Cracking Magento passwords for $1



TL;DR: Find weak passwords on your Magento stores before the bad guys do. If you spend some serious money ($1) on high-performance computing power, you can find easily guessable passwords. Here’s - step by step - how you can check your stores for vulnerable admin accounts.

A password guessing attack (aka “brute force”) has become the most successful attack vector recently. Hackers try zillions of passwords on authenticated pages (/admin, /downloader, /rss) until they hit the jackpot.

Now, you (the admin) can easily find weak passwords, because you have a major advantage over remote attackers: speed. Potential hackers test passwords over HTTP, which is relatively slow. With a botnet and fast servers, at best (worst) they can try a few hundred passwords per second per store. You, on the other hand, have direct database access. With the proper setup (read on!) you can test 4 billion passwords per second.

What is password hashing?

When big companies are hacked, they always say your password is safe because it was stored in an unreadable manner.

What they actually mean is that they stored a hash of your password. Hashing is a one-way algorithm that translates some data (your password) into a unique code. Say your password is qwerty123. The MD5 hash for this password is 3fc0a7acf087f549ac2b266baf94b8b1. It is not possible to reverse this. However, nothing stops you from hashing random passwords and seeing whether they match 3fc0a7acf087f549ac2b266baf94b8b1. You would only have to try enough combinations, starting with aaaaaaaa and going all the way to ZZZZZZZZ (and beyond).

The MD5 method is not a very safe hash, because it is unbelievably fast. A 5-year-old PC can compute about 70 megahashes (MH) per second, and a juicy video card can do 4500 MH per second.

Get the machinery in place

Magento 1 CE uses the fast MD5 hash to store admin passwords. To find weak ones, you need:

Amazon released their P2 GPU servers recently, to jump on the machine learning money wagon. P2 servers happen to be also really good at hashing. Equipped with Nvidia’s Tesla K80 cards, those servers are nothing but hash grinding beasts. The smallest P2 server is still pricey, but for $1, you may tame it for a whole hour.

Boot a p2.xlarge with Amazon EC2. Root disk 8GB is ok. Pick Ubuntu 16.04 AMI. Download keyfile (pem). Run these commands in terminal.

Extract hashes from your Magento stores

Almost ready to start cracking: you just need the password hashes. If you have magerun, you can do this (run on your Magento server):

n98-magerun db:query "select concat(username,':',password) from admin_user where is_active=1" | tail -n +3 | tee maghashes.txt

Now, maghashes.txt contains lines with username:hash:salt like this:

admin:90EFkDlbNgMIVq6oJZfXJ7XrifM4TI80:ToV9inml5MawidrOTCgcKvwSwn1xIApE
backup:ep0NXnY2MeRI9JzXDHefnRdQDyNmhkH7:8M

Copy this file to your hash grinder and start the magic:

scp maghashes.txt ubuntu@<AWS-IP>:/data

# back to your AWS terminal
cd /data/hashcat
./hc -m20 --username -r rules/best64.rule ../maghashes.txt ../phpbb.txt
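As an added illustration (not code from the original post or from Magento), the following Python mirrors what hashcat mode 20 tests against the username:hash:salt lines above: Magento 1 stores md5(salt + password) followed by ":salt", and its validateHash() also accepts legacy unsalted rows. The sample export, salts and weak-password list are constructed for the example.

```python
import hashlib


def magento1_hash(password: str, salt: str = "") -> str:
    """Magento 1 CE admin scheme: hex MD5 of salt + password, stored as
    '<hex>:<salt>' when salted and as a bare '<hex>' for legacy unsalted rows."""
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}" if salt else digest


def verify_magento1(password: str, stored: str) -> bool:
    """Same decision Magento's validateHash() makes: salted or unsalted record."""
    _digest, _, salt = stored.partition(":")
    return magento1_hash(password, salt) == stored


def find_weak_accounts(hash_lines, weak_passwords):
    """Check every 'username:hash[:salt]' line of the magerun export against a
    short weak-password list; returns {username: matched_password}."""
    findings = {}
    for line in hash_lines:
        line = line.strip()
        if not line:
            continue
        username, _, stored = line.partition(":")
        for candidate in weak_passwords:
            if verify_magento1(candidate, stored):
                findings[username] = candidate
                break
    return findings


# Constructed sample export (not real store data); salts "8M" and "xy" are made up.
SAMPLE_LINES = [
    "admin:" + magento1_hash("123", "8M"),
    "backup:" + magento1_hash("correct horse battery staple", "xy"),
    "test:" + magento1_hash("test123"),  # legacy unsalted record
]
WEAK_PASSWORDS = ["123", "admin", "test123", "password"]

if __name__ == "__main__":
    for user, pw in find_weak_accounts(SAMPLE_LINES, WEAK_PASSWORDS).items():
        print(f"{user}: weak password '{pw}'")
```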

The One Dollar Challenge

Show all the guessed passwords:

./hc --show --username -m20 ../maghashes.txt

In practice, 10-15% of the admin passwords appear easily guessable. This is more than I expected. Notable cases are test/test123 and admin/123. Magento 2 forces strong passwords by default, but for anyone still running M1, it’s a good idea to give your admin passwords a boost.

Bonus

MD5                      4,231,000 hashes/sec
PHP’s password_hash()           53 hashes/sec
I am the founder of MageReport, a free service to check the security and performance of your store.