Introduction
In the fields of cybersecurity and digital forensics, you will often encounter cryptographic hashes. A hash is a fixed-size string of bytes that is the result of a one-way mathematical function applied to an arbitrary block of data. Before you can attempt to crack a password hash, you must first identify the algorithm used to create it, such as MD5, SHA-1, or NTLM.
In this lab, you will learn the essential skill of identifying unknown hash types. You will use common command-line tools available in Linux to analyze a list of example hashes and determine their corresponding algorithms. This is a critical first step for any password cracking activity.
Gather a List of Various Example Hashes
In this step, you will create a text file containing several different types of hashes. This file will serve as the input for the identification tools in the subsequent steps. Each hashing algorithm produces output with a specific length and character set, and identification tools use those two properties to narrow down the candidate algorithms.
First, use the cat command with a Here Document (<<EOF) to create a file named hashes.txt in the ~/project directory. This file will contain three common hash types: MD5, SHA-1, and NTLM.
Execute the following command in your terminal:
cat << EOF > hashes.txt
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
32ed87bd5fdc5e204e2620a05a069858
EOF
After creating the file, you can verify its contents using the cat command again.
cat hashes.txt
You should see the following output, confirming the three hashes have been saved to the file:
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
32ed87bd5fdc5e204e2620a05a069858
Now that you have your list of hashes, you are ready to start identifying them.
Use the hashid Tool in Kali
In this step, you will use the hashid tool to analyze the hashes you saved in the hashes.txt file. hashid is a command-line utility that identifies different hash types by analyzing their length and character composition. It's a simple yet powerful tool for the initial phase of hash analysis.
To use hashid, you simply provide the file containing the hashes as an argument. The tool will process each line of the file and attempt to identify the hash on that line.
Run hashid on your hashes.txt file:
hashid hashes.txt
The tool will analyze each hash and print its findings to the terminal. The output will show the hash string, followed by a list of possible hash algorithms.
--File 'hashes.txt'--
d41d8cd98f00b204e9800998ecf8427e
[+] MD5
[+] Domain Cached Credentials (DCC)
da39a3ee5e6b4b0d3255bfef95601890afd80709
[+] SHA-1
[+] RipeMD-160
32ed87bd5fdc5e204e2620a05a069858
[+] NTLM
[+] MD4
[+] MD5
--End of file 'hashes.txt'--
As you can see, hashid provides one or more potential matches for each hash. In the next step, you will learn how to interpret this output.
Analyze the Output of hashid
In this step, you will learn how to interpret the output from hashid. While the tool provides a list of possibilities, you often need to use context or further analysis to narrow down the correct hash type.
Let's break down the output from the previous step:
- For the first hash (d41d8cd98f00b204e9800998ecf8427e), hashid suggests MD5 and Domain Cached Credentials (DCC). MD5 is the most common type for a hash of this format.
- For the second hash (da39a3ee5e6b4b0d3255bfef95601890afd80709), the suggestions are SHA-1 and RipeMD-160. SHA-1 is a very common choice.
- For the third hash (32ed87bd5fdc5e204e2620a05a069858), hashid lists NTLM, MD4, and MD5. In Windows environments, NTLM is a very likely candidate.
hashid can also show you the corresponding mode code used by the password cracking tool Hashcat. To do this, use the -m flag followed by a single hash. Let's check the first hash for its Hashcat mode.
hashid -m d41d8cd98f00b204e9800998ecf8427e
The output will now include the Hashcat mode number for each potential hash type.
--Hash 'd41d8cd98f00b204e9800998ecf8427e'--
[+] MD5 [HC: 0]
[+] Domain Cached Credentials (DCC) [HC: 1100]
This tells you that for Hashcat, MD5 corresponds to mode -m 0. This information is crucial for setting up a cracking session.
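The narrowing described in this step, as an added example (not part of the original lab and not hashid's own code): a shell sketch that lists candidates from length and character set alone, then confirms one by recomputing the digest of an input you already know. It assumes GNU coreutils md5sum and sha1sum; the function names are hypothetical, and the empty string serves as the known input because the lab's first two sample hashes are the MD5 and SHA-1 digests of empty input.

```shell
#!/bin/sh
# Added example (not from the lab or hashid); function names are hypothetical.
# Assumes GNU coreutils md5sum and sha1sum are installed.

# List candidates for one hash using only its length and character set.
# Numbers in parentheses are the Hashcat modes quoted in this lab.
classify_hash() {
    # Normalize copy-paste noise: strip whitespace/CR, fold to lowercase.
    h=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case "$h" in
        ''|*[!0-9a-f]*) echo "not-plain-hex"; return 1 ;;
    esac
    case "${#h}" in
        32) echo "MD5(0) NTLM(1000) MD4 DCC(1100)" ;;
        40) echo "SHA-1(100) RipeMD-160" ;;
        *)  echo "unknown-length-${#h}"; return 1 ;;
    esac
}

# Confirm a candidate by recomputing the digest of an input you already know
# (for example a test account's password) and comparing it to the hash.
confirm_with_known_input() {
    want=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    md5=$(printf '%s' "$2" | md5sum | cut -d' ' -f1)
    sha1=$(printf '%s' "$2" | sha1sum | cut -d' ' -f1)
    case "$want" in
        "$md5")  echo "MD5" ;;
        "$sha1") echo "SHA-1" ;;
        *)       echo "no-match"; return 1 ;;
    esac
}

# Demo on the three sample hashes from hashes.txt, with the empty string
# as the known input (chosen for this example).
for s in d41d8cd98f00b204e9800998ecf8427e \
         da39a3ee5e6b4b0d3255bfef95601890afd80709 \
         32ed87bd5fdc5e204e2620a05a069858; do
    printf '%s\n  candidates: %s\n  known-input check: %s\n' "$s" \
        "$(classify_hash "$s")" "$(confirm_with_known_input "$s" '')"
done
```

Every 32-character hex string gets the same candidate list here, so the choice between MD5 and NTLM has to come from where the hash was found or from a known-input check.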
Use an Online Hash Analyzer Tool as a Second Opinion
In this step, you will use another command-line tool, hash-identifier, to get a second opinion on the hash types. In any analysis, it's good practice to use multiple tools to verify your findings, as different tools may have different databases and algorithms.
hash-identifier is an interactive Python script. You run the command, and it prompts you to enter the hash you want to identify.
First, launch the tool by typing its name in the terminal:
hash-identifier
You will see a prompt asking for the hash.
HASH:
Now, copy one of the hashes from your hashes.txt file, for example, the second one (da39a3ee5e6b4b0d3255bfef95601890afd80709), paste it at the prompt, and press Enter.
The tool will analyze the hash and provide its conclusion.
HASH: da39a3ee5e6b4b0d3255bfef95601890afd80709
Possible Hashs:
[+] SHA-1
[+] RipeMD-160
Least Possible Hashs:
The output confirms hashid's finding that the hash is most likely SHA-1. You can press Ctrl+C to exit the hash-identifier tool.
Match the Identified Hash Type with Hashcat's -m Code
In this final step, you will learn how to find the correct mode (-m) code for use with Hashcat, the world's fastest password recovery tool. While hashid -m can provide this information, you can also find it directly from Hashcat's extensive help menu. This is useful for confirming the mode or finding codes for less common hash types.
Hashcat requires you to specify the hash type using a numeric code with the -m flag. To find the correct code, you can use grep to search Hashcat's help output.
Let's find the mode for MD5. Run the following command:
hashcat --help | grep "MD5"
The output will be a long list of all modes related to MD5. Look for the plain MD5 entry.
...
0 | MD5 | Raw Hash
...
As you can see, the mode for a standard MD5 hash is 0.
Now, let's do the same for SHA-1:
hashcat --help | grep "SHA-1"
...
100 | SHA-1 | Raw Hash
...
The mode for SHA-1 is 100.
Finally, let's find the mode for NTLM:
hashcat --help | grep "NTLM"
...
1000 | NTLM | Raw Hash
...
The mode for NTLM is 1000. By correctly identifying the hash type and its corresponding Hashcat mode, you are now prepared to configure a password cracking attack.
Summary
In this lab, you learned the fundamental process of identifying unknown hash types, a critical prerequisite for password cracking. You started by creating a file with various hash examples. You then used two powerful command-line tools, hashid and hash-identifier, to analyze these hashes and determine their probable algorithms. Finally, you learned how to cross-reference the identified hash type with Hashcat's extensive list of modes to find the correct -m code for a cracking session. This skill is indispensable for any cybersecurity professional involved in penetration testing or digital forensics.


