One question that I get asked a lot when I’m teaching the password cracking section in the SANS SEC504 class is “Once I get a password hash, how do I figure out what type of hash it is?” I mention a few resources in class but thought it would be worthwhile to put together a quick write-up to help past and future students after the class.
The first thing I always mention is that you will likely know exactly what type of hash it is based on how you acquired it. If you use Meterpreter to dump hashes from a Windows system, grab the hashes from an /etc/shadow file or capture a hash using Responder, you know exactly what type of hash it is based on the method you used to capture it. If you obtained the hash from an encrypted file as I discussed in this blog post on the SANS pen test blog, you know exactly what type of hash it is.
With that out of the way, let’s talk about what to do when you’re not sure what type of hash it is.
Option 1: Have a program identify the hash for you
Some password cracking programs like John the Ripper will try to identify the hashes you ask them to crack, but they're not always right.
Another option is called HashTag and is available here. HashTag is a Python program that can look at a single hash or a text file full of hashes and attempt to identify them for you. It will generate a list of the hashes it found and what it thinks they could be.
It appears to detect 269 different hash formats and even includes a handy Excel spreadsheet of those formats complete with examples.
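To show why an identifier returns a list of possibilities rather than one answer, here is a small structural identifier written for this write-up as an added example; it is not HashTag's code or anything from John the Ripper. The format table is deliberately non-exhaustive and every sample value is constructed.

```python
import hashlib
import re

# Self-describing formats: the prefix names the algorithm.
PREFIXES = [
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
]
# Bare hex digests: length only narrows the field (non-exhaustive table).
HEX_LENGTHS = {
    32: ["MD5", "NTLM", "LM"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}
# pwdump-style line: user:rid:lm:nt:::
PWDUMP = re.compile(r"^[^:]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::$")
HEX = re.compile(r"^[0-9a-fA-F]+$")


def identify(line):
    """Return candidate formats for one line (empty list if unknown)."""
    s = line.strip()
    if PWDUMP.match(s):
        return ["LM + NTLM (pwdump line)"]
    # /etc/shadow-style line (user:hash:...): the hash is the second field.
    if ":" in s and "$" in s:
        s = s.split(":")[1]
    for pattern, name in PREFIXES:
        if pattern.match(s):
            return [name]
    if HEX.match(s):
        return list(HEX_LENGTHS.get(len(s), []))
    return []


# Constructed sample input; none of these values come from a real system.
SAMPLES = [
    hashlib.md5(b"example").hexdigest(),                       # bare 32 hex
    hashlib.sha1(b"example").hexdigest(),                      # bare 40 hex
    "alice:$6$c0nstructed$" + "A" * 86 + ":19000:0:99999:7:::",  # shadow line
    "$2b$12$" + "B" * 53,                                      # bcrypt-shaped
    "bob:1001:" + "a" * 32 + ":" + "b" * 32 + ":::",           # pwdump-shaped
    "not-a-hash",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample[:40]:<42} {identify(sample) or ['unknown']}")
```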
Option 2: Check the Wiki that Hashcat maintains for examples
When you’re trying to figure out what a hash is, it’s always important to ask yourself what seems likely. If the hashes come from a SQL injection attack against a custom web app running on an Apache server, LanMan hashes seem highly unlikely. In that scenario, options like MD5 would be much more likely.
If you have an idea of what the hash might be, Hashcat maintains a fantastic wiki of example password hashes for different formats at: https://hashcat.net/wiki/doku.php?id=example_hashes
Option 3: Ask for help
Hashcat maintains a fairly active forum at https://hashcat.net/forum/. You ARE NOT allowed to post hashes in the forum (doing so is grounds for getting banned), but if you sanitize the hash you can post it, provide what details you can about the source, and ask if anyone has advice on what it is and how to deal with it. I’ve seen veterans go the extra mile on edge cases where things like a custom salt encoding were used.
As I stated in the beginning, we usually have a really good idea of what the format of a hash is. If the hashes come from a custom web app or some other obscure source, we now have a few resources we can check so that we can correctly identify them, and more importantly, start cracking them 🙂