OSX bash script to brute-force/loop MD5 hash to find Salt if I know the Password?

Question

I have a salted MD5 hash: 896501b1d2ed4ec4e2d3a6c69a672152 from my password which is: 123321

I have tested and created few user accounts on other websites with the same password: 123321 and in there mySQL I see the same MD5 hash 896501b1d2ed4ec4e2d3a6c69a672152

This confirms the Salt is same even using different username, different signup date, etc.

Below I have setup a simple (2 char) Salt Find Test Case where I know the Salt+Password and the Script will find the Salt:

Setup Test details:
Salt = 'Ac'
Password = '123321'
Salted password = 'Ac123321'
Hash of Salted pass = 'b60639eef9d7e85eab35e16f6d1ba6d6'

Using this code below I can find this Salt above:

#!/bin/bash

hashtofind=b60639eef9d7e85eab35e16f6d1ba6d6    
password=123321
counter=0

for i in $(seq 48 122); do
    counter=$((counter+1))
    salt=$(printf "\\$(printf %o $i)")
    saltedpass=$(printf "\\$(printf %o $i)$password")
    hashtocheck=$(echo -n "$saltedpass" | md5)
    echo "$counter"
    if [ $hashtocheck = $hashtofind ]; then
        echo "Found HASH!"
        echo "hashtofind: $hashtofind"
        echo "saltedpass: $hashtocheck"
        echo "SALT: $salt"
        echo "password: $password"
        echo "Salt+Password: $saltedpass"
        exit 1
    fi
done

for i in $(seq 48 122); do
    for j in $(seq 48 122); do
        counter=$((counter+1))
        salt=$(printf "\\$(printf %o $i)\\$(printf %o $j)")
        saltedpass=$(printf "\\$(printf %o $i)\\$(printf %o $j)$password")
        hashtocheck=$(echo -n "$saltedpass" | md5)
        echo "$counter"
        if [ $hashtocheck = $hashtofind ]; then
            echo "Found HASH!"
            echo "hashtofind: $hashtofind"
            echo "saltedpass: $hashtocheck"
            echo "SALT: $salt"
            echo "password: $password"
            echo "Salt+Password: $saltedpass"
            exit 1
        fi
    done
done

for i in $(seq 48 122); do
    for j in $(seq 48 122); do
        for k in $(seq 48 122); do
            counter=$((counter+1))
            salt=$(printf "\\$(printf %o $i)\\$(printf %o $j)\\$(printf %o $k)")
            saltedpass=$(printf "\\$(printf %o $i)\\$(printf %o $j)\\$(printf %o $k)$password")
            hashtocheck=$(echo -n "$saltedpass" | md5)
            echo "$counter"
            if [ $hashtocheck = $hashtofind ]; then
                echo "Found HASH!"
                echo "hashtofind: $hashtofind"
                echo "saltedpass: $hashtocheck"
                echo "SALT: $salt"
                echo "password: $password"
                echo "Salt+Password: $saltedpass"
                exit 1
            fi
        done
    done
done

This code gives result in 10 seconds:

1398
1399
1400
1401
1402
Found HASH!
hashtofind: b60639eef9d7e85eab35e16f6d1ba6d6
saltedpass: b60639eef9d7e85eab35e16f6d1ba6d6
SALT: Ac
password: 123321
Salt+Password: Ac123321

The Salt I need originally is longer than 2 chars.

Question: Is there any method to run this process faster except running multi terminal/shell consoles?

Answer 1

in there [sic] mySQL I see the same MD5 hash

The salt is not secret information; that is to say, not any more secret than the hash.

If you have access to the MySQL database which stores the hashed passwords, that same database should be storing the salts. It has to; the salts are essential for verifying the passwords.

In classical non-shadowed Unix password files, everyone plainly sees the salts along with the hashes. Both are equally public information, stored together in the same field.

If no salts are stored in any fields of the database, that suggests that the website is using some fixed salt for all passwords, which is quite bad. That is also consistent with the fact that you're seeing the same hash in different databases. The software is almost certainly using a "static salt".

You don't have to reverse the salt to prove this: the probability is vanishingly small that random salts are being used in accordance with best practices, yet the hashes are coming out the same.

Anyway can do the search faster by writing the entire cracker in a compiled programming language, with a decently fast hashing function. A lot of the script's time is spent just launching processes and interpreting the shell syntax.

Brute forcing a two-character salt with a known pw/hash pair should be instantaneous.

(On that topic, we shouldn't be using two-character salts at all, let alone two-character salts that are static.)

Answer 2

John the ripper is sophisticated tool designed exactly for this kind of tasks. Place you hash in a fake-password file:

→ cat input 
username:b60639eef9d7e85eab35e16f6d1ba6d6

Assuming using 2 ascii chars as seed:

→ john --format=raw-md5 input --mask=?a?a123321 
Created directory: /home/juergen/.john
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 12x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ac123321         (username)
1g 0:00:00:00  16.66g/s 150416p/s 150416c/s 150416C/s   123321..~~123321
Use the "--show" option to display all of the cracked passwords reliably
Session completed