Detecting Hashing Algorithms
After reading the thread on sla.ckers discussing how to detect which hashing algorithm is being used, id and I had a pretty interesting idea. Let’s say you have a password and the hash, but you don’t know which hashing algorithm to run your password file against. That’s especially important before running any sort of time-consuming cracking program (less so with time-memory trade-off cracking programs like rainbow tables). Anyway, we decided to write a program to help solve this.
If you have the password and the hash, you can input them into hashmaster and get the algorithm used, which can help build a strategy for cracking the entire password file. All that we do is take the plaintext password, apply the various hashing algorithms and compare the results with the hash provided. If they’re the same, you have a match. Pretty straightforward. Eventually, we may add optional salts and many more hashing algorithms, and make it more robust. Until then, be gentle.
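The comparison described above, as an added example in Python (this is not hashmaster's code, which is not shown on this page): it hashes the known password with each candidate algorithm and compares the result with the observed hash. It goes beyond the post by normalizing hex case, ruling out algorithms by digest length first, and trying trailing-newline variants of the input; the algorithm list and the function names are assumptions.

```python
import hashlib

# Assumed candidate list (not hashmaster's); all are standard hashlib names.
ALGORITHMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha3_256"]

def candidates_by_length(hex_digest):
    """Triage: keep only algorithms whose hex output length matches."""
    n = len(hex_digest.strip())
    return [a for a in ALGORITHMS if hashlib.new(a).digest_size * 2 == n]

def input_variants(password):
    """Byte strings that commonly end up hashed for the same typed password."""
    raw = password.encode("utf-8")
    return [
        ("as-is", raw),
        ("trailing LF", raw + b"\n"),      # what `echo test | md5sum` hashes
        ("trailing CRLF", raw + b"\r\n"),
    ]

def identify(password, observed_hash):
    """Return (algorithm, input variant) pairs that reproduce observed_hash."""
    observed = observed_hash.strip().lower()  # hex digests are case-insensitive
    matches = []
    for algo in candidates_by_length(observed):
        for label, data in input_variants(password):
            if hashlib.new(algo, data).hexdigest() == observed:
                matches.append((algo, label))
    return matches

if __name__ == "__main__":
    # Sample values: the two MD5 digests of "test" quoted in the comments
    # on this page, the second one upper-cased here.
    for h in ("098f6bcd4621d373cade4e832627b4f6",
              "D8E8FCA2DC0F896FD7CB4CB0031BA249"):
        print(h, "->", identify("test", h))
```

Length alone only narrows the field: a 64-character digest leaves both sha256 and sha3_256 as candidates, and the known plaintext is what decides between them.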



September 29th, 2007 at 1:26 pm
very cool idea, rsnake! thanks for making it publicly available. fyi - the output hash matching is case-sensitive
September 29th, 2007 at 1:36 pm
Interesting idea, this could be expanded a lot more. How about adding simple decryption schemes (so if a hash is, let’s say, hex encrypted you still can match it) and you should add (even) more hashing algorithms.
Does the 0.2 indicate this tool will get some updates in the future?
September 29th, 2007 at 1:57 pm
*Read the post, saw the “we are perhaps going to add more stuff in the future” part, so ignore my question.
September 29th, 2007 at 2:10 pm
Yeah cool tool RSnake!
September 29th, 2007 at 2:59 pm
@thornmaker - good point, that’ll need to be fixed, thanks!
@spyware - yup, you’re exactly right, we’ve added quite a few hex versions, and one commonly used hmac version, but that’ll need to be expanded with a bigger library of hash variants. What I’m really worried about is the salts. Right now it’s super fast, but if I had even a two digit salt (pretty common and it’s 64 possibilities per byte) that’s 4096 x all the hashes. So if it’s only one second to run now, it would be around an hour to run the same query. Ouch!
September 29th, 2007 at 4:23 pm
@RSnake who said:
“If you have the password and the hash, you can input it into hashmaster and get the algorithm used, which can help build a strategy for cracking the entire password file…”
How is that? Sorry, but if you already have the plaintext that was hashed, why should you use it? Which password file are you referring to? Since it’s just a hash sum of the plaintext.
September 29th, 2007 at 5:49 pm
@Ronald - sorry if I wasn’t clear. Often times you’ll get a database dump, but won’t get the code that was used to generate the database entries. So you’ll end up with a bunch of hashes, but you won’t know what algo was used to build it. You may, however, know one or more passwords (that you either created or somehow got from other means). Taking the password and applying it to the hash now gives you the algo by iterating over all the algos I have on the list. Make sense?
September 29th, 2007 at 6:46 pm
nice one rsnake!
although if you don’t know the algorithm
it is harder to get the first password.
although if its from a site’s database you
could create an account with a password
you knew and use the hash from that + password.
September 29th, 2007 at 7:00 pm
@fazed - Correct, if you don’t know anything about the hashes ahead of time it’s definitely harder. Although I guess you could take some guesses if you felt like you had a decent chance of getting it right.
Btw, id also pointed out that it only works with numbers and letters. I’ll expand it to work with symbols and special chars in a future rev.
September 29th, 2007 at 8:18 pm
Just one word: Jacksum
September 29th, 2007 at 8:54 pm
Nice work Rsnake. I blogged about it and it definitely helps make my work much easier.
September 30th, 2007 at 12:49 am
Ah ok, yes. Could come in good use I guess.
September 30th, 2007 at 9:34 pm
Again a good shot with doubt. At the same time if we follow simplicity in implementation and complexity at algorithm level with strong hashes will serve good too.
But overall it’s good stuff.
Cheers
October 1st, 2007 at 1:31 am
serversniff.net offers this since years - try “crypto, hash-strings and checksum-strings”.
tom
October 1st, 2007 at 2:31 am
Just a few ideas for future versions:
1) Allow the user to insert only the pass hash, and check the hash algos that may have been used to produce it: the output of a hash function is constant, and using it (and maybe some other things) you can say for sure what the hash isn’t
2) If only the plaintext is inserted, show all the hashes that can be generated with the implemented hash functions
October 1st, 2007 at 8:22 am
i tried this one:
****@neo:~$ echo test | md5sum -
d8e8fca2dc0f896fd7cb4cb0031ba249 -
and it did not work,
October 1st, 2007 at 10:05 am
what about salting?
October 1st, 2007 at 11:31 am
I think it’s also possible to determine the hashing algorithm -without- having the plain-text, or at least decrease the amount of possibilities.
October 1st, 2007 at 2:01 pm
And serversniff is using “Jacksum” as I said.
Nice GPL Java lib. Could be used for an offline tool for cases where you don’t have access to the Internet for some reason.
October 2nd, 2007 at 5:45 am
@Spyware
Yes it is, you could first check the size of the string, to rule out a few. Small triage, to be faster.
October 2nd, 2007 at 1:05 pm
@Johannes
$ md5 -s test
MD5 ("test") = 098f6bcd4621d373cade4e832627b4f6
$ md5
test
d8e8fca2dc0f896fd7cb4cb0031ba249
Depends on how it is called, looks like you’re seeing the EOL char.
October 2nd, 2007 at 1:07 pm
@Johannes - Yah when you use echo without the -n tag you are adding a newline. See the following:
$ echo test |md5
d8e8fca2dc0f896fd7cb4cb0031ba249
$ echo -n test |md5
098f6bcd4621d373cade4e832627b4f6
$ md5 -s "test"
MD5 ("test") = 098f6bcd4621d373cade4e832627b4f6
October 3rd, 2007 at 4:52 am
i used it on a web application today and it works..
October 3rd, 2007 at 6:00 am
A very simple tool that anyone could have coded… but it’s definitely a welcome. Would be looking forward to the upcoming versions for the “RSnake touch”
October 3rd, 2007 at 8:03 am
You aren’t kidding, Bipin - the whole thing from start to finish probably took me an hour (and that includes the time it took me waiting for id to install the hashing modules). Stupidly simple, but also useful.