The time now is Fri 15 Jan 2021, 14:30
All times are UTC - 4 |
Author |
Message |
Barkin

Joined: 12 Aug 2011 Posts: 830
|
Posted: Mon 05 Nov 2012, 15:15 Post subject:
Need script that generates password using MD5sum [solved] |
|
I’m trying produce a program to automate my version of creating passwords which uses the MD5sum function twice.
I create a password for an encrypted file which is derived from the file_name using the following formula …
MD5(MD5(file_name+string1)string2)
i.e. the hexadecimal result of MD5(file_name+string1) is treated as text string, appended with string2, then a MD5 is calculated of that concatenated string, e.g. …
file_name = “secret”
String 1 = “puppy”
String 2 = “Linux”
MD5(MD5(file_name+string1)string2)
=> MD5(MD5(secretpuppy)Linux)
=> MD5(34b89fb99e33b530fb8719728db4618bLinux)
=> fe2849a306625b1d2b08c05c712365b2
i.e. the password for file called “secret” is “fe2849a306625b1d2b08c05c712365b2”
I know it is possible to calculate MD5 from the CLI in puppy , http://puppylinux.org/wikka/md5sum but don’t know how to write a script to automate the above process.
[ PS
as a final twist I would like to substitute the first and last characters of the final MD5 with the upper case letters “A” and “Z” , giving "Ae2849a306625b1d2b08c05c712365bZ" , but that’s optional ]
Last edited by Barkin on Sat 17 Nov 2012, 01:12; edited 1 time in total
|
Back to top
|
|
 |
SFR

Joined: 26 Oct 2011 Posts: 1802
|
Posted: Mon 05 Nov 2012, 16:33 Post subject:
|
|
Hey Barkin.
Could be something like this?
Code: | #! /bin/bash
MYNAME="$(basename $(readlink -e $0))"
[ "$#" -lt 3 ] && echo -e "Usage:\n$MYNAME <filename> <string1> <string2>" && exit 1
file_name="$1"
string1="$2"
string2="$3"
THE_SUM=$(echo -n "$(echo -n "$file_name$string1" | md5sum | cut -f1 -d ' ')$string2" | md5sum | cut -f1 -d ' ')
# And the final (optional) twist ;)
THE_TWISTED_SUM="A${THE_SUM:1:30}Z"
echo "$THE_TWISTED_SUM" |
You can call this script from a terminal, eg: script_name secret puppy Linux
Greetings!
_________________ [O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.
|
Back to top
|
|
 |
Barkin

Joined: 12 Aug 2011 Posts: 830
|
Posted: Mon 05 Nov 2012, 17:51 Post subject:
|
|
SFR wrote: | Hey Barkin.
Could be something like this?
|
Thanks SFR,
my idea was to include the string1 and string2 as data in the program, rather than having them as variables which are given when the script is executed, ( the function of the script is to check I’ve not made errors when imputing string1 and string2 ).
So the only variable would be the file_name: just give the script the file_name and have it work out the result for fixed values of string1 and string2, as a check that the result I calculated manually is correct.
BTW I’m a complete novice at this , how do you get a bash scrip to run from the command line ?. I made a text file and made it executable, opened a terminal in the same directory, but no joy ( I don’t know anything about the syntax ).
Last edited by Barkin on Mon 05 Nov 2012, 18:10; edited 1 time in total
|
Back to top
|
|
 |
SFR

