2x32 Bytes in base64, separated by $
#1
Does anyone know what this hash format is?

0scx3GtxzTEN+TyXXXXXXXXAB7vAvxqkUh64mT/j/fM=$NXp/2HbZVpr3YwG/XXXXXXXdq8J501Avl4PFMQuyog=

It's 2x 32 Bytes encoded as base64 and separated by a $. Both halves look completely random; there is no skew towards low/high/even or a range of values.

This format is apparently used by CommerceTools. (This is a hash of the password abc.)

It's curious that both halves are the same length. I've already tried all obvious forms I could think of (all hashes which output 256 Bits, using the left or right half as a salt).
Reply
#2
Do you have the source code for this?

I guess without it it's just a (maybe impossible) guessing game. It could be anything. The software could even mix in some kind of pepper (an additional static string, for instance "CommerceTools:" etc.; it could be anything).
Reply
#3
Thanks for your answer! The reason I asked is that I did not have the source code, and upon request CommerceTools apparently does not disclose the algorithm for "security reasons".

However, I suspected it was written in Java, and just found this Stack Overflow post which uses the same format.

From there, it was just an easy search through all Java algorithms and configurations (the code is O(n²) with respect to the iteration sizes and not parallelized, let alone GPU, but that didn't matter).

Turns out, the first half is the salt, and the second half is PBKDF2 with HMAC construction, SHA1, and 4096 iterations.
Reply
#4
PBKDF2-HMAC-SHA1 is supported by hashcat (mode 12000)
Reply
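As an added example (not code from the thread, from CommerceTools or from hashcat), here is how the pieces from #1, #3 and #4 fit together in Python: a parser for the `base64(salt)$base64(dk)` layout, the PBKDF2-HMAC-SHA1 / 4096-iteration verifier, the brute-force "which algorithm and which half is the salt" search that #3 describes, and a converter to the hashcat mode 12000 line format. Assumptions not stated in the thread: the derived-key length is 32 bytes (the decoded length of the second half), the password is UTF-8 encoded before hashing, and hashcat's 12000 line layout is `sha1:<iterations>:<base64 salt>:<base64 dk>` as printed by `hashcat --example-hashes -m 12000`; confirm that against your hashcat build. The sample salt and password are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters reported in the thread: PBKDF2 with HMAC-SHA1, 4096 iterations,
# a 32-byte salt and a 32-byte derived key, each base64-encoded, joined by "$".
ITERATIONS = 4096
SALT_LEN = 32
DKLEN = 32  # assumption: decoded length of the second half


def parse(encoded: str) -> Tuple[bytes, bytes]:
    """Split "base64(salt)$base64(dk)" into raw salt and derived-key bytes."""
    salt_b64, sep, dk_b64 = encoded.partition("$")
    if sep != "$" or "$" in dk_b64:
        raise ValueError("expected exactly one '$' separator")
    salt = base64.b64decode(salt_b64, validate=True)
    dk = base64.b64decode(dk_b64, validate=True)
    if len(salt) != SALT_LEN or len(dk) != DKLEN:
        raise ValueError(f"unexpected lengths: salt={len(salt)} dk={len(dk)}")
    return salt, dk


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1, 4096 rounds, 32-byte output (two SHA-1 blocks)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, DKLEN)


def encode(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored string in the same layout; fresh random salt by default."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return (base64.b64encode(salt).decode("ascii") + "$"
            + base64.b64encode(derive(password, salt)).decode("ascii"))


def verify(password: str, encoded: str) -> bool:
    """Constant-time comparison of a recomputed derived key against the stored one."""
    salt, dk = parse(encoded)
    return hmac.compare_digest(derive(password, salt), dk)


def identify(password: str, encoded: str,
             algos=("sha1", "sha256", "sha512"),
             iters=(1000, 2048, 4096, 10000, 20000, 65536)):
    """The search from #3: given a known password, try each PRF and iteration
    count with either half as the salt; return (prf, iterations, salt_side)."""
    left, _, right = encoded.partition("$")
    left_b, right_b = base64.b64decode(left), base64.b64decode(right)
    candidates = ((left_b, right_b, "left"), (right_b, left_b, "right"))
    for algo in algos:
        for n in iters:
            for salt, target, side in candidates:
                dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, n, len(target))
                if dk == target:
                    return algo, n, side
    return None


def to_hashcat_12000(encoded: str) -> str:
    """Rewrite to the assumed hashcat -m 12000 layout: sha1:<iter>:<b64 salt>:<b64 dk>."""
    salt, dk = parse(encoded)
    return "sha1:%d:%s:%s" % (ITERATIONS,
                              base64.b64encode(salt).decode("ascii"),
                              base64.b64encode(dk).decode("ascii"))


if __name__ == "__main__":
    # Constructed sample: fixed salt so the output is reproducible across runs.
    demo_salt = bytes(range(32))
    stored = encode("abc", demo_salt)
    print("stored      :", stored)
    print("verify abc  :", verify("abc", stored))
    print("verify abd  :", verify("abd", stored))
    print("identified  :", identify("abc", stored))
    print("hashcat line:", to_hashcat_12000(stored))
```

Because SHA-1 yields 20 bytes and the derived key is 32 bytes, each guess costs two PBKDF2 blocks (2 × 4096 HMAC-SHA1 calls); `identify` also tries the "right half is the salt" layout so it would have settled the question in #1 directly. Write the `to_hashcat_12000` line to a file and run it with `hashcat -m 12000` against your wordlist.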
#5
Cool, nice way you found that out, too.
Reply