Is it possible to detect hash function of a hash if I don't have access to PHP code? I know that if a hash is some kind of MD5, but I don't know if there is salt etc.
Asked
Active
Viewed 8,615 times
2
-
1Normally if a password is salted, the unique salt is stored alongside the password. Where is your "hash" from? – JonnyWizz Nov 13 '15 at 13:29
-
@StackzOfZtuff After answering I saw your comment. I think you are right, this is a duplicate – Joe Nov 13 '15 at 13:42
1 Answers
3
Some tools make a educated guess regarding the encryption and salt type but there are numerous types of encryption schemes, some so closely related that the hashes nearly looks the same.
Take for example the following hash (altered to protect the google dork): 0000000B84FF762C88DG6E16F324269EFCA186FA
If I ask a classic such as John the Ripper to crack it without specifying what type, I get the following response: Warning: detected hash type "raw-sha1", but the string is also recognized as "raw-sha1-linkedin" Warning: detected hash type "raw-sha1", but the string is also recognized as "raw-sha" Warning: detected hash type "raw-sha1", but the string is also recognized as "raw-sha1-ng"
Thus, John will run and try to crack the password as "raw-sha1" but it could be wrong.
If I input the same hash into hashcat-plus, it complains about the hash length and ask that I specify a hash type. All well and good I suggest SHA1 but there are also numerous permutations available that could mean a endless amount of time wasted if you choose wrong. E.g. Hashcat gives the following options for SHA1
100 = SHA1 110 = sha1($pass.$salt) 120 = sha1($salt.$pass) 130 = sha1(unicode($pass).$salt) 140 = sha1($salt.unicode($pass))
Searched around and found some interesting tools to find the encryption type and they can be broken down into two categories namely with source / binary available and without any source binary.
Finding the encryption type through reverse engineering can be achieved via tools such as:
http://www.autistici.org/ratsoul/iss.html - A plugin for immunity debugger that identifies common encryption or encoding functions / structures etc.
http://aluigi.altervista.org/mytoolz.htm#signsrch - is the binary version of the immunity plugin version
http://www.hexblog.com/?p=27 - a plugin for OllyDbg to determine the type of encryption
https://www.hex-rays.com/products/ida/tech/flirt/index.shtml - a plugin for IDA Pro to determine standard called libraries, could be used to identify encryption libraries
Then there is the "educated" guess script:
http://code.google.com/p/hash-identifier/ is a script that compares various attributes such as length, contained char types etc to produce a possible hash type used. Seems to be included in Backtrack5 standard.
And the websites that allow for manual verification such as:
http://www.insidepro.com/hashes.php - Allows you to enter a password and compare the hash to your example hash
http://forum.insidepro.com/viewtopic.php?t=8225 - Lists various encrypted hashes to allow for a manual comparison
So basically it seems that without prior knowledge of the hash used, with no source / binary available to reverse engineer, you are basically left with serious guess work. And to add a little pressure, choose carefully since choosing the wrong hash can lead to a LOT of wasted time!
Joe
- 1,214
- 1
- 11
- 16