Unknown password hash format


4 replies to this topic

#1 chronomex

chronomex

    mad 1337

  • Members
  • 135 posts
  • Gender:Not Telling
  • Location:STTLWA

Posted 26 March 2013 - 09:46 PM

Has anyone ever seen a password hashing/encryption method that looks like these examples?

  • luje!svj. (suspected plaintext "indspw")
  • luwr!cn!!!! (suspected plaintext "crftpw")
  • !KV!!Y!S (this could also be "crftpw" instead)
  • j1b1rvn*!01! (plaintext unknown)

I'm pulling these from a hexdump, so these strings might either have extra crap at the end, or be zero-filled up to 12 bytes.  In the dump they're aligned.

 

My money's on a modified base64, which would turn these into 8 octets.  However, base64 has two punctuation characters, whereas these have three ('.', '!', and '*').

 

Your thoughts?


Edited by chronomex, 26 March 2013 - 09:48 PM.


#2 ThoughtPhreaker

ThoughtPhreaker

    DDP r0x0rz my s0x0rz

  • Members
  • 1,238 posts
  • Gender:Male

Posted 07 December 2013 - 08:00 PM

I thought I'd give a bit of an update to this. I've looked into these hashes independently as well. luwr!cn!!!! and luje!svj. are indeed crftpw and indspw in plaintext. I don't know anything about the encoding scheme, but if anybody would like to look into it, I can encode any passphrase you want with it.

 

For what it's worth, they don't seem to be salted or anything along those lines. You can overwrite one password with the other, and it'll be accepted without question.

 

EDIT: I'm a noob and have no idea how salting works. Never mind me. My offer stands, though :) .


Edited by ThoughtPhreaker, 07 December 2013 - 08:21 PM.


#3 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,112 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 08 December 2013 - 12:28 AM

I don't think it's hashed. I think it's obfuscated. Also, from googling, I think I know what it is from. ;)

 

Look at the tools the developer had available to obfuscate credentials stored in the file you have got.

 

My guess: it's using a combination of base64 and xor obfuscation. All you need to do is make a tool that will base64 encode/xor in different combinations, and stop and write to a file when a combination is found that takes a known plaintext and gets the obfuscated result.

 

Good luck!
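A minimal version of the search described in the post above, as an added example that is not part of the original thread: it tries single-byte XOR and standard base64 in each order against a known plaintext/stored pair. The function names, the single-byte key and the standard base64 alphabet are assumptions; the `0x2A` pair is constructed so there is something to find.

```python
import base64
from itertools import product

def xor(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key (assumed key model)."""
    return bytes(b ^ key for b in data)

# Hypothetical candidate pipelines: each maps (plaintext, key) -> stored bytes.
# Key 0 makes XOR a no-op, so plain base64 and plain text are covered too.
PIPELINES = {
    "xor": lambda d, k: xor(d, k),
    "xor>b64": lambda d, k: base64.b64encode(xor(d, k)),
    "b64>xor": lambda d, k: xor(base64.b64encode(d), k),
}

def search(plaintext: bytes, stored: bytes) -> list:
    """Return every (pipeline, key) whose output is a prefix of `stored`.

    Prefix matching tolerates trailing filler after the real value.
    """
    hits = []
    for (name, fn), key in product(PIPELINES.items(), range(256)):
        if stored.startswith(fn(plaintext, key)):
            hits.append((name, key))
    return hits

def common_hits(pairs) -> set:
    """A guess only counts if it explains every known pair."""
    results = [set(search(p, s)) for p, s in pairs]
    return set.intersection(*results)

# Pairs quoted in the thread (plaintext, stored string).
THREAD_PAIRS = [(b"indspw", b"luje!svj."), (b"crftpw", b"luwr!cn!!!!")]
# Constructed pair so the search has something to find.
CONSTRUCTED = (b"indspw", base64.b64encode(xor(b"indspw", 0x2A)))

if __name__ == "__main__":
    print("constructed:", search(*CONSTRUCTED))
    print("thread pairs:", common_hits(THREAD_PAIRS))
```

Both pairs from the thread come back empty under these three combinations, which is consistent with the `!` and `.` characters falling outside the standard base64 alphabet.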



#4 ThoughtPhreaker

ThoughtPhreaker

    DDP r0x0rz my s0x0rz

  • Members
  • 1,238 posts
  • Gender:Male

Posted 13 December 2013 - 09:41 AM

Also, from googling, I think I know what it is from. ;)

>.>

<.<

 

Look at the tools the developer had available to obfuscate credentials stored in the file you have got.

 

Unfortunately, that's a bit of a tough one; the developer coded the OS from scratch in the mid-80's, and also pretty much developed most of the modern world as we know it. For what it's worth, they also introduced the ability to run Unix executables, though this was at least a couple years into the OS's lifespan. The obfuscation probably predates that.

 

I will say that if you do a ramdump of the process responsible for storing passwords, !KV!!Y!S appears in the exact spot as a password would be for any vacant accounts. I'll have to look into xor'ing myself in a bit, but I think this string having some hand in the obfuscation process would make the most sense.



#5 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,112 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 13 December 2013 - 09:31 PM

 

the developer coded the OS from scratch in the mid-80's

 

Yes, I know. I know what kind of file it is.

 

He probably used C.  Why not just use an algorithm or key to xor the values? 

 

This might help: http://computer-fore...alware-analysis





