Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Hashcat Query  (Read 489 times)

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 22588
  • Over the Rainbow Bridge
    • The ELRepo Project
Hashcat Query
« on: February 02, 2018, 06:11:03 PM »

Just a quick query to those who have systems with a GPU and, thus, can use the current version of hashcat. When prompted to display its inbuilt help, do you see any reference to the original, classical, DES?

Looking at the legacy version of hashcat, which I use on GPU-less systems, I see the following --

Code: [Select]
* Hash types:

[[ Roll-your-own: Raw Hashes ]]

    900 = MD4
      0 = MD5
   5100 = Half MD5
    100 = SHA1
   1400 = SHA-256
   1700 = SHA-512
   5000 = SHA-3(Keccak)
   6900 = GOST R 34.11-94
  99999 = Plaintext

[[ Roll-your-own: Iterated and / or Salted Hashes ]]

     10 = md5($pass.$salt)
     20 = md5($salt.$pass)
     30 = md5(unicode($pass).$salt)
     40 = md5($salt.unicode($pass))
   3800 = md5($salt.$pass.$salt)
   3710 = md5($salt.md5($pass))
   4110 = md5($salt.md5($pass.$salt))
   4010 = md5($salt.md5($salt.$pass))
   4210 = md5($username.0.$pass)
   3720 = md5($pass.md5($salt))
   3500 = md5(md5(md5($pass)))
   3610 = md5(md5($salt).$pass)
   3910 = md5(md5($pass).md5($salt))
   2600 = md5(md5($pass)
   4300 = md5(strtoupper(md5($pass)))
   4400 = md5(sha1($pass))
    110 = sha1($pass.$salt)
    120 = sha1($salt.$pass)
    130 = sha1(unicode($pass).$salt)
    140 = sha1($salt.unicode($pass))
   4500 = sha1(sha1($pass)
   4600 = sha1(sha1(sha1($pass)))
   4700 = sha1(md5($pass))
   4900 = sha1($salt.$pass.$salt)
   1410 = sha256($pass.$salt)
   1420 = sha256($salt.$pass)
   1430 = sha256(unicode($pass).$salt)
   1440 = sha256($salt.unicode($pass))
   1710 = sha512($pass.$salt)
   1720 = sha512($salt.$pass)
   1730 = sha512(unicode($pass).$salt)
   1740 = sha512($salt.unicode($pass))
   1431 = base64(sha256(unicode($pass)))

[[ Roll-your-own: Authenticated Hashes ]]

     50 = HMAC-MD5 (key = $pass)
     60 = HMAC-MD5 (key = $salt)
    150 = HMAC-SHA1 (key = $pass)
    160 = HMAC-SHA1 (key = $salt)
   1450 = HMAC-SHA256 (key = $pass)
   1460 = HMAC-SHA256 (key = $salt)
   1750 = HMAC-SHA512 (key = $pass)
   1760 = HMAC-SHA512 (key = $salt)

[[ Generic KDF ]]

    400 = phpass
   8900 = scrypt

[[ Network protocols, Challenge-Response ]]

     23 = Skype
   2500 = WPA/WPA2
   4800 = iSCSI CHAP authentication, MD5(Chap)
   5300 = IKE-PSK MD5
   5400 = IKE-PSK SHA1
   5500 = NetNTLMv1
   5500 = NetNTLMv1 + ESS
   5600 = NetNTLMv2
   7300 = IPMI2 RAKP HMAC-SHA1
  10200 = Cram MD5
  11100 = PostgreSQL Challenge-Response Authentication (MD5)
  11200 = MySQL Challenge-Response Authentication (SHA1)
  11400 = SIP digest authentication (MD5)

[[ Forums, CMS, E-Commerce, Frameworks, Middleware, Wiki, Management ]]

    121 = SMF (Simple Machines Forum)
    400 = phpBB3
   2611 = vBulletin < v3.8.5
   2711 = vBulletin > v3.8.5
   2811 = MyBB
   2811 = IPB (Invison Power Board)
   8400 = WBB3 (Woltlab Burning Board)
     11 = Joomla < 2.5.18
    400 = Joomla > 2.5.18
    400 = Wordpress
   2612 = PHPS
   7900 = Drupal7
     21 = osCommerce
     21 = xt:Commerce
  11000 = PrestaShop
    124 = Django (SHA-1)
  10000 = Django (PBKDF2-SHA256)
   3711 = Mediawiki B type
   7600 = Redmine
   3721 = WebEdition CMS

[[ Database Server ]]

     12 = PostgreSQL
    131 = MSSQL(2000)
    132 = MSSQL(2005)
   1731 = MSSQL(2012)
   1731 = MSSQL(2014)
    200 = MySQL323
    300 = MySQL4.1/MySQL5
    112 = Oracle S: Type (Oracle 11+)

[[ HTTP, SMTP, LDAP Server ]]

    123 = EPi
    141 = EPiServer 6.x < v4
   1441 = EPiServer 6.x > v4
   1600 = Apache $apr1$
   1421 = hMailServer
    101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
    111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
   1711 = SSHA-512(Base64), LDAP {SSHA512}

[[ Operating-Systems ]]

