0

I'm having an issue discovering what hashing algorithm is being used when inserting a password into a database, I have the password in the clear, and the hashed password itself, plus a salt, but I can't figure out what's going on in between (PHP developer, not .NET).

If anyone can help me out with what type of hashing has been used that would be ace.

  • The unhashed password: a77U3b3ovil@chee
  • The salt: 394279838
  • The hashed password: F80ADFC2175F9DB94745E6A9B8CFA575D5B94263C523F9249620BEC958026DB4

It's being inserted into an mssql database via ASP.

Improve this question
3
  • 1
    If you have access to this much, don't you have access to the asp files to find the code that's doing it? Commented Jul 14, 2011 at 12:24
  • No, it's a closed system, it has taken us a long time just to get access to this much of the database, and they only plan to give us access to the database. Commented Jul 14, 2011 at 12:39
  • It might be some 1000-fold application of SHA256 composed with concatenation of the salt... how would one find out? Try some standard bcrypt routines maybe. Commented Jul 14, 2011 at 12:40

2 Answers 2

Reset to default
1

Your result has 64 hex char, so 64 x 4 bits = 256 bits in total. That means that it's either

The output of SHA1, the default hashing algorithm of ASP.NET has 160 bits = 40 chars, so that seems to not fit well with the data you have.

On the other hand, there might be an application salt in the code (see):

computeHash( user.salt + "98hloj5674" + password )

and if you don't know that one, there's no chance to find your answer. Can you 'guess' it? You would need a dictionary attack (try all the possibilities) and the point of using hashes is just that this would take you years (for SHA-256) or hours (for MD5).

I've tried the obvious options (like sha256(Pass & Salt) ) but none of those worked. I'm afraid there is no obvious answer without access to the code.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

See this discussion: https://security.stackexchange.com/questions/3989/how-to-determine-what-type-of-encoding-encryption-has-been-used

and here's a page with a few encryption methods that you could run your data through: http://support.persits.com/encrypt/demo_text.asp

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.