08-05-2022, 11:41 PM
I am trying to figure out how to audit hashes created by codimd open source software. Does anyone have any suggestions about re-formatting the password hashes for hashcat input?
Based on the code it looks like they are using NPM Scrypt.kdf
e.g. https://github.com/hackmdio/codimd/blob/...ls/user.js
For example I created a local installation of codimd and created a few user accounts with password lower case "a". The corresponding password hashes are stored in the database user table.
736372797074000e00000008000000011ebbfa9c2fd52e92f40903bc74ca18c54713990e72e789779e099f635faf42fea5e77289edfaf53a861aa55bd1db8d7f7c0cadcaf2cdc940210635115b1804554a1956c7e6616d78846c458e55800d3b
736372797074000e00000008000000018fb85c39632adb2ba7d599adccb839f37cced14770f1e6a45e7bee8a240a6d7e4c7e2033b74c8a19445553e46ed9bbfe5c446798ea47962380f5293d27ce5c6fcfb7d3b46530642845a7efd0d7837e21
Is anyone familiar with how this application salts passwords or where it stores the salt?
Does anyone have any ideas about how to wrangle this hash into a format that will be accepted as input for hashcat? I think the closest mode may be 8900.
- It seems that I will need to base64 the salt and digest. Based on the code, I believe the current format is hex. I'm not sure if I will have to convert to binary before base64 encoding or not.
- I am also unsure of where the separation is between the salt and digest. It seems like "736372797074000e0000000800000001" is a repeated prefix so maybe it is the salt?
- I'm still trying to figure out how to determine the P,n,r for 8900 format e.g. SCRYPT:1024:1:1:
Thanks in advance for any advice or suggestions on this.
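Added example (not code from the post or from CodiMD): a parser for the 96-byte blob above, assuming it is the Tarsnap scrypt header layout that the npm `scrypt` package's `kdf()` writes, which puts the salt at bytes 16..47 and the N/r/p parameters right after the `scrypt` magic. It checks the unkeyed SHA-256 checksum (no password needed) and verifies a single candidate password the way a login would; `build_header` is a hypothetical helper used only to round-trip the parser.

```python
import hashlib
import hmac
import struct

# 96-byte header written by the Tarsnap scrypt format (assumed here to be what
# the npm "scrypt" package's kdf() stores): "scrypt" | version 0 | log2(N) |
# r (u32 BE) | p (u32 BE) | 32-byte salt | SHA-256(bytes 0..47)[:16] |
# HMAC-SHA-256(key=dk[32:64], msg=bytes 0..63), dk = scrypt(pw, salt, N, r, p, 64)
HDR_LEN = 96

# First hash quoted in the forum post (password "a"), used as sample input.
FORUM_HASH = ("736372797074000e0000000800000001"
              "1ebbfa9c2fd52e92f40903bc74ca18c54713990e72e789779e099f635faf42fe"
              "a5e77289edfaf53a861aa55bd1db8d7f"
              "7c0cadcaf2cdc940210635115b1804554a1956c7e6616d78846c458e55800d3b")


def parse_header(hex_hash: str) -> dict:
    """Split a stored hex hash into scrypt parameters, salt, checksum state and tag."""
    raw = bytes.fromhex(hex_hash)
    if len(raw) != HDR_LEN or raw[:6] != b"scrypt" or raw[6] != 0:
        raise ValueError("not a version-0 scrypt header")
    log_n, r, p = struct.unpack(">BII", raw[7:16])
    checksum_ok = hashlib.sha256(raw[:48]).digest()[:16] == raw[48:64]
    return {"N": 1 << log_n, "r": r, "p": p, "salt": raw[16:48].hex(),
            "checksum_ok": checksum_ok, "hmac": raw[64:96].hex()}

def check_password(hex_hash: str, password: str) -> bool:
    """Recompute the keyed HMAC for one candidate password (what a login does)."""
    raw = bytes.fromhex(hex_hash)
    h = parse_header(hex_hash)
    if not h["checksum_ok"]:
        return False
    dk = hashlib.scrypt(password.encode(), salt=raw[16:48], n=h["N"], r=h["r"],
                        p=h["p"], dklen=64, maxmem=64 * 1024 * 1024)
    tag = hmac.new(dk[32:], raw[:64], hashlib.sha256).digest()
    return hmac.compare_digest(tag, raw[64:96])

def build_header(password: str, salt: bytes, log_n: int, r: int, p: int) -> str:
    """Hypothetical helper: produce a header in the same layout to round-trip the parser."""
    head = b"scrypt" + bytes([0, log_n]) + struct.pack(">II", r, p) + salt
    head += hashlib.sha256(head).digest()[:16]
    dk = hashlib.scrypt(password.encode(), salt=salt, n=1 << log_n, r=r, p=p,
                        dklen=64, maxmem=64 * 1024 * 1024)
    return (head + hmac.new(dk[32:], head, hashlib.sha256).digest()).hex()

if __name__ == "__main__":
    print(parse_header(FORUM_HASH))  # N=16384, r=8, p=1 plus the 32-byte salt
    print("password 'a' matches:", check_password(FORUM_HASH, "a"))
```

Note that the stored value is not the raw scrypt output: the last 32 bytes are an HMAC-SHA-256 over the header keyed with the second half of the derived key, so a plain `SCRYPT:N:r:p:salt:digest` line for mode 8900 will not verify against it without that extra step.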