Please note, this is a STATIC archive of website hashcat.net from October 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.
hashcat Forum
Salted SHA-1 found by Lite but not by Plus - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Ancient Versions (https://hashcat.net/forum/forum-46.html)
+--- Forum: Very old oclHashcat-plus Support (https://hashcat.net/forum/forum-23.html)
+--- Thread: Salted SHA-1 found by Lite but not by Plus (/thread-2407.html)



Salted SHA-1 found by Lite but not by Plus - qweasd - 06-26-2013

Hi folks, strange issue here...

I am using this input file as sha1($pass.$salt):
4205d56d3102258cc00b5eed8d13886225ebd618:134e012e33e18783de360103c1fb07798df0e1cf

When I run oclHashcat-lite64, it ils immediately found (password "test"), but it seems to transform the hash:
Code:
oclHashcat-lite64.exe -m 110 C:\hash.txt
(...)
Session.Name...: oclHashcat-lite
Status.........: Cracked
Hash.Target....: 6dd505428c250231ed5e0bc06288138d18d6eb25:134e012e33e18783de360103c1fb07798df0e1cf
Hash.Type......: sha1($pass.$salt)

However, when I run oclHashcat-plus64 in bruteforce mode, the hash does not go through the same transformation and doesn't get cracked:

Code:
oclHashcat-plus64.exe -a 3 -m 110 C:\hash.txt
(...)
Session.Name...: oclHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2)
Hash.Target....: 4205d56d3102258cc00b5eed8d13886225ebd618:134e012e33e18783de360103c1fb07798df0e1cf
Hash.Type......: sha1($pass.$salt)


What am I doing wrong here? I use the exact same command, except "-a 3" for the "plus" version. Same behaviour when I run "plus" with a dictionary and/or mask.

Thanks for your help!


RE: Salted SHA-1 found by Lite but not by Plus - atom - 06-26-2013

In oclHashcat-plus, the max. supported salt length is 32


RE: Salted SHA-1 found by Lite but not by Plus - qweasd - 07-02-2013

Hi atom,

Thanks for the reply. Can you explain what kind transformation oclHashcat lite applies to the hash it displays? I've tried with shorter salts, oclHashcat plus is able to crack them without applying this transformation.

I try to script some password cracking tasks, and I can't compare the original hash with the one oclHashcat lite produces when it cracks passwords.

Thank you again Smile


RE: Salted SHA-1 found by Lite but not by Plus - philsmd - 07-02-2013

I don't know if this is a problem w/ lite, but it seems to output the digest just in byte-swapped format, see here to understand that (first plus - correct -, then lite):
4205d56d
6dd50542

what happened? 42 was first is now last, 05 was second -> becomes second last, d5 was third -> 3rd to last, 6d last -> first

Will check if I can reproduce this w/ latest lite today.

Maybe this helps in the meantime (this will revert all hashes (before colon ":") in hashcat.pot, you could do the same by specifing the outfile instead):
Code:
sed -r 's@^([^:]*)(.*)$@echo -n \1|sed -r "s!([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})!\\4\\3\\2\\1!g";echo \2;@ge' hashcat.pot



RE: Salted SHA-1 found by Lite but not by Plus - qweasd - 07-03-2013

Hey philsmd,

Good job on seeing that Smile - And congrats on the sed kung-fu - I'll be able to script something up to revert the resulting hashes in the good format now.

Problem solved for now.


RE: Salted SHA-1 found by Lite but not by Plus - qweasd - 07-03-2013

Here is the php version of it, if someone cares...

Code:
<?php
$hash = '6dd505428c250231ed5e0bc06288138d18d6eb25';
$res = '';

if (strlen($hash) % 8 == 0)
{
    $tab = str_split($hash, 8);
    foreach ($tab AS $chunk)
        $res .= join('', array_reverse(str_split($chunk, 2)));
}

echo $res;
?>



RE: Salted SHA-1 found by Lite but not by Plus - philsmd - 07-03-2013

I would like to trac(k) this problem here: https://hashcat.net/trac/ticket/174