قالب وردپرس درنا توس
Home / Tips and Tricks / Use hash identifiers to determine hash types for cracking passwords. «Null Byte :: WonderHowTo

Use hash identifiers to determine hash types for cracking passwords. «Null Byte :: WonderHowTo



Hashes are often used to store sensitive information such as credentials to avoid storing them in plain text. With tools like Hashcat it is possible to crack these hashes, but only if we know the algorithm used to generate the hash. With a tool called Hash Identifier, we can easily fingerprint all hashes to find the right Hashcat password retrieval mode.

In addition to cracking hashes, Hash Identifier is also useful for identifying which hashing algorithm is used Specify a checksum value for a download. And it can be used to determine to which program a hash file or hash value may belong, e.g. For example, an SQL database or other vendor-specific format.

What is a hash and how is it cracked?

They are usually stored as hashes so that hackers can not read passwords in plain text. A hash function turns the readable passwords into jumbled letters and numbers that should not be regressed.

But two or more of the same passwords that use the same hash function have the same hash, so one could use this hashing function to determine the hashes for an entire password list and then use that data to determine the appropriate password. And that's exactly what many password-cracking tools do.

Hashes are better than saving a password in plain text, but they can still be cracked if a good rule or password list is used with Hashcat or another cracking program. But you can not just put Hashcat on a hash and expect it to work. Imagine Hashcat as a drill with many bits of different sizes. For any kind of hash we want to crack, we need to append another "bit" to Hashcat by setting it to the correct mode to attack the target hash.

Which hashes are supported?

There is currently a large amount of hashes that Hashcat can crack. The list of supported hashes is quite extensive on the GitHub hash ID repository.

  Supported encryption formats:

ADLER-32
CRC-16
CRC-16-CCITT
CRC-32
CRC 32B
DES (Unix)
Domain cached credentials
FCS-16
GHASH 32-3
GHASH 32-5
GOST R 34.11-94
Haval-128
Haval-160
Haval-192 110080
Haval-224 114080
Haval-256
Line II C4
MD2
MD4
MD5
MD5 ($ pass $ Salt) - Joomla
MD5 (APR)
MD5 (half)
MD5 (HMAC (WordPress))
MD5 (middle)
MD5 (phpBB3)
MD5 (Unix)
MD5 (WordPress)
MySQL
MySQL 160bit - SHA-1 (SHA-1 ($ pass))
MySQL5 - SHA-1 (SHA-1 ($ pass))
NTLM
RAdmin v2.x.
RipeMD-128
RipeMD-160
RipeMD-256
RIPEMD-320
SAM - (LM_hash: NT_hash)
SHA-1
SHA-1 (Django)
SHA-1 (mangoes)
SHA-224
SHA-256
SHA-256 (Django)
SHA-384
SHA-384 (Django)
SHA-512
Snefru-128
Snefru-256
Tiger 128
Tiger 160
Tiger 192
XOR 32
whirlpool

And more ... 

What you need

To follow this guide, you must install Python3 on your computer (cross-platform). So go ahead, if you have not already done so. You also need Hashcat, which you can download by updating apt install hashcat after updating your computer with apt update and apt upgrade .

If you want to generate your own hashes to try cracking, you can do so with the format echo -n PLAINTEXT | do (HASHTYPE) sum . To create a SHA1 hash of the word " nullbyte ", I would use the following command.

  ~ $ echo -n nullbyte | sha1sum

32c0ced56f1fe08583bdb079d85a35a81995018c - 

Step 1: Download and Install the Hash Identifier

Installing the Python script is very simple. To start, open a terminal window and run the following command:

  ~ $ git clone https://github.com/blackploit/hash-identifier.git

Cloning into & # 39; hash identifier & # 39; ...
remote: list objects: 21, done.
remote: Total 21 (delta 0), reused 0 (delta 0), pack-reused 21
Unpack objects: 100% (21/21), done. 

Then navigate to cd hash ID and list its contents with ls .

