hashcat Forum
"Removing salt" from hash - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: General Talk (https://hashcat.net/forum/forum-33.html)
+--- Thread: "Removing salt" from hash (/thread-9584.html)



"Removing salt" from hash - HCP - 10-22-2020

Hi,

Helping an acquaintance (who is not very tech savvy) try to recover a password to a .RAR file. I believe he has sought help from other online sources and has told me that someone has contacted him and said that they've successfully cracked the hash by "removing the salt" from the hash which my acquaintance extracted using rar2john.

This third party (scammer imo) is now asking for payment before handing over the supposed password.

I've tried to convince my acquaintance that removing the salt from the hash will render it useless and mean that it is impossible to crack the correct password and that this other person is a scammer talking complete nonsense.

Would appreciate someone else confirming that removing/ignoring the salt will effectively break the extracted hash making password recovery impossible. I mean, if you didn't need the salt, why bother to extract it in the first place? Right?

Thanks in advance.

Regards,
HCP


RE: "Removing salt" from hash - philsmd - 10-22-2020

yeah, I'm with you that technically it doesn't make any sense.

It's good that you are very careful and alerted.

The problem sometimes could also be a matter of not native speakers, a language/understanding problem or similar. So it's for sure important to get some proof and further explanation of what they mean by that "salt" thing etc.

I don't want to influence you at all and yeah it's probably good to stay away from any such "service" or people with that kind of unprofessional answers/demands/replies/offers etc... but on the other hand I also had experience several cases where a similar statement just meant for them that they cracked your specific hash from a huge list of uncracked hashes (so basically instead of "we cracked your hash", they said something like "the hash was removed", which doesn't technically make any sense). What I want to emphasize here is that in theory, and the best case for the algorithm to be secure, every hash has an unique salt... if you crack a hash, the "salt is removed" (and HASH too) from your list of uncracked or still-to-be-cracked hashes. So this could be an explanation for using this term... but yeah, you would never speak like this with somebody you offer a hash cracking service ! that's not professional. You would just say that you were "successful in recovery the password for your hash" (or similar).

So yeah, it's important to double-check and probably also refrain from any payment and be cautious from any (further, similar) "scam attempts" (sometimes they try to use a little different method, if they find out you are eager but not yet willing to pay !)... without trust and evidence/proof of a crack (and this is very difficult when you deal with hashes, it's difficult to do this... there are some 3rd party services, like a escrow service, but it's still flawed , because on the other hand it's also difficult to proof something without revealing the thing) ... but also to maybe consider only dealing with trusted parties / professionals (local business, services, friends you trust) next time or even MUCH better try to crack the hashes yourself (sometimes it's not that difficult, but it depends on how long/random the password is and how much you know/remember about the password).


I think there could be one thing you could do.... if we deal with RAR files, sometimes important data is encrypted: now you could ask your acquaintance/friend what he remembers about the content of the files and maybe use this to your advantage... i.e. ask the "cracker"/scammer to open the archive and send you the first sentences of the file xyz.txt or something like this (here it also depends whether the file list was encrypted too, so do not get scammed here... make sure what YOU are able to see and what YOU can not see, the "cracker"/scammer could only see MORE if s/he has the correct password, that's one possible proof).

Of course you could say, this "test" is not something that we want to do because of senitive data... but at the end, the "cracker" could see the file list and content if s/he has the RAR file.

Of course if they do not have the file, but only the hash, it's a little bit different... now they could ask you to send the full rar file and they will show you what is inside as a proof.... professional/experience crackers also manage to reveal the data also without the original file (or at least part of the decrypted data which could be enough as a hard proof, but it's more difficult, this also depends a lot on the RAR file type and options like header encryption etc)... but as you can see there could be some ways....

Anyway, it's good that you are careful and alerted here and I agree, it's difficult to find a perfect solution for this situation.

What is sure is that the removing of the salt is NOT technically possible (but could be a language problem). You need some hard evidence that the password was found for sure. that's why I do NOT recommend and do also not participate in any such "crack my hash" activity/services... we of course suggest cracking the hashes yourself (but I know there could be many reasons why not everyone can do/affort it).

I think it's important to clarify the situation first and ask them how they normally proof that they found the password and what they exactly mean by "revoving the salt" and come up with your own suggestion what they should deliver BEFORE any payment.