heitt 0.4.1

@@ -0,0 +1,2516 @@
1
+ module HEITT
2
+ DATABASE = [
3
+ {
4
+ _credit: "Adapted from hashid prototypes.json by psypanda",
5
+ _source: "https://github.com/psypanda/hashID",
6
+ _license: "GPL-3.0"
7
+ },
8
+ {
9
+ extract_regex: Regexp.new('\b[a-f0-9]{4}\b', Regexp::IGNORECASE),
10
+ modes: [
11
+ {
12
+ name:"CRC-16",
13
+ john: nil,
14
+ hashcat: nil,
15
+ extended: false,
16
+ description: "Cyclic Redundancy Check 16-bit — 4 hexadecimal chars, basic checksum",
17
+ notes: ["Error detection in data transmission", "Data storage integrity checks", "Not cryptographic", "Low collision resistance"],
18
+ context: ["checksum", "networking"],
19
+ prefixes: ["crc-16"],
20
+ common_sources: ["file verification", "network protocols", "embedded systems"]
21
+
22
+ },
23
+ {
24
+ name:"CRC-16-CCITT",
25
+ john: nil,
26
+ hashcat: nil,
27
+ extended: false,
28
+ description: "Cyclic Redundancy Check 16-bit Consultative Commitee for International Telegraph and Telephone",
29
+ notes: ["Used for error detection in communication and storage systems", "Data Integrity and verification", "Memory checks integrity", "Not cryptographic"],
30
+ context: ["checksum", "telecom", "bluetooth"],
31
+ common_sources: ["V.41", "X.25", "HDLC", "Bluetooth"]
32
+ },
33
+ {
34
+ name:"FCS-16",
35
+ john: nil,
36
+ hashcat: nil,
37
+ extended: false,
38
+ description: "Frame Check Sequence 6-bit — 4 hexadecimal chars, data link layer",
39
+ notes: ["Not cryptographic"],
40
+ prefixes: ["fcs-16"],
41
+ context: ["checksum", "networking"],
42
+ common_sources: ["Ethernet frames", "PPP"]
43
+ }
44
+ ]
45
+ },
46
+ {
47
+ extract_regex: Regexp.new('\b[a-f0-9]{8}\b', Regexp::IGNORECASE),
48
+ modes: [
49
+ {
50
+ name:"Adler-32",
51
+ john: nil,
52
+ hashcat: nil,
53
+ extended: false,
54
+ description: "Adler-32 checksum — 8 hex chars, zlib compression",
55
+ common_sources: ["zlib", "PNG files", "RSYNC"],
56
+ context: ["checksum", "compression"]
57
+ },
58
+ {
59
+ name:"CRC-32B",
60
+ john: nil,
61
+ hashcat: nil,
62
+ extended: false,
63
+ description: "CRC-32 IEEE 802.3 variant — 8 hex chars, Ethernet standard" ,
64
+ notes: ["Not cryptographic"],
65
+ common_sources: ["Ethernet", "MPEG-2", "PKZIP"],
66
+ context: ["checksum", "networking"]
67
+ },
68
+ {
69
+ name:"FCS-32",
70
+ john: nil,
71
+ hashcat: nil,
72
+ extended: false,
73
+ description: "Frame Check Sequence 32-bit — 8 hex chars, advanced networking",
74
+ common_sources: ["advanced networking protocols"],
75
+ context: ["checksum", "networking"]
76
+ },
77
+ {
78
+ name:"GHash-32-3",
79
+ john: nil,
80
+ hashcat: nil,
81
+ extended: false,
82
+ description: "G-Hash 32-bit 3-round — 8 hex chars, experimental hash",
83
+ common_sources: ["research", "academic"],
84
+ context: ["experimental"]
85
+ },
86
+ {
87
+ name:"GHash-32-5",
88
+ john: nil,
89
+ hashcat: nil,
90
+ extended: false,
91
+ description: "G-Hash 32-bit 5-round — 8 hex chars, experimental hash",
92
+ common_sources: ["research", "academic"],
