Cracking Wordpress Password Hashes with Hashcat

Edit: Joomla Hashes Cracked at Bottom

I got these from a working Wordpress site (v. 3.5.1) I used in a MPICT class by @Mark_DuBois

First I made some test users in the Wordpress administration page:

The site uses CPanel, which can be used to get to phpMyAdmin:

I got the password hashes from the wp_users table:

I started cracking them with Hashcat, using a dictionary of the top 500,000 passwords from RockYou:

The four hashes were all cracked in about 4 minutes:

Cracking Joomla Hashes

I used the Joomla administration panel to create some test users:

I used CPanel to open phpMyAdmin, and exported the password hashes from the users table:

Those hashes are really long, but they are just MD5 with a 16-byte salt, which is pathetic.

They crack in 1.1 seconds:
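Why the two tables fall at such different speeds, and how to find such rows in your own user table, shown as an added example that is not part of the original post. It assumes WordPress 3.5.1 stores phpass "portable" hashes (`$P$` prefix, MD5-based, cost encoded in the fourth character) and that the Joomla table stores `md5(password + salt)` as `hex:salt`; the function names and the sample rows are constructed for illustration.

```python
import hashlib
import re

# Alphabet phpass uses for its cost character and its custom base64 encoding
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
B64 = r"[./0-9A-Za-z]"

def classify(stored):
    """Return (scheme, md5_calls_per_guess); calls is None when not MD5-based."""
    m = re.fullmatch(rf"\$[PH]\$({B64}){B64}{{8}}{B64}{{22}}", stored)
    if m:
        # The cost character is log2 of the iteration count; phpass does one
        # initial md5(salt + password) and then that many md5(hash + password).
        return ("phpass-md5", (1 << ITOA64.index(m.group(1))) + 1)
    if re.fullmatch(r"[0-9a-f]{32}:.+", stored):
        return ("md5-salted", 1)          # one MD5 call tests one guess
    if re.fullmatch(rf"\$2[abxy]\$\d{{2}}\${B64}{{53}}", stored):
        return ("bcrypt", None)           # adaptive, not MD5-based
    return ("unknown", None)

def joomla_style_hash(password, salt):
    # Assumption: the stored value is md5(password + salt) followed by ":salt"
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt

def audit(rows):
    """Map each (user, stored_hash) row to (user, scheme, md5_calls, action)."""
    findings = []
    for user, stored in rows:
        scheme, calls = classify(stored)
        if scheme in ("phpass-md5", "md5-salted"):
            action = "rehash at next login"
        elif scheme == "bcrypt":
            action = "ok"
        else:
            action = "review manually"
        findings.append((user, scheme, calls, action))
    return findings

# Constructed sample rows (not real hashes from any site)
SAMPLE = [
    ("wp_test", "$P$B" + "saltsalt" + "A" * 22),
    ("joomla_test", joomla_style_hash("example-password", "constructedsalt0")),
    ("migrated", "$2y$10$" + "." * 53),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The `$P$B` rows cost 8,193 MD5 calls per guess against one for the salted-MD5 rows, which is the gap between minutes and seconds seen above; neither is a substitute for an adaptive hash such as bcrypt.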

Cracking Hashes

More information here:


Posted 6-18-13 4:30 pm by Sam Bowne
Joomla crack added 11:24 am 6-19-13