Hash

From Linuxmemo.

(Differences between revisions)
(LDAP)
(LDAP)
Ligne 74 : Ligne 74 :
  echo "e3NzaGF9NTIyZXI0Y2FoRitvWVIzS1JtYUpFYUhUWXFYZzJKZEV3SUN5VlE9PQ"| base64 -d
  echo "e3NzaGF9NTIyZXI0Y2FoRitvWVIzS1JtYUpFYUhUWXFYZzJKZEV3SUN5VlE9PQ"| base64 -d
  {ssha}522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ==
  {ssha}522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ==
-
  echo "522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ" | cut -c1-20
+
  echo "522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ" | cut -b1-20
  522er4cahF+oYR3K
  522er4cahF+oYR3K
-
  echo "522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ" | cut -c21-
+
  echo "522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ" | cut -b21-
  EaHTYqXg2JdEwICyVQ
  EaHTYqXg2JdEwICyVQ
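Review bot: switching `cut -c` to `cut -b` in both commands still slices the Base64 text rather than the decoded value, so positions 1-20 and 21- do not correspond to the 20-byte SHA-1 digest and the salt this LDAP example is meant to show. The string passed to cut has also lost its trailing ==, and the output shown for 1-20 is 16 characters long, not 20. Suggest piping the padded value through base64 -d first and splitting the decoded bytes, for example with head -c 20 and tail -c +21.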

Revision as of 16 February 2018, 11:54

Ubuntu password storage

$1  = MD5 hashing algorithm
$2  = Blowfish algorithm
$2a = eksblowfish algorithm
$5  = SHA-256 algorithm
$6  = SHA-512 algorithm

https://en.wikipedia.org/wiki/Crypt_(C)

$5$salt$encrypted is an SHA-256 encoded password.
$6$salt$encrypted is an SHA-512 encoded one.

How to generate a shadow style password hash?

[root@localhost ~]# openssl passwd -1 redhat123
$1$jp5rCMS4$mhvf4utonDubW5M00z0Ow0

sha1pass - Create a SHA1 password hash
sha1pass [PASSWORD] [SALT]

Format

http://openwall.info/wiki/john/hash-formats

<hash> When only the hash is present, JtR will output "?" as the username when showing and/or cracking.
<username>:<hash> (This is a basic/generic format)
<username>:<hash>:<uid>:<gid>:<GECOS>:<directory>:<shell> (This is a typical *nix "unshadowed" format)
<username>:<uid>:<LM-hash>:<NTLM-hash>:<comment>:<homedir>: (This is a PWDump format)

???

MD5    hashed password using the MD5 hash algorithm
SMD5   MD5 with salt
SHA    hashed password using the SHA-1 hash algorithm
SSHA   SHA-1 with salt

Tools

  • online

http://www.lorem-ipsum.co.uk/hasher.php

  • command to generate Unix-like (shadow) passwords
mkpasswd --method=help
Méthodes disponibles :
des	standard 56 bit DES-based crypt(3)
md5	MD5
sha-256	SHA-256
sha-512	SHA-512
mkpasswd --method=sha-512 --salt=ilgneZZz MotDePass
$6$ilgneZZz$3F0CFqdnusWgqidMGk0.7n7nGjjSyDLUXnY3/qYWKYlOhygJx05JuxmK6xTrCgeBP/CLZYOZ3F2Jc5TZ9w.XJ/

If you don't provide mkpasswd with a salt it will automatically generate a random salt.

Tips

  • compare two hashes
if [ "$hash1" = "$hash2" ]; then echo same; fi

See hashid

LDAP

Base64Encode(SHA1(salt+password)+salt)

So inside that Base64 value you have both the hash and salt.

With SSHA, normally the salt is appended to the SHA1 hash and then the whole thing is Base64 encoded (I've never seen an LDAP that didn't do SSHA this way). You should be able to tell this by looking at the userPassword attribute. If it's 28 characters long with a = at the end, it's only the hash.

If the Base64 value is 32 characters long or greater, it contains both the hash and the salt. Base64 decode the value and strip off the first 20 bytes; this is the SHA1 hash. The remaining bytes are the salt.

Example: Base64 encoded hash with salt
userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0
Base64 decoded value
     SHA1 Hash      Salt
--------------------++++
123456789012345678901234


echo "e3NzaGF9NTIyZXI0Y2FoRitvWVIzS1JtYUpFYUhUWXFYZzJKZEV3SUN5VlE9PQ"| base64 -d
{ssha}522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ==
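# Decode the Base64 value first, then split the bytes: the first 20 are the SHA-1 hash
echo "522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ==" | base64 -d | head -c 20 | xxd -p
e76d9eaf871a845fa8611dca46668911a1d362a5
# The remaining bytes (from byte 21 on) are the salt
echo "522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ==" | base64 -d | tail -c +21 | xxd -p
e0d89744c080b255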
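Added example (not part of the original page): the same split done in Python on a full userPassword value, plus a check of a candidate password against it. The function names are illustrative, and verification assumes the digest is SHA1(password + salt), the order OpenLDAP uses.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes


def parse_user_password(value):
    """Split '{SHA}...' or '{SSHA}...' into (scheme, digest, salt)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no {SCHEME} prefix")
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("unsupported scheme: " + scheme)
    # Tolerate stripped '=' padding, reject anything that is not Base64
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if len(raw) < SHA1_LEN or (scheme == "SHA" and len(raw) != SHA1_LEN):
        raise ValueError("unexpected decoded length")
    # First 20 bytes are the digest, whatever follows is the salt
    return scheme, raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password, salt=None):
    """Build an {SSHA} value; a random 8-byte salt is used if none is given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password, value):
    """Recompute the digest with the stored salt, compare in constant time."""
    _, digest, salt = parse_user_password(value)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Values taken from the examples on this page
    for v in ("{SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0",
              "{ssha}522er4cahF+oYR3KRmaJEaHTYqXg2JdEwICyVQ=="):
        scheme, digest, salt = parse_user_password(v)
        print(scheme, digest.hex(), salt.hex())
    # Constructed round trip: password and salt are sample values
    stored = make_ssha("MotDePass", b"\x01\x02\x03\x04")
    print(stored, verify("MotDePass", stored), verify("wrong", stored))
```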