93
+ context: ["experimental"]
94
+ },
95
+ {
96
+ name:"FNV-132",
97
+ john: nil,
98
+ hashcat: nil,
99
+ extended: false,
100
+ description: "Fowler-Noll-Vo hash 32-bit — 8 hex chars, fast non-crypto hash",
101
+ common_sources: ["DNS", "database indexing", "hash tables"],
102
+ context: ["checksum", "programming"]
103
+ },
104
+ {
105
+ name:"Fletcher-32",
106
+ john: nil,
107
+ hashcat: nil,
108
+ extended: false,
109
+ description: "Fletcher's checksum 32-bit — 8 hex chars, error detection",
110
+ common_sources: ["OSTA UDF", "ISO/IEC 8473-1"],
111
+ context: ["checksum", "storage"]
112
+ },
113
+ {
114
+ name:"Joaat",
115
+ john: nil,
116
+ hashcat: nil,
117
+ extended: false,
118
+ description: "Jenkins one-at-a-time hash — 8 hex chars, simple string hash",
119
+ common_sources: ["Perl", "Apache", "various applications"],
120
+ context: ["programming", "hashing"]
121
+ },
122
+ {
123
+ name:"ELF-32",
124
+ john: nil,
125
+ hashcat: nil,
126
+ extended: false,
127
+ description: "ELF-32 hash for object files — 8 hex chars, Unix/Linux object files",
128
+ context: ["executable", "system"],
129
+ "mime_types": ["application/octet-stream"]
130
+
131
+ },
132
+ {
133
+ name:"XOR-32",
134
+ john: nil,
135
+ hashcat: nil,
136
+ extended: false,
137
+ description: "Simple XOR-based 32-bit hash — 8 hex chars, basic XOR operation",
138
+ common_sources: ["simple applications", "embedded systems"],
139
+ context: ["basic", "embedded"]
140
+
141
+ }
142
+ ]
143
+ },
144
+ {
145
+ extract_regex: Regexp.new('\b[a-f0-9]{6}\b', Regexp::IGNORECASE),
146
+ modes: [
147
+ {
148
+ name:"CRC-24",
149
+ john: nil,
150
+ hashcat: nil,
151
+ extended: false,
152
+ description: "Cyclic Redundancy Check 24-bits — 6 hexadecimal chars, OpenPGP standard",
153
+ notes: ["Not cryptographic"],
154
+ context: ["checksum"],
155
+ common_sources: ["OpenPGP", "RFID", "some file formats"]
156
+ }
157
+ ]
158
+ },
159
+ {
160
+ extract_regex: Regexp.new('\b(\$crc32\$[a-f0-9]{8}.)?[a-f0-9]{8}\b', Regexp::IGNORECASE),
161
+ modes: [
162
+ {
163
+ name:"CRC-32",
164
+ john: "crc32",
165
+ hashcat: nil,
166
+ extended: false,
167
+ description: "Cyclic Redundancy Check 32-bit — 8 hex chars, most common checksum",
168
+ notes: ["Not cryptographic"]
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ extract_regex: Regexp.new('\b\\+[a-z0-9\\/.]{12}\b', Regexp::IGNORECASE),
174
+ modes: [
175
+ {
176
+ john: "bfegg",
177
+ hashcat: nil,
178
+ extended: false,
179
+ name:"Eggdrop IRC Bot"
180
+ }
181
+ ]
182
+ },
183
+ {
184
+ extract_regex: Regexp.new('\b[a-z0-9\\/.]{13}\b', Regexp::IGNORECASE),
185
+ modes: [
186
+ {
187
+ name:"DES(Unix)",
188
+ john: "descrypt",
189
+ hashcat: 1500,
190
+ extended: false,
191
+ description: "DES-based Unix crypt — 13 chars, traditional Unix passwords",
192
+ notes: ["Only 8 char passwords", "weak salt"],
193
+ common_sources: ["/etc/passwd", "old Unix systems"],
194
+ context: ["unix", "legacy"]
195
+ },
196
+ {
197
+ name:"Traditional DES",
