How would i format a hashed password with a known salt in hashcat.
$826y4$31226$dObT2IfxeM3WbUe54N0GcYc12M4T1M857N7zfg6zaN2ucM9W0.bD2p2S/7IvyzEiKXEHZZ8WX1LtpkG:65cd5a6addd58dce46fdc0b936c7740a
The column is separating the hash from the salt.
I haven't worked with this hash type before, but A) it's not pure bcrypt, and B) the portion after the colon is, I'm told, not a salt.
(12-08-2017, 04:41 AM)royce Wrote: [ -> ]I haven't worked with this hash type before, but A) it's not pure bcrypt, and B) the portion after the colon is, I'm told, not a salt.
I just read that the passwords are first MD5 hashed, then bcrypted, then obfuscated. So how would i get past the obfuscation.
I quickly searched on the web and it seems the obfuscation is just that the algorithm adds " 8 6 4 3 2 6 d b 2 f e 3 b e 4 0 c c 2 4 1 8 7 7 f 6 a 2 c 9 0 b" to the hash (from the start of the hash every second character needs to be removed when you try to come up with the original bcrypt hash, the un-obfuscated version):
e.g. like this:
$826y4$31226$dObT2IfxeM3WbUe54N0GcYc12M4T1M857N7zfg6zaN2ucM9W0.bD2p2S/7IvyzEiKXEHZZ8WX1LtpkG -
8 6 4 3 2 6 d b 2 f e 3 b e 4 0 c c 2 4 1 8 7 7 f 6 a 2 c 9 0 b
=>
$2y$12$OTIxMWU5NGY1MTM5NzgzNuMW.D2p2S/7IvyzEiKXEHZZ8WX1LtpkG
i.e. we remove the 8 at position 2, we remove 6 at position 4, we remove 4 at position 6... we remove b (the end is just copied as-is)
I have no clue where this algorithm/obfuscation is used in. Do you know which device/cms/website etc uses this format ?
I also did not find (during my very quick search) any reference to what the additional string you mentioned as "salt" is doing here.
Where do you read about the details about this algorithm. Can you please post the link/details here etc?
BTW: it is not allowed to post hashes within this forum. Posting hashes is against the forum rules. You will get banned. It's even worse that not even the original password (non-hashed version) was mentioned
Thanks for uncovering that, philsmd. Why are people so stupid? Security by obscurity ftw
edit: looks like this is from a leaked database