EH-Net

Ethical Hacking Discussions and Related Certifications => Other => Topic started by: Seen on August 04, 2012, 12:29:45 AM



Title: Hash Help
Post by: Seen on August 04, 2012, 12:29:45 AM
Can anyone help me with this hash?  I was trying to check the strength of the hashing algorithm my friend uses on his site, and it must be amazing because JTR can't crack it ;)

This hash is supposed to be "password"

04c2bb68c40e147048aeaf319ff00c3a609bd50f

And here is the salt:

d5f58c19ade4233e3eb2478c489ebd171992f514

JTR recognizes it as raw-sha, but I went through all the formats and it couldn't crack it.

Can anyone else crack this?  Am I doing something wrong?

Thanks


Title: Re: Hash Help
Post by: unicityd on August 04, 2012, 01:03:54 AM
It's not raw SHA.  It could be some form of salted SHA, but I tried hashing it a few different ways (salt in front, salt in back, etc.) and it didn't match up for me.

The solution is to either get the code or to spend some time exhausting the possibilities. 


Title: Re: Hash Help
Post by: Seen on August 04, 2012, 05:06:49 PM
Thanks, as long as you and I can't crack it easily, I'm going to tell him it's secure  :)  For now anyway.


Title: Re: Hash Help
Post by: unicityd on August 04, 2012, 06:09:43 PM
I wouldn't say it's secure; it's just obscure.  I only spent about 5 or 10 minutes on it.  Someone who is willing to put in more time may figure it out.  And if someone gets hold of the source code, they won't have to figure it out.

Your friend should just use scrypt, bcrypt, or PBKDF2 and not try to roll his own crypto implementation.
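
For contrast with the home-grown layouts the thread is guessing at, here is what that advice looks like in practice. This is an added example, not code from the thread or from the friend's site: Python's hashlib.pbkdf2_hmac with a random per-user salt, the iteration count stored alongside the hash so it can be raised later without locking anyone out, and a constant-time comparison on verify. The record format, the 600,000-iteration default and the helper names are this example's own choices, not a standard.

```python
"""Password storage with PBKDF2-HMAC-SHA256 instead of a hand-rolled salted SHA-1.
Added example; format, names and iteration default are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # example default; tune so one hash costs ~100 ms on your servers
SALT_BYTES = 16
DK_LEN = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.
    A fresh random salt per user means equal passwords get different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return f"{ALGO}${iterations}${salt.hex()}${_derive(password, salt, iterations).hex()}"


def parse_record(stored: str):
    """Split a record into (iterations, salt, digest); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        iterations = int(parts[1])
        salt, digest = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations < 1 or not salt or len(digest) != DK_LEN:
        return None
    return iterations, salt, digest


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant
    time so a wrong guess cannot be told apart by where the first differing byte is."""
    rec = parse_record(stored)
    if rec is None:
        return False
    iterations, salt, digest = rec
    return hmac.compare_digest(_derive(password, salt, iterations), digest)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record is malformed or uses fewer rounds than current policy;
    call after a successful login and re-store the result of hash_password()."""
    rec = parse_record(stored)
    return rec is None or rec[0] < iterations


if __name__ == "__main__":
    record = hash_password("password")
    print(record)
    print(verify_password("password", record), verify_password("Password", record))
```

The point of storing the iteration count in the record is that the cost can be raised later: verify with whatever the record says, then rehash at the current policy on the next successful login. bcrypt and scrypt libraries do the same bookkeeping for you and are the better choice where they are available.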



Title: Re: Hash Help
Post by: ajohnson on August 04, 2012, 06:10:31 PM
Why don't you just ask him what he's using? Is this supposed to be a custom algorithm? You shouldn't assume something's secure just because it's not recognized by a tool.

The plaintext with the salt doesn't match the output of any of these algorithms: http://www.insidepro.com/hashes.php/ He could be performing multiple passes and/or using multiple algorithms though.
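
The trial-and-error unicityd describes above (salt in front, salt in back) and the multiple-pass possibility ajohnson raises here can be scripted instead of done by hand. The following Python is an added example, not code from the thread or from insidepro.com: it takes the digest and salt exactly as posted, the known plaintext "password", and walks a table of common home-grown salted-SHA-1 layouts plus repeated rounds, reporting the first recipe that reproduces the digest. The recipe labels, the hex-chaining assumption (hash output concatenated as ASCII hex, the way PHP's sha1() returns it) and the 1000-round cap are this example's own choices; a "no match" result only says the site does something not in the table.

```python
"""Recover the hashing recipe, not the password: given a leaked digest, its salt
and a known plaintext, try common salted-SHA-1 layouts and report the first one
that reproduces the digest.  Added example; recipe names are its own labels."""
import hashlib

# Digest and salt as posted in the thread; both are 40 hex chars (SHA-1 sized).
POSTED_HASH = "04c2bb68c40e147048aeaf319ff00c3a609bd50f"
POSTED_SALT = "d5f58c19ade4233e3eb2478c489ebd171992f514"


def sha1(data: bytes) -> str:
    """Lower-case hex digest, the form PHP's sha1() returns and that web code
    usually concatenates as ASCII when it chains hashes."""
    return hashlib.sha1(data).hexdigest()


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def layouts(password: str, salt: str):
    """Yield (recipe, digest) for single-pass salt/password combinations."""
    p, s = password.encode(), salt.encode()
    hp, hs, mp = sha1(p).encode(), sha1(s).encode(), md5(p).encode()
    yield "sha1(pw)", sha1(p)
    yield "sha1(salt+pw)", sha1(s + p)
    yield "sha1(pw+salt)", sha1(p + s)
    yield "sha1(sha1(pw))", sha1(hp)
    yield "sha1(salt+sha1(pw))", sha1(s + hp)
    yield "sha1(sha1(pw)+salt)", sha1(hp + s)
    yield "sha1(sha1(salt)+pw)", sha1(hs + p)
    yield "sha1(pw+sha1(salt))", sha1(p + hs)
    yield "sha1(sha1(salt)+sha1(pw))", sha1(hs + hp)
    yield "sha1(md5(pw))", sha1(mp)
    yield "sha1(salt+md5(pw))", sha1(s + mp)
    yield "sha1(md5(pw)+salt)", sha1(mp + s)
    # Some code decodes a hex salt to raw bytes before concatenating it.
    try:
        raw = bytes.fromhex(salt)
    except ValueError:
        return
    yield "sha1(rawsalt+pw)", sha1(raw + p)
    yield "sha1(pw+rawsalt)", sha1(p + raw)


def iterated(password: str, salt: str, max_rounds: int):
    """Yield (recipe, digest) for n-fold re-hashing of the hex output, with and
    without the salt prepended on every round (two common stretching loops)."""
    p, s = password.encode(), salt.encode()
    plain = sha1(p)          # round 1 of the unsalted loop
    salted = sha1(s + p)     # round 1 of the salted loop
    for n in range(2, max_rounds + 1):
        plain = sha1(plain.encode())
        salted = sha1(s + salted.encode())
        yield f"sha1^{n}(pw)", plain
        yield f"sha1(salt+h) x{n}", salted


def identify(target: str, password: str, salt: str, max_rounds: int = 1000):
    """Return the label of the first recipe that reproduces `target`, or None."""
    target = target.strip().lower()
    for source in (layouts(password, salt), iterated(password, salt, max_rounds)):
        for recipe, digest in source:
            if digest == target:
                return recipe
    return None


if __name__ == "__main__":
    hit = identify(POSTED_HASH, "password", POSTED_SALT)
    print(hit or "no match in the table; read the site's code instead")
```

Extending the table is the whole game: every recipe you add costs a few hash calls per plaintext, so even several thousand layouts and round counts finish in well under a second, which is why "nobody here recognised it" is not evidence of strength.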


Title: Re: Hash Help
Post by: unicityd on August 04, 2012, 11:11:29 PM
The site you just linked is pretty awesome.


Title: Re: Hash Help
Post by: Seen on August 05, 2012, 12:29:43 PM
> Why don't you just ask him what he's using? Is this supposed to be a custom algorithm? You shouldn't assume something's secure just because it's not recognized by a tool.

He doesn't know what algorithm he's using, someone else handled making the site.  And I'm not assuming it's secure, I'm just going to finish testing the rest of the site and THEN go back to the hash.


Title: Re: Hash Help
Post by: unicityd on August 05, 2012, 01:47:11 PM
If it's his site, can't you look at the code?


Title: Re: Hash Help
Post by: ajohnson on August 06, 2012, 02:35:28 AM
> The site you just linked is pretty awesome.

Completely random Google find. I was impressed and bookmarked it as well :)

> He doesn't know what algorithm he's using, someone else handled making the site.  And I'm not assuming it's secure, I'm just going to finish testing the rest of the site and THEN go back to the hash.

I wasn't trying to be rude, so I'm sorry if I came off like that. This review you're doing just seems to have unnecessary unknowns in it. Like Unicityd said, just review the code.


Title: Re: Hash Help
Post by: Seen on August 06, 2012, 03:00:05 PM
I didn't take it as rude.  The guy who designed the site is an ass.  I found a way to bypass the login to the database a month ago, and it took him a month to fix it!  So he's not really good about getting back to my friend or me.  In his defense, he probably realizes once he gives us all this stuff, he's going to get fired!

So right now the plan is just to make a list of all the problems and things we need and hopefully get it eventually so someone else can handle the site.


Title: Re: Hash Help
Post by: unicityd on August 06, 2012, 06:02:13 PM
That's a recipe for disaster.  Does your friend have access to the site or is this guy the only admin?

There's no point in continuing to work with someone who is "an ass", does shoddy work and is unresponsive.  Get control of the site and hire someone else. 


Title: Re: Hash Help
Post by: Seen on August 07, 2012, 12:08:52 PM
> There's no point in continuing to work with someone who is "an ass", does shoddy work and is unresponsive.  Get control of the site and hire someone else.

I'm on it, that's why I'm doing this test.  Figuring out what works and what doesn't, what we can reuse and what we need to get rid of.  Once that's done, then we'll have a better understanding of what we need the new admin to be able to do.