DEV Community

Heymun Pareek
Heymun Pareek

Posted on

Hash Identification Reference Guide

#algorithms #cybersecurity #infosec #tutorial

With commands and tools
This document serves as a professional, end-to-end reference for identifying, parsing, and cracking cryptographic hashes and encodings encountered during penetration tests, CTFs, and practical exams (like the CPTS).

1. Deep Dive: The Bcrypt Hashing Algorithm

How to Identify Bcrypt

Bcrypt is an adaptive, salted cryptographic hash function based on the Blowfish cipher. In database dumps, a bcrypt hash is immediately recognizable by its structured layout, modular delimiters ($), and a fixed length of exactly 60 characters.

Structural Breakdown

A standard bcrypt string is split into four distinct fields:

Plaintext

  $2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxob00GMBXo8NHp3P/B42LUg0lS
  \ / \/ \____________________/\_____________________________/
   |   |            |                        |
 Identifier Cost   22-Char Salt            31-Char Hash
Enter fullscreen mode Exit fullscreen mode
  1. Identifier (Prefix): Defines the specific variant of the bcrypt algorithm.
- `$2a$`: The classic implementation.

- `$2b$`: Modern implementation fixing minor caching bugs.

- `$2y$`: Specifically generated by PHP (e.g., Laravel, custom frameworks) to handle specific password hashing variations.
Enter fullscreen mode Exit fullscreen mode
  1. Cost Factor: A two-digit integer indicating the work factor. It represents the number of key-expansion rounds as a power of 2 ($2^{\text{cost}}$).
- _Example:_ A cost of `13` means $2^{13} = 8,192$ iterations. This intentional slowness (key stretching) thwarts brute-force hardware.
Enter fullscreen mode Exit fullscreen mode

  1. Salt: A globally unique, 22-character string that prevents rainbow table attacks.

  2. Ciphertext (Digest): The remaining 31-character output containing the actual scrambled data.

Key Learning: Bcrypt uses a custom Base64 alphabet (./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789). This is why you will see characters like . and / scattered through the text, but never padding signs like =.

2. Comprehensive Identification Matrix: Encodings vs. Hashes

As a pentester, you must distinguish between data that is merely encoded (reversible) and data that is cryptographically hashed (one-way).

Non-Cryptographic Encodings (Reversible)

Type Character Set Length Characteristics Structural Indicators / Giveaways
Base64 A-Z, a-z, 0-9, +, / Always a multiple of 4. Frequently ends with = or == padding characters.
Hexadecimal 0-9, a-f (or A-F) Always an even number of characters. No letters past F will ever appear.
ROT13 A-Z, a-z Matches the original plain text length. Retains all native punctuation, spaces, and numbers.
URL Encoding 0-9, A-F, % Variable. Dominated by percentage signs (%20, %3f, %2b).

  • Base64 Example: YWRtaW4xMjM= $\rightarrow$ Decodes to admin123

  • Hex Example: 61646d696e313233 $\rightarrow$ Decodes to admin123

  • ROT13 Example: nqzva123 $\rightarrow$ Decodes to admin123

Standard Linear Hashes (Fast Hashes)

These are raw hexadecimal outputs. They do not store their salt natively inside the output string and are identified entirely by character count.

MD5 (Message Digest 5)

  • Length: 32 characters (128-bit)

  • Format: Hexadecimal

  • Example: 0192023a7bbd73250516f069df18b500

SHA-1 (Secure Hash Algorithm 1)

  • Length: 40 characters (160-bit)

  • Format: Hexadecimal

  • Example: a0f7169bb83ab40d21d51a6579cf299e5a1532f7

SHA-256

  • Length: 64 characters (256-bit)

  • Format: Hexadecimal

  • Example: 240a1921a37c15234f9a0c6a589cf299e5a1532f7a0f7169bb83ab40d21d51a65

Application & OS Hashes (Slow / Salted Hashes)

SHA-512 Crypt

  • Where found: Linux /etc/shadow files.

  • Indicator: Starts explicitly with $6$.

  • Example: $6$rounds=5000$saltsalt$HashedOutputStrings...

Argon2 (2i / 2id)

  • Where found: Modern enterprise databases, KeePass databases.

  • Indicator: Starts with $argon2i$ or $argon2id$, followed by resource allocation variables (m= memory, t= time, p= parallelism).

  • Example: $argon2id$v=19$m=65536,t=3,p=4$Y29v...

NetNTLMv2

  • Where found: Sniffed over Windows networks via Responder or LLMNR/NBT-NS poisoning.

  • Indicator: Look for username, domain, and challenge blocks divided by double colons (::).

  • Example: Administrator::DOMAIN:1122334455667788:A1B2C3D4...

