3

I need to authenticate against another programs user credentials to allow access to a second tie-in system. I am having trouble figuring out what hashing algorithm is being used by the first program in order to create a connection to it. I have the following hashes from throwing around test passwords.

HASH                           | PLAIN TEXT
F3d2427323a202034686f736973616 | password
F2c2737616d6f7270686f736973616 | abc

I do know that the passwords are not case sensative, which likely means that the first program is converting the plain text to all upper or all lower case.

Can anyone identify these hashes?

WhoaItsAFactorial
  • 133
  • 4

2 Answers2

12

This is not one of the standard cryptographic hash functions. There is also some sort of encoding which includes things other than the hash, because both strings end with the same sequence '686f736973616'.

In fact it looks to partially be the direct encoding of ASCII strings, possibly truncated. Ignoring the leading 'F' and the final '6' (are you sure the values are not truncated when you display them ?), your examples map to =$'2: 4hosisa and ,'7amorphosisa respectively, which look suspiciously non-random to me.

Looking at it more closely, I notice that this so-called "hash" is just a byte-wise XOR. Namely, it seems to go thus:

  • Convert the password to lowercase.
  • Pad the password to 14 characters by appending spaces.
  • XOR the encoding of the password with the encoding of: metamorphosisa
  • XOR each resulting byte with 0x20 (the ASCII encoding of a space).
  • Convert the result into hexadecimal.
  • Put a 'F' at the beginning and a '6' at the end.

I.e. not a hash at all, rather one of the weakest forms of homemade encryption.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • At least it isn't just Rot13... not that it's a whole lot better, but I still think the Rot13 that I saw in production code once was the worst home grown system I've seen. – AJ Henderson Feb 07 '13 at 17:27
  • So, this is now 5 years later. But you absolutely nailed this. Fun fact, not only is this terrible homemade encryption, it is what "encrypts" the passwords of a major Electronic Medical Record System. At least there isn't sensitive information behind these passwords, or the ability to order prescriptions as a doctor, or anything like that. – WhoaItsAFactorial Mar 08 '18 at 01:09
1

Knowing Hash Algorithm from Hashed String one of the answers to this question has a tool, called Hash Identifier that you could try to use and identify the hash. hope fully this helps.Sorry don't have enough rep to just add a comment.

Community
  • 1
dudebrobro
  • 673
  • 3
  • 7