nested sha1
#1
Hey guys, I have a function for generating hashes and it looks like that:

Code:
sha1($salt.sha1($str))

Is there a clever way of telling hashcat to crack such combination?

EDIT: the obvious one would be to perform sha1($str) first, but with big dictionaries it can take ages (or is there any good gpu-based software which can speed up whole process?)
Reply
#2
For instance the "Redmine Project Management Web App" uses exactly this algorithm, i.e.
sha1 ($salt . sha1 ($pass))

the algorithm is available on both hashcat and oclHashcat with attack mode -m 7600.
The format, as you can see here https://hashcat.net/wiki/doku.php?id=example_hashes , is
Code:
hash:salt
Reply
#3
Hmmm, indeed. But I wonder why oclHashcat is reporting 'Line-length exception' for every hash I try where hashcat is working quite OK with the whole set not complaining about anything? Both tools are at the recent available revisions, OS Win10 64bit with latest crimson software (radeon, r9 295x2) - not sure if that matters. Tried combinations with ascii salt and hex salt - same result. Hashcat is cracking passwords, oclhashcat is complaining about line length.

Salt is 12 characters long (hex24 character long of course), pass (hash) is 40 characters long.

EDIT: got answer on IRC from philsmd (thanks!) - hope you don't mind if I put it here.

Code:
<@philsmd> redmine uses a fixed salt length (32), oclHashcat does this additional check
           when parsing hashes (for performance reasons, only exactly 32 are allowed):
           https://github.com/hashcat/oclHashcat/blob/master/src/shared.c#L15998

So it seems that hashcat do not care about salt length when using "-m 7600" options, but oclHashcat does for performance reasons.

NeoTherm1c pointed out that there is already md5($salt.md5($str)) algo supported so perhaps sha1($salt.sha1($str)) should be requested.

I gave it a shot, and here is the request: https://github.com/hashcat/oclHashcat/issues/29
Reply