  ~ $ cd hash ID
~ / hash-identifier $ ls

hash-id.py README.md screenshots 

You should see a file named hash-id.py that you can start with the following command.

  ~ / hash-identifier $ python3 hash-id.py

################################################## #######################
# __ __ __ ______ _____ #
# /   /   /  /  __ _  /  _ ` #
#    _   __ ____    ___  / _ /   /        #
#   _  / & # 39; __ ` /, __    _`            #
#      /  _   _ /  __, `       _   __    _   #
#   _   _   ___  _  /  ____ /   _   _  /  _____    ____ / #
#  / _ /  / _ /  / __ /  / _ /  / ___ /  / _ /  / _ /  / _____ /  / ___ / v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
################################################## #######################
--------------------------------------------------
HASH: 

Step 2: Unknown Hashes for Fingerprints

To try the hash ID, we try to create the following five unknown hashes for fingerprints.

  hash 1: 7196759210defdc0
Hash 2: 1bbb234c81ef04a1c2f441253952a556276669d7fc9d1ee765bd4b18f796699d (256)
Hash 3: 32c0ced56f1fe08583bdb079d85a35a81995018c (1)
Hash 4: 753b27807b690ef889a259f3b219e024bf5c6c33c8d56116943d9285a0b55b2050981f29e6fafa660428c48d7db3c4bd2e8dd48f87c8e90bde5e0c82ed23be10
Hash 5: 5f804b61f8dcf70044ad8c1385e946a8 (md5) 

First, enter the first value in the waiting hash ID prompt. As you can see, it provides a quick ID as a MySQL hash. This is the one we try to crack so we can come back to it later.

  HASH: 7196759210defdc0

Possible hashes:
[+] MySQL
[+] MD5 (middle)

Least possible hashes:
[+] MD5 (Half) 

Our second hash, see below, is identified as SHA256 hash, with Haval256 being another option.

  HASH: 1bbb234c81ef04a1c2f441253952a556276669d7fc9d1ee7656646669d7f7fc

Possible hashes:
[+] SHA-256
[+] Haval-256

Least possible hashes:
[+] GOST R 34.11-94
[+] RipeMD-256
[+] SNEFRU-256
[+] SHA-256 (HMAC)
[+] Haval-256 (HMAC)
[+] RipeMD-256 (HMAC)
[+] SNEFRU-256 (HMAC)
[+] SHA-256 (md5 ($ pass))
[+] SHA-256 (sha1 ($ pass)) 

Our third hash is identified as SHA1:

  HASH: 32c0ced56f1fe08583bdb079d85a35a81995018c

Possible hashes:
[+] SHA-1
[+] MySQL5 - SHA-1 (SHA-1 ($ pass))

Least possible hashes:
[+] Tiger-160
[+] Haval-160
[+] RipeMD-160
[+] SHA-1 (HMAC)
[+] Tiger-160 (HMAC)
[+] RipeMD-160 (HMAC)
[+] Haval-160 (HMAC)
[+] SHA-1 (MaNGOS)
[+] SHA-1 (MaNGOS2)
[+] sha1 ($ pass $ Salt)
[+] sha1 ($ salt. $ Pass)
[+] sha1 ($ salt.md5 ($ pass))
[+] sha1 ($ salt.md5 ($ pass). $ Salt)
[+] sha1 ($ salt.sha1 ($ pass))
[+] sha1 ($ salt.sha1 ($ salt.sha1 ($ pass))
[+] sha1 ($ username. $ Pass)
[+] sha1 ($ username. $ Pass. $ Salt)
[+] sha1 (md5 ($ pass))
[+] sha1 (md5 ($ pass). $ Salt)
[+] sha1 (md5 (sha1 ($ pass))
[+] sha1 (sha1 ($ pass))
[+] sha1 (sha1 ($ pass). $ Salt)
[+] sha1 (sha1 ($ pass) .substr ($ pass, 0.3))
[+] sha1 (sha1 ($ salt. $ Pass))
[+] sha1 (sha1 (sha1 ($ pass))
[+] sha1 (strtolower ($ username). $ Pass) 