Joined: 26 Oct 2011 Posts: 1802
|
Posted: Mon 05 Nov 2012, 18:09 Post subject:
|
|
Barkin wrote: | my idea was to include the string1 and string2 as data in the program, rather than having them as variables which are given when the script is executed, ( the function of the script is to check I’ve not made errors when imputing string1 and string2 ).
So the only variable would be the file_name: just give the script the file_name and have it work out the result for fixed values of string1 and string2, as a check that the result I calculated manually is correct. |
Ok, so it'll be like this:
Code: | #! /bin/bash
MYNAME="$(basename $(readlink -e $0))"
[ "$#" -lt 1 ] && echo -e "Usage:\n$MYNAME <filename>" && exit 1
file_name="$1"
string1="puppy"
string2="Linux"
THE_SUM=$(echo -n "$(echo -n "$file_name$string1" | md5sum | cut -f1 -d ' ')$string2" | md5sum | cut -f1 -d ' ')
# And the final (optional) twist ;)
THE_TWISTED_SUM="A${THE_SUM:1:30}Z"
echo "$THE_TWISTED_SUM" |
Barkin wrote: | BTW I’m a complete novice at this , how do you get a bash scrip to run from the command line. I made a text file and made it executable, opened a terminal in the same directory, but no joy ( I don’t know anything about the syntax ). |
Did you put "./" (without quotes) before the name of the scirpt?
If you're trying to run a script that is not located in one of the usual dirs for binaries (/bin or /usr/bin or /sbin etc.; you can see the full list by echo $PATH) then you have to provide full path to the script or, if you are already in the directory where the script is, it's enough:
PS. And don't put spaces in the filename of the script.
Greetings!
_________________ [O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.
|
Back to top
|
|
 |
Barkin

Joined: 12 Aug 2011 Posts: 830
|
Posted: Mon 05 Nov 2012, 18:19 Post subject:
|
|
SFR wrote: | Did you put "./" (without quotes) before the name of the scirpt? |
No, that's where I was going wrong ...
Thanks very much SFR : it would have taken me a month of Sundays to work that out myself.
Description |
screengrab |
Filesize |
4.47 KB |
Viewed |
791 Time(s) |

|
|
Back to top
|
|
 |
Barkin

Joined: 12 Aug 2011 Posts: 830
|
Posted: Mon 05 Nov 2012, 20:14 Post subject:
|
|
New and improved encryption method , convert everything into md5s but treat md5s as strings
and add a sort of shuffle, e.g. ...
secret
5ebe2294ecd0e0f08eab7690d2a6ee69
puppy
9095eae491e5c0c17a2ef89477393ec4
Linux
edc9f0a5a5d57797bf68e37364743831
secretpuppy
5ebe2294ecd0e0f08eab7690d2a6ee699095eae491e5c0c17a2ef89477393ec4
md5(secretpuppy)
67a2d6c8963c9e1418fc295d44082c6e
Least significant half of md5(secretpuppy)
18fc295d44082c6e
Least significant half of Linux
bf68e37364743831
Combine halves to create md5 lookalike
18fc295d44082c6ebf68e37364743831
Do an md5 of the above md5 lookalike
bc81017d8c78f0adcb42187a8b30b282
optional twist
Ac81017d8c78f0adcb42187a8b30b28Z
[ NB: in practice the values for String1 & 2 should not be dictionary words like "puppy" and "Linux", and should be more than 9 characters long.
If possible include upper and lower case characters and some numbers ].
Code: |
#! /bin/bash
MYNAME="$(basename $(readlink -e $0))"
[ "$#" -lt 1 ] && echo -e "Usage:\n$MYNAME <filename>" && exit 1
file_name="$1"
String1="puppy"
String2="Linux"
# make md5 sums of file name , String1 & String2
sumFN="$(echo -n $file_name | md5sum | cut -f1 -d ' ')"
sumS1="$(echo -n $String1 | md5sum | cut -f1 -d ' ')"
sumS2="$(echo -n $String2 | md5sum | cut -f1 -d ' ')"
# note: in this program md5s are treated as strings rather than hexadecimal numbers
# concatenate md5s of the file name and md5 of String1 and make an md5 of this 64 character string
sumFNS1="$(echo -n "$sumFN$sumS1" | md5sum | cut -f1 -d ' ')"
# get the least significant half of the md5(md5(file_name)+md5(String1))
LHsumFNS1="${sumFNS1:16:16}"
# get the least significant half of the md5 of String2
LHsumS2="${sumS2:16:16}"
# concatenate the two least significant half md5s to create a 32 character string
# which only contains hexadecimal characters so it looks like an md5, but isn't, (sneaky),
# then make an md5 of this 32 character string
sumFIN="$(echo -n "$LHsumFNS1$LHsumS2" | md5sum | cut -f1 -d ' ')"
# optional twist, substituting the first and last characters with upper case A & Z (or add what u like)
twisted="A${sumFIN:1:30}Z"
# output results
echo "Final md5 " "$sumFIN"
echo "twisted " "$twisted"
|
 |
Description |
|
Filesize |
5.77 KB |
Viewed |
720 Time(s) |

