ones own password and then being able to use that to gain entry into the site.
Unless you're visiting a site that uses client side hashing without any kind of nonce, then storing a hash won't do you any good.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.

Popp Singh
Registered User
Posts: 317
Joined: Thu Apr 22, 2010 4:31 pm
Contact:

Re: Please help

Post by Popp Singh » Sun Jul 11, 2010 10:21 am

OK thanks .

So what happens to passwords from phpbb2 when one updates to phpbb3 ? Do they get transfered directly = they are still the same or does the update unhash them and then rehash them in another hash ? = all one would have to do is compare hashes before and after update to have a good start to cracking the second hash or try the unhashed php2 hashes to enter the phpbb3 sites or take the instaler / updater apart and use that to crack the new hashes ?

What about this idea ? ---->

The hashes from phpbb2 are easy to crack . The cracker cracks one from the administrator on the phpbb2 site , gets the database , and then uses it to get databases from the phpbb3 sites .The cracker then looks at the databases and the other ones from the other sites that one can see if one looks at those three adresses and gets email adresses , user names and passwords . He adds the email adresses to his mailing list ., ( maybe he screwed things up and the mailing list is his private one and he didnt mean to use it so openly to send emails ? ) , he uses the passwords to get into other websites and post in other peoples names and to spoof emails from those adresses to others . The doors would then be wide open .

Again if that doesnt make sense please explain . Thanks .
What i say is my opinion . If you dont like it or dissagree with it lets talk about it and try to come to an agreement . I`m not to old to learn or change my opinions if they are wrong .

http://www.youtopia.ws

User avatar
Lastof
Registered User
Posts: 743
Joined: Fri Feb 13, 2004 7:29 pm
Location: UK
Contact:

Re: Please help

Post by Lastof » Sun Jul 11, 2010 10:49 am

oleg-karow wrote:OK thanks .
So what happens to passwords from phpbb2 when one updates to phpbb3 ? Do they get transfered directly = they are still the same or does the update unhash them and then rehash them in another hash ? = all one would have to do is compare hashes before and after update to have a good start to cracking the second hash or try the unhashed php2 hashes to enter the phpbb3 sites or take the instaler / updater apart and use that to crack the new hashes ?
There is no such thing as "unhash"ing. The whole concept of a hash is that it is a one way process. The way they "crack" hashed passwords is to compare it to a list of precalculated hashes, and hope that it is one of them.

When updating from phpBB2 to phpBB3 the password is kept as the same hash until the user logs in, and then updated to the new method.

The new method is more secure because it uses salting. http://www.phpbb.com/kb/article/differe ... d-hashing/ explains it a little more.
What about this idea ? ---->

The hashes from phpbb2 are easy to crack . The cracker cracks one from the administrator on the phpbb2 site , gets the database , and then uses it to get databases from the phpbb3 sites .The cracker then looks at the databases and the other ones from the other sites that one can see if one looks at those three adresses and gets email adresses , user names and passwords . He adds the email adresses to his mailing list ., ( maybe he screwed things up and the mailing list is his private one and he didnt mean to use it so openly to send emails ? ) , he uses the passwords to get into other websites and post in other peoples names and to spoof emails from those adresses to others . The doors would then be wide open .

Again if that doesnt make sense please explain . Thanks .
I'm having trouble following this idea...
The hashes from phpbb2 are easy to crack . The cracker cracks one from the administrator on the phpbb2 site , gets the database
Ok, so, assuming that a phpbb2 site is compromised, and the cracker gets the database.
and then uses it to get databases from the phpbb3 sites
I don't see how this is an easy step to make... How is he getting the databases from other sites?

After that, I struggle to follow even more. Could you try to explain it more clearly?
Last edited by Lastof on 04 May 2011, 00:00, edited -1 times in total
----------------------------------------------------------------------------------------------------------------------------------------
Image
Look, I'm officially not a bug!!

User avatar
Lumpy Burgertushie
Registered User
Posts: 66734
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Please help

Post by Lumpy Burgertushie » Sun Jul 11, 2010 1:02 pm

how did you come to the conclusion that phpbb2 passwords were/are easy to crack?

only by brute force comparing to a known list of hashes and I wouldn't call that particularly easy.

and that works only for those that used really easy to guess passwords.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10344
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: Please help

Post by Noxwizard » Sun Jul 11, 2010 4:49 pm

oleg-karow wrote:all one would have to do is compare hashes before and after update to have a good start to cracking the second hash or try the unhashed php2 hashes to enter the phpbb3 sites or take the instaler / updater apart and use that to crack the new hashes ?
As was stated, the upgrader doesn't modify the hashes, it simply flags them for updating on the next login. However, knowing a before and after won't help either. Each time you run phpbb_hash() on a plaintext string, the hash is different, even for the same plaintext.

oleg-karow wrote:What about this idea ? ---->

The hashes from phpbb2 are easy to crack . The cracker cracks one from the administrator on the phpbb2 site , gets the database , and then uses it to get databases from the phpbb3 sites .The cracker then looks at the databases and the other ones from the other sites that one can see if one looks at those three adresses and gets email adresses , user names and passwords . He adds the email adresses to his mailing list ., ( maybe he screwed things up and the mailing list is his private one and he didnt mean to use it so openly to send emails ? ) , he uses the passwords to get into other websites and post in other peoples names and to spoof emails from those adresses to others . The doors would then be wide open .

