Is there a way to find what type of encryption/encoding is being used? For example, I am testing a web application which stores the password in the database in an encrypted format. "azOwKPoUYP4=" is the encrypted string of "admin". How do I determine what hashing or encryption is being used?
By finding the block length and pattern there is a possibility to find which encryption is used. – user3315780 Nov 21 '14 at 11:45
2 Answers
The general answer is: do some reverse-engineering on the application. This notion of "reverse-engineering" is rather large; it includes:
- Reading the documentation (if any) or other design notes accompanying the application.
- Talking with the developers who built that application (it is amazing what people will say after two or three pints).
- Going through the source code, if available. From an attacker's point of view, source code can often be obtained by going through the dumpsters outside of the developer's offices, to look for discarded hard disks or backup tapes.
- Making test cases yourself: register on the application with a password that you know, and see what it becomes in the database. In particular, test whether changing your password several times and getting back to the first one brings you back to the same stored value, or another one. Also, test if two distinct users with the same password have the same stored value.
- Disassembling the application binaries. This is especially simple with Java bytecode and .NET assemblies (for the latter, I have used ILSpy with success).
Without such reverse-engineering, you are back to guessing, a method whose efficiency is questionable. In your case, the sample you show looks like the Base64 encoding of a binary value of length 8 bytes (6b 33 b0 28 fa 14 60 fe, specifically). This suggests an algorithm that produces 64 bits, maybe a variant of the traditional DES-based hashing but without the salt.
Be mindful that a password can be encrypted, but, much more often, it is hashed; sometimes, it is MACed. These are very distinct notions and you will find a lot of documentation that is very confusing and confused on this subject. So, as a reading guide:
- Encryption: using a key, transform some input data into another format that is unreadable to anybody except those who know the key; with the key, the transformation can be reversed (this is called "decryption"), yielding back the original value.
- Hashing: mash and mix the input data into a fixed-length output. There is no key; the function is deterministic and public, and everybody can apply it. Hashing is not reversible; if the hash function is good, then the only method to find the original input (or at least a matching input) is luck (you try inputs until you find the right one).
- MAC: somewhat equivalent to a "hashing with key". You need the key to compute it; but even with the key, it is not reversible. A MAC is to be verified, not "decrypted".
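The test-case procedure and the Base64 length check from the answer above can be scripted. This is an added example, not part of the original answer: the function names are hypothetical, every observation except the question's "azOwKPoUYP4=" is constructed, and the size table gives hints only.

```python
import base64
from collections import defaultdict

# Common output sizes in bytes; a match is a hint, never proof of the algorithm.
SIZE_HINTS = {8: "64 bits: DES block or DES-based hash",
              16: "128 bits: MD5 digest or one AES block",
              20: "160 bits: SHA-1 digest",
              32: "256 bits: SHA-256 digest"}

def describe(stored):
    """Decode a Base64 stored value; return (hex bytes, length, size hint)."""
    raw = base64.b64decode(stored, validate=True)
    return raw.hex(" "), len(raw), SIZE_HINTS.get(len(raw), "no common size")

def classify(observations):
    """observations: (user, password, stored) tuples from your own test accounts."""
    per_account = defaultdict(set)   # (user, password) -> stored values seen
    per_password = defaultdict(set)  # password -> stored values over all users
    users = defaultdict(set)         # password -> users it was tested with
    for user, password, stored in observations:
        per_account[(user, password)].add(stored)
        per_password[password].add(stored)
        users[password].add(user)
    # Changing the password and coming back gave a new value.
    if any(len(v) > 1 for v in per_account.values()):
        return "randomized: random salt or IV per stored value"
    shared = [p for p, u in users.items() if len(u) > 1]
    if not shared:
        return "inconclusive: no password tested on two accounts"
    if all(len(per_password[p]) == 1 for p in shared):
        return "deterministic, unsalted: same password, same value for all users"
    return "per-user input: stable per user, differs between users"

# Constructed observations, except the first value, which is from the question.
OBSERVATIONS = [
    ("admin", "admin", "azOwKPoUYP4="),
    ("tester", "admin", "azOwKPoUYP4="),          # second account, same password
    ("tester", "Other-pass-1", "3q2+7wECAwQ="),   # after a password change
    ("tester", "admin", "azOwKPoUYP4="),          # changed back to the first one
]

if __name__ == "__main__":
    print(describe(OBSERVATIONS[0][2]))
    print(classify(OBSERVATIONS))
```
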
Tools to see it:
- PEiD with the Krypto Analyzer (KANAL) plugin
- Keygener Assistant
- IDA Pro with the Findcrypt
- OllyDbg with the SnD Crypto
- x3chun's Crypto Searcher
- Hash & Crypto Detector (HCD)
- Draft Crypto Analyzer (DRACA)
To know how to run linux tools learn bfcrypt - Crypto scanner
3-1 This does not answer the question. None of these tools will tell you what algorithm was used to encrypt a given binary blob. – RoraΖ Nov 21 '14 at 12:12