hashcat Forum
Help identifying this hash - Printable Version


Help identifying this hash - droidman85 - 08-19-2018

AAwNPRQr6WHvftdOQER0IRhMlF00ZMGDI6B4F61u757TrRq2bl1w8ccKjYn5xplrVg==:47985d96-8a98-4a81-b4cf-b0c56da6a8ed
(AspNetUsers)
So the main hash has 68 chars, and the rest I'm not sure is the salt.
I tried the PBKDF2 algos, but all failed on the length of the hashes.

Thanks in advance


RE: Help identifying this hash - DanielG - 08-20-2018

You mention AspNetUsers, which led me to https://msdn.microsoft.com/en-us/magazine/dn818488.aspx. This mentions that next to the passwordhash a SecurityStamp GUID is stored. The part you posted after the : is a GUID and unlikely a salt.

On https://www.blinkingcaret.com/2017/11/29/asp-net-identity-passwordhash/ this base64 format is explained.

It looks like your Base64-encoded data is partly the salt and partly the PBKDF2 hash. The first byte is for the version (yours is Version 2), the next 16 bytes are the salt, and the rest is the hash (PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations).
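
The layout described in the reply above, as an added Python example that is not part of the original thread: it splits a Base64 PasswordHash value into version byte, salt and subkey, and checks a candidate password the way a verifier for this format would. The function names are hypothetical, the 0x00 marker is the first byte of the posted value, and the sample record is constructed.

```python
import base64
import hashlib
import hmac
from typing import NamedTuple

# Layout and parameters as described in the reply above (Identity "Version 2").
V2_MARKER = 0x00     # first byte of the posted value; assumed to mark Version 2
SALT_LEN = 16        # 128-bit salt
SUBKEY_LEN = 32      # 256-bit subkey
ITERATIONS = 1000    # PBKDF2 with HMAC-SHA1


class V2Hash(NamedTuple):
    version: int
    salt: bytes
    subkey: bytes


def parse_v2(password_hash: str) -> V2Hash:
    """Split a Base64 PasswordHash value into version byte, salt and subkey."""
    raw = base64.b64decode(password_hash, validate=True)
    expected = 1 + SALT_LEN + SUBKEY_LEN
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    if raw[0] != V2_MARKER:
        raise ValueError(f"unexpected format marker 0x{raw[0]:02x}")
    return V2Hash(raw[0], raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:])


def verify_v2(password_hash: str, password: str) -> bool:
    """Recompute the subkey from the stored salt and compare in constant time."""
    parsed = parse_v2(password_hash)
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                  parsed.salt, ITERATIONS, dklen=SUBKEY_LEN)
    return hmac.compare_digest(derived, parsed.subkey)


def make_v2(password: str, salt: bytes) -> str:
    """Build a record in the same layout (used here only to construct sample data)."""
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=SUBKEY_LEN)
    return base64.b64encode(bytes([V2_MARKER]) + salt + subkey).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: fixed salt and password, not taken from the thread.
    sample = make_v2("correct horse", bytes(range(16)))
    print(parse_v2(sample).salt.hex())
    print(verify_v2(sample, "correct horse"), verify_v2(sample, "wrong"))
```

A 68-character Base64 string decodes to 49 bytes, which is exactly 1 + 16 + 32, so the length check doubles as a quick test of whether a value can be in this layout at all.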


RE: Help identifying this hash - droidman85 - 08-20-2018

Thanks a lot for the help. So I converted the hash;
if I remove the spaces from the result it gives me a 98-char string that now looks a lot more like a hash.
So I got this:
c23298d9e1113e87aad9e034293c7ce11f745cd94d0f7abb383fe3f44d7d33c9:dae3aa8c6340be5c8810463d252d16ee
I removed the 00 from the start of the hash. I tried to crack it on the latest version of hashcat and all PBKDF2 versions give me an error on the separator. I see that this might be a problem with the hash length, so I added the 00:
00c23298d9e1113e87aad9e034293c7ce11f745cd94d0f7abb383fe3f44d7d33c9:dae3aa8c6340be5c8810463d252d16ee
Still the program is not picking up the hash.
Did I do something wrong?


RE: Help identifying this hash - droidman85 - 08-20-2018

I think that I need to pass them back to Base64 and add sha1:1000:hash:salt
I got it to work, at least it is doing it :D