Reverse Engineer MD5 Hashes


becksbox
December 11th, 2006, 06:30 PM
Hi

Is it somehow possible to reverse engineer MD5 hashes?
I mean, I just found http://md5.rednoize.com and I wondered how this site works. It seems that this site can reverse engineer MD5 hashes, like passwords and such.

wildfrog
December 11th, 2006, 06:49 PM
Is it somehow possible to reverse engineer md5 hashes ?
No, but you can use brute force (if you got the time).

It seems that this site can reverse engineer md5 hashes, like passwords and such.
It seems to me that they just got a large database of 'messages' and their hashes.

- petter

PeejAvery
December 12th, 2006, 10:26 AM
I'm not seeing how you call this reverse MD5 hashing. It is only hashing, not reversing.

EDIT: Added info...
I just searched out a bunch of sites that claim to reverse MD5 hashes. Every one uses JavaScript to fake the attempt at reversing. In short, it's a scam.

Hobson
December 12th, 2006, 11:18 AM
MD5 hash is not an encryption algorithm; it's a hashing algorithm. There is an infinite number of possible source inputs, but there are only 2^128 unique MD5 hashes, so it is absolutely possible to have two inputs that generate identical MD5 hashes. There is no way to obtain the original input from a hash, and it is also quite hard to compose a message with a given hash. One way to get the original text (used e.g. for password cracking) is a brute force attack. The attacker creates every possible input, calculates its hash, and compares it with the given one. If the hashes match, it is highly probable (but not 100%) that the tested input is the one being searched for. But a brute force attack is veeeery time consuming (depending on the length of the password, but it took 2 days on my machine for 8 characters). Lots of websites offer an MD5 (and other hashes) cracking service, but they do not try to brute force every submitted password. They use a technique called Rainbow Crack (or something similar). It uses precalculated, very large tables (often more than 200GBs in size for ~15 characters long passwords) and performs a lookup in such a table. However, creating such a table takes weeks, months, or even years.

@PeejAvery: using JavaScript is not necessarily a scam; maybe they just use JS to get the hash submitted. Then some application performs a lookup and emails cracked passwords back to the submitter.

Cheers,
Hob
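
The precomputed lookup that wildfrog and Hobson describe above, as an added example that is not part of the original thread. The wordlist is constructed sample data and the function names are hypothetical; the salted PBKDF2 step goes beyond the thread to show why one shared table stops matching once every password gets its own random salt.

```python
import hashlib
import os

# Constructed sample data: a tiny stand-in for the "large database of
# 'messages' and their hashes" mentioned in the thread.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon"]


def md5_hex(message: str) -> str:
    """Plain, unsalted MD5 of a message, as hex."""
    return hashlib.md5(message.encode("utf-8")).hexdigest()


def build_table(words):
    """Hash every known message once; later queries are dictionary lookups."""
    return {md5_hex(w): w for w in words}


def lookup(table, digest: str):
    """Return the stored message for a digest, or None if it was never hashed.

    Nothing is reversed here: a hit only means the same input was
    precomputed earlier.
    """
    return table.get(digest.lower())


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return raw.hex()


TABLE = build_table(WORDLIST)

if __name__ == "__main__":
    # Hit: "letmein" is in the table, so its unsalted MD5 is found at once.
    print(lookup(TABLE, md5_hex("letmein")))
    # Miss: this input was never precomputed, so the table knows nothing.
    print(lookup(TABLE, md5_hex("correct horse battery staple")))
    # Same weak password, two users, two salts: two unrelated digests,
    # neither of which appears in the shared table.
    a = salted_hash("letmein", os.urandom(16))
    b = salted_hash("letmein", os.urandom(16))
    print(a != b, lookup(TABLE, a), lookup(TABLE, b))
```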

PeejAvery
December 12th, 2006, 12:11 PM
@PeejAvery: using JavaScript is not necessarily a scam; maybe they just use JS to get the hash submitted. Then some application performs a lookup and emails cracked passwords back to the submitter.
What I found was not JavaScript attempting to submit the information. It was simply JavaScript to display text saying "Searching..." There is no submission of any form whatsoever.

Scam was the word on the tip of my tongue. Fake would have been better applied.

Hobson
December 12th, 2006, 12:23 PM
What I found was not JavaScript attempting to submit the information. It was simply JavaScript to display text saying "Searching..." There is no submission of any form whatsoever.

Maybe that's why I never got any email from some services I submitted hashes to. It did not come to my mind to look into the HTML source :mad:

Hob

wildfrog
December 12th, 2006, 12:37 PM
There is no submission of any form whatsoever.
Well, it seems to me (again) that they're using some AJAX stuff in there somewhere...

- petter

PeejAvery
December 12th, 2006, 01:01 PM
Ah yes. I had forgotten about the AJAX being called from JavaScript. But, I have seen some that don't use AJAX either.

TheCPUWizard
December 12th, 2006, 03:04 PM
Realize that for any hashing methodology which uses a key of N bits in size, a duplicate (non-specified key) can always be generated if there are N bits of differential.