Tuesday, August 23, 2011

HASH TYPE REFERENCE GUIDE

I have seen numerous requests from people new and old asking what type of hash they have. There are many options out there and many algorithms used to create, so I thought it might be helpful to provide a general reference table for people to have when they need. This information can greatly increase your effectiveness in identifying and cracking password hashes. It provides a brief description of each, where you might run into them. I pulled some of this from some old dated references and added what I could. Hope this is helpful to some folks out there…


TYPE
LENGTH
Example
WHERE YOU MIGHT FIND
SUMMARY
DES(Unix)
13 Chars
MvT4cjS8IaLNQ
*nix systems
The first two chars are the actual Salt, while the rest is the actual hash. When cracking it is not necessary to split the two.
Domain Cached Credentials (DCC)
16 Chars
b474d48cdfc4974d86ef4d24904cdd91
windows PCs that are a member of a domain
Uses this algorithm to compute: MD4(MD4(Unicode($pass)).Unicode(strtolower($username)))
MD5
32 Chars (16 Bytes)
c4ca4238a0b923820dcc509a6f75849b
Used all over the place, this is by far the most common hash type
Same as the md5() function in PHP
MD5 (*nix)
34 Chars
$1$12345678$XM4P3PrKBgKNnTaqG9P0T/
*nix systems
The hash starts with the $1$ followed by the actual Salt which ends at the third $ (max of 8 chars), and everything that follows is the actual hash. It is the result of a MD5 process being called 2000 times in a row.
MD5(APR)
37 Chars
$apr1$12345678$auQSX8Mvzt.tdBi4y6Xgj.
*nix systems
This is the same as above MD5(*nix), but with a prefix of $apr$salt$hash format instead of the $1$ prefix used above.
MD5(phpBB3)
34 Chars
$H$9123456785DAERgALpsri.D9z3ht120
phpBB forums v3.x
Again, similar to the MD5(*nix) with a prefix of $H$ and no third $ to indicate the end of the salt. The prefix is followed by a random digit which is then followed by the salt (up to 8 chars) followed by the actual hash
MD5(Wordpress)
34 Chars
$P$B123456780BhGFYSlUqGyE6ErKErL01
Wordpress
Hash begins with $P$ followed by random char, then salt (max 8 chars), and the then the actual hash. MD5 loop is run 8192 times.
md5($pass.$salt)
32 Chars (16 Bytes)
6f04f0d75f6870858bae14ac0b6d9f73:1234
Used in WB News, Joomla version 1.0.13 and higher.
The “:” is a common symbol used in hashing to separate the actual hash from the salt. You need to use the Salt to crack the password hash, which may or may not need to be manually separated depending on what tools you use.
md5($salt.$pass)
32 Chars (16 Bytes)
f190ce9ac8445d249747cab7be43f7d5:12
osCommerce, AEF, Gallery and other CMS types
See above
md5(md5($pass))
32 Chars
28c8edde3d61a0411511d3b1866f0636
Used in e107, DLE, AVE, Diferior, Koobi and other CMS
You can treat this as a standard MD5 from a cracking point of view
md5(md5($pass).$salt)
32 Chars (16 Bytes)
6011527690eddca23580955c216b1fd2:wQ6
Used in vBulletin, IceBB
Uses salt, so may require special handling of salt depending on what you use for cracking, otherwise treat as normal MD5
md5(md5($salt).md5($pass))
32 Chars (16 Bytes)
81f87275dd805aa018df8befe09fe9f8:wH6_S
Used in IPB.
See above
md5(md5($salt).$pass)
32 Chars (16 Bytes)
816a14db44578f516cbaef25bd8d8296:1234
Used in MyBB.
See above
md5($salt.$pass.$salt)
32 Chars (16 Bytes)
a3bc9e11fddf4fef4deea11e33668eab:1234
Used in TBDev.
See above
md5($salt.md5($salt.$pass))
32 Chars (16 Bytes)
1d715e52285e5a6b546e442792652c8a:1234
Used in DLP
See above
MySQL <=4
16 Chars (8 Bytes)
606717496665bcba
MySQL<=4
The hash consists of two DWORDs, each not exceeding the value of 0x7fffffff
MySQL >=5
40 Chars (20 Bytes)
*E6CC90B878B948C35E92B003C792C46C58C4AF40
MySQL >=5
Uses the “SHA-1(SHA-1($pass))” algorithm to compute. The asterisk is often seen in the database but not actually used for cracking or by the programs.
RAdmin v2.x
32 Chars
(16 Bytes)
5e32cceaafed5cc80866737dfb212d7f
Used in the application Remote Administrator v2.x.
The password is padded with zeros to the length of 100 bytes, then that entire string is hashed with the MD5 algorithm.
SHA-1
40 Chars (20 Bytes)
356a192b7913b04c54574d18c28d46e6395428ab
Very commonly used in forum and CMS applications
Same as the sha1() function in PHP
sha1(strtolower($username).$pass)
40 Chars (20 Bytes)
Admin:6c7ca345f63f835cb353ff15bd6c5e052ec08e7a
Used in SMF
sha1($salt.sha1($salt.sha1($pass)))
40 Chars (20 Bytes)
cd37bfbf68d198d11d39a67158c0c9cddf34573b:1234
Used in Woltlab BB.
SHA-256(Unix)
55 Chars
$5$12345678$jBWLgeYZbSvREnuBr5s3gp13vqi
*nix systems
Prefix is $5$ followed by Salt which is up to 8 char in length followed by the actual Hash.
$5$Salt$Hash and is a result of the SHA-256 algorithm being run 5000 times.
SHA-512(Unix)
98 Chars
$6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEm
*nix systems
Same as above although the prefix is $6$Salt$Hash instead of a five like above, and is result of the SHA-512 algorithm being run 5000 times.


If you are interested in an online hash type analyzer then you can check out a project that Join7 is working on. It is still in testing and the site under some construction in certain areas as he works to develop more applications and options. You can find it here: http://join7.koolserve.com/ He also has developed an automated SQL column counter as well as a Hash lookup/cracking service (which is still under major development last I checked). I hope you enjoy this share and until next time, Enjoy!

No comments:

Post a Comment