ASP Password hashing algorithm

Question

I'm having an issue discovering what hashing algorithm is being used when inserting a password into a database, I have the password in the clear, and the hashed password itself, plus a salt, but I can't figure out what's going on in between (PHP developer, not .NET).

If anyone can help me out with what type of hashing has been used that would be ace.

The unhashed password: a77U3b3ovil@chee
The salt: 394279838
The hashed password: F80ADFC2175F9DB94745E6A9B8CFA575D5B94263C523F9249620BEC958026DB4

It's being inserted into an mssql database via ASP.

If you have access to this much, don't you have access to the asp files to find the code that's doing it? — Treborbob, Jul 14 '11 at 12:24
No, it's a closed system, it has taken us a long time just to get access to this much of the database, and they only plan to give us access to the database. — Andrew Lowther, Jul 14 '11 at 12:39
It might be some 1000-fold application of SHA256 composed with concatenation of the salt... how would one find out? Try some standard bcrypt routines maybe. — Kerrek SB, Jul 14 '11 at 12:40

score 1 · Answer 1 · edited May 23 '17 at 10:29

Your result has 64 hex char, so 64 x 4 bits = 256 bits in total. That means that it's either

the result of a SHA-256 (but this is a recent algorithm that is not built in to ASP)

use http://hash.online-convert.com/sha256-generator to calc
the concatenation of 2 MD5 hashes

use http://hash.online-convert.com/md5-generator to calc

The output of SHA1, the default hashing algorithm of ASP.NET has 160 bits = 40 chars, so that seems to not fit well with the data you have.

On the other hand, there might be an application salt in the code (see):

computeHash( user.salt + "98hloj5674" + password )

and if you don't know that one, there's no chance to find your answer. Can you 'guess' it? You would need a dictionary attack (try all the possibilities) and the point of using hashes is just that this would take you years (for SHA-256) or hours (for MD5).

I've tried the obvious options (like sha256(Pass & Salt) ) but none of those worked. I'm afraid there is no obvious answer without access to the code.

score 0 · Answer 2 · edited Mar 17 '17 at 10:45

0

See this discussion: https://security.stackexchange.com/questions/3989/how-to-determine-what-type-of-encoding-encryption-has-been-used

and here's a page with a few encryption methods that you could run your data through: http://support.persits.com/encrypt/demo_text.asp

edited Mar 17 '17 at 10:45

Community

1
1

answered Jul 14 '11 at 13:08

Kevin Burton

11,676
2
24
37

ASP Password hashing algorithm

2 Answers2