3. Cracking Suite Toolkit: Hashcat vs. John the Ripper

Understanding when to deploy specific cracking engines determines how quickly you recover credentials.

Architectural Differences

  • Hashcat (The GPU Beast): Specifically engineered for massively parallel hardware acceleration. It leverages graphics cards (GPUs) via OpenCL/CUDA.

  • John the Ripper (The Flexible CPU Swiss-Army Knife): Highly optimized for single-core or multi-core CPU architecture. It excels at parsing non-standard formats and handling heavily customized syntax structures easily.

Definitive Use-Case Table

Scenario Recommended Tool Core Reason
Massive Hex Lists (MD5/SHA256) Hashcat GPUs process simple linear math algorithms millions of times faster than CPUs.
Complex Linux/Windows Files John the Ripper Native internal tools (like unshadow or ssh2john) easily parse raw system formatting into crackable structures.
Bcrypt / Argon2 John / Hashcat Tied. Because these hashes are intentionally slow, high-end GPUs lose their structural scaling advantage over CPUs.
Custom Rulesets & Mangling John the Ripper JTR’s custom rule syntax engine is highly descriptive for complex conditional character modifications.

4. Practical Execution Reference (Commands)

Identifying a Hash Programmatically

Before running an intensive attack, use automated validation scripts to rule out edge cases:

Bash

# Method 1: Using hashid
hashid -m '$2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxob00GMBXo8NHp3P/B42LUg0lS'

# Method 2: Using hash-identifier
hash-identifier
Enter fullscreen mode Exit fullscreen mode

Hashcat Execution Reference

Hashcat requires you to define the mode parameter (-m) corresponding to the specific algorithm target.

Hash Type Mode ID (-m)
MD5 0
SHA-1 100
SHA-256 1400
Bcrypt 3200
NetNTLMv2 5600

Standard Wordlist Attack (Straight Mode)

Bash

hashcat -m 3200 -a 0 targets.txt /usr/share/wordlists/rockyou.txt
Enter fullscreen mode Exit fullscreen mode

  • -m 3200: Specifies the target format is Bcrypt.

  • -a 0: Direct straight attack (runs lines exactly as they appear in the dictionary file).

Rule-Based Mangling Attack

Applies complex changes (capitalization, character substitution, padding) to every item in the wordlist:

Bash

hashcat -m 3200 -a 0 targets.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
Enter fullscreen mode Exit fullscreen mode

John the Ripper Execution Reference

John natively attempts to auto-detect formats, but manually defining the configuration flag (--format=) prevents parsing errors.

Standard Wordlist Attack

Bash

john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt targets.txt
Enter fullscreen mode Exit fullscreen mode

Cracking Linux Shadow Files (Unshadow Workflow)

John handles system authentication structures natively by merging configuration databases:

Bash

# Step 1: Combine passwd and shadow files into a cohesive crackable layout
unshadow /etc/passwd /etc/shadow > unshadowed.txt

# Step 2: Run the attack using John's default internal rule settings
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
Enter fullscreen mode Exit fullscreen mode

Checking Found Credentials

Bash

john --show unshadowed.txt
Enter fullscreen mode Exit fullscreen mode

5. Situational Problem Solving (Troubleshooting)

Problem 1: "Hashcat returns an 'Assocated hash encoding salt length exception' error"

  • Root Cause: The input format is broken. Fast hashes (MD5/SHA) cannot have extra white spaces, trailing newlines, or username descriptions appended without explicit syntax flags.

  • Resolution: Clean the target file using string utilities:

    Bash

    # Clean trailing spaces and convert strings to lowercase completely
tr -d ' ' < broken_hashes.txt | tr '[:upper:]' '[:lower:]' > clean_hashes.txt

Problem 2: "Bcrypt cracking speeds are painfully slow ($<500$ hashes/sec)"

  • Root Cause: This is expected behavior. Bcrypt's internal cost factor causes it to compute deliberately slow loops to mitigate massive computing arrays.

  • Resolution: Do not attempt massive multi-gigabyte wordlists right away. Optimize your dictionary strategy:

1. Extract custom words from the target's public-facing website using cewl -w custom.txt http://target.htb.


    

  1. Run top-tier password structures first (e.g., rockyou.txt trimmed down to the top 10,000 entries).

    2.
Enter fullscreen mode Exit fullscreen mode

Problem 3: "John the Ripper fails to recognize a valid SSH Private Key"

  • Root Cause: Modern keys must be stripped of extraneous header markers and reformatted into a standard linear cryptographic string.

  • Resolution: Process the file through the appropriate formatting tool before attacking:

    Bash

    ssh2john id_rsa > rsa_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt rsa_hash.txt

Top comments (0)