198
+ john: "descrypt",
199
+ hashcat: 1500,
200
+ extended: false
201
+
202
+ },
203
+ {
204
+ name:"DEScrypt",
205
+ john: "descrypt",
206
+ hashcat: 1500,
207
+ extended: false,
208
+ description: "DES crypt implementation — 13 chars",
209
+ notes: ["Traditional Unix password hashing"],
210
+ common_sources: ["old Unix/Linux"],
211
+ context: ["unix", "legacy"]
212
+ }
213
+ ]
214
+ },
215
+ {
216
+ extract_regex: Regexp.new('\b[a-f0-9]{16}\b', Regexp::IGNORECASE),
217
+ modes: [
218
+ {
219
+ name:"MySQL323",
220
+ john: "mysql",
221
+ hashcat: 200,
222
+ extended: false,
223
+ description: "MySQL 3.23 password hash — 16 chars typical, but can be padded to 32 (hexadecimals)",
224
+ notes: ["Used in old MySQL databases", "Can be broken in seconds", "Susceptible to rainbow tables", "Limited to 8 character passwords", "Deprecated since MySQL 4.1"]
225
+ },
226
+ {
227
+ name:"DES(Oracle)",
228
+ john: nil,
229
+ hashcat: 3100,
230
+ extended: false,
231
+ description: "Oracle DES-based hash — 16 hex chars, Oracle specific"
232
+ },
233
+ {
234
+ name:"Half MD5",
235
+ john: nil,
236
+ hashcat: 5100,
237
+ extended: false,
238
+ description: "First half of MD5 hash — 16 hex chars, MD5 truncated",
239
+ notes: ["Weaker than full MD5"]
240
+ },
241
+ {
242
+ name:"Oracle 7-10g",
243
+ john: nil,
244
+ hashcat: 3100,
245
+ extended: false
246
+ },
247
+ {
248
+ name:"FNV-164",
249
+ john: nil,
250
+ hashcat: nil,
251
+ extended: false,
252
+ description: "Fowler-Noll-Vo hash 64-bit — 16 hex chars, 64-bit version",
253
+ notes: ["Not cryptographic"]
254
+ },
255
+ {
256
+ name:"CRC-64",
257
+ john: nil,
258
+ hashcat: nil,
259
+ extended: false,
260
+ description: "Cyclic Redundancy Check 64-bit — 16 hex chars, ISO 3309",
261
+ notes: ["Not cryptographic"]
262
+ }
263
+ ]
264
+ },
265
+ {
266
+ extract_regex: Regexp.new('\b[a-z0-9\\/.]{16}\b', Regexp::IGNORECASE),
267
+ modes: [
268
+ {
269
+ name:"Cisco-PIX(MD5)",
270
+ john: "pix-md5",
271
+ hashcat: 2400,
272
+ extended: false,
273
+ description: "Cisco PIX MD5 hash"
274
+ }
275
+ ]
276
+ },
277
+ {
278
+ extract_regex: Regexp.new('\b\\([a-z0-9\\/+]{20}\\)\b', Regexp::IGNORECASE),
279
+ modes: [
280
+ {
281
+ john: "dominosec",
282
+ hashcat: 8700,
283
+ extended: false,
284
+ name:"Lotus Notes/Domino 6"
285
+ }
286
+ ]
287
+ },
288
+ {
289
+ extract_regex: Regexp.new('\b_[a-z0-9\\/.]{19}\b', Regexp::IGNORECASE),
290
+ modes: [
291
+ {
292
+ john: "bsdicrypt",
293
+ hashcat: nil,
294
+ extended: false,
295
+ name:"BSDi Crypt"
296
+ }
297
+ ]
298
+ },
299
+ {
300
+ extract_regex: Regexp.new('\b[a-f0-9]{24}\b', Regexp::IGNORECASE),
301
+ modes: [
302
+ {
303
+ name:"CRC-96(ZIP)",
304
+ john: nil,
305
+ hashcat: nil,
306
+ extended: false,
307
+ description: "CRC-96 used in some ZIP variants — 24 hex chars, extended CRC",
308
+ notes: ["Not cryptographic", "For some archive formats"]
309
+ }
310
+ ]
311
+ },
312
+ {
313
+ extract_regex: Regexp.new('\b[a-z0-9\\/.]{24}\b', Regexp::IGNORECASE),
314
+ modes: [