   1000 = NTLM
   1100 = Domain Cached Credentials (DCC), MS Cache
    500 = md5crypt $1$, MD5(Unix)
   3200 = bcrypt $2*$, Blowfish(Unix)
   3300 = MD5(Sun)
   7400 = sha256crypt $5$, SHA256(Unix)
   1800 = sha512crypt $6$, SHA512(Unix)
    122 = OSX v10.4
    122 = OSX v10.5
    122 = OSX v10.6
   1722 = OSX v10.7
   7100 = OSX v10.8
   7100 = OSX v10.9
   7100 = OSX v10.10
   7100 = OSX v10.11
   6300 = AIX {smd5}
   6700 = AIX {ssha1}
   6400 = AIX {ssha256}
   6500 = AIX {ssha512}
   2400 = Cisco-PIX
   2410 = Cisco-ASA
    500 = Cisco-IOS $1$
   5700 = Cisco-IOS $4$
   9200 = Cisco-IOS $8$
   9300 = Cisco-IOS $9$
   5800 = Android PIN
   7200 = GRUB 2
   9900 = Radmin2
   7000 = Fortigate (FortiOS)

[[ Enterprise Application Software (EAS) ]]

  10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA-1
    133 = PeopleSoft

[[ Password Managers ]]

   5200 = Password Safe v3

Absolutely no reference to DES.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

22over7

  • Member
  • **
  • Posts: 54
Re: Hashcat Query
« Reply #1 on: February 02, 2018, 09:32:00 PM »

@burakkucat

I have v3.6.0-479-gb169653b.  ./hashcat --help | grep DES gives, under "[Hash modes]"
Code: [Select]
 
  14000 | DES (PT = $salt, key = $pass)                     | Raw Cipher, Known-Plaintext attack
  14100 | 3DES (PT = $salt, key = $pass)                   | Raw Cipher, Known-Plaintext attack
    1500 | descrypt, DES (Unix), Traditional DES          | Operating Systems
  12400 | BSDi Crypt, Extended DES                           | Operating Systems

Maybe "Traditional DES" is the one you're after?
Logged

j0hn

  • Kitizen
  • ****
  • Posts: 1512
Re: Hashcat Query
« Reply #2 on: February 02, 2018, 09:53:31 PM »

Yes. My full version of Hashcat definitely does DES (1500).
I'm sure that's what my vmg1312-b10a & vmg8924-b10a both use to encrypt the passwords.

Even though I could obtain both passes using the dumpmdm command I used Hashcat to get the Supervisor pass for both devices. It was while playing about with Hashcat for the 1st time.
Logged
BT FTTC 55/10 ECI now Huawei cab
Zyxel VMG1312-B10A bridge mode with 1508 MTU + Asus RT-AC68U running Asuswrt-Merlin

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 22588
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hashcat Query
« Reply #3 on: February 02, 2018, 10:29:56 PM »

Thank you, both. Yes, that is it. It's not available with the legacy version.

Code: [Select]
[Duo2 ~]$ hashcat --version
2.00
[Duo2 ~]$ hashcat --help | grep -i des
* Attack modes:
[Duo2 ~]$
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 22588
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hashcat Query
« Reply #4 on: February 02, 2018, 11:20:45 PM »

Curiouser and curiouser.  :-\

I put together some quick & unsophisticated C-code to DES encrypt the key string 0246813579 using a salt string gD. (Notice that I have deliberately exceeded the traditional DES key string limit of eight.)

Code: [Select]
#define _XOPEN_SOURCE
#include <unistd.h>

#include <stdio.h>
#include <stdlib.h>

int main()
{
char *key, *salt;

key = "0246813579";
salt = "gD";

printf("%s\n", crypt(key, salt));

exit(EXIT_SUCCESS);
}

Once compiled and executed it output a thirteen character string, characters one & two being the salt and characters three to thirteen the encrypted representation of the key.

Code: [Select]
$ cc -lcrypt desencrypt.c -o desencrypt
$ desencrypt
gDs4cBIVIdzoU
$

I reran the code, sending the output to a file named bcat.hash.

Code: [Select]
$ desencrypt > bcat.hash
$

Finally, just to see what would happen, I set hashcat to work. This is what I saw --

Code: [Select]
$ hashcat -a 3 -m 1500 --increment -1 ?d bcat.hash ?1?1?1?1?1?1?1?1
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...

Added hashes from file bcat.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?1) [1]
Index.....: 0/1 (segment), 10 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 10/10 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?1?1) [2]
Index.....: 0/1 (segment), 100 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 100/100 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?1?1?1) [3]
Index.....: 0/1 (segment), 1000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1000/1000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?1?1?1?1) [4]
Index.....: 0/1 (segment), 10000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 10000/10000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?1?1?1?1?1) [5]
Index.....: 0/1 (segment), 100000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 459.48k plains, 459.48k words
Progress..: 100000/100000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?1?1?1?1?1?1) [6]
Index.....: 0/1 (segment), 1000000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 489.81k plains, 489.81k words
Progress..: 1000000/1000000 (100.00%)
Running...: 00:00:00:02
Estimated.: --:--:--:--


[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?1?1?1?1?1?1?1) [7]
Index.....: 0/1 (segment), 10000000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 496.30k plains, 496.30k words
Progress..: 10000000/10000000 (100.00%)
Running...: 00:00:00:21
Estimated.: --:--:--:--


gDs4cBIVIdzoU:02468135

All hashes have been recovered

Input.Mode: Mask (?1?1?1?1?1?1?1?1) [8]
Index.....: 0/1 (segment), 100000000 (words), 0 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 514.41k words
Progress..: 5971828/100000000 (5.97%)
Running...: 00:00:00:11
Estimated.: 00:00:03:02


Started: Fri Feb  2 23:07:17 2018
Stopped: Fri Feb  2 23:07:51 2018
$

The hashcat.pot file contained the line gDs4cBIVIdzoU:02468135.

So the legacy version of hashcat is able to operate on a traditional DES encrypted string.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.
 

anything