Help needed for identifying the hash type - Printable Version +- hashcat Forum (https://hashcat.net/forum) +-- Forum: Support (https://hashcat.net/forum/forum-3.html) +--- Forum: hashcat (https://hashcat.net/forum/forum-45.html) +--- Thread: Help needed for identifying the hash type (/thread-11397.html) |
Help needed for identifying the hash type - andiaa734 - 04-25-2023 Hi there, i need a little bit help identifying the hash type: $6CJlS7VEVeK2:1:0:99999:7::: JtR says it is (descrypt, traditional crypt(3) [DES 128/128 SSE2-16] Running hashcat with -m 1500 ends up with Token length exception. Any help would be appreciated. RE: Help needed for identifying the hash type - b8vr - 04-25-2023 You need to remove everything after and including the first : as that is JtR style and not hashcat style. I'm a bit unsure of the leading $...... See mode 1500 to see how it should be formatted for hashcat: https://hashcat.net/wiki/doku.php?id=example_hashes RE: Help needed for identifying the hash type - andiaa734 - 04-25-2023 (04-25-2023, 08:59 PM)b8vr Wrote: You need to remove everything after and including the first : as that is JtR style and not hashcat style. I'm a bit unsure of the leading $...... See mode 1500 to see how it should be formatted for hashcat: Thanky you. But I'm still getting Token length exception. I have tried: $6CJlS7VEVeK2:0, 6CJlS7VEVeK2:0 6CJlS7VEVeK2: results in Token encoding exception The Hash is from a system using little endian. can this be the reason? RE: Help needed for identifying the hash type - b8vr - 04-25-2023 Removing everything after and including the first : gives $6CJlS7VEVeK2 Hashcat thinks that everything after the first : is the hash. You should've looked at the link I provided. RE: Help needed for identifying the hash type - andiaa734 - 04-25-2023 (04-25-2023, 11:54 PM)b8vr Wrote: Removing everything after and including the first : gives Oh, sorry. I misunderstood that. Okay, now i tried this but now im getting Token encoding exception? RE: Help needed for identifying the hash type - Snoopy - 04-26-2023 first of all, the starting $6 and the rest seems more to look like a typical mode 1800 -> sha512crypt $6$, SHA512 (Unix) taken from a linux shadow file (but malformed) example entry from a typical shadow file without any data Code: nobody:*:18375:0:99999:7::: as you can see the 99999:7::: part is quite obvious so in my opinion this is something taken from a shadow file and has nothing to to with DES as DES has to be of length 13 RE: Help needed for identifying the hash type - andiaa734 - 04-26-2023 (04-26-2023, 12:44 PM)Snoopy Wrote: first of all, the starting $6 and the rest seems more to look like a typical mode 1800 -> sha512crypt $6$, SHA512 (Unix) taken from a linux shadow file (but malformed) You are right. it is taken from a shadow file. After unsahdow it looks like this: root:$6CJlS7VEVeK2:0:0:root:/:/bin/sh But it doesn't makes it easier. I start to believe that the shadow file was somehow modified. RE: Help needed for identifying the hash type - Snoopy - 04-27-2023 (04-26-2023, 04:25 PM)andiaa734 Wrote:(04-26-2023, 12:44 PM)Snoopy Wrote: first of all, the starting $6 and the rest seems more to look like a typical mode 1800 -> sha512crypt $6$, SHA512 (Unix) taken from a linux shadow file (but malformed) this entry on the other hand looks like taken from a passwd file (this is where the login shells are stored) see -> /bin/sh but i also never saw an entry like that before, looks like some weird kind of malformed merge between a shadow and a passwd file, do you know what kind of linux distribution this was taken from? anyways this hash entry is way to short and you will not be able to recover a pass from that |