315
+ {
316
+ name:"Crypt16",
317
+ john: nil,
318
+ hashcat: nil,
319
+ extended: false,
320
+ description: "Extended crypt16 implementation",
321
+ characteristics: "24 chars, extended DES crypt",
322
+ notes: ["Rarely used", "Used by some Unix variants"]
323
+ }
324
+ ]
325
+ },
326
+ {
327
+ extract_regex: Regexp.new('\b(\$md2\$)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
328
+ modes: [
329
+ {
330
+ john: "md2",
331
+ hashcat: nil,
332
+ extended: false,
333
+ name:"MD2"
334
+ }
335
+ ]
336
+ },
337
+ {
338
+ extract_regex: Regexp.new('\b[a-f0-9]{32}(:.+)?\b', Regexp::IGNORECASE),
339
+ modes: [
340
+ {
341
+ name:"MD5",
342
+ john: "raw-md5",
343
+ hashcat: 0,
344
+ extended: false,
345
+ description: "MD5 cryptographic hash function",
346
+ characteristics: "32 chars, hexadecimal, unsalted",
347
+ notes: ["Used as checksum to verify data or file integrity", "MD5 is cryptographically broken as it is vulnerable to collision attacks"],
348
+ context: ["web", "checksum", "legacy", "password", "hash", "md5"],
349
+ prefixes: ["md5", "hash", "checksum", "password"],
350
+ file_types: ["shadow", "htpasswd", "logs"],
351
+ mime_types: ["text/plain", "text/x-passwd"],
352
+ common_sources: ["web applications", "file integrity checks", "checksums", "legacy systems"]
353
+
354
+ },
355
+ {
356
+ name:"MD4",
357
+ john: "raw-md4",
358
+ hashcat: 900,
359
+ extended: false,
360
+ characteristics: "32 chars, legacy Microsoft systems",
361
+ prefixes: ["hash"],
362
+ context: ["hash"],
363
+ common_sources: ["Old Windows systems", "legacy applications"]
364
+ },
365
+ {
366
+ name:"Double MD5",
367
+ john: nil,
368
+ hashcat: 2600,
369
+ extended: false
370
+ },
371
+ {
372
+ name:"LM",
373
+ john: "lm",
374
+ hashcat: 3000,
375
+ extended: false,
376
+ description: "Windows LAN Manager hash",
377
+ characteristics: "16 hex chars, all uppercase, split password",
378
+ notes: ["Mainly found in Windows SAM files(legacy Windows)", "Very weak", "no lowercase", "split passwords"],
379
+ common_sources: ["Windows SAM", "legacy Windows systems"],
380
+ context: ["windows", "SAM"]
381
+ },
382
+ {
383
+ name:"RIPEMD-128",
384
+ john: "ripemd-128",
385
+ hashcat: nil,
386
+ extended: false
387
+ },
388
+ {
389
+ name:"Haval-128",
390
+ john: "haval-128-4",
391
+ hashcat: nil,
392
+ extended: false
393
+ },
394
+ {
395
+ name:"Tiger-128",
396
+ john: nil,
397
+ hashcat: nil,
398
+ extended: false
399
+ },
400
+ {
401
+ john: nil,
402
+ hashcat: nil,
403
+ extended: false,
404
+ name:"Skein-256(128)"
405
+ },
406
+ {
407
+ john: nil,
408
+ hashcat: nil,
409
+ extended: false,
410
+ name:"Skein-512(128)"
411
+ },
412
+ {
413
+ john: "lotus5",
414
+ hashcat: 8600,
415
+ extended: false,
416
+ name:"Lotus Notes/Domino 5"
417
+ },
418
+ {
419
+ john: nil,
420
+ hashcat: 23,
421
+ extended: false,
422
+ name:"Skype"
423
+ },
424
+ {
425
+ john: nil,
426
+ hashcat: nil,
427
+ extended: true,
428
+ name:"ZipMonster"
429
+ },
430
+ {
431
+ john: nil,
432
