DCC1, DCC2?
#1
Good day to all of you,

I have (during a pentest) managed to get some dumps out of the firewall, but to my amazement, I had never seen hashes like this. 

Do you think these are realistic hashes :

first one seems normal, such as a DCC hash: (changed a few letters for sec)

PBzXaJrO7QnfB4XjNmVp8uXyJVjjG8IT

but the second one of a different user:

NrHoFGjPO%2BYpWGhvWJNKZNhPkdYtVf3O (notice the %)

Do you have any idea of what that could be?

Thank you
#2
DCC as in Domain Cached Credentials? 'Coz they certainly look nothing like either DCC or DCC2. Take a look at an example of one of each here.

They're in hex. Yours look more like base64 encoded something or other.
[url=http://hashcat.net/wiki/doku.php?id=example_hashes][/url]
#3
You have a great point! Thank you for you prompt reply. What am concerned with is the %2 in the second hash.. I know the password, I ve tried base64 and base32 decode, and then analysing the hash, its possible that it is a Haval192.. This is complex.
Thanks for the help Rico
#4
(09-15-2015, 12:33 PM)yashar26 Wrote: You have a great point! Thank you for you prompt reply. What am concerned with is the %2 in the second hash.. I know the password, I ve tried base64 and base32 decode, and then analysing the hash, its possible that it is a Haval192.. This is complex.
Thanks for the help Rico

The %2B is probably just hex for + which you might find in Base64.

Haval192? Have you ever bothered to check the format of Haval? Seems to be hex to me, same as DCC hashes are in hex format - nothing like what you've got.