Please note, this is a STATIC archive of website hashcat.net from October 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.

hashcat Forum

Full Version: sha-1 with salt cracking issue
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hi, i got these hashes from an ASP classic webapp. I put the password and salt in a file like this: *********96bd14de96149dba8426761fb1be4c2:3898279071

and a dictionary with the correct password: snobben9

i tried
cudaHashcat-plus64.exe -m 120 C:\passcrack\hash.txt C:\passcrack\dict.txt

and
cudaHashcat-plus64.exe -m 110 C:\passcrack\hash.txt C:\passcrack\dict.txt

but both fails to crack the hash, am i doing something wrong?

Thanks in advance for any help

EDIT: censored hash and set correct salt.
(07-01-2013, 07:37 PM)johnreich Wrote: [ -> ]...am i doing something wrong?

Yes, you post hashes here, while the forum rules clearly say you should NEVER post hashes.
https://hashcat.net/forum/announcement-2.html

BTW: who says that the password is what you claim it is?
Verify it with:
echo -en "[YOURPASS][OPTIONALHEXLIKETHIS:\xaa AFTER OR B4 PASS?]" | sha1sum
(07-01-2013, 07:48 PM)philsmd Wrote: [ -> ]
(07-01-2013, 07:37 PM)johnreich Wrote: [ -> ]...am i doing something wrong?

Yes, you post hashes here, while the forum rules clearly say you should NEVER post hashes.
https://hashcat.net/forum/announcement-2.html

BTW: who says that the password is what you claim it is?
Verify it with:
echo -en "[YOURPASS][OPTIONALHEXLIKETHIS:\xaa AFTER OR B4 PASS?]" | sha1sum

I'm sorry i should have made its clear that it's my app and it's just a test user, i just wanted to try hashcat for fun. Thats why i know it's the correct password too.
Again, no reason to post hashes unmasked (but I see you now modified your 1st post, good).

So are you able to generate the *same* hash w/ e.g. sha1sum or an online hash generator?
If you are only able to use windows, maybe this is an option: https://blog.nfllab.com/archives/152-Win3...-etc..html
... or a simple php/asp script.

Maybe your app does sth. different (or wrongly), maybe the salt is converted somehow? Would you mind share the code snip or at least tell us with which tool/online generator you were able to generate the *same* hash that *hashcat wasn't able to crack?

The idea is, if you know the password and salt, any online sha1 generator or sha1sum tool etc *must* generate that hash, otherwise *you* did sth. wrong in code.
Sorry for the late reply, you are correct something is wrong. Unfortunately i didn't code the login part and i dont have access to the code since im on vacation atm, hence the playing around with hashcat. I tried to look around at how ASP classic hashes are done but it seems pretty straight up.

What could be going on, hashing is done more than one time? the salt is converted in someway? its stored as numeric.
The algorithm could use and do literally everything.
I mean, it could iterate a random number of times (and store the number in salt), it could split the salt and prefix/suffix it, append it, suffix it, transform it first etc etc etc

If it is your app, you should be able to check what it does AND know what it does, otherwise there is sth strange happening here.
Our focus should also remain on recovering passwords and not instead blindly guess what an app could possibly do. Of course, sometimes this job also needs to be done, but *not* if it is an app/code under your control.

Furthermore, it seems that before your changes the salt wasn't *at all* numeric (instead it seemed to be (I think) 4 hex chars)... so I am totally confused what you are trying to do here, why you changed the salt format and why one should *crack the algorithm* under his control
(07-02-2013, 09:29 AM)philsmd Wrote: [ -> ]The algorithm could use and do literally everything.
I mean, it could iterate a random number of times (and store the number in salt), it could split the salt and prefix/suffix it, append it, suffix it, transform it first etc etc etc

If it is your app, you should be able to check what it does AND know what it does, otherwise there is sth strange happening here.
Our focus should also remain on recovering passwords and not instead blindly guess what an app could possibly do. Of course, sometimes this job also needs to be done, but *not* if it is an app/code under your control.

Furthermore, it seems that before your changes the salt wasn't *at all* numeric (instead it seemed to be (I think) 4 hex chars)... so I am totally confused what you are trying to do here, why you changed the salt format and why one should *crack the algorithm* under his control

Sorry my head is in vacation mode, the first paste was from when i had tested to convert it to hex and see if that was the reason. But yes you are right it's going to be rather hard to know whats going on without the source and im just gonna wait till i get back to work where i can review the code. Thanks for the answers so far though Smile