Posts: 4
Threads: 1
Joined: Apr 2023
Hi there,
i need a little bit help identifying the hash type:
$6CJlS7VEVeK2:1:0:99999:7:::
JtR says it is (descrypt, traditional crypt(3) [DES 128/128 SSE2-16]
Running hashcat with -m 1500 ends up with Token length exception.
Any help would be appreciated.
Posts: 106
Threads: 1
Joined: Apr 2022
You need to remove everything after and including the first : as that is JtR style and not hashcat style. I'm a bit unsure of the leading $...... See mode 1500 to see how it should be formatted for hashcat:
https://hashcat.net/wiki/doku.php?id=example_hashes
Posts: 4
Threads: 1
Joined: Apr 2023
(04-25-2023, 08:59 PM)b8vr Wrote: You need to remove everything after and including the first : as that is JtR style and not hashcat style. I'm a bit unsure of the leading $...... See mode 1500 to see how it should be formatted for hashcat:
https://hashcat.net/wiki/doku.php?id=example_hashes
Thanky you. But I'm still getting Token length exception.
I have tried: $6CJlS7VEVeK2:0, 6CJlS7VEVeK2:0
6CJlS7VEVeK2: results in Token encoding exception
The Hash is from a system using little endian. can this be the reason?
Posts: 106
Threads: 1
Joined: Apr 2022
Removing everything after and including the first : gives
$6CJlS7VEVeK2
Hashcat thinks that everything after the first : is the hash.
You should've looked at the link I provided.
Posts: 4
Threads: 1
Joined: Apr 2023
(04-25-2023, 11:54 PM)b8vr Wrote: Removing everything after and including the first : gives
$6CJlS7VEVeK2
Hashcat thinks that everything after the first : is the hash.
You should've looked at the link I provided.
Oh, sorry. I misunderstood that. Okay, now i tried this but now im getting Token encoding exception?
Posts: 825
Threads: 15
Joined: Sep 2017
first of all, the starting $6 and the rest seems more to look like a typical mode 1800 -> sha512crypt $6$, SHA512 (Unix) taken from a linux shadow file (but malformed)
example entry from a typical shadow file without any data
Code:
nobody:*:18375:0:99999:7:::
as you can see the 99999:7::: part is quite obvious
so in my opinion this is something taken from a shadow file and has nothing to to with DES as DES has to be of length 13
Posts: 4
Threads: 1
Joined: Apr 2023
(04-26-2023, 12:44 PM)Snoopy Wrote: first of all, the starting $6 and the rest seems more to look like a typical mode 1800 -> sha512crypt $6$, SHA512 (Unix) taken from a linux shadow file (but malformed)
example entry from a typical shadow file without any data
Code:
nobody:*:18375:0:99999:7:::
as you can see the 99999:7::: part is quite obvious
so in my opinion this is something taken from a shadow file and has nothing to to with DES as DES has to be of length 13
You are right. it is taken from a shadow file. After unsahdow it looks like this:
root:$6CJlS7VEVeK2:0:0:root:/:/bin/sh
But it doesn't makes it easier. I start to believe that the shadow file was somehow modified.
Posts: 825
Threads: 15
Joined: Sep 2017
(04-26-2023, 04:25 PM)andiaa734 Wrote: (04-26-2023, 12:44 PM)Snoopy Wrote: first of all, the starting $6 and the rest seems more to look like a typical mode 1800 -> sha512crypt $6$, SHA512 (Unix) taken from a linux shadow file (but malformed)
example entry from a typical shadow file without any data
Code:
nobody:*:18375:0:99999:7:::
as you can see the 99999:7::: part is quite obvious
so in my opinion this is something taken from a shadow file and has nothing to to with DES as DES has to be of length 13
You are right. it is taken from a shadow file. After unsahdow it looks like this:
root:$6CJlS7VEVeK2:0:0:root:/:/bin/sh
But it doesn't makes it easier. I start to believe that the shadow file was somehow modified.
this entry on the other hand looks like taken from a passwd file (this is where the login shells are stored) see -> /bin/sh
but i also never saw an entry like that before, looks like some weird kind of malformed merge between a shadow and a passwd file, do you know what kind of linux distribution this was taken from?
anyways this hash entry is way to short and you will not be able to recover a pass from that