And our fourth hash is identified as SHA512:

Possible hashes:
[+] SHA-512
[+] Jacuzzi

Least possible hashes:
[+] SHA-512 (HMAC)
[+] Whirlpool (HMAC)

Finally, our last hash is identified as MD5:

  HASH: 5f804b61f8dcf70044ad8c1385e946a8

Possible hashes:
[+] MD5
[+] Domain cached credentials - MD4 (MD4 (($ pass)). (Strtolower ($ username))

Least possible hashes:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5 (HMAC)
[+] MD4 (HMAC)
[+] MD2 (HMAC)
[+] MD5 (HMAC (WordPress))
[+] Haval-128
[+] Haval-128 (HMAC)
[+] RipeMD-128
[+] RipeMD-128 (HMAC)
[+] SNEFRU-128
[+] SNEFRU-128 (HMAC)
[+] Tiger-128
[+] Tiger 128 (HMAC)
[+] md5 ($ pass. $ Salt)
[+] md5 ($ salt. $ Pass)
[+] md5 ($ salt. $ Pass. $ Salt)
[+] md5 ($ salt. $ Pass. $ Username)
[+] md5 ($ salt.md5 ($ pass))
[+] md5 ($ salt.md5 ($ pass))
[+] md5 ($ salt.md5 ($ pass. $ Salt))
[+] md5 ($ salt.md5 ($ pass. $ Salt))
[+] md5 ($ salt.md5 ($ salt. $ Pass))
[+] md5 ($ salt.md5 (md5 ($ pass). $ Salt))
[+] md5 ($ username.0. $ Pass)
[+] md5 ($ username.LF. $ Pass)
[+] md5 ($ username.md5 ($ pass). $ Salt)
[+] md5 (md5 ($ pass))
[+] md5 (md5 ($ pass). $ Salt)
[+] md5 (md5 ($ pass) .md5 ($ salt))
[+] md5 (md5 ($ salt). $ Pass)
[+] md5 (md5 ($ salt) .md5 ($ pass))
[+] md5 (md5 ($ username. $ Pass). $ Salt)
[+] md5 (md5 (md5 ($ pass))
[+] md5 (md5 (md5 (md5 ($ pass)))
[+] md5 (md5 (md5 (md5 (md5 ($ pass))))
[+] md5 (sha1 ($ pass))
[+] md5 (sha1 (md5 ($ pass))
[+] md5 (sha1 (md5 (sha1 ($ pass)))
[+] md5 (strtoupper (md5 ($ pass))) 

That was easy, but the next step is to attack those hashes by casting the identified hash type into a hashcat mode number.

Step 3: Look Up Hashcat Hash Modes

To look up a hash mode, see the full list of Hashcat-supported hash types on the Hashcat sample page. A shortened list of the most popular hashes can be found below.

  hash-mode hash-name Example
0 MD5 8743b52063cd84097a65d1633f5c74f5
10 md5 ($ pass. $ Salt) 01dfae6e5d4d90d9892622325959afbe: 7050461
20 md5 ($ salt. $ Pass) f0fda58630310a6dd91a7d8f0a4ceda2: 4225637426
30 md5 (utf16le ($ pass). $ Salt) b31d032cfdcf47a399990a71e43c5d2a: 144816
40 md5 ($ salt.utf16le ($ pass)) d63d0e21fdc05f618d55ef306c54af82: 13288442151473
50 HMAC-MD5 (key = $ pass) fc741db0a2968c39d9c2a5cc75b05370: 1234
60 HMAC-MD5 (key = $ salt) bfd280436f45fa38eaacac3b00518f29: 1234
100 SHA1 b89eaac7e61417341b710b727768294d0e6a277b
110 sha1 ($ pass. $ Salt) 2fc5a684737ce1bf7b3b239df432416e0dd07357: 2014
120 sha1 ($ salt. $ Pass) cac35ec206d868b7d7cb0b55f31d9425b075082b: 5363620024
130 sha1 (utf16le ($ pass). $ Salt) c57f6ac1b71f45a07dbd91a59fa47c23abcd87c2: 631225
140 sha1 ($ salt.utf16le ($ pass)) 5db61e4cd8776c7969cfd62456da639a4c87683a: 8763434884872
150 HMAC-SHA1 (key = $ pass) c898896f3f70f61bc3fb19bef222aa860e5ea717: 1234
160 HMAC-SHA1 (key = $ salt) d89c92b4400b15c39e462a8caa939ab40c3aeeea: 1234
200 MySQL323 1EAFFED54F552AA5
300 MySQL4.1 / MySQL5 fcf7c1b8749cf99d88e5f34271d636178fb5d130 

