viernes, 8 de junio de 2012

Leak Linkedin English



Download the dump file from http://bit.ly/KGTusG and execute the code below, based upon https://gist.github.com/2884354, with a second test to find unknown hashes.

It seems that linkedin does not salt the stored password, allowing dictionary and rainbow table attacks.

The file has 6.5 million hashes, with a half of them "tagged" with 000000 at the beginning. If you try common passwords they are found.

The author original logic is to verify hashing the password and replacing the first six chars with 0. I've added looking for untagged hashes too.

Asi que, a ejecutar y cambiar el password si hace falta.
Please add a comment below if you find your linkedin password and if its not used in any other account, the better. If is does not reveal anything about your password schema, please write it down too.


"""
Check if your password is in the linkedin password dump.
You'll need to download the dump from here: http://bit.ly/KGTusG and unzip it to combo_not.txt
"""

import hashlib
import getpass

pw = getpass.getpass('Enter your LinkedIn password: ')
sha1 = hashlib.sha1(pw).hexdigest()
hash = '00000' + sha1[5:]

found = False
with open('combo_not.txt') as f:
    for i, line in enumerate(f):
        h = line.strip()
        if hash == h:
            print "Found it decrypted on line %d" % i
            found = True
        if sha1 == h:
            print "Found it but encrypted on line %d" % i
if not found:
    print "password %s not found" % (pw)



Here there is an analysis:

http://cyberarms.wordpress.com/2012/06/07/analysis-of-passwords-dumped-from-linkedin/

No hay comentarios:

Publicar un comentario