Trouble finding attacking hash format
#1
Hi,
I'm analyzing the password algorithm used by an open source CMS system. I've searched the wiki and studied the help information but can't find the hash format to use.

I know the algo is SHA256 computed on plaintext+salt.

Here's the actual implementation in the source in C#:
     
Code:
        using System;
        using System.Security.Cryptography;
        using System.Text;

        // Returns Base64(SHA256(UTF-8(password) || salt)).
        static string GeneratePasswordHash(string password, byte[] salt)
        {
            using (var algorithm = new SHA256Managed())
            {
                byte[] plainText = Encoding.UTF8.GetBytes(password);
                // Concatenate password bytes followed by the raw salt bytes.
                byte[] arr = new byte[plainText.Length + salt.Length];
                plainText.CopyTo(arr, 0);
                salt.CopyTo(arr, plainText.Length);
                return Convert.ToBase64String(algorithm.ComputeHash(arr));
            }
        }

        // Returns 24 random bytes from the system CSPRNG.
        static byte[] GenerateHashSalt()
        {
            using (var cs = new RNGCryptoServiceProvider())
            {
                var salt = new byte[24];
                cs.GetBytes(salt);
                return salt;
            }
        }


Usage would be 
string passwordHash = GeneratePasswordHash("1234", GenerateHashSalt());

I've created a new user in the CMS with the password "1234".

I would expect the hash mode is 1410 sha256($hash.$salt).
When I try to run hashcat using a simple wordlist, it gives me a hash encoding exception.

Code:
> hashcat64.exe -a 0 -m 1410 c:\Temp\myhashes.txt c:\Temp\dict.txt
...
Hashfile 'c:\Temp\myhashes.txt' on line 1: Hash-encoding exception
No hashes loaded

I've tried these formats but I keep getting a format exception:

$hash.$salt
hash : salt

What am I doing wrong here? 

Cheers
Reply
#2
If base64 encoded : base64 decode it and hex encode it (whenever hashcat expects the hexadecimal hashes)

BTW: it is not allowed to post hashes on this forum
Reply
#3
(06-09-2018, 08:03 AM)philsmd Wrote: If base64 encoded : base64 decode it and hex encode it (whenever hashcat expects the hexadecimal hashes)

BTW: it is not allowed to post hashes on this forum

Thanks. I've updated the post.

I base64 decoded the hash and the salt, hex encoded them and tried again.
Still get the same error though. "Hash-encoding exception".
Reply
#4
You can find example hashes here: https://hashcat.net/wiki/doku.php?id=example_hashes
The salt doesn't need to be hex encoded, only the hashes are hexadecimal (but you can alternatively still use the salt in hex with the --hex-salt command line parameter).

Anyway, you shouldn't see the error message (even if the salt is "wrong"). The format is
Code:
hash:salt
like you can see in the example hashes wiki page (or with the --example-hashes command line option)
(no dollar signs, no spaces etc)
Reply
#5
Thanks again. I tried the hash example on the example pages and it worked fine.
Tried renaming my hashes.txt file to example.hash and dict.txt to example.dict and suddenly it ran without exceptions.

Now the problem is the result is Exhausted, even though the password '1234' is in the dictionary.

Didn't know about the --hex-salt option. I will try use this.
Reply
#6
Success. Finally worked it out. Trick was using correct file extensions and the --hex-salt option.

Thanks again for the help philsmd 

/J
Reply
#7
hashcat doesn't care about file extensions at all.
Reply
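The conversion the thread arrives at (base64 decode, hex encode, `hash:salt`, `--hex-salt`), as an added example that is not part of any post or of the CMS. It assumes the CMS stores both the hash and the salt as base64, as post #3 implies; the function names and the sample salt are constructed for illustration. It also shows why the run in post #5 ended as Exhausted: without `--hex-salt` the hex string itself is used as the salt, so the digest never matches.

```python
import base64
import hashlib


def cms_hash(password: str, salt: bytes) -> str:
    """Mirror of GeneratePasswordHash from post #1: base64(SHA256(utf8(password) + salt))."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest).decode("ascii")


def to_hashcat_line(hash_b64: str, salt_b64: str) -> str:
    """Turn the stored base64 values into 'hexhash:hexsalt' for -m 1410 --hex-salt."""
    digest = base64.b64decode(hash_b64, validate=True)
    salt = base64.b64decode(salt_b64, validate=True)
    if len(digest) != 32:
        raise ValueError("not a SHA-256 digest: %d bytes" % len(digest))
    if not salt:
        raise ValueError("empty salt")
    # The salt is raw random bytes (it may contain ':' or newlines), so it is
    # written as hex and must be decoded by the consumer (--hex-salt).
    return digest.hex() + ":" + salt.hex()


def line_matches(line: str, candidate: str, hex_salt: bool) -> bool:
    """Recompute sha256(candidate + salt) for one 'hash:salt' line.

    hex_salt=True decodes the salt field from hex (the --hex-salt behaviour);
    hex_salt=False uses the field's characters as the salt, as happens when
    the option is left out.
    """
    hex_hash, salt_field = line.strip().split(":", 1)
    salt = bytes.fromhex(salt_field) if hex_salt else salt_field.encode("ascii")
    computed = hashlib.sha256(candidate.encode("utf-8") + salt).hexdigest()
    return computed == hex_hash.lower()


if __name__ == "__main__":
    # Constructed sample: a fixed 24-byte salt, the same length GenerateHashSalt returns.
    sample_salt = bytes(range(24))
    stored_hash = cms_hash("1234", sample_salt)
    stored_salt = base64.b64encode(sample_salt).decode("ascii")
    line = to_hashcat_line(stored_hash, stored_salt)
    print("salt decoded from hex:", line_matches(line, "1234", hex_salt=True))
    print("salt used as literal text:", line_matches(line, "1234", hex_salt=False))
```

Checking a line with `line_matches` against the known test password ("1234" in post #1) confirms the conversion before any wordlist run.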