Identify what kind of hash this is? – Digitalmunition





This topic contains 1 reply, has 2 voices, and was last updated by  IUsedToBeACave 3 weeks, 5 days ago.

  • #310833

    anonymous
    Participant

    Hello! I have been pen testing my modem/router and I managed to find some hashes through a serial terminal on the router storage.

    The default user:pass for the http server (boa) is user:user

    I managed to grab this hash:

    user:$1$7HhlSzbs5aShQSdkbGWJaadU

    Does this correspond to the password: user? And what kind of hash is it?

  • #310834

    IUsedToBeACave

    It’s an MD5 hash without a salt, and then it is encoded to something that is very similar to base64, but is really just the encoding method used by *nix systems for storing the password hashes in the shadow file.

    The MD5 hash of ‘user’ is ‘ee11cbb19052e40b07aac0ca060c23ee’.
    The Base64 encoding of the previous hash is ‘7hHLsZBS5AsHqsDKBgwj7g==’

    Again the actual mechanism to store the password isn’t base64, but encoding the MD5 hash of the string ‘user’ as Base64 creates a string that is very, very similar to the one in the unix password/shadow file.

  • #310835

    TrustmeImaConsultant

    First of all, change your user password. Now.

    And second, try to find out whether your router can use something better than MD5 to hash that password; that’s not really secure anymore.

    The answer you’re looking for is here: [https://www.cyberciti.biz/faq/understanding-etcshadow-file/](https://www.cyberciti.biz/faq/understanding-etcshadow-file/)

  • #310836

    Eid0x00rian

    There is a tool with Kali [Hash-Identifier](https://tools.kali.org/password-attacks/hash-identifier) if you want to know what kind of hash it is.

  • #310837

    w0keson

    The `$1$` prefix makes me think it *might* not be a simple MD5 hash. I’ve seen prefixes like that used with some “self-salting” hash algorithms before, like Bcrypt, where an example hash for “hello world” looks like:

    $2y$12$EV.C0ZNbcaG8711z1LJuneoSL0Q7YVOA9Fq0QqqX.1JoXAu.3OTXe

    Where the $12$ holds the “12 hashing iterations” parameter and the $2y$ part identifies the hashing algorithm used (e.g.: how a bcrypt validator function can know what version of bcrypt it’s using or whether the hash is even bcrypt at all, so it can skip bothering to validate it if you gave a completely invalid hash).

    That said, it could just be an esoteric way of encoding an MD5 hash, and it’s hard to identify for 100% certain what algorithm a hash was using apart from trying to guess by its characteristics, i.e. an MD5 hex hash is 32 characters long, which is different to SHA-1, which is different to SHA-256. Some, like bcrypt, can be identified by their magic number prefix, but others aren’t so easy.

    At any rate: if you’re hoping to recover the plaintext password the only way is to 1) find the algorithm used, and 2) brute force guess every possible password until you find the one that hashes to an equivalent value. Tools like [John the Ripper](https://en.wikipedia.org/wiki/John_the_Ripper) may help here.
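The prefix and length checks discussed in the replies, together with the MD5/Base64 comparison from the first reply, as an added example that is not part of any poster's message. The function names are hypothetical; the two hash strings are copied from the thread.

```python
import base64
import hashlib

# Modular crypt format ids seen in crypt(3)-style password fields.
MCF_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}
# Bare hex digests can only be guessed from length: candidates, not answers.
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

# Strings quoted in the thread.
ROUTER_FIELD = "$1$7HhlSzbs5aShQSdkbGWJaadU"
BCRYPT_FIELD = "$2y$12$EV.C0ZNbcaG8711z1LJuneoSL0Q7YVOA9Fq0QqqX.1JoXAu.3OTXe"


def classify(field):
    """Return (scheme, notes) for one password-hash field."""
    if field.startswith("$"):
        parts = field.split("$")[1:]
        scheme = MCF_IDS.get(parts[0], "unknown-mcf")
        notes = []
        if scheme == "md5crypt" and len(parts) != 3:
            # Standard md5crypt is $1$<salt>$<22-character digest>.
            notes.append("non-standard: %d field(s) after the id" % (len(parts) - 1))
        if scheme == "bcrypt" and len(parts) == 3 and parts[1].isdigit():
            notes.append("cost=%d" % int(parts[1]))  # work is 2**cost
        return scheme, notes
    if len(field) in HEX_LENGTHS and all(c in "0123456789abcdefABCDEF" for c in field):
        return "hex-" + HEX_LENGTHS[len(field)], ["length-based guess only"]
    return "unknown", []


def md5_base64(password):
    """Standard Base64 of the raw, unsalted MD5 digest of the password."""
    return base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def caseless_common_prefix(a, b):
    """Length of the prefix two strings share when letter case is ignored."""
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    for sample in (ROUTER_FIELD, BCRYPT_FIELD, hashlib.md5(b"user").hexdigest()):
        print(sample, "->", classify(sample))
    print(caseless_common_prefix(ROUTER_FIELD[3:], md5_base64("user")))
```

On the thread's strings, the router field carries a single field after `$1$` rather than the usual salt and digest pair, and it agrees with the Base64 of MD5("user") for the first 20 characters when case is ignored.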