Above are two examples that may match our first hash (7196759210defdc0) from the previous step. At a glance, the mode 200 "MySQL323" seems to be the best match, but we can confirm this by going through the example's hash identifier.

  HASH: 1EAFFED54F552AA5

Possible hashes:
[+] MySQL
[+] MD5 (middle)

Least possible hashes:
[+] MD5 (Half) 

It exactly matches our example hash:

  HASH: 7196759210defdc0

Possible hashes:
[+] MySQL
[+] MD5 (middle)

Least possible hashes:
[+] MD5 (Half) 

If we run the other possibly matching MySQL hash type, mode 300, we can see that it does not match the fingerprint of our unknown example.

  HASH: fcf7c1b8749cf99d88e5f34271d636178fb5d130

Possible hashes:
[+] SHA-1
[+] MySQL5 - SHA-1 (SHA-1 ($ pass))

Least possible hashes:
[+] Tiger-160
[+] Haval-160
[+] RipeMD-160
[+] SHA-1 (HMAC)
[+] Tiger-160 (HMAC)
[+] RipeMD-160 (HMAC)
[+] Haval-160 (HMAC)
[+] SHA-1 (MaNGOS)
[+] SHA-1 (MaNGOS2)
[+] sha1 ($ pass $ Salt)
[+] sha1 ($ salt. $ Pass)
[+] sha1 ($ salt.md5 ($ pass))
[+] sha1 ($ salt.md5 ($ pass). $ Salt)
[+] sha1 ($ salt.sha1 ($ pass))
[+] sha1 ($ salt.sha1 ($ salt.sha1 ($ pass))
[+] sha1 ($ username. $ Pass)
[+] sha1 ($ username. $ Pass. $ Salt)
[+] sha1 (md5 ($ pass))
[+] sha1 (md5 ($ pass). $ Salt)
[+] sha1 (md5 (sha1 ($ pass))
[+] sha1 (sha1 ($ pass))
[+] sha1 (sha1 ($ pass). $ Salt)
[+] sha1 (sha1 ($ pass) .substr ($ pass, 0.3))
[+] sha1 (sha1 ($ salt. $ Pass))
[+] sha1 (sha1 (sha1 ($ pass))
[+] sha1 (strtolower ($ username). $ Pass) 

This shows that we have the right Hashcat mode number 200 for our hashtag attack

[19459035identifizierthaben] Step 4: Attacking the Hashs with Hashcat

Once we know the mode to use by identifying the hash, we can attack it with Hashcat. For this to work, we need to create a dictionary file with passwords that Hashcat then uses to attack the hash. There are many available online lists like RockYou, but in this case we'll create one called example.dict to make some password estimates.

If you are still in the hash identifier tool, click . Control-C first on your keyboard. Then create and open a file in nano by typing:

  ~ / hash-identifier $ nano example.dict 

After adding some password rates that contain the word "hashcat" for this example, press She . Exit Control-X then Y and confirm the file name. We can now use this file along with the mode we've discovered as a list of plain-text guesses to crack the hash. The basic formula we will use looks like this:

  sudo hashcat -m MODE_NUMBER -a 0 HASH_VALUE example.dict 

If we match them with our hash of 7196759210defdc0 (the "HASH_VALUE" In our mode of 200 ("MODE_NUMBER"), the results should look like this. If you are using an older system such as the one I am using, you may need to use the command – force .

