Trying to understand what I'm doing. SHA1. sha1($pass.$salt)

[beachtrip]

So I've been trying to use JTR to crack a text file I've created that contains the follow:

Code:

iamUser:3####7C7#C318F5####40#B####C42####AC##05E######26

username:hash

Now reading the Wiki is states:

Due to its architecture, only XXX($pass.$salt) algorithms can be implemented. Algorithms using the opposite XXX($salt.$pass) can not be implemented.

Now I'm guessing the username is the "salt" so to be able to use oclHashcat-lite I need to reverse the text file?

This is JTR output: salted SHA-1 [128/128 SSE2 intrinsics 8x]

I'm really lost so I'm trying to put things together. Sorry if this is a stupid question.

Thanks,
Beach

[epixoip]

sha1(pass.salt) and sha1(salt.pass) are two different algorithms. if you need sha1(salt.pass) then you cannot use lite.

but if you have a hash in user:hash format, what leads you to believe it is a salted algorithm? are you sure the password is salted with the username? if so, are you positive the algorithm is sha1(pass.salt)?

[beachtrip]

Wow! Thanks for the quick response. I'm using this tutorial:
http://www.hackmac.org/tutorials/decrypt...passwords/ on a VM of my old computer.

The tutorial says JTR should report "Loaded 1 password hash (Mac OS X 10.4+ salted SHA1 [32/64]"

[epixoip]

oh, osx 10.4 hashes, ok. so in that case, you will need to do a little work to use hashcat with this algorithm.

the algorithm is sha1(salt.pass), and the salt is a four-byte hex salt prepended to the hash string.

consider the example hash A320163F1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA with a password of "test". the first eight characters are the salt, and the remaining 40 chars are the sha1 hash.

Code:

epixoip@db:~/hashcat-0.43$ printf "\xA3\x20\x16\x3Ftest" | sha1sum
1e6db42c3949f7e232888acc7db7a0a17e493dba

hashcat requires hashes to be in hashalt format, so you just take the first eight chars and move them to the end of the hash, separating it with a colon.

1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA:A320163F

you can then use hashcat or pluscat to crack this hash using -m 120 --hex-salt. you will not be able to use litecat.

Code:

epixoip@db:~/hashcat-0.43$ echo 1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA:A320163F >test
epixoip@db:~/hashcat-0.43$ ./hashcat-cli64.bin -m 120 --hex-salt test -a 3 test

[epixoip]

actually i just realized you said you were using a vm, in that case you wouldn't be able to use litecat or pluscat anyway. you can only use hashcat.

[beachtrip]

actually i just realized you said you were using a vm, in that case you wouldn't be able to use litecat or pluscat anyway. you can only use hashcat.

Before I sold my 10.4 machine I converted it into a VM. I have my desktop running OSX and Windows. I've just installed a drive to install Ubuntu on to. That machine has 2x GTX460 and a GTX670

oh, osx 10.4 hashes, ok. so in that case, you will need to do a little work to use hashcat with this algorithm.

the algorithm is sha1(salt.pass), and the salt is a four-byte hex salt prepended to the hash string.

consider the example hash A320163F1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA with a password of "test". the first eight characters are the salt, and the remaining 40 chars are the sha1 hash.

Code:

epixoip@db:~/hashcat-0.43$ printf "\xA3\x20\x16\x3Ftest" | sha1sum
1e6db42c3949f7e232888acc7db7a0a17e493dba

hashcat requires hashes to be in hashalt format, so you just take the first eight chars and move them to the end of the hash, separating it with a colon.

1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA:A320163F

you can then use hashcat or pluscat to crack this hash using -m 120 --hex-salt. you will not be able to use litecat.

Code:

epixoip@db:~/hashcat-0.43$ echo 1E6DB42C3949F7E232888ACC7DB7A0A17E493DBA:A320163F >test
epixoip@db:~/hashcat-0.43$ ./hashcat-cli64.bin -m 120 --hex-salt test -a 3 test

Wow. Thanks a lot for all the help. I'll give this a try today and report back.