+ hashcat: 11000,
433
+ extended: true,
434
+ name:"PrestaShop"
435
+ },
436
+ {
437
+ john: nil,
438
+ hashcat: 3500,
439
+ extended: true,
440
+ name:"md5(md5(md5($pass)))"
441
+ },
442
+ {
443
+ john: nil,
444
+ hashcat: 4300,
445
+ extended: true,
446
+ name:"md5(strtoupper(md5($pass)))"
447
+ },
448
+ {
449
+ john: nil,
450
+ hashcat: 4400,
451
+ extended: true,
452
+ name:"md5(sha1($pass))"
453
+ },
454
+ {
455
+ john: nil,
456
+ hashcat: 10,
457
+ extended: true,
458
+ name:"md5($pass.$salt)"
459
+ },
460
+ {
461
+ john: nil,
462
+ hashcat: 20,
463
+ extended: true,
464
+ name:"md5($salt.$pass)"
465
+ },
466
+ {
467
+ john: nil,
468
+ hashcat: 30,
469
+ extended: true,
470
+ name:"md5(unicode($pass).$salt)"
471
+ },
472
+ {
473
+ john: nil,
474
+ hashcat: 40,
475
+ extended: true,
476
+ name:"md5($salt.unicode($pass))"
477
+ },
478
+ {
479
+ john: "hmac-md5",
480
+ hashcat: 50,
481
+ extended: true,
482
+ name:"HMAC-MD5 (key = $pass)"
483
+ },
484
+ {
485
+ john: "hmac-md5",
486
+ hashcat: 60,
487
+ extended: true,
488
+ name:"HMAC-MD5 (key = $salt)"
489
+ },
490
+ {
491
+ john: nil,
492
+ hashcat: 3610,
493
+ extended: true,
494
+ name:"md5(md5($salt).$pass)"
495
+ },
496
+ {
497
+ john: nil,
498
+ hashcat: 3710,
499
+ extended: true,
500
+ name:"md5($salt.md5($pass))"
501
+ },
502
+ {
503
+ john: nil,
504
+ hashcat: 3720,
505
+ extended: true,
506
+ name:"md5($pass.md5($salt))"
507
+ },
508
+ {
509
+ john: nil,
510
+ hashcat: 3810,
511
+ extended: true,
512
+ name:"md5($salt.$pass.$salt)"
513
+ },
514
+ {
515
+ john: nil,
516
+ hashcat: 3910,
517
+ extended: true,
518
+ name:"md5(md5($pass).md5($salt))"
519
+ },
520
+ {
521
+ john: nil,
522
+ hashcat: 4010,
523
+ extended: true,
524
+ name:"md5($salt.md5($salt.$pass))"
525
+ },
526
+ {
527
+ john: nil,
528
+ hashcat: 4110,
529
+ extended: true,
530
+ name:"md5($salt.md5($pass.$salt))"
531
+ },
532
+ {
533
+ john: nil,
534
+ hashcat: 4210,
535
+ extended: true,
536
+ name:"md5($username.0.$pass)"
537
+ }
538
+ ]
539
+ },
540
+ {
541
+ extract_regex: Regexp.new('\b(\$snefru\$)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
542
+ modes: [
543
+ {
544
+ john: "snefru-128",
545
+ hashcat: nil,
546
+ extended: false,
547
+ name:"Snefru-128"
548
+ }
549
+ ]
550
+ },
551
+ {
552
+ extract_regex: Regexp.new('\b(\$NT\$)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
553
+ modes: [
554
+ {
555
+ name:"NTLM",
556
+ john: "nt",
557
+ hashcat: 1000,
558
+ extended: false,
559
+ description: "Windows NTLM authentication hash",
560
+ characteristics: "32 chars, Windows authentication, based on MD4",
561
+ notes: ["Hashcat Mode: 5600 (NetNTLMv2) - if network captured", "Hashcat Mode: 5500 (NetNTLMv1/NetNTLMv1+ESS) - legacy versions", "John Format: netntlm (for network hashes)", "John Format: netntlmv2 (v2 hashes)"],
562
+ context: ["windows", "SAM", "LSASS", "nt", "ntlm"],
563
+ prefixes: ["nt"],
564
+ file_types: ["ntds", "logs"],
565
+ mime_types: ["text/plain", "application/octet-stream"],
566
