Overview
This article is a brief overview of using HashCat to recover a Postgres 8.4 password.
Hash Format
The format for Postgres is md5(secret || username) where || denotes string concatenation.
HashCat
HashCat as a tool is more traditionally associated with oclHashCat-lite and oclHashCat-plus, which delegates the work to the GPU, significantly increasing the cracking speed.
At this point, I am using HashCat because of it's simplicity and flexibility in attack modes and hashing algorithms, however, most of what is written here could be translated for a suitably configured oclHashCat-lite and run on the GPU.
Retrieving the Hashes
In Postgres, if you have read access to pg_roles, you can simply use:
SELECT username,passwd FROM pg_roles;
This will show you a result like:
usename | passwd | -------------+-------------------------------------+ postgres | md50f7e63611a98a9936285c7d609b044da |
The field "md50f7e63611a98a9936285c7d609b044da" is the md5 hash. Simply strip it down to just the hash (removing the "md5" from the front to), and that is what you're attacking.
Using HashCat
If you download HashCat from their site, you'll likely be able to follow these instructions exactly, but these instructions were written using HashCat v0.42.
First, you must make a hash file:
echo 0f7e63611a98a9936285c7d609b044da:postgres > hashfile
Then you may run HashCat:
./hashcat-cli32.bin -m 10 hashfile -a 3 ?a?a?a?a?a?a
The flags we're using are as follows:
- -m 10 : Use the hashing scheme md5(pass.salt)
- -a 3 : Use the brute-force attack mode.
- ?a?a?a?a?a?a?a : Search all passwords up to 7 characters from the character set [a-zA-Z0-9] + symbols.
Results?
Mine is still running vs. a password of my choosing, but after around 10 minutes, HashCat reported that it was now trying to crack all 6-character passwords and would take on the order of 16 hours to try them all.
HashCat's current status is that it's trying 12.22M words on my CPU every second. I'll update this blog when real results are found. I suspect at this rate, I'll give up after a couple of days, as all 7 character passwords will take on the order of 2 months.
Update
Having finished running HashCat on my machine with the above arguments, the search finished after a full 15 hours, however, it did not find the password, as it was longer than 6 chars. For this experiment, I mainly wanted to confirm that I could get HashCat to run and attempt to crack a password. The hash given above is for a *very* long password, that actually has more entropy than an MD5 hash!