Hash Help

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Sat Aug 04, 2012 12:29 am

Hash Help

Can anyone help me with this hash?  I was trying to check the strength of the hashing algorithm my friend uses on his site, and it must be amazing because JTR can't crack it ;)

This hash is supposed to be "password"

04c2bb68c40e147048aeaf319ff00c3a609bd50f

And here is the salt:

d5f58c19ade4233e3eb2478c489ebd171992f514

JTR recognizes it as raw-sha, but I went through all the formats and it couldn't crack it.

Can anyone else crack this?  Am I doing something wrong?

Thanks
Sec+, eCPPT

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat Aug 04, 2012 1:03 am

Re: Hash Help

It's not raw SHA.  It could be some form of salted SHA, but I tried hashing it a few different ways (salt in front, salt in back, etc.) and it didn't match up for me.

The solution is to either get the code or to spend some time exhausting the possibilities. 
BS in IT, CISSP, MS in IS Management (in progress)
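
An added example, not part of the thread and not code from any poster: one way a reviewer who already knows the plaintext can work through the common salted SHA-1 layouts mentioned above (salt in front, salt in back, a second pass, HMAC). The list of layouts and the control salt are assumptions made for this illustration; the hash and salt constants are the ones quoted in the first post.

```python
import hashlib
import hmac

# Values quoted in the first post of the thread.
POST_HASH = "04c2bb68c40e147048aeaf319ff00c3a609bd50f"
POST_SALT = "d5f58c19ade4233e3eb2478c489ebd171992f514"

# Constructed control case with a known layout, to show the search works.
DEMO_SALT = "00112233445566778899aabbccddeeff00112233"
DEMO_HASH = hashlib.sha1(b"password" + bytes.fromhex(DEMO_SALT)).hexdigest()


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def candidate_schemes(password: bytes, salt_hex: str):
    """Yield (label, hex digest) for common salted SHA-1 layouts."""
    inner = hashlib.sha1(password).hexdigest().encode()  # hex text of sha1(pw)
    # The salt may be fed in as its 40-character hex text or as 20 decoded bytes.
    for form, salt in (("hex text", salt_hex.encode()),
                       ("raw bytes", bytes.fromhex(salt_hex))):
        layouts = {
            "sha1(salt+pw)": sha1(salt + password),
            "sha1(pw+salt)": sha1(password + salt),
            "sha1(salt+pw+salt)": sha1(salt + password + salt),
            "sha1(salt+sha1(pw))": sha1(salt + inner),
            "sha1(sha1(pw)+salt)": sha1(inner + salt),
            "hmac-sha1(key=salt)": hmac.new(salt, password, hashlib.sha1).digest(),
            "hmac-sha1(key=pw)": hmac.new(password, salt, hashlib.sha1).digest(),
        }
        for label, digest in layouts.items():
            yield f"{label}, salt as {form}", digest.hex()


def identify_scheme(password: bytes, salt_hex: str, target_hex: str):
    """Return the labels of every layout whose digest equals the target."""
    target = target_hex.lower()
    return [label for label, digest in candidate_schemes(password, salt_hex)
            if digest == target]


if __name__ == "__main__":
    print("control:", identify_scheme(b"password", DEMO_SALT, DEMO_HASH))
    print("thread :", identify_scheme(b"password", POST_SALT, POST_HASH))
```

An empty result only means the layout is outside this list; the site's source code remains the authoritative answer.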

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Sat Aug 04, 2012 5:06 pm

Re: Hash Help

Thanks, as long as you and I can't crack it easily, I'm going to tell him it's secure  :)  For now anyway.
Sec+, eCPPT

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat Aug 04, 2012 6:09 pm

Re: Hash Help

I wouldn't say it's secure; it's just obscure.  I only spent about 5 or 10 minutes on it.  Someone who is willing to put in more time may figure it out.  And if someone gets a hold of the source code, they won't have to figure it out.

Your friend should just use scrypt, bcrypt, or PBKDF2 and not try to roll his own crypto implementation.
BS in IT, CISSP, MS in IS Management (in progress)
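
An added example, not part of the thread and not the site's code: what moving from a home-grown salted SHA-1 record to PBKDF2 can look like, with the stored record upgraded on the next successful login. The record format, the `legacy_sha1` layout (`sha1(salt_text + password)`), the function names and the iteration count are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware and latency budget


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def legacy_record(password: str, salt_hex: str) -> str:
    """Build a record in the assumed old layout (used here for sample data)."""
    digest = hashlib.sha1(salt_hex.encode() + password.encode()).hexdigest()
    return f"legacy_sha1${salt_hex}${digest}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant time


def verify_legacy(password: str, record: str) -> bool:
    _, salt_hex, _ = record.split("$")
    return hmac.compare_digest(legacy_record(password, salt_hex), record)


def check_login(password: str, record: str):
    """Return (ok, new_record); new_record is set when the store should be updated."""
    if record.startswith("pbkdf2_sha256$"):
        ok = verify_pbkdf2(password, record)
        stale = ok and int(record.split("$")[1]) < PBKDF2_ITERATIONS
        return ok, (hash_password(password) if stale else None)
    if record.startswith("legacy_sha1$"):
        ok = verify_legacy(password, record)
        # Only a correct password proves we hold the plaintext needed to re-hash.
        return ok, (hash_password(password) if ok else None)
    return False, None  # unknown scheme: reject rather than guess
```

Because the scheme and cost are stored in the record, the work factor can be raised later without a flag day, and knowing the algorithm gives an attacker no shortcut past the per-guess cost.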

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Aug 04, 2012 6:10 pm

Re: Hash Help

Why don't you just ask him what he's using? Is this supposed to be a custom algorithm? You shouldn't assume something's secure just because it's not recognized by a tool.

The plaintext with the salt doesn't match the output of any of these algorithms: http://www.insidepro.com/hashes.php/ He could be performing multiple passes and/or using multiple algorithms though.
The day you stop learning is the day you start becoming obsolete.

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat Aug 04, 2012 11:11 pm

Re: Hash Help

The site you just linked is pretty awesome.
BS in IT, CISSP, MS in IS Management (in progress)

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Sun Aug 05, 2012 12:29 pm

Re: Hash Help

ajohnson wrote: Why don't you just ask him what he's using? Is this supposed to be a custom algorithm? You shouldn't assume something's secure just because it's not recognized by a tool.


He doesn't know what algorithm he's using, someone else handled making the site.  And I'm not assuming it's secure, I'm just going to finish testing the rest of the site and THEN go back to the hash.
Sec+, eCPPT

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sun Aug 05, 2012 1:47 pm

Re: Hash Help

If it's his site, can't you look at the code?
BS in IT, CISSP, MS in IS Management (in progress)

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Aug 06, 2012 2:35 am

Re: Hash Help

unicityd wrote: The site you just linked is pretty awesome.


Completely random Google find. I was impressed and bookmarked it as well :)

Seen wrote: He doesn't know what algorithm he's using, someone else handled making the site.  And I'm not assuming it's secure, I'm just going to finish testing the rest of the site and THEN go back to the hash.


I wasn't trying to be rude, so I'm sorry if I came off like that. This review you're doing just seems to have unnecessary unknowns in it. Like Unicityd said, just review the code.
The day you stop learning is the day you start becoming obsolete.

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Mon Aug 06, 2012 3:00 pm

Re: Hash Help

I didn't take it as rude.  The guy who designed the site is an ass.  I found a way to bypass the login to the database a month ago, and it took him a month to fix it!  So he's not really good about getting back to my friend or me.  In his defense, he probably realizes once he gives us all this stuff, he's going to get fired!

So right now the plan is just to make a list of all the problems and things we need and hopefully get it eventually so someone else can handle the site.
Sec+, eCPPT

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Mon Aug 06, 2012 6:02 pm

Re: Hash Help

That's a recipe for disaster.  Does your friend have access to the site or is this guy the only admin?

There's no point in continuing to work with someone who is "an ass", does shoddy work and is unresponsive.  Get control of the site and hire someone else. 
BS in IT, CISSP, MS in IS Management (in progress)

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Tue Aug 07, 2012 12:08 pm

Re: Hash Help

unicityd wrote: There's no point in continuing to work with someone who is "an ass", does shoddy work and is unresponsive.  Get control of the site and hire someone else.


I'm on it, that's why I'm doing this test.  Figuring out what works and what doesn't, what we can reuse and what we need to get rid of.  Once that's done, then we'll have a better understanding of what we need the new admin to be able to do.
Sec+, eCPPT