+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: Old hashcat Support (https://hashcat.net/forum/forum-20.html)
+--- Thread: ASP.NET Membership Password Hash (/thread-5457.html)
ASP.NET Membership Password Hash - 39pax - 05-16-2016
I am trying to use hashcat with an .NET Membership password hash.
I have a 40 bytes long hashvalue which is sha1 and encoded in base64. Second I have a 128 bytes long salt which seem to be hex values in upper-case.
So first I convert the base64 pw hash:
echo -n "XGO********************B1nA=" | base64 --decode | xxd -ps
which gives me the 40 bytes sha1 hash:
5c******************************1b01d670
The salt is
FC7040D218A2FDEADF7BC1C341CD61D1D246BE570BD2E7D312F4C42BDE7DBEA6B34013D1B7700FAAFEAFEED96CAEF52ACAA6D38FF9FB9E392AD62C0048DC08A0
I then prepare a file with the following format:
FC7040D218A2FDEADF7BC1C341CD61D1D246BE570BD2E7D312F4C42BDE7DBEA6B34013D1B7700FAAFEAFEED96CAEF52ACAA6D38FF9FB9E392AD62C0048DC08A0:5c******************************1b01d670
When I run hashcat with the following command
hashcat -m 140 --hex-salt ./sha1 ../wordlists/rockyou.txt
I get an line length exception
If I pass shorter salts, hashcat excepts the input, so I guess the problem is with the 128byte salt. Maybe the salt is in the wrong format ?
Thanks in advance for any help
RE: ASP.NET Membership Password Hash - atom - 05-16-2016
There's just this: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#what_is_the_maximum_supported_salt_length
RE: ASP.NET Membership Password Hash - 39pax - 05-16-2016
(05-16-2016, 01:46 PM)atom Wrote: There's just this: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#what_is_the_maximum_supported_salt_length
I understand, salts for generic hash types have a limit of 31. Pity for me. I found a feature request in the forum from 2012: https://hashcat.net/forum/thread-1752.html. Is there any progress on this ?
RE: ASP.NET Membership Password Hash - atom - 05-19-2016
No, we don't try it. There are better ways to handle large salts, as described on the wiki I linked