Kitz Forum
Chat => Tech Chat => Topic started by: burakkucat on February 02, 2018, 06:11:03 PM
-
Just a quick query to those who have systems with a GPU and, thus, can use the current version of hashcat. When prompted to display its inbuilt help, do you see any reference to the original, classical, DES?
Looking at the legacy version of hashcat, which I use on GPU-less systems, I see the following --
* Hash types:
[[ Roll-your-own: Raw Hashes ]]
900 = MD4
0 = MD5
5100 = Half MD5
100 = SHA1
1400 = SHA-256
1700 = SHA-512
5000 = SHA-3(Keccak)
6900 = GOST R 34.11-94
99999 = Plaintext
[[ Roll-your-own: Iterated and / or Salted Hashes ]]
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
3800 = md5($salt.$pass.$salt)
3710 = md5($salt.md5($pass))
4110 = md5($salt.md5($pass.$salt))
4010 = md5($salt.md5($salt.$pass))
4210 = md5($username.0.$pass)
3720 = md5($pass.md5($salt))
3500 = md5(md5(md5($pass)))
3610 = md5(md5($salt).$pass)
3910 = md5(md5($pass).md5($salt))
2600 = md5(md5($pass)
4300 = md5(strtoupper(md5($pass)))
4400 = md5(sha1($pass))
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
130 = sha1(unicode($pass).$salt)
140 = sha1($salt.unicode($pass))
4500 = sha1(sha1($pass)
4600 = sha1(sha1(sha1($pass)))
4700 = sha1(md5($pass))
4900 = sha1($salt.$pass.$salt)
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1430 = sha256(unicode($pass).$salt)
1440 = sha256($salt.unicode($pass))
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1730 = sha512(unicode($pass).$salt)
1740 = sha512($salt.unicode($pass))
1431 = base64(sha256(unicode($pass)))
[[ Roll-your-own: Authenticated Hashes ]]
50 = HMAC-MD5 (key = $pass)
60 = HMAC-MD5 (key = $salt)
150 = HMAC-SHA1 (key = $pass)
160 = HMAC-SHA1 (key = $salt)
1450 = HMAC-SHA256 (key = $pass)
1460 = HMAC-SHA256 (key = $salt)
1750 = HMAC-SHA512 (key = $pass)
1760 = HMAC-SHA512 (key = $salt)
[[ Generic KDF ]]
400 = phpass
8900 = scrypt
[[ Network protocols, Challenge-Response ]]
23 = Skype
2500 = WPA/WPA2
4800 = iSCSI CHAP authentication, MD5(Chap)
5300 = IKE-PSK MD5
5400 = IKE-PSK SHA1
5500 = NetNTLMv1
5500 = NetNTLMv1 + ESS
5600 = NetNTLMv2
7300 = IPMI2 RAKP HMAC-SHA1
10200 = Cram MD5
11100 = PostgreSQL Challenge-Response Authentication (MD5)
11200 = MySQL Challenge-Response Authentication (SHA1)
11400 = SIP digest authentication (MD5)
[[ Forums, CMS, E-Commerce, Frameworks, Middleware, Wiki, Management ]]
121 = SMF (Simple Machines Forum)
400 = phpBB3
2611 = vBulletin < v3.8.5
2711 = vBulletin > v3.8.5
2811 = MyBB
2811 = IPB (Invison Power Board)
8400 = WBB3 (Woltlab Burning Board)
11 = Joomla < 2.5.18
400 = Joomla > 2.5.18
400 = Wordpress
2612 = PHPS
7900 = Drupal7
21 = osCommerce
21 = xt:Commerce
11000 = PrestaShop
124 = Django (SHA-1)
10000 = Django (PBKDF2-SHA256)
3711 = Mediawiki B type
7600 = Redmine
3721 = WebEdition CMS
[[ Database Server ]]
12 = PostgreSQL
131 = MSSQL(2000)
132 = MSSQL(2005)
1731 = MSSQL(2012)
1731 = MSSQL(2014)
200 = MySQL323
300 = MySQL4.1/MySQL5
112 = Oracle S: Type (Oracle 11+)
[[ HTTP, SMTP, LDAP Server ]]
123 = EPi
141 = EPiServer 6.x < v4
1441 = EPiServer 6.x > v4
1600 = Apache $apr1$
1421 = hMailServer
101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
1711 = SSHA-512(Base64), LDAP {SSHA512}
[[ Operating-Systems ]]
1000 = NTLM
1100 = Domain Cached Credentials (DCC), MS Cache
500 = md5crypt $1$, MD5(Unix)
3200 = bcrypt $2*$, Blowfish(Unix)
3300 = MD5(Sun)
7400 = sha256crypt $5$, SHA256(Unix)
1800 = sha512crypt $6$, SHA512(Unix)
122 = OSX v10.4
122 = OSX v10.5
122 = OSX v10.6
1722 = OSX v10.7
7100 = OSX v10.8
7100 = OSX v10.9
7100 = OSX v10.10
7100 = OSX v10.11
6300 = AIX {smd5}
6700 = AIX {ssha1}
6400 = AIX {ssha256}
6500 = AIX {ssha512}
2400 = Cisco-PIX
2410 = Cisco-ASA
500 = Cisco-IOS $1$
5700 = Cisco-IOS $4$
9200 = Cisco-IOS $8$
9300 = Cisco-IOS $9$
5800 = Android PIN
7200 = GRUB 2
9900 = Radmin2
7000 = Fortigate (FortiOS)
[[ Enterprise Application Software (EAS) ]]
10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA-1
133 = PeopleSoft
[[ Password Managers ]]
5200 = Password Safe v3
Absolutely no reference to DES.
-
@burakkucat
I have v3.6.0-479-gb169653b. ./hashcat --help | grep DES gives, under "[Hash modes]"
14000 | DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
14100 | 3DES (PT = $salt, key = $pass) | Raw Cipher, Known-Plaintext attack
1500 | descrypt, DES (Unix), Traditional DES | Operating Systems
12400 | BSDi Crypt, Extended DES | Operating Systems
Maybe "Traditional DES" is the one you're after?
-
Yes. My full version of Hashcat definitely does DES (1500).
I'm sure that's what my vmg1312-b10a & vmg8924-b10a both use to encrypt the passwords.
Even though I could obtain both passes using the dumpmdm command I used Hashcat to get the Supervisor pass for both devices. It was while playing about with Hashcat for the 1st time.
-
Thank you, both. Yes, that is it. It's not available with the legacy version.
[Duo2 ~]$ hashcat --version
2.00
[Duo2 ~]$ hashcat --help | grep -i des
* Attack modes:
[Duo2 ~]$
-
Curiouser and curiouser. :-\
I put together some quick & unsophisticated C-code to DES encrypt the key string 0246813579 using a salt string gD. (Notice that I have deliberately exceeded the traditional DES key string limit of eight.)
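#define _XOPEN_SOURCE
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    /* Ten-character key: deliberately longer than the traditional DES limit of eight. */
    const char *key = "0246813579";
    const char *salt = "gD";
    char *hash = crypt(key, salt);

    /* crypt() can return NULL on failure; passing NULL to printf("%s") is undefined. */
    if (hash == NULL) {
        perror("crypt");
        exit(EXIT_FAILURE);
    }
    printf("%s\n", hash);
    exit(EXIT_SUCCESS);
}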
Once compiled and executed it output a thirteen character string, characters one & two being the salt and characters three to thirteen the encrypted representation of the key.
$ cc -lcrypt desencrypt.c -o desencrypt
$ desencrypt
gDs4cBIVIdzoU
$
I reran the code, sending the output to a file named bcat.hash.
$ desencrypt > bcat.hash
$
Finally, just to see what would happen, I set hashcat to work. This is what I saw --
$ hashcat -a 3 -m 1500 --increment -1 ?d bcat.hash ?1?1?1?1?1?1?1?1
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...
Added hashes from file bcat.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Mask (?1) [1]
Index.....: 0/1 (segment), 10 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 10/10 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Mask (?1?1) [2]
Index.....: 0/1 (segment), 100 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 100/100 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Mask (?1?1?1) [3]
Index.....: 0/1 (segment), 1000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1000/1000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Mask (?1?1?1?1) [4]
Index.....: 0/1 (segment), 10000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 10000/10000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Mask (?1?1?1?1?1) [5]
Index.....: 0/1 (segment), 100000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 459.48k plains, 459.48k words
Progress..: 100000/100000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Mask (?1?1?1?1?1?1) [6]
Index.....: 0/1 (segment), 1000000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 489.81k plains, 489.81k words
Progress..: 1000000/1000000 (100.00%)
Running...: 00:00:00:02
Estimated.: --:--:--:--
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Mask (?1?1?1?1?1?1?1) [7]
Index.....: 0/1 (segment), 10000000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 496.30k plains, 496.30k words
Progress..: 10000000/10000000 (100.00%)
Running...: 00:00:00:21
Estimated.: --:--:--:--
gDs4cBIVIdzoU:02468135
All hashes have been recovered
Input.Mode: Mask (?1?1?1?1?1?1?1?1) [8]
Index.....: 0/1 (segment), 100000000 (words), 0 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 514.41k words
Progress..: 5971828/100000000 (5.97%)
Running...: 00:00:00:11
Estimated.: 00:00:03:02
Started: Fri Feb 2 23:07:17 2018
Stopped: Fri Feb 2 23:07:51 2018
$
The hashcat.pot file contained the line gDs4cBIVIdzoU:02468135.
So the legacy version of hashcat is able to operate on a traditional DES encrypted string. :)
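-
Added example, not part of any post in the thread: a small C audit helper that recognises the thirteen-character traditional DES crypt shape described above (two salt characters plus eleven digest characters) in "user:hash" lines, and models the eight-character key limit that explains why hashcat reported 02468135 rather than 0246813579. The function names and the sample lines are hypothetical and constructed for illustration; only the hash gDs4cBIVIdzoU comes from the thread, and the shape test is a heuristic.

```c
#include <stdio.h>
#include <string.h>
/* crypt(3) base-64 alphabet used by descrypt salts and digests. */
static const char ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Heuristic shape test: exactly 13 characters, all from ALPHABET. */
int is_descrypt(const char *s, size_t len)
{
    if (len != 13) return 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] == '\0' || strchr(ALPHABET, s[i]) == NULL) return 0;
    return 1;
}

/* Copy the first 8 characters of pw into out; return how many are dropped. */
size_t descrypt_effective(const char *pw, char out[9])
{
    size_t n = strlen(pw), used = n > 8 ? 8 : n;
    memcpy(out, pw, used);
    out[used] = '\0';
    return n - used;
}

/* Scan "user:hash[:...]" lines; report and count descrypt entries. */
int audit(const char *const lines[], size_t count)
{
    int hits = 0;
    for (size_t i = 0; i < count; i++) {
        const char *colon = strchr(lines[i], ':');
        if (colon == NULL || !is_descrypt(colon + 1, strcspn(colon + 1, ":")))
            continue;
        printf("%.*s: descrypt, salt \"%.2s\"\n", (int)(colon - lines[i]), lines[i], colon + 1);
        hits++;
    }
    return hits;
}

/* Constructed sample lines; only the first hash comes from the thread. */
static const char *const SAMPLE[] = {
    "supervisor:gDs4cBIVIdzoU", "admin:$6$constructed$constructed", "guest:*" };

int main(void)
{
    char used[9];
    size_t ignored = descrypt_effective("0246813579", used);
    printf("%d flagged; \"%s\" kept, %zu ignored\n", audit(SAMPLE, 3), used, ignored);
    return 0;
}
```

Any account flagged this way has a password whose characters beyond the eighth add nothing, so such hashes are candidates for migration to a modern scheme.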