|
|
Back to top
|
|
 |
SFR

Joined: 26 Oct 2011 Posts: 1802
|
Posted: Tue 13 Nov 2012, 16:23 Post subject:
|
|
Hey Barkin.
Nice one, I didn't notice before how you've extended the script.
I've been thinking how to increase password's strenght, to go beyond hex digits and AZ twist, and figured out that uuencode could be a good choice to produce a string consisting of upper case alpha + special characters (optional).
Check it out:
Code: | #! /bin/bash
MYNAME="$(basename $0)" # 'readlink' wasn't necessary here, my bad...
[ "$#" -ne 1 ] && echo -e "Usage:\n$MYNAME <filename>" && exit 1
file_name="$1"
String1="puppy"
String2="Linux"
# make md5 sums of file name , String1 & String2
sumFN="$(echo -n $file_name | md5sum | cut -f1 -d ' ')"
sumS1="$(echo -n $String1 | md5sum | cut -f1 -d ' ')"
sumS2="$(echo -n $String2 | md5sum | cut -f1 -d ' ')"
# note: in this program md5s are treated as strings rather than hexadecimal numbers
# concatenate md5s of the file name and md5 of String1 and make an md5 of this 64 character string
sumFNS1="$(echo -n "$sumFN$sumS1" | md5sum | cut -f1 -d ' ')"
# get the least significant half of the md5(md5(file_name)+md5(String1))
LHsumFNS1="${sumFNS1:16:16}"
# get the least significant half of the md5 of String2
LHsumS2="${sumS2:16:16}"
# concatenate the two least significant half md5s to create a 32 character string
# which only contains hexadecimal characters so it looks like an md5, but isn't, (sneaky),
# then make an md5 of this 32 character string
sumFIN="$(echo -n "$LHsumFNS1$LHsumS2" | md5sum | cut -f1 -d ' ')"
# uuencode doubled sumFIN and trim out all digits - they're already present in md5sum
uu_TWIST="$(echo $sumFIN$sumFIN | uuencode - | awk 'NR==2' | tr -d '[:digit:]')"
# Optional, if special characters are not desired:
#uu_TWIST="$(echo $sumFIN$sumFIN | uuencode - | awk 'NR==2' | tr -cd '[:alpha:]')"
# Mix even chars from sumFIN (in reversed order) with first 16 chars from uu_TWIST
MIXED=
for i in {0..15}; do
MIXED="$MIXED""${sumFIN:$((31-$i*2)):1}${uu_TWIST:$i:1}"
done
# optional twist, substituting the first and last characters with upper case A & Z (or add what u like)
#twisted="A${sumFIN:1:30}Z"
twisted="A${MIXED:1:30}Z"
# output results
echo -e "Final md5 \t\t\t" "$sumFIN"
echo -e "UU_twist (alone) \t\t" "$uu_TWIST"
echo -e "Final md5 mixed with UU_twist \t" "$MIXED"
echo -e "twisted \t\t\t" "$twisted" |
Greetings!
Description |
|
Filesize |
89.81 KB |
Viewed |
748 Time(s) |

|
_________________ [O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.
|
Back to top
|
|
 |
vovchik

Joined: 23 Oct 2006 Posts: 1538 Location: Ukraine
|
Posted: Tue 13 Nov 2012, 16:47 Post subject:
|
|
Dear guys and gals,
i did this thing some time ago and it works OK:
http://www.murga-linux.com/puppy/viewtopic.php?t=53478
With kind regards,
vovchik
|
Back to top
|
|
 |
Barkin

