Sha1 with salt help
#1
I need assistance with putting my salt and hash together. I was working on a Hack The Box machine and came across a hash and a salt. I have tried placing the values as hash:salt in a text file and used both -m 110 and -m 120 on the attack. I am not able to get the password. I have an idea about what the value of the hash is from hints I've read. So my question is: Am I doing something wrong with creating the target hash as hash:salt? I've looked up hashcat's example hashes and this appears to be the same as what they have for their 110 and 120 values.

Attempts I've tried:
hashcat -m 120 -a 0 hashfile.txt wordlist.txt
#2
Well, it's difficult to say. We would need to have the exact algorithm with input and output (masked hashes if really needed, but first let's discuss it in more detail... also see forum rules which do NOT allow posting hashes).

--hex-salt
could be for instance one solution if the salt is in hex instead of raw/plain.
#3
(08-04-2020, 09:44 PM)philsmd Wrote: Well, it's difficult to say. We would need to have the exact algorithm with input and output (masked hashes if really needed, but first let's discuss it in more detail... also see forum rules which do NOT allow posting hashes).

--hex-salt
could be for instance one solution if the salt is in hex instead of raw/plain.


I put the hash into hash-identifier and it returns:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

Which I believe is just sha1. The salt appears to be just plain text.
#4
We are very sceptical about identifying hashes with those tools just by doing some regular expressions.

They either provide just a too long list of possibilities or totally wrong / stupid results.

It's much more clever to understand which software generated them and have a look at the source code or documentation etc.

It doesn't make much sense to just try to guess the hashing algorithm and in most cases it's not an unknown if you know the software that generated it (and it shouldn't be a hide and seek game to obscure the details about the hashing algorithm or keep the algorithm secret, that's not how security works).
#5
(08-05-2020, 12:17 AM)philsmd Wrote: We are very sceptical about identifying hashes with those tools just by doing some regular expressions.

They either provide just a too long list of possibilities or totally wrong / stupid results.

It's much more clever to understand which software generated them and have a look at the source code or documentation etc.

It doesn't make much sense to just try to guess the hashing algorithm and in most cases it's not an unknown if you know the software that generated it (and it shouldn't be a hide and seek game to obscure the details about the hashing algorithm or keep the algorithm secret, that's not how security works).

I understand that. I will use that approach from now on. I will do some digging and get back to you.
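Added example, not part of any post in this thread: when one input/output pair is known (as post #2 asks for), a few lines of Python show which construction the generating software used before any hashcat mode is chosen. It checks the modes named in the thread (110, 120, and the unsalted SHA-1 / MySQL5 forms hash-identifier reported as 100 and 300) with the salt taken both as typed and hex-decoded (the --hex-salt case). The function names and the sample password, salt and digest are constructed for illustration.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def salt_encodings(salt_text: str):
    """Yield (label, bytes): the salt as typed, and hex-decoded when it parses as hex."""
    yield "raw salt", salt_text.encode()
    try:
        yield "hex-decoded salt (--hex-salt)", bytes.fromhex(salt_text)
    except ValueError:
        pass  # not valid hex, so only the raw interpretation applies

def matching_layouts(target_hex: str, password: str, salt_text: str) -> list:
    """Return every layout whose SHA-1 of the known password equals the target digest."""
    # Normalise: stray whitespace, upper-case hex, or a MySQL-style leading '*'.
    target = target_hex.strip().lstrip("*").lower()
    pw = password.encode()
    hits = []
    if sha1_hex(pw) == target:
        hits.append("-m 100 sha1($pass), salt unused")
    if sha1_hex(hashlib.sha1(pw).digest()) == target:
        hits.append("-m 300 sha1(sha1($pass)), salt unused")
    for label, salt in salt_encodings(salt_text):
        if sha1_hex(pw + salt) == target:
            hits.append(f"-m 110 sha1($pass.$salt), {label}")
        if sha1_hex(salt + pw) == target:
            hits.append(f"-m 120 sha1($salt.$pass), {label}")
    return hits

# Constructed sample: the digest is built here as sha1(salt_bytes + password),
# with the salt stored as the hex string "6162" (the bytes b"ab").
SAMPLE_PASSWORD = "example-password"
SAMPLE_SALT = "6162"
SAMPLE_TARGET = sha1_hex(bytes.fromhex(SAMPLE_SALT) + SAMPLE_PASSWORD.encode())

if __name__ == "__main__":
    for hit in matching_layouts(SAMPLE_TARGET.upper() + "\n", SAMPLE_PASSWORD, SAMPLE_SALT):
        print(hit)
```

An empty result means none of these constructions produced the digest, which points back to reading the generating software's source or documentation, as post #4 recommends.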