Intro

This is a work in progress page of tips and tricks that might be handy for those learning or using MDXfind. Most of the content was collated from using it, Royce William’s post on MDXfind and hassling hops and s3in!c on the hashes.org discord server for usage tips. Credit to waffle and hops for all the dev work.

Basic Usage Using STDIN

MDXfind’s strength is its ability to run wordlists against lists of mixed hashes / lists of unknown hashes. Got a bunch of 32hex hashes but no idea what they are? Let MDXfind do the hard work for you. When running mixed lists of unknown algo’s, it’s always worth running it with mdsplit to save the hassle of parsing it out later.

cat mixedhashes.list | ./mdxfind.static -h 'ALL' -h '!salt,!user,!md5x' wordlist.txt | ./mdsplit.static mixedhashes.list

This command runs a mixed file of hashes through all algorithms known to MDXfind apart from those requiring salts, usernames and internally iterated hashes like SHA1(MD5(MD5($pass)).

Running MDXFind From a File

Alternatively, if you want to run it from a file instead of STDIN.

./mdxfind.static -h ALL -h '!salt,!user,!md5x' -f mixedhashes.list wordlist.txt > results.file

This means that if you get bored waiting for results, are working from a shared network drive or want to quickly kill the process, you’ve still got all those delicious founds saved to a file.

Running salted hashes with MDXfind

In the cases where you’ve got salted hashes where the salt is not part of the hashes (for example MD5SALT). You will need to give MDXfind a salt file. This is provided using the -s switch command. A quick oneliner to separate the salts from the hashes.

cat vbulletin-hashes.txt | cut -f 2 -d ":" | sort -u > salts.txt
 cat vbulletin-hashes.txt | ./mdxfind -h 'MD5SALT' -s salts.txt wordlist.txt | ./mdsplit.static vbulletin-hashes.txt

Generating Example Hashes

MDXfind has the option to generate hashed examples of a plaintext. This can be helpful when trying to work out if a hash has been truncated, or if you are identifying which specific variation of a hash you might be trying to crack.

echo -n 'Password' | ./mdxfind.static -h 'MYSQL' -h '!salt,!user' -z -f /dev/null -i 5 stdin 2>&1
MYSQL3x01 2f18d4d923ccae07:Password
MYSQL3x02 6c570ef02890ea40:Password
MYSQL3x03 6aa0bd3f0e7cfb70:Password
MYSQL3x04 2fe7115b6128d301:Password
MYSQL3x05 577828bc229cf0ea:Password

It can help you hash a known plaintext, so you can compare and identify the algorithm.

Example 32hex and Plaintext Pair

8be3c943b1609fffbfc51aad666d0a04:Password

Generating Candidates And Grepping The Output

echo -n 'Password' | ./mdxfind.static -h 'ALL' -h '!salt,!user,!md5x' -z -f /dev/null -i 5 stdin 2>&1 | grep '8be3c943b1609fffbfc51aad666d0a04'

Example Output

SHA1x01 8be3c943b1609fffbfc51aad666d0a04adf83c9d:Password

Truncated SHA1 identified.


Pausing MDXfind

MDXfind consuming all your cores ? Need to pause it but don’t want to loose all your progress ? This command is for you.

Ctrl-Z

Resuming MDXfind

To bring that suspended MDXfind session back, you can use the fg command to continue it in the current shell window and watch those cracked hashes continue to roll in.

Killing MDXfind without losing STDOUT

Maybe you’ve got to shutdown, or maybe you’ve just decided you don’t feel like waiting till 2am for this current run to finish. If you are outputting STDOUT straight into mdsplit, you can kill the MDXfind process rather than wait till it reaches its 500k buffer size. This still allows the founds to be parsed to mdsplit without losing them.

ps aux | grep mdxfind
sudo kill -9 PIDOFMDXFIND

MDXfind to Hashes.org Format

Now that you’ve found a bunch of hashes using the tips and instructions above, you might want to upload them to Hashes.org so you can jump up the leader board 😉. The following reference table can be used to help you figure out the algo you need to provide, against the ones described in MDXfind. As a

MDXfind Algo Hashes.org Format
MD4x01 MD4
MD5MD5PASSSHA1x01 MD5(MD5(PLAIN)PLAINSHA1(PLAIN))
MD4UTF16MD5x01 NTLMMD5
HAV128_4MD5x01 HAVAL128-4MD5
HAVA128_4x01 HAVAL128-4
MD2MD5x01 MD2MD5
MD4MD5x01 MD4MD5
MD4SQL3x01 MD4MYSQL3
MD5-1xSHA1MD5pSHA1px01 MD5(SHA1MD5(PLAIN)SHA1(PLAIN))
MD5-1xSHA1MD5x01 MD5(SHA1MD5(PLAIN))
MD5SQL5 MD5MYSQL5TOT
MD5SHA1PASSMD5PASSSHA1PASS MD5(SHA1(PLAIN)MD5(PLAIN)SHA1(PLAIN))
MD5RAW MD5RAW(MD5(PLAIN))
MD5PASSSHA1MD5 MD5(PLAINSHA1MD5(PLAIN))

Where To Download MDXfind

Download MDXfind