hashcat Forum Deprecated; Previous versions Old oclHashcat Support v
Noob Question about Hashes

Threaded Mode
Noob Question about Hashes
jimbob57566 Offline
Junior Member
**
Posts: 2
Threads: 1
Joined: Nov 2014
#1
11-16-2014, 02:35 PM
I kinda understand hashes i think, but I haven't got a clue how I'm meant to find them.
If I want to gain access to a specific website I used to have an account for, how do I know what hash to use for an attack. It seems like I'm missing something obvious because no guides seem to mention it at all, they all just assume that I have a hash to crack.

Any help is gratefully received.
Find
epixoip Offline
Legend
******
Posts: 2,936
Threads: 12
Joined: May 2012
#2
11-17-2014, 12:13 AM
Generally you need to have access to the password database to obtain hashes. This generally involves compromising a system at some level. The exception to this is e.g. network protocols (WPA, NetNTLM, Kerberos, etc.) and non-hash formats (MS Office, TrueCrypt, etc.)
Find
_NSAKEY Offline
Junior Member
**
Posts: 13
Threads: 0
Joined: Nov 2014
#3
11-25-2014, 05:11 AM
Once you've actually gotten your hands on a hash or list of hashes, HashTag.py is really good at determining the hash's algorithm. The same guy runs OnlineHashCrack but my personal experience is that HashTag.py is better.
Find
jimbob57566 Offline
Junior Member
**
Posts: 2
Threads: 1
Joined: Nov 2014
#4
11-25-2014, 06:40 PM
Interesting. I had thought that this was a system where you could point it at a login field and it was just try every password possible through aaaaa - zzzzz assuming it knew the username.
Find
epixoip Offline
Legend
******
Posts: 2,936
Threads: 12
Joined: May 2012
#5
11-25-2014, 11:45 PM
(11-25-2014, 05:11 AM)_NSAKEY Wrote: HashTag.py is really good at determining the hash's algorithm.

No, it isn't.
Find
epixoip Offline
Legend
******
Posts: 2,936
Threads: 12
Joined: May 2012
#6
11-25-2014, 11:46 PM
(11-25-2014, 06:40 PM)jimbob57566 Wrote: Interesting. I had thought that this was a system where you could point it at a login field and it was just try every password possible through aaaaa - zzzzz assuming it knew the username.

No. What you are describing is an online brute force attack. Hashcat is for offline attacks.
Find
_NSAKEY Offline
Junior Member
**
Posts: 13
Threads: 0
Joined: Nov 2014
#7
11-26-2014, 04:27 AM
(11-25-2014, 11:45 PM)epixoip Wrote:
(11-25-2014, 05:11 AM)_NSAKEY Wrote: HashTag.py is really good at determining the hash's algorithm.

No, it isn't.

Can you recommend a better solution? HashTag.py hasn't let me down yet, but I'm always open to using something better.
Find
epixoip Offline
Legend
******
Posts: 2,936
Threads: 12
Joined: May 2012
#8
11-26-2014, 07:41 AM
tools like HashTag.py are worthless at best, and at worse are very misleading and may cause you to waste a ton of time.

if the hash has an identifier, then you already know what it is and you don't need some piece of software to tell you what it is.

if the hash doesn't have an identifier, then there is no way to determine what algorithm was used unless you already know in advance what algorithm was used. you can only guess.
Find