Salted Hashes

With some unsalted examples out of the way, let's talk about salted hashes. If you missed what salting is, go back and take a few minutes to read about it. Or be a boss and push forward, your call.

DES

DES has been around for a long time and was the standard storage method for passwords on UNIX(-like) systems. It uses a 2-character salt, which resides at the beginning of the hash string and accepts [./0-9A-Za-z] as valid characters. The next 11 characters are the "key".

 Ky | q4bCxAXJkbg
|__|  |_________|
 |         |
 |         |
 |         |_ Key
 |
 |_ Salt 

While DES was resistant to attack for its time, it has major flaws by today's standards. Largely, the availability of cheap GPUs, advancements in cracking software, and input limitations make DES no longer viable as a secure hash storage method. When crypting a password with DES, it is truncated at 8 characters regardless of the length of the password. This means that there is a finite keyspace (895 on a standard US keyboard). The code flow is highly simplified here:

# Make a DESCrypt password with a value of "Password123"
$ echo -n "Password123" | mkpasswd -s -m descrypt  
fkDoFlAhcFP2Q

$ ./hashcat -m 1500 example wordlist
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: descrypt, DES (Unix), Traditional DES
Hash.Target......: fkDoFlAhcFP2Q

fkDoFlAhcFP2Q:Password
$

Because of this flaw, it is useful to make wordlists that are focused on DES. Alternatively, run the tools in mask or brute-force mode and save some disk space.

md5crypt

md5crypt uses the crypt scheme again, but with MD5 as the underlying algorithm. The input is salted and hashed with MD5, and the result is then passed through MD5 again together with the input, salt, and first hash. The resulting hash is re-hashed 1000 times. This is done to slow down cracking attempts by increasing the work needed to reach the final result. The number of iterations is configurable, leading some technologies to favor increasing the "round" count over implementing newer hash functions.

md5crypt hashes can be broken out like so:

$ echo -n "Password123" | mkpasswd -s -m md5crypt
$1$HT3WIA.C$BK7icam9wN0uGTNnvJNjn0

$1$ HT3WIA.C $ BK7icam9wN0uGTNnvJNjn0
|_| |______| | |____________________|
 |     |     |           |
 |     |     |           |_ Hash
 |     |     |
 |     |     |_ Separator
 |     |
 |     |_ Salt
 |
 |_ Magic

sha256crypt

sha256crypt is the same as md5crypt, but, yep, you guessed it, using SHA-256. Here, 5000 rounds of SHA-256 are applied to increase workload.

Breaking the hash down:

$ echo -n "Password123" | mkpasswd -s -m sha-256 
$5$KAlz5SULZNybHwil$3UgmS1pmo2r5HG.tjbjzoVxISBh8IH81d.bJh4MCC19
            
$5$ KAlz5SULZNybHwil $ 3UgmS1pmo2r5HG.tjbjzoVxISBh8IH81d.bJh4MCC19
|_| |______________| | |_________________________________________|
 |         |         |                     |
 |         |         |                     |_ Hash
 |         |         |
 |         |         |_ Separator
 |         |
 |         |_ Salt
 |
 |_ Magic

sha512crypt

sha512crypt: this is just getting repetitive now. Same deal as above, but using SHA-512 as the underlying algorithm. This algorithm is the current default in most Linux distributions.

$ echo -n "Password123" | mkpasswd -s -m sha-512
$6$CencyQzN/xWke7di$0FVVc/f.6zV86Q.eZ7JjUSN95MtfM11ZWseZhHglt.ggNy3eNixFoi2ds0TeV3xrLFfxR1r48LkaoOT/cVESE0

$6$ CencyQzN/xWke7di $ 0FVVc/f.6zV86Q.eZ7JjUSN95MtfM11ZWseZhHglt.ggNy3eNixFoi2ds0TeV3xrLFfxR1r48LkaoOT/cVESE0
|_| |______________| | |____________________________________________________________________________________|
 |         |         |                                          |
 |         |         |                                          |_ Hash
 |         |         |
 |         |         |_ Separator
 |         |
 |         |_ Salt
 |
 |_ Magic
 
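
Added example, not part of the original page: a Python parser that splits the four formats broken down above into scheme, salt and hash, and audits shadow-style entries for accounts still stored with descrypt or md5crypt. The sample lines and user names, the LEGACY policy set, the salt/hash length limits and the optional rounds= field of the SHA variants are assumptions of this example and are not shown on the page.

```python
import re

B64 = r"[./0-9A-Za-z]"  # crypt(3) alphabet, as listed in the DES section
DES_RE = re.compile(rf"^({B64}{{2}})({B64}{{11}})$")
MCF_RE = re.compile(rf"^\$([156])\$(?:rounds=(\d+)\$)?({B64}{{1,16}})\$({B64}+)$")
# magic -> (scheme, max salt length, hash length, default rounds)
SCHEMES = {"1": ("md5crypt", 8, 22, 1000),
           "5": ("sha256crypt", 16, 43, 5000),
           "6": ("sha512crypt", 16, 86, 5000)}
LEGACY = {"descrypt", "md5crypt"}  # assumed audit policy: schemes to migrate off

def parse_crypt(field):
    """Return dict(scheme, salt, rounds, hash), or None if not recognised."""
    m = DES_RE.match(field)
    if m:  # 2-character salt followed by 11 characters
        return {"scheme": "descrypt", "salt": m[1], "rounds": None, "hash": m[2]}
    m = MCF_RE.match(field)
    if not m:
        return None
    name, max_salt, hash_len, default_rounds = SCHEMES[m[1]]
    if len(m[3]) > max_salt or len(m[4]) != hash_len:
        return None  # truncated or corrupted entry
    if m[2] and name == "md5crypt":
        return None  # the rounds= field only exists for the SHA variants
    rounds = int(m[2]) if m[2] else default_rounds
    return {"scheme": name, "salt": m[3], "rounds": rounds, "hash": m[4]}

def audit(shadow_lines):
    """Map user -> 'legacy:<scheme>', 'ok:<scheme>', 'locked-or-empty', 'unknown'."""
    report = {}
    for line in shadow_lines:
        user, field = line.split(":")[:2]
        parsed = parse_crypt(field)
        if field in ("", "*") or field.startswith("!"):
            report[user] = "locked-or-empty"
        elif parsed is None:
            report[user] = "unknown"
        else:
            tag = "legacy" if parsed["scheme"] in LEGACY else "ok"
            report[user] = f"{tag}:{parsed['scheme']}"
    return report

# Constructed lines: made-up users, hashes are this page's mkpasswd examples.
SAMPLE = [
    "alice:fkDoFlAhcFP2Q:19000:0:99999:7:::",
    "bob:$1$HT3WIA.C$BK7icam9wN0uGTNnvJNjn0:19000:0:99999:7:::",
    "carol:$6$CencyQzN/xWke7di$0FVVc/f.6zV86Q.eZ7JjUSN95MtfM11ZWseZhHglt.ggNy3eNixFoi2ds0TeV3xrLFfxR1r48LkaoOT/cVESE0:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]
```

Calling audit(SAMPLE) reports alice and bob as legacy entries and carol as ok; an entry whose hash part has the wrong length for its magic comes back as unknown rather than being guessed at.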