Hash Identification Reference Guide

Heymun Pareek — Sun, 28 Jun 2026 18:53:48 +0000

With commands and tools
This document serves as a professional, end-to-end reference for identifying, parsing, and cracking cryptographic hashes and encodings encountered during penetration tests, CTFs, and practical exams (like the CPTS).

1. Deep Dive: The Bcrypt Hashing Algorithm

How to Identify Bcrypt

Bcrypt is an adaptive, salted cryptographic hash function based on the Blowfish cipher. In database dumps, a bcrypt hash is immediately recognizable by its structured layout, modular delimiters ($), and a fixed length of exactly 60 characters.

Structural Breakdown

A standard bcrypt string is split into four distinct fields:

Plaintext

  $2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxob00GMBXo8NHp3P/B42LUg0lS
  \ / \/ \____________________/\_____________________________/
   |   |            |                        |
 Identifier Cost   22-Char Salt            31-Char Hash

Identifier (Prefix): Defines the specific variant of the bcrypt algorithm.

- `$2a$`: The classic implementation.

- `$2b$`: Modern implementation fixing minor caching bugs.

- `$2y$`: Specifically generated by PHP (e.g., Laravel, custom frameworks) to handle specific password hashing variations.

Cost Factor: A two-digit integer indicating the work factor. It represents the number of key-expansion rounds as a power of 2 ($2^{\text{cost}}$).

- _Example:_ A cost of `13` means $2^{13} = 8,192$ iterations. This intentional slowness (key stretching) thwarts brute-force hardware.

Salt: A globally unique, 22-character string that prevents rainbow table attacks.
Ciphertext (Digest): The remaining 31-character output containing the actual scrambled data.

Key Learning: Bcrypt uses a custom Base64 alphabet (./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789). This is why you will see characters like . and / scattered through the text, but never padding signs like =.

2. Comprehensive Identification Matrix: Encodings vs. Hashes

As a pentester, you must distinguish between data that is merely encoded (reversible) and data that is cryptographically hashed (one-way).

Non-Cryptographic Encodings (Reversible)

Type	Character Set	Length Characteristics	Structural Indicators / Giveaways
Base64	`A-Z`, `a-z`, `0-9`, `+`, `/`	Always a multiple of 4.	Frequently ends with `=` or `==` padding characters.
Hexadecimal	`0-9`, `a-f` (or `A-F`)	Always an even number of characters.	No letters past `F` will ever appear.
ROT13	`A-Z`, `a-z`	Matches the original plain text length.	Retains all native punctuation, spaces, and numbers.
URL Encoding	`0-9`, `A-F`, `%`	Variable.	Dominated by percentage signs (`%20`, `%3f`, `%2b`).

Base64 Example: YWRtaW4xMjM= $\rightarrow$ Decodes to admin123
Hex Example: 61646d696e313233 $\rightarrow$ Decodes to admin123
ROT13 Example: nqzva123 $\rightarrow$ Decodes to admin123

Standard Linear Hashes (Fast Hashes)

These are raw hexadecimal outputs. They do not store their salt natively inside the output string and are identified entirely by character count.

MD5 (Message Digest 5)

Length: 32 characters (128-bit)
Format: Hexadecimal
Example: 0192023a7bbd73250516f069df18b500

SHA-1 (Secure Hash Algorithm 1)

Length: 40 characters (160-bit)
Format: Hexadecimal
Example: a0f7169bb83ab40d21d51a6579cf299e5a1532f7

SHA-256

Length: 64 characters (256-bit)
Format: Hexadecimal
Example: 240a1921a37c15234f9a0c6a589cf299e5a1532f7a0f7169bb83ab40d21d51a65

Application & OS Hashes (Slow / Salted Hashes)

SHA-512 Crypt

Where found: Linux /etc/shadow files.
Indicator: Starts explicitly with $6$ .
Example: $6$rounds=5000$saltsalt$HashedOutputStrings...

Argon2 (2i / 2id)

Where found: Modern enterprise databases, KeePass databases.
Indicator: Starts with $argon2i$ or $argon2id$ , followed by resource allocation variables (m= memory, t= time, p= parallelism).
Example: $argon2id$v=19$m=65536,t=3,p=4$Y29v...

NetNTLMv2

Where found: Sniffed over Windows networks via Responder or LLMNR/NBT-NS poisoning.
Indicator: Look for username, domain, and challenge blocks divided by double colons (::).
Example: Administrator::DOMAIN:1122334455667788:A1B2C3D4...

3. Cracking Suite Toolkit: Hashcat vs. John the Ripper

Understanding when to deploy specific cracking engines determines how quickly you recover credentials.

Architectural Differences

Hashcat (The GPU Beast): Specifically engineered for massively parallel hardware acceleration. It leverages graphics cards (GPUs) via OpenCL/CUDA.
John the Ripper (The Flexible CPU Swiss-Army Knife): Highly optimized for single-core or multi-core CPU architecture. It excels at parsing non-standard formats and handling heavily customized syntax structures easily.

