Trouble finding attacking hash format
Hi,
I'm analyzing the password algorithm used by an open source CMS system. I've searched the wiki and studied the help information but can't find the hash format to use.

I know the algo is SHA256 computed on plaintext+salt.

Here's the actual implementation in the source in C#:
     
Code:
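        using System;
        using System.Security.Cryptography;
        using System.Text;

        // SHA-256 over the UTF-8 password bytes followed by the raw salt bytes.
        // The digest is returned Base64-encoded, not hex-encoded.
        static string GeneratePasswordHash(string password, byte[] salt)
        {
            using (var algorithm = new SHA256Managed())
            {
                byte[] plainText = Encoding.UTF8.GetBytes(password);
                byte[] arr = new byte[plainText.Length + salt.Length];
                plainText.CopyTo(arr, 0);            // password first
                salt.CopyTo(arr, plainText.Length);  // salt appended after it
                return Convert.ToBase64String(algorithm.ComputeHash(arr));
            }
        }

        // 24 random bytes from the OS CSPRNG: binary data, not printable text.
        static byte[] GenerateHashSalt()
        {
            using (var cs = new RNGCryptoServiceProvider())
            {
                var salt = new byte[24];
                cs.GetBytes(salt);
                return salt;
            }
        }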


Usage would be:
string passwordHash = GeneratePasswordHash("1234", GenerateHashSalt());

I've created a new user in the CMS with the password "1234".

I would expect the hash mode is 1410 sha256($hash.$salt).
When I try to run hashcat using a simple wordlist, it gives me a hash encoding exception:

Code:
> hashcat64.exe -a 0 -m 1410 c:\Temp\myhashes.txt c:\Temp\dict.txt
...
Hashfile 'c:\Temp\myhashes.txt' on line 1: Hash-encoding exception
No hashes loaded

I've tried these formats but I keep getting a format exception:

$hash.$salt
hash : salt

What am I doing wrong here? 

Cheers
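
The encoding mismatch behind the error above, as an added example that is not part of the original post: the C# code returns the digest as Base64 and salts with 24 random bytes, while hashcat mode 1410 reads a hex digest and, with `--hex-salt`, a hex salt. The Python below reimplements the scheme and re-encodes a stored pair; it assumes the CMS stores the salt as Base64 (the post does not say), and the sample salt and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac


def generate_password_hash(password: str, salt: bytes) -> str:
    """Python equivalent of the posted C# GeneratePasswordHash:
    Base64(SHA-256(UTF-8 password bytes || raw salt bytes))."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest).decode("ascii")


def to_hex_line(hash_b64: str, salt_b64: str) -> str:
    """Re-encode a stored Base64 digest and Base64 salt as 'hexdigest:hexsalt'."""
    digest = base64.b64decode(hash_b64, validate=True)
    salt = base64.b64decode(salt_b64, validate=True)
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("decoded value is not a 32-byte SHA-256 digest")
    return f"{digest.hex()}:{salt.hex()}"


def verify(password: str, hash_b64: str, salt_b64: str) -> bool:
    """Check a known password against the stored pair (sanity check on the scheme)."""
    salt = base64.b64decode(salt_b64, validate=True)
    expected = generate_password_hash(password, salt)
    return hmac.compare_digest(expected, hash_b64)


# Constructed sample: a fixed 24-byte salt stands in for GenerateHashSalt()
# so the output is reproducible. Assumption: the salt is stored as Base64.
SAMPLE_SALT = bytes(range(24))
SAMPLE_SALT_B64 = base64.b64encode(SAMPLE_SALT).decode("ascii")
SAMPLE_HASH_B64 = generate_password_hash("1234", SAMPLE_SALT)

if __name__ == "__main__":
    print("stored (Base64):", SAMPLE_HASH_B64, SAMPLE_SALT_B64)
    print("hex form       :", to_hex_line(SAMPLE_HASH_B64, SAMPLE_SALT_B64))
    print("known password verifies:", verify("1234", SAMPLE_HASH_B64, SAMPLE_SALT_B64))
```
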


Messages In This Thread
Trouble finding attacking hash format - by Fuzzer - 06-09-2018, 07:16 AM