Joined: 12 Aug 2011 Posts: 830
|
Posted: Tue 13 Nov 2012, 18:40 Post subject:
|
|
Re: SFR
The uuencode really obfuscates matters, which is a good thing, (the computer equivalent of Latin :¬).
but there’s no way I could do that manually, e.g. if I had to read files I’d encrypted using a borrowed / public computer which only had Windows OS.
I have MD5 calculators which work in-browser so can be used on any OS which has an internet browser which has javascript. So simple MD5 manipulations I could perform on any computer, even if I didn’t have access to the internet.
Reading up on this I’ve discovered adding computational effort is the secret to making encryption keys difficult to crack , see PBKDF2 ... https://en.wikipedia.org/wiki/PBKDF2 )
So some sort of iterative process where the output is recycled as the input thousands of times, (again I couldn't do this manually).
The new added twist I thought of was rotating the characters of the salt, e.g. “puppy” ...
MD5(MD5(MD5(MD5(MD5(MD5(MD5(secretpuppy)ypupp)pypup)ppypu)uppyp)puppy)ypupp)
the iterations are not limited by the length of the string “puppy”, (or its 32 character MD5), the rotation of the characters just loops round back to the starting position.
Re: vovchik
The output of bpwgen produces different results for the same input string. If I remembered my passphrase was derived from "i love my cat" putting that string into bpwgen would probably not return the encrypted version actually I used as a password, ( maybe successful match achieved after repeated tries of bpwgen ).
 |
Description |
Screengrab of console showing different bpwgen results for constant input string |
Filesize |
7.31 KB |
Viewed |
750 Time(s) |

|
|
Back to top
|
|
 |
vovchik

Joined: 23 Oct 2006 Posts: 1538 Location: Ukraine
|
Posted: Wed 14 Nov 2012, 04:22 Post subject:
|
|
Dear Barkin,
You can change my source for bpwgen not to use randimizing or try my md5.bac, which does maybe what you are after: http://www.basic-converter.org/md5.bac.html.
With kind regards,
vovchik
PS. Should I post a binary?
|
Back to top
|
|
 |
Barkin

Joined: 12 Aug 2011 Posts: 830
|
Posted: Wed 14 Nov 2012, 09:54 Post subject:
|
|
Thanks for that: I didn't know an MD5 function could be called by a BASIC program.
|
Back to top
|
|
 |
SFR

Joined: 26 Oct 2011 Posts: 1802
|
Posted: Wed 14 Nov 2012, 17:39 Post subject:
|
|
I have bpwgen in my collection since a year maybe...and completely forgot about it!
Thanks for reminding me, really cool app, i love all kind of 1337 G3n=R@+0r$.
(I have the other one too).
Barkin wrote: | The new added twist I thought of was rotating the characters of the salt, e.g. “puppy” ...
MD5(MD5(MD5(MD5(MD5(MD5(MD5(secretpuppy)ypupp)pypup)ppypu)uppyp)puppy)ypupp)
the iterations are not limited by the length of the string “puppy”, (or its 32 character MD5), the rotation of the characters just loops round back to the starting position. |
I don't clearly understand, so the limit will be fixed or 'String's_Lenght +1' ?
Anyway, I was tinkering a little on this subject and ended up with this (I made it stand alone); it covers options no.1 (fixed iterations):
Code: | #! /bin/bash
MYNAME=`basename $0`
[ "$#" -ne 3 ] && echo -e "Usage:\n$MYNAME <pass> <salt> <iterations>" && exit 1
[ "`echo "$3" | tr -cd '[:digit:]'`" = "" ] && echo "Bad parameter: <iterations>" && exit 1
PASS="$1"
SALT="$2"
ITERATIONS="$3"
LENGHT=${#SALT}
MD5=`echo -n "$PASS$SALT" | md5sum | cut -f1 -d ' '`
echo -e "01:"$PASS$SALT "\t\t\t\t\t->" $MD5
for i in `seq -w 2 $ITERATIONS`; do
SALT="${SALT:$(($LENGHT-1)):1}${SALT:0:$(($LENGHT-1))}" # ROR the string
echo -n $i":"$MD5
MD5=`echo -n "$MD5$SALT" | md5sum | cut -f1 -d ' '`
echo -e $SALT "\t->" $MD5
done |
But on the other hand, such a twist also wouldn't be so easy to perform manually, would it?
Greetings!
Description |
|
Filesize |
37.14 KB |
Viewed |
631 Time(s) |

|
_________________ [O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.
|
Back to top
|
|
 |
Barkin