  ~ / hash-identifier $ sudo hashcat -m 200 -a 0 7196759210defdc0 example.dict --force

hashcat (v5.1.0) starts ...

OpenCL Platform # 1: The pocl project
===================================
* Device 1: pthread Intel (R) Core (TM) 2 Duo CPU E7500 at 2.93 GHz, allocatable to 1024/3639 MB, 2MCU

/usr/share/hashcat/OpenCL/m00200_a0-optimized.cl: The pure OpenCL kernel was not found and uses the optimized OpenCL kernel
Hashes: 1 digest; 1 unique digestion, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 revolutions
Rules: 1

Applicable optimizers:
* Optimized kernel
* Zero byte
* Do not go through
* Single hash
* Single-salt

Password length at least: 0
Maximum password length: 31

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature stop trigger deactivated.
Watchdog: Temperature hold trigger deactivated.

* Device 1: build_opts & # 39; -I / usr / share / hashcat / OpenCL-D VENDOR_ID = 64 -D CUDA_ARCH = 0 -D-AMD_ROCM = 0 -D-VECT_SIZE = 4 -D DEVICE_TYPE = 2 -D DGST_R0 = 0 - D DGST_R1 = 1 -D DGST_R2 = 2 -D DGST_R3 = 3 -D DGST_ELEM = 4 -D KERN_TYPE = 200 -D _unroll & # 39;
* Device 1: Kernel m00200_a0-optimized.44d10a8c.kernel not found in the cache! The construction may take a while ...
Hits in the dictionary cache:
* Filename ..: example.dict
* Passwords: 17
* Bytes .....: 76
* Keyspace ..: 17

Device 1: Autotuning the kernel to 1024
Device 1: autotuning the kernel loops to 1
[s] tate [p] ause [r] esume [b] ypass [c] heckpoint [q] uit => The word list or mask you are using is too small.
This means that hashcat can not use the full parallel performance of your devices.
If you stop working, your cracking speed will decrease.
For tips on providing more information, see: https://hashcat.net/faq/morework

Approaching the final key area - workload adjusted.

7196759210defdc0: hashcat

Session ..........: hashcat
Status ...........: Broken
Hash.Type ........: MySQL323
Hash.Target ...: 7196759210defdc0
Time.Started .....: Mon Dec 9 17:00:25 2019 (0 secs)
Time.Estimated ...: Mon Dec 9 17:00:25 2019 (0 secs)
Guess.Base .......: File (example.dict)
Guess.Queue ......: 1/1 (100.00%)
Speed.Dev. # 1 .....: 0 H / s (0.03 ms)
Recovered ........: 1/1 (100.00%) digests, 1/1 (100.00%) salts
Progress .........: 17/17 (100.00%)
Rejected .........: 0/17 (0.00%)
Restore.Point ....: 0/17 (0.00%)
Candidates. # 1 ....: wow -> again
HWMon.Dev. # 1 .....: N / A

Started: Monday, December 9th 17:00:17 pm 2019
Stopped: Mon Dec 9 17:00:27 2019 

Let's go! We get the output of 7196759210defdc0: hashcat which means we found the value of the MySQL323 hash as the word "hashcat" by comparing it to all the words in the example.dict file.

Identifier facilitates identification of fingerprint hashes

If you are dealing with an unknown type of hash, you must first identify it correctly to make it useful. Although Hash Identifier is not a perfect tool, you can easily identify most hashes and distinguish between different types of common and similar-looking hashes that have a different mode in Hashcat. Although the hash ID is not sure what kind of hash you are dealing with, you can use the example hashes response from the Hashcat Web site to verify that you've found the right hash.

I hope you liked this Guide to the fingerprint of unknown hashes! If you have questions about this hash cracking and identification tutorial or have a comment, please contact me at Twitter @KodyKinzie .

Do Not Miss: Detecting When a Device Is Nearby with the ESP8266 Friend Detector

Cover Picture by Kody / Null Byte




Source link