03-20-2013, 03:07 PM
Quote: I've used some hash lists from korelogic's crack me if you can contest, and I've had some minor successes.
cmiyc hashes probably aren't the best starting point, unless you're using the hashes from 2010 or 2011. maybe try your hand at some leaked hashes on pastebin, or one of the larger public leaks like linkedin or stratfor.
Quote: How do encryption engines use salts?
the first thing you have to learn is that hashing is not the same as encryption. the second thing is that it completely depends upon the algorithm. maybe pick one specific algorithm and study how it uses salts. starting simple, md5(pass.salt) appends the salt to the password before hashing it with the md5 algorithm.
Quote: How do you crack hashes when salts are used?
specify the appropriate salted algorithm, and supply your hash string in the appropriate format.
Quote: Do you need to know the salt to crack a hash?
yes. salts are not secret, they are typically part of the hash string itself. if you've lost the salts, never had the salts, or the algorithm uses a shared secret rather than a salt, you'll have to be more clever in your approach.
Quote: How do you tell what type of hash it is by looking at it?
experience. but even then, it can sometimes be impossible to tell just from looking. it helps greatly if you know the origin of the hash.
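Added example, not part of the original post: the md5(pass.salt) construction described above, with the salt stored next to the digest, seen from the side of the application that verifies a login. The `digest:salt` record layout, the function names and the sample passwords and salts are assumptions made for illustration.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")

def md5_pass_salt(password, salt):
    """md5(pass.salt): the salt is appended to the password, then hashed."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

def make_record(password, salt):
    """Store digest and salt together; the salt is not a secret."""
    return md5_pass_salt(password, salt) + ":" + salt

def parse_record(record):
    """Split 'digest:salt' on the first colon only, since a salt may contain ':'."""
    digest, sep, salt = record.partition(":")
    digest = digest.lower()
    if not sep or len(digest) != 32 or not set(digest) <= HEX:
        raise ValueError("expected <32 hex chars>:<salt>")
    return digest, salt

def verify(record, candidate):
    """Recompute md5(candidate.salt) with the stored salt and compare."""
    digest, salt = parse_record(record)
    # constant-time comparison of the two hex strings
    return hmac.compare_digest(md5_pass_salt(candidate, salt), digest)

# Constructed sample records: same password, different salts.
ALICE = make_record("hunter2", "a1b2")
BOB = make_record("hunter2", "z9:y8")

if __name__ == "__main__":
    print(ALICE)
    print(BOB)
    # Identical passwords yield unrelated digests once the salts differ,
    # and a digest cannot be checked without the salt that belongs to it.
    print(verify(ALICE, "hunter2"), verify(ALICE, "hunter3"))
    print(md5_pass_salt("hunter2", "") == parse_record(ALICE)[0])
```

MD5 appears here only because the post names it as the simple starting case.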