I have seen numerous requests from people new and old asking what type of hash they have. There are many options out there and many algorithms used to create, so I thought it might be helpful to provide a general reference table for people to have when they need. This information can greatly increase your effectiveness in identifying and cracking password hashes. It provides a brief description of each, where you might run into them. I pulled some of this from some old dated references and added what I could. Hope this is helpful to some folks out there…
TYPE | LENGTH | Example | WHERE YOU MIGHT FIND | SUMMARY |
DES(Unix) | 13 Chars | MvT4cjS8IaLNQ | *nix systems | The first two chars are the actual Salt, while the rest is the actual hash. When cracking it is not necessary to split the two. |
Domain Cached Credentials (DCC) | 16 Chars | b474d48cdfc4974d86ef4d24904cdd91 | windows PCs that are a member of a domain | Uses this algorithm to compute: MD4(MD4(Unicode($pass)).Unicode(strtolower($username))) |
MD5 | 32 Chars (16 Bytes) | c4ca4238a0b923820dcc509a6f75849b | Used all over the place, this is by far the most common hash type | Same as the md5() function in PHP |
MD5 (*nix) | 34 Chars | $1$12345678$XM4P3PrKBgKNnTaqG9P0T/ | *nix systems | The hash starts with the $1$ followed by the actual Salt which ends at the third $ (max of 8 chars), and everything that follows is the actual hash. It is the result of a MD5 process being called 2000 times in a row. |
MD5(APR) | 37 Chars | $apr1$12345678$auQSX8Mvzt.tdBi4y6Xgj. | *nix systems | This is the same as above MD5(*nix), but with a prefix of $apr$salt$hash format instead of the $1$ prefix used above. |
MD5(phpBB3) | 34 Chars | $H$9123456785DAERgALpsri.D9z3ht120 | phpBB forums v3.x | Again, similar to the MD5(*nix) with a prefix of $H$ and no third $ to indicate the end of the salt. The prefix is followed by a random digit which is then followed by the salt (up to 8 chars) followed by the actual hash |
MD5(Wordpress) | 34 Chars | $P$B123456780BhGFYSlUqGyE6ErKErL01 | Wordpress | Hash begins with $P$ followed by random char, then salt (max 8 chars), and the then the actual hash. MD5 loop is run 8192 times. |
md5($pass.$salt) | 32 Chars (16 Bytes) | 6f04f0d75f6870858bae14ac0b6d9f73:1234 | Used in WB News, Joomla version 1.0.13 and higher. | The “:” is a common symbol used in hashing to separate the actual hash from the salt. You need to use the Salt to crack the password hash, which may or may not need to be manually separated depending on what tools you use. |
md5($salt.$pass) | 32 Chars (16 Bytes) | f190ce9ac8445d249747cab7be43f7d5:12 | osCommerce, AEF, Gallery and other CMS types | See above |
md5(md5($pass)) | 32 Chars | 28c8edde3d61a0411511d3b1866f0636 | Used in e107, DLE, AVE, Diferior, Koobi and other CMS | You can treat this as a standard MD5 from a cracking point of view |
md5(md5($pass).$salt) | 32 Chars (16 Bytes) | 6011527690eddca23580955c216b1fd2:wQ6 | Used in vBulletin, IceBB | Uses salt, so may require special handling of salt depending on what you use for cracking, otherwise treat as normal MD5 |
md5(md5($salt).md5($pass)) | 32 Chars (16 Bytes) | 81f87275dd805aa018df8befe09fe9f8:wH6_S | Used in IPB. | See above |
md5(md5($salt).$pass) | 32 Chars (16 Bytes) | 816a14db44578f516cbaef25bd8d8296:1234 | Used in MyBB. | See above |
md5($salt.$pass.$salt) | 32 Chars (16 Bytes) | a3bc9e11fddf4fef4deea11e33668eab:1234 | Used in TBDev. | See above |
md5($salt.md5($salt.$pass)) | 32 Chars (16 Bytes) | 1d715e52285e5a6b546e442792652c8a:1234 | Used in DLP | See above |
MySQL <=4 | 16 Chars (8 Bytes) | 606717496665bcba | MySQL<=4 | The hash consists of two DWORDs, each not exceeding the value of 0x7fffffff |
MySQL >=5 | 40 Chars (20 Bytes) | *E6CC90B878B948C35E92B003C792C46C58C4AF40 | MySQL >=5 | Uses the “SHA-1(SHA-1($pass))” algorithm to compute. The asterisk is often seen in the database but not actually used for cracking or by the programs. |
RAdmin v2.x | 32 Chars (16 Bytes) | 5e32cceaafed5cc80866737dfb212d7f | Used in the application Remote Administrator v2.x. | The password is padded with zeros to the length of 100 bytes, then that entire string is hashed with the MD5 algorithm. |
SHA-1 | 40 Chars (20 Bytes) | 356a192b7913b04c54574d18c28d46e6395428ab | Very commonly used in forum and CMS applications | Same as the sha1() function in PHP |
sha1(strtolower($username).$pass) | 40 Chars (20 Bytes) | Admin:6c7ca345f63f835cb353ff15bd6c5e052ec08e7a | Used in SMF | … |
sha1($salt.sha1($salt.sha1($pass))) | 40 Chars (20 Bytes) | cd37bfbf68d198d11d39a67158c0c9cddf34573b:1234 | Used in Woltlab BB. | … |
SHA-256(Unix) | 55 Chars | $5$12345678$jBWLgeYZbSvREnuBr5s3gp13vqi | *nix systems | Prefix is $5$ followed by Salt which is up to 8 char in length followed by the actual Hash. $5$Salt$Hash and is a result of the SHA-256 algorithm being run 5000 times. |
SHA-512(Unix) | 98 Chars | $6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEm | *nix systems | Same as above although the prefix is $6$Salt$Hash instead of a five like above, and is result of the SHA-512 algorithm being run 5000 times. |
If you are interested in an online hash type analyzer then you can check out a project that Join7 is working on. It is still in testing and the site under some construction in certain areas as he works to develop more applications and options. You can find it here: http://join7.koolserve.com/ He also has developed an automated SQL column counter as well as a Hash lookup/cracking service (which is still under major development last I checked). I hope you enjoy this share and until next time, Enjoy!
No comments:
Post a Comment