Posts: 4
Threads: 1
Joined: Jul 2013
07-01-2013, 07:37 PM
(This post was last modified: 07-02-2013, 08:14 AM by johnreich.)
Hi, i got these hashes from an ASP classic webapp. I put the password and salt in a file like this: *********96bd14de96149dba8426761fb1be4c2:3898279071
and a dictionary with the correct password: snobben9
i tried
cudaHashcat-plus64.exe -m 120 C:\passcrack\hash.txt C:\passcrack\dict.txt
and
cudaHashcat-plus64.exe -m 110 C:\passcrack\hash.txt C:\passcrack\dict.txt
but both fails to crack the hash, am i doing something wrong?
Thanks in advance for any help
EDIT: censored hash and set correct salt.
Posts: 2,267
Threads: 16
Joined: Feb 2013
(07-01-2013, 07:37 PM)johnreich Wrote: ...am i doing something wrong?
Yes, you post hashes here, while the forum rules clearly say you should NEVER post hashes.
https://hashcat.net/forum/announcement-2.html
BTW: who says that the password is what you claim it is?
Verify it with:
echo -en "[YOURPASS][OPTIONALHEXLIKETHIS:\xaa AFTER OR B4 PASS?]" | sha1sum
Posts: 4
Threads: 1
Joined: Jul 2013
(07-01-2013, 07:48 PM)philsmd Wrote: (07-01-2013, 07:37 PM)johnreich Wrote: ...am i doing something wrong?
Yes, you post hashes here, while the forum rules clearly say you should NEVER post hashes.
https://hashcat.net/forum/announcement-2.html
BTW: who says that the password is what you claim it is?
Verify it with:
echo -en "[YOURPASS][OPTIONALHEXLIKETHIS:\xaa AFTER OR B4 PASS?]" | sha1sum
I'm sorry i should have made its clear that it's my app and it's just a test user, i just wanted to try hashcat for fun. Thats why i know it's the correct password too.
Posts: 2,267
Threads: 16
Joined: Feb 2013
07-01-2013, 08:38 PM
(This post was last modified: 07-01-2013, 08:39 PM by philsmd.)
Again, no reason to post hashes unmasked (but I see you now modified your 1st post, good).
So are you able to generate the *same* hash w/ e.g. sha1sum or an online hash generator?
If you are only able to use windows, maybe this is an option:
http://blog.nfllab.com/archives/152-Win3...-etc..html
... or a simple php/asp script.
Maybe your app does sth. different (or wrongly), maybe the salt is converted somehow? Would you mind share the code snip or at least tell us with which tool/online generator you were able to generate the *same* hash that *hashcat wasn't able to crack?
The idea is, if you know the password and salt, any online sha1 generator or sha1sum tool etc *must* generate that hash, otherwise *you* did sth. wrong in code.
Posts: 4
Threads: 1
Joined: Jul 2013
Sorry for the late reply, you are correct something is wrong. Unfortunately i didn't code the login part and i dont have access to the code since im on vacation atm, hence the playing around with hashcat. I tried to look around at how ASP classic hashes are done but it seems pretty straight up.
What could be going on, hashing is done more than one time? the salt is converted in someway? its stored as numeric.
Posts: 2,267
Threads: 16
Joined: Feb 2013
07-02-2013, 09:29 AM
(This post was last modified: 07-02-2013, 09:30 AM by philsmd.)
The algorithm could use and do literally everything.
I mean, it could iterate a random number of times (and store the number in salt), it could split the salt and prefix/suffix it, append it, suffix it, transform it first etc etc etc
If it is your app, you should be able to check what it does AND know what it does, otherwise there is sth strange happening here.
Our focus should also remain on recovering passwords and not instead blindly guess what an app could possibly do. Of course, sometimes this job also needs to be done, but *not* if it is an app/code under your control.
Furthermore, it seems that before your changes the salt wasn't *at all* numeric (instead it seemed to be (I think) 4 hex chars)... so I am totally confused what you are trying to do here, why you changed the salt format and why one should *crack the algorithm* under his control
Posts: 4
Threads: 1
Joined: Jul 2013
07-02-2013, 11:39 AM
(This post was last modified: 07-02-2013, 11:40 AM by johnreich.)
(07-02-2013, 09:29 AM)philsmd Wrote: The algorithm could use and do literally everything.
I mean, it could iterate a random number of times (and store the number in salt), it could split the salt and prefix/suffix it, append it, suffix it, transform it first etc etc etc
If it is your app, you should be able to check what it does AND know what it does, otherwise there is sth strange happening here.
Our focus should also remain on recovering passwords and not instead blindly guess what an app could possibly do. Of course, sometimes this job also needs to be done, but *not* if it is an app/code under your control.
Furthermore, it seems that before your changes the salt wasn't *at all* numeric (instead it seemed to be (I think) 4 hex chars)... so I am totally confused what you are trying to do here, why you changed the salt format and why one should *crack the algorithm* under his control
Sorry my head is in vacation mode, the first paste was from when i had tested to convert it to hex and see if that was the reason. But yes you are right it's going to be rather hard to know whats going on without the source and im just gonna wait till i get back to work where i can review the code. Thanks for the answers so far though