Posts: 6
Threads: 1
Joined: May 2021
Hi guys, I need help identifying a hash. All analyzing methods I tried they show SHA-256 but that doesn't seem to be the case. Because what is being generated by site code is different than all SHA types. Can someone please help me ID it.....
Thank you
Plain string: hellomoto
SHA-256: e47204df44254059b86dd41b5ba9eceae09be42be01ef0d649651602101c316f
Generated by site: de5eb7c3dfbd5216ccf3015d50ccbcdd97c26887bb277409ed71d9e62a6cc57d
Posts: 196
Threads: 0
Joined: Nov 2017
the site can do anything to your input before hashing it. What often happens is that an extra piece of data is prepended or appended, this is commonly referred to as "adding salt". Do you have the 'site code'? If you do then you can see what happens to the data.
Posts: 890
Threads: 15
Joined: Sep 2017
is the generated string by site everytime the same (for same input) or does the string change? if its change, this could be a hint for an automatic generated/added salt like danielg said, if it stays fixed this could mean something like fixed salt or something like double*hashing sha(sha(pw)
can you test same iput -> generated string?
Posts: 6
Threads: 1
Joined: May 2021
@DanielG what do you mean by 'site code' bro?
@Snoopy yes bro it stays fixed for same string each time...
Posts: 890
Threads: 15
Joined: Sep 2017
how did you get the strings generated by the site?
danielg means, if you have access to the site (see above how did you get the generated strings?) you should also have access to the code (php whatever) and there you should see / be able to search how the input-string is handled to compute the result
Posts: 6
Threads: 1
Joined: May 2021
05-07-2021, 12:22 PM
(This post was last modified: 05-07-2021, 12:23 PM by TheStrangler.)
@Snoopy these strings are passes being sent in login request in form of hash....
Plus I just noticed something that hash remains same as long as email is same too but if you change email it changes..
I think they are using using email too in some way maybe as a salt
Posts: 890
Threads: 15
Joined: Sep 2017
well this sounds like "yeah could be"
do you know the "software" used? is it a kind of forum or something similar? for most software like e.g. phpbb the generator for the hash is known (free software) so you know how the string is generated like
sha256($salt.$pass.$salt)
sha256(sha256($pass).$salt)
Posts: 6
Threads: 1
Joined: May 2021
Its not a forum so I dont think it is using a software...Its a site (
https://lastpass*com/)..this code maybe related to hash generation.
var hash = "";
if (res[0].getAttribute("type") == "trueapi") {
hash = SHA256(SHA256(fix_username(g_username) + res[0].getAttribute("type")));
}
if (hash.length != 64) {
send_website_event("multifactorauth", res[0].getAttribute("type"), g_username, "", res[0].getAttribute("challenge"));
counter = 0;
setTimeout(function(){checkMultifactorAuth();}, 250);
} else {
document.getElementById("eventdata5").value = SHA256(hash + res[0].getAttribute("challenge"));
document.getElementById("eventdata3").value = "done";
checkMultifactorAuth();
}
Posts: 890
Threads: 15
Joined: Sep 2017
well given this line
hash = SHA256(SHA256(fix_username(g_username) + res[0].getAttribute("type")));
it is seems to be doubled sha256 and the username (g_username) is processed by another function (fix_username) the output is then appended by the output from res[0].getAttribute("type")
Posts: 6
Threads: 1
Joined: May 2021
but problem with this code is there is no mention of password being used...so there must be something else going on that uses password too.