Joined: 12 Aug 2011 Posts: 830
|
Posted: Wed 14 Nov 2012, 20:49 Post subject:
|
|
SFR wrote: | I don't clearly understand, so the limit will be fixed or 'String's_Lenght +1' ?
Anyway, I was tinkering a little on this subject and ended up with this (I made it stand alone); it covers options no.1 (fixed iterations): |
That’s exactly what I had in mind, excellent, the iterations are not limited by the salt string length. I only used the short word “puppy” as a salt as it was easier to show that rotation twist just keeps rotating. I’ve tweaked your code to convert the password (file_name) and salt into MD5, and only output the final result as 100's - 1000's iterations are required for good security, (as many iterations that can be done in about a second is a practical compromise) ...
Quote: | Apple's iOS 3 uses 2,000 iterations and iOS 4 uses 10,000 | https://en.wikipedia.org/wiki/PBKDF2#BlackBerry_vulnerability
Code: | #! /bin/bash
MYNAME=`basename $0`
[ "$#" -ne 3 ] && echo -e "Usage:\n$MYNAME <pass> <salt> <iterations>" && exit 1
[ "`echo "$3" | tr -cd '[:digit:]'`" = "" ] && echo "Bad parameter: <iterations>" && exit 1
# go the whole hog and convert pass and salt into their MD5 sums
PASS="$(echo -n $1 | md5sum | cut -f1 -d ' ')"
SALT="$(echo -n $2 | md5sum | cut -f1 -d ' ')"
ITERATIONS="$3"
LENGHT=${#SALT}
MD5=`echo -n "$PASS$SALT" | md5sum | cut -f1 -d ' '`
echo -e "Please wait, this may take some time, (a few seconds per thousand iterations)"
for i in `seq -w 2 $ITERATIONS`; do
SALT="${SALT:$(($LENGHT-1)):1}${SALT:0:$(($LENGHT-1))}" # ROR the string
MD5=`echo -n "$MD5$SALT" | md5sum | cut -f1 -d ' '`
done
# just print final MD5 sum ( rather than the 100's or 1000's of intermediate MD5s )
echo $MD5 |
SFR wrote: | But on the other hand, such a twist also wouldn't be so easy to perform manually, would it? |
Yes, it would even be difficult for the computer to do 1000's of iterations, that’s the point : making the process “computationally expensive” makes cracking the encryption it much more time-consuming, hopefully impractical amount of time is required. The simpler encryption method I described at the start of this thread is crackable in tens of days (off-line) if the method is known by the cracker and single dictionary words have been used as the salts. Incorporating a thousand iterations extends that time to decades , even if single dictionary words are used as salts, (which is not a good idea).
[ a dictionary crack , (trying all of the approx 200,000 words in in a standard dictionary), takes a few seconds , same time for precomputed (unsalted) MD5s of single dictionary words, see attached screengrab from http://www.md5decrypter.co.uk/ ].
Description |
Screengrab of output of rotmd5t, tweaked version of rotmd5. |
Filesize |
2.77 KB |
Viewed |
628 Time(s) |

|
Description |
screengrab from http://www.md5decrypter.co.uk/ |
Filesize |
10.68 KB |
Viewed |
617 Time(s) |

|
|
Back to top
|
|
 |
Barkin

Joined: 12 Aug 2011 Posts: 830
|
Posted: Sun 18 Nov 2012, 00:34 Post subject:
|
|
nakedsecurity.sophos.com wrote: | You simply must use many iterations of your chosen hash, to slow down crackers by making brute-force attacks harder by a factor as big as the number of iterations. | http://nakedsecurity.sophos.com/2012/11/15/cracked-passwords-from-alleged-egyptian-hacker-adobe-breachegyptian-hacker-allegedly-breached-adobe-leaked/
|
Back to top
|
|
 |
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|