Again if that doesnt make sense please explain . Thanks .
How exactly did this go from losing a password to sending emails? The blog post was about someone's login being compromised.

As for breaking md5 hashes, they are easier, but not easy. There are of course ways to make it go much faster, you can use things like rainbow crack tables, which vary in size from 1GB to 80GB depending on the complexity of the character set you need. You typically have to generate those on your own as they're far too large to host on a web server, or use P2P systems to get them.

For very weak passwords, yes you can just grind through md5's and get the password in minutes or an hour. For anything remotely complex, the time goes up exponentially as you add numbers, symbols, uppercase, and length to the mix.

You can also have collisions, which is why md5 is being moved away from. Collisions are rare of course, but there is the chance that the password you just cracked wouldn't work on the phpBB3 board.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.

Popp Singh
Registered User
Posts: 317
Joined: Thu Apr 22, 2010 4:31 pm
Contact:

Re: Please help

Post by Popp Singh » Sun Jul 11, 2010 5:15 pm

Thanks guys . I will explain what i mean , why i think it and what i plan to do as soon as i`m fit to do it . At the moment i`m to tired to think straight .

I understand what a code is = a translation but i`m not sure about a hash . I take it that a hash is a description ? I did googlerise hash , hashes , makeing hashes and a few others but all i got were answers about.......... hashish ............ so can anyone point me at an explenation of what they are , how they are made and how they are checked ......... thats not in to technical jargon please ?

EDIT - What i`ve written in this thread is not off topic but maybe it looks like it untill i explain so please have a little patience . Thanks .
What i say is my opinion . If you dont like it or dissagree with it lets talk about it and try to come to an agreement . I`m not to old to learn or change my opinions if they are wrong .

http://www.youtopia.ws

User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Please help

Post by Phil » Sun Jul 11, 2010 6:04 pm

There is an article on Wikipedia about this type of hash. To be perfectly honest, though, an explanation about the workings of a cryptographic hash (which is what you're apparently after) is far outside the scope of this discussion and likely to be very technical (much like the Wikipedia article). A hash is, essentially, a fixed-length non-reversible representation of a string, but I'm not sure how that's relevant to the initial post.
Moving on, with the wind. | My Corner of the Web

User avatar
lurttinen
Translator
Posts: 4670
Joined: Tue Sep 21, 2004 12:05 pm
Location: Tampere, Finland
Name: Martti Lokka
Contact:

Re: Please help

Post by lurttinen » Sun Jul 11, 2010 6:28 pm

Basically, what MD5 hash is that you take a string. Say "Bertie rules 4ever" which you then run through calculator and get "4371dc26c0e68903b6c2bbfc91d2b7e5" as result.

This is the hash,
How to reverse it. You need to use rainbow tables, which is basically a huge list of pre-calculated hashes.
You compare that hash with the ones you have in your list and see if it matches something.
Assume the "Bertie rules 4ever" is your password, you would need to have a huge list in your hand. All the combinations for 18 characters long password containing numbers and letter, upper and lowercase.

So yes, plain MD5 can be checked against pre calculated hashes. Things can be made more tough on the attacker. Just like french fries, or any other food, it taste better if you put salt in it.

"Bertie rules 4ever" + ad some salt, "Bertie rules 4ever646/&%/54" which gives you "6f81c4a3a57942c1042a937163d22c0d", a 27 characters long, which makes it even harder to compare because the reference table would be gigantic in size. Even then, all you get is the password and salt, which is not yet the real password.
The salt is a secret. Just like the spices your mum used in that delicious soup. :P

How does a forum compare your password to what it has stored in the database?
You send your password, forum hashes it and compares the value stored in the database.

Size of the string is not limited. You can take a gigabyte file and hash it, but obviously you cannot use hash as you would use winzip or winrar to make files smaller.
You cannot determine the original message from the 32 character output without running it against a list of pre-calculated hashes. (The pre-calculated database would be bigger than anything you wanted to make smaller and save space.)
Signature is here

Post Reply

Return to “phpBB Discussion”