identifying hash type
#1
I want to preface this with saying I've read the forum rules and I'm trying my best to comply with them. I'm not asking anyone to crack hashes for me, and I've no intention of posting any un-masked hashes on here.

I work as a pentester and I'm completing an audit of a third-party site for my employer. In the course of the audit my team managed to pull several password hashes from an MSSQL database using SQL injection. We're now trying to crack those hashes, but they don't fit any format I've ever seen.

The hashes are all 9-23 characters in length, alpha-numeric, mixed case, and contain hyphens and underscores. Our first guess was there was some sort of base64 encoding going on, but that doesn't fit with the hyphens and underscores.

Does anyone have any insight into mssql hashing methods, and what this might be? The hashes aren't long enough to be any of the typical mssql methods, and I can't explain the variable length.
#2
You can try to replace hyphens and underscores with + and /
#3
I doubt this will work. But Mem5 is kind of right because there are different base64 encodings floating around. Some of them are written in reverse order, some are not. Are those hashes from the MSSQL User table or from some 3rd party application storing user hashes inside a normal SQL Table? If from 3rd party, just look up the code to see how they are generated.
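Added example, not part of any post in this thread: a Python sketch of the substitution suggested in #2 (hyphen and underscore are the URL-safe Base64 alphabet of RFC 4648 section 5), which also flags lengths that cannot be unpadded Base64 and tallies the decoded byte lengths across a set of values. The function names and the sample values are constructed for illustration.

```python
import base64

ALNUM = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")

def alphabet_of(value):
    """Return 'urlsafe', 'standard', 'either', or None if value fits no Base64 alphabet."""
    chars = set(value)
    if not chars or not chars <= ALNUM | set("-_+/"):
        return None
    url, std = chars & set("-_"), chars & set("+/")
    if url and std:
        return None  # mixing both alphabets is valid in neither
    return "urlsafe" if url else "standard" if std else "either"

def decode_candidate(value):
    """Return (alphabet, raw_bytes_or_None, note) for one stored value."""
    body = value.rstrip("=")
    alphabet = alphabet_of(body)
    if alphabet is None:
        return (None, None, "not base64")
    # 4 characters carry 3 bytes; a single leftover character holds only 6 bits.
    if len(body) % 4 == 1:
        return (alphabet, None, "impossible length")
    # Map the URL-safe alphabet onto the standard one, then restore padding.
    normalized = body.replace("-", "+").replace("_", "/")
    padded = normalized + "=" * (-len(normalized) % 4)
    return (alphabet, base64.b64decode(padded), "ok")

def length_profile(values):
    """Map decoded byte length -> count, with None for values that do not decode."""
    profile = {}
    for v in values:
        raw = decode_candidate(v)[1]
        key = None if raw is None else len(raw)
        profile[key] = profile.get(key, 0) + 1
    return profile

# Constructed sample values, not taken from the thread.
SAMPLES = ["-_--", "q1w-E_r7Tz0", "AAAAAAAAA", "ab+c_d", "A" * 22]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, decode_candidate(s))
    print(length_profile(SAMPLES))
```

A fixed-size digest decodes to the same byte length for every row, so the length profile is a quick check on whether the column holds encoded digests at all.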
#4
(11-10-2015, 09:58 AM)atom Wrote: I doubt this will work. But Mem5 is kind of right because there are different base64 encodings floating around. Some of them are written in reverse order, some are not. Are those hashes from the MSSQL User table or from some 3rd party application storing user hashes inside a normal SQL Table? If from 3rd party, just look up the code to see how they are generated.


It's the third party app storing the hashes. I don't think they're going to let me get a look at the code. We've contracted the vendor to build this app for our organization, and we got their permission to test it, so it's all legit, but the vendor isn't exactly happy about getting a security assessment. They'd rather we just take their word that everything is secure and don't look too closely. We haven't let them know we were able to pull hashes yet. Cracking the hashes would make a nice little cherry on top of the audit report, but even without them we've got plenty of findings.