1

I have a list of Hashes that are supposed to be hashes of file content (Just the raw text). But i can't seem to get a handle on what Hash function have been used (So i can hash new files in the same manner)

Can anyone see what kind of Hash function was used to give this type of output?

I was told it was MD5, but since there are characters above "f" it dosen't seem right :(

I have tried Hash-identifier, and it gives me some crap and says the most likely is MD5, but not anything else i can use :(

Examples:

399wm0836ohh4w1rhhu880ery7533qt9
054wi5753pdq8j4ikuc800fbd9917te3
783bg3857sdv6o7rbgv383ydg5159mr7
881hm9898azy6k9eyjl602edq9373mt6
277vv2602zei3b2fgbq098izh5954uk1
495zp7659gff7m6xevc551ebj7027km1
302ab9756zig4x5lorf666cfi1209zr2
615yx8433lbr6u4cnog918cxw3328ci1
688dm0114itx6h7arsl288cvm9010ab5
299av6225crl9b2gzdz012mwh9215ss8
028is8768jjf3l6fycw522hvy8335zx5
542nx6379gop9m1vakb347jzf6856fp8
641mm0568kyu1c5gush276hmu5211qj3
826tz9640anp5t1ypgw400jky9225qi3
034kt9219sco5p4edlx236yjd5705hw4
547na4684ydn4p9vgpv932bkb0885nl9
796bi2395xpw2n7astz424luz3447zl8
103cy4052eui0b9smfn559vko1491nf5
143lc7194uzr5m2bhak689gkh8014pn3
430ql5954had6b8zshy462ebe5053pi0
790oq8749vbd7b9ehjv270anl0042nj5
978ag0263fey5n4huek629cau6306vk5
274se7644kzj9t2hbkv732zqy8916ny5
815fu8458ffh5i3dazo827hdu6947el9
635br1898hyd2y9nrkc428lmz8603xb3
290tz7402sns9z6fgmw527mnc7080wk6
412wr3674ugc9n7ypvb691zak1483ll9
575fu8116ugp2u0jqkr686oft6104rk8
999mg2503xma5q8xzun846fvo8838wj2
792zc2774ayp4i0xidh175goa5240eo9
M. Grue
  • 113
  • 5
  • Is this a public website? – cutrightjm Aug 15 '17 at 14:55
  • 2
    "I was told it was MD5, but since there are characters above "f" it dosen't seem right" That's assuming the result of the hash function is represented as a hexadecimal number. There are orther representations, like base64. – S.L. Barth Aug 15 '17 at 15:01
  • 2
    @S.L.Barth True, but since each hash is 32 characters, assuming it's base64 that's 192 bits, MD5 is only 128 bits. – AndrolGenhald Aug 15 '17 at 15:09

1 Answers1

3

Those are DNSSEC NSEC3 hashes.

The possible duplicate that @S.L.Barth suggested includes an answer which references a tool called hashID. Running that tool on your hashes indicates it's DNSSEC NSEC3:

$ hashid 399wm0836ohh4w1rhhu880ery7533qt9
Analyzing '399wm0836ohh4w1rhhu880ery7533qt9'
[+] DNSSEC(NSEC3)
$ hashid 054wi5753pdq8j4ikuc800fbd9917te3
Analyzing '054wi5753pdq8j4ikuc800fbd9917te3'
[+] DNSSEC(NSEC3)
$ hashid 783bg3857sdv6o7rbgv383ydg5159mr7
Analyzing '783bg3857sdv6o7rbgv383ydg5159mr7'
[+] DNSSEC(NSEC3)
$

DNSSEC NSEC3 records are documented in RFC 5155. Appendix A of RFC 5155 includes examples that are homomorphic to yours:

   ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
   ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
   ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
   ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
   ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • 1
    The hashes include characters 0-9 a-z, which would be base36, so I'm thinking this is a false positive. RFC 5155 references RFC 4648, which has base32 and base32hex encodings, base32 excludes 0189, base32hex excludes wxyz. – AndrolGenhald Aug 15 '17 at 15:21
  • @AndrolGenhald that's a good point, but I'm still trying to prove or disprove... My quick read of 5155 is that the base32 encoding references are for constituents of the eventual record, and not the record itself. Continuing to dig (ha), DNSSEC is a maze twisty RFCs, all ticking me off. – gowenfawr Aug 15 '17 at 15:33