Definitive Use-Case Table

Scenario	Recommended Tool	Core Reason
Massive Hex Lists (MD5/SHA256)	Hashcat	GPUs process simple linear math algorithms millions of times faster than CPUs.
Complex Linux/Windows Files	John the Ripper	Native internal tools (like `unshadow` or `ssh2john`) easily parse raw system formatting into crackable structures.
Bcrypt / Argon2	John / Hashcat	Tied. Because these hashes are intentionally slow, high-end GPUs lose their structural scaling advantage over CPUs.
Custom Rulesets & Mangling	John the Ripper	JTR’s custom rule syntax engine is highly descriptive for complex conditional character modifications.

4. Practical Execution Reference (Commands)

Identifying a Hash Programmatically

Before running an intensive attack, use automated validation scripts to rule out edge cases:

Bash

# Method 1: Using hashid
hashid -m '$2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxob00GMBXo8NHp3P/B42LUg0lS'

# Method 2: Using hash-identifier
hash-identifier

Hashcat Execution Reference

Hashcat requires you to define the mode parameter (-m) corresponding to the specific algorithm target.

Hash Type	Mode ID (-m)
MD5	`0`
SHA-1	`100`
SHA-256	`1400`
Bcrypt	`3200`
NetNTLMv2	`5600`

Standard Wordlist Attack (Straight Mode)

Bash

hashcat -m 3200 -a 0 targets.txt /usr/share/wordlists/rockyou.txt

-m 3200: Specifies the target format is Bcrypt.
-a 0: Direct straight attack (runs lines exactly as they appear in the dictionary file).

Rule-Based Mangling Attack

Applies complex changes (capitalization, character substitution, padding) to every item in the wordlist:

Bash

hashcat -m 3200 -a 0 targets.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

John the Ripper Execution Reference

John natively attempts to auto-detect formats, but manually defining the configuration flag (--format=) prevents parsing errors.

Standard Wordlist Attack

Bash

john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt targets.txt

Cracking Linux Shadow Files (Unshadow Workflow)

John handles system authentication structures natively by merging configuration databases:

Bash

# Step 1: Combine passwd and shadow files into a cohesive crackable layout
unshadow /etc/passwd /etc/shadow > unshadowed.txt

# Step 2: Run the attack using John's default internal rule settings
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Checking Found Credentials

Bash

john --show unshadowed.txt

5. Situational Problem Solving (Troubleshooting)

Problem 1: "Hashcat returns an 'Assocated hash encoding salt length exception' error"

Root Cause: The input format is broken. Fast hashes (MD5/SHA) cannot have extra white spaces, trailing newlines, or username descriptions appended without explicit syntax flags.

Resolution: Clean the target file using string utilities:

Bash

# Clean trailing spaces and convert strings to lowercase completely
tr -d ' ' < broken_hashes.txt | tr '[:upper:]' '[:lower:]' > clean_hashes.txt

Problem 2: "Bcrypt cracking speeds are painfully slow ($<500$ hashes/sec)"

Root Cause: This is expected behavior. Bcrypt's internal cost factor causes it to compute deliberately slow loops to mitigate massive computing arrays.
Resolution: Do not attempt massive multi-gigabyte wordlists right away. Optimize your dictionary strategy:

1. Extract custom words from the target's public-facing website using cewl -w custom.txt http://target.htb.


Run top-tier password structures first (e.g., rockyou.txt trimmed down to the top 10,000 entries).

Problem 3: "John the Ripper fails to recognize a valid SSH Private Key"

Root Cause: Modern keys must be stripped of extraneous header markers and reformatted into a standard linear cryptographic string.

Resolution: Process the file through the appropriate formatting tool before attacking:

Bash

ssh2john id_rsa > rsa_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt rsa_hash.txt

DEV Community: Heymun Pareek

Hash Identification Reference Guide

1. Deep Dive: The Bcrypt Hashing Algorithm

How to Identify Bcrypt

Structural Breakdown

2. Comprehensive Identification Matrix: Encodings vs. Hashes

Non-Cryptographic Encodings (Reversible)

Standard Linear Hashes (Fast Hashes)

MD5 (Message Digest 5)

SHA-1 (Secure Hash Algorithm 1)

SHA-256

Application & OS Hashes (Slow / Salted Hashes)

SHA-512 Crypt

Argon2 (2i / 2id)

NetNTLMv2

3. Cracking Suite Toolkit: Hashcat vs. John the Ripper

Architectural Differences

Definitive Use-Case Table

4. Practical Execution Reference (Commands)

Identifying a Hash Programmatically

Hashcat Execution Reference

Standard Wordlist Attack (Straight Mode)

Rule-Based Mangling Attack

John the Ripper Execution Reference

Standard Wordlist Attack

Cracking Linux Shadow Files (Unshadow Workflow)

Checking Found Credentials

5. Situational Problem Solving (Troubleshooting)

Problem 1: "Hashcat returns an 'Assocated hash encoding salt length exception' error"

Problem 2: "Bcrypt cracking speeds are painfully slow ($<500$ hashes/sec)"

Problem 3: "John the Ripper fails to recognize a valid SSH Private Key"