hashcat Forum
Trying to understand what I'm doing. SHA1. sha1($pass.$salt)

Trying to understand what I'm doing. SHA1. sha1($pass.$salt) - beachtrip - 03-27-2013

So I've been trying to use JTR to crack a text file I've created that contains the following:
Code:
iamUser:3####7C7#C318F5####40#B####C42####AC##05E######26

username:hash

Now reading the Wiki, it states:
Quote: Due to its architecture, only XXX($pass.$salt) algorithms can be implemented. Algorithms using the opposite XXX($salt.$pass) can not be implemented.

Now I'm guessing the username is the "salt" so to be able to use oclHashcat-lite I need to reverse the text file?

This is JTR output: salted SHA-1 [128/128 SSE2 intrinsics 8x]

I'm really lost so I'm trying to put things together. Sorry if this is a stupid question.

Thanks,
Beach


RE: Trying to understand what I'm doing. SHA1. sha1($pass.$salt) - epixoip - 03-27-2013

sha1(pass.salt) and sha1(salt.pass) are two different algorithms. if you need sha1(salt.pass) then you cannot use lite.

but if you have a hash in user:hash format, what leads you to believe it is a salted algorithm? are you sure the password is salted with the username? if so, are you positive the algorithm is sha1(pass.salt)?


RE: Trying to understand what I'm doing. SHA1. sha1($pass.$salt) - beachtrip - 03-27-2013

Wow! Thanks for the quick response. I'm using this tutorial:
http://www.hackmac.org/tutorials/decrypt-os-x-user-account-passwords/ on a VM of my old computer.

The tutorial says JTR should report "Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]"


RE: Trying to understand what I'm doing. SHA1. sha1($pass.$salt) - epixoip - 03-27-2013

oh, osx 10.4 hashes, ok. so in that case, you will need to do a little work to use hashcat with this algorithm.

the algorithm is sha1(salt.pass), and the salt is a four-byte hex salt prepended to the hash string.

consider the example hash A320163F1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA with a password of "test". the first eight characters are the salt, and the remaining 40 chars are the sha1 hash.

Code:
epixoip@db:~/hashcat-0.43$ printf "\xA3\x20\x16\x3Ftest" | sha1sum
1e6db42c3949f7e232888acc7db7a0a17e493dba

hashcat requires hashes to be in hash:salt format, so you just take the first eight chars and move them to the end of the hash, separating it with a colon.

1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA:A320163F

you can then use hashcat or pluscat to crack this hash using -m 120 --hex-salt. you will not be able to use litecat.

Code:
epixoip@db:~/hashcat-0.43$ echo 1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA:A320163F >test
epixoip@db:~/hashcat-0.43$ ./hashcat-cli64.bin -m 120 --hex-salt test -a 3 test
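
The conversion described in the post above, as an added example that is not part of the original thread or of hashcat: it validates the 48-character layout (8 hex salt characters followed by 40 hex SHA-1 characters), rewrites it as the hash:salt line, and checks a single known password against sha1(salt.pass). The function names and the `demo`/`demo2` sample lines are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Layout described in the post: 8 hex chars of salt, then 40 hex chars of SHA-1.
_OSX_104 = re.compile(r"^[0-9A-Fa-f]{48}$")


def split_osx104(raw):
    """Return (salt_hex, digest_hex) from a 48-char OS X 10.4 hash string."""
    raw = raw.strip()
    if not _OSX_104.match(raw):
        raise ValueError("expected 48 hex characters (8 salt + 40 SHA-1)")
    return raw[:8].upper(), raw[8:].upper()


def to_hashcat_line(raw):
    """Rewrite salt-first input as the hash:salt line used with -m 120 --hex-salt."""
    salt_hex, digest_hex = split_osx104(raw)
    return f"{digest_hex}:{salt_hex}"


def matches(raw, password):
    """Check one known password: sha1(salt_bytes + password) must equal the digest."""
    salt_hex, digest_hex = split_osx104(raw)
    salted = bytes.fromhex(salt_hex) + password.encode("utf-8")
    computed = hashlib.sha1(salted).hexdigest().upper()
    return hmac.compare_digest(computed, digest_hex)


def convert_lines(lines):
    """Convert user:hash or bare hash lines; collect malformed ones instead of guessing."""
    ok, rejected = [], []
    for line in lines:
        user, _, raw = line.strip().rpartition(":")
        try:
            ok.append((user, to_hashcat_line(raw)))
        except ValueError:
            rejected.append(line)
    return ok, rejected


if __name__ == "__main__":
    # Test vector from the post (password "test"), plus a constructed malformed line.
    sample = ["demo:A320163F1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA", "demo2:1234"]
    print(convert_lines(sample))
    print(matches(sample[0].split(":")[1], "test"))
```

Lines that are not exactly 48 hex characters, such as a masked or truncated hash, end up in the rejected list rather than being converted.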



RE: Trying to understand what I'm doing. SHA1. sha1($pass.$salt) - epixoip - 03-27-2013

actually i just realized you said you were using a vm, in that case you wouldn't be able to use litecat or pluscat anyway. you can only use hashcat.


RE: Trying to understand what I'm doing. SHA1. sha1($pass.$salt) - beachtrip - 03-27-2013

(03-27-2013, 08:15 AM)epixoip Wrote: actually i just realized you said you were using a vm, in that case you wouldn't be able to use litecat or pluscat anyway. you can only use hashcat.

Before I sold my 10.4 machine I converted it into a VM. I have my desktop running OSX and Windows. I've just installed a drive to install Ubuntu on to. That machine has 2x GTX460 and a GTX670

(03-27-2013, 08:05 AM)epixoip Wrote: oh, osx 10.4 hashes, ok. so in that case, you will need to do a little work to use hashcat with this algorithm.

the algorithm is sha1(salt.pass), and the salt is a four-byte hex salt prepended to the hash string.

consider the example hash A320163F1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA with a password of "test". the first eight characters are the salt, and the remaining 40 chars are the sha1 hash.

Code:
epixoip@db:~/hashcat-0.43$ printf "\xA3\x20\x16\x3Ftest" | sha1sum
1e6db42c3949f7e232888acc7db7a0a17e493dba

hashcat requires hashes to be in hash:salt format, so you just take the first eight chars and move them to the end of the hash, separating it with a colon.

1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA:A320163F

you can then use hashcat or pluscat to crack this hash using -m 120 --hex-salt. you will not be able to use litecat.

Code:
epixoip@db:~/hashcat-0.43$ echo 1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA:A320163F >test
epixoip@db:~/hashcat-0.43$ ./hashcat-cli64.bin -m 120 --hex-salt test -a 3 test

Wow. Thanks a lot for all the help. I'll give this a try today and report back.