+ common_sources: ["Windows SAM", "Active Directory", "LSASS memory"]
567
+ }
568
+ ]
569
+ },
570
+ {
571
+ extract_regex: Regexp.new('\b([^\\\\\\/:*?\"<>|]{1,20}:)?[a-f0-9]{32}(:[^\\\\\\/:*?\"<>|]{1,20})?\b', Regexp::IGNORECASE),
572
+ modes: [
573
+ {
574
+ john: "mscach",
575
+ hashcat: 1100,
576
+ extended: false,
577
+ name:"Domain Cached Credentials"
578
+ }
579
+ ]
580
+ },
581
+ {
582
+ extract_regex: Regexp.new('\b([^\\\\\\/:*?\"<>|]{1,20}:)?(\$DCC2\$10240#[^\\\\\\/:*?\"<>|]{1,20}#)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
583
+ modes: [
584
+ {
585
+ john: "mscach2",
586
+ hashcat: 2100,
587
+ extended: false,
588
+ name:"Domain Cached Credentials 2"
589
+ }
590
+ ]
591
+ },
592
+ {
593
+ extract_regex: Regexp.new('\b{SHA}[a-z0-9\\/+]{27}=\b', Regexp::IGNORECASE),
594
+ modes: [
595
+ {
596
+ john: "nsldap",
597
+ hashcat: 101,
598
+ extended: false,
599
+ name:"SHA-1(Base64)"
600
+ },
601
+ {
602
+ john: "nsldap",
603
+ hashcat: 101,
604
+ extended: false,
605
+ name:"Netscape LDAP SHA"
606
+ }
607
+ ]
608
+ },
609
+ {
610
+ extract_regex: Regexp.new('\b\$1\$[a-z0-9\\/.]{0,8}\$[a-z0-9\\/.]{22}(:.*)?\b', Regexp::IGNORECASE),
611
+ modes: [
612
+ {
613
+ john: "md5crypt",
614
+ hashcat: 500,
615
+ extended: false,
616
+ name:"MD5 Crypt"
617
+ },
618
+ {
619
+ john: "md5crypt",
620
+ hashcat: 500,
621
+ extended: false,
622
+ name:"Cisco-IOS(MD5)"
623
+ },
624
+ {
625
+ john: "md5crypt",
626
+ hashcat: 500,
627
+ extended: false,
628
+ name:"FreeBSD MD5"
629
+ }
630
+ ]
631
+ },
632
+ {
633
+ extract_regex: Regexp.new('\b0x[a-f0-9]{32}\b', Regexp::IGNORECASE),
634
+ modes: [
635
+ {
636
+ john: nil,
637
+ hashcat: nil,
638
+ extended: false,
639
+ name:"Lineage II C4"
640
+ }
641
+ ]
642
+ },
643
+ {
644
+ extract_regex: Regexp.new('\b\$H\$[a-z0-9\\/.]{31}\b', Regexp::IGNORECASE),
645
+ modes: [
646
+ {
647
+ john: "phpass",
648
+ hashcat: 400,
649
+ extended: false,
650
+ name:"phpBB v3.x"
651
+ },
652
+ {
653
+ john: "phpass",
654
+ hashcat: 400,
655
+ extended: false,
656
+ name:"Wordpress v2.6.0/2.6.1"
657
+ },
658
+ {
659
+ john: "phpass",
660
+ hashcat: 400,
661
+ extended: false,
662
+ name:"PHPass' Portable Hash"
663
+ }
664
+ ]
665
+ },
666
+ {
667
+ extract_regex: Regexp.new('\b\$P\$[a-z0-9\\/.]{31}\b', Regexp::IGNORECASE),
668
+ modes: [
669
+ {
670
+ john: "phpass",
671
+ hashcat: 400,
672
+ extended: false,
673
+ name:"Wordpress \u2265 v2.6.2"
674
+ },
675
+ {
676
+ john: "phpass",
677
+ hashcat: 400,
678
+ extended: false,
679
+ name:"Joomla \u2265 v2.5.18"
680
+ },
681
+ {
682
+ john: "phpass",
683
+ hashcat: 400,
684
+ extended: false,
685
+ name:"PHPass' Portable Hash"
686
+ }
687
+ ]
688
+ },
689
+ {
690
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:[a-z0-9]{2}\b', Regexp::IGNORECASE),
691
+ modes: [
692
+ {
693
+ john: nil,
694
+ hashcat: 21,
695
+ extended: false,
696
+ name:"osCommerce"
697
+ },
698
+ {
699
+ john: nil,
700
+ hashcat: 21,
701
+ extended: false,
702
+ name:"xt:Commerce"
703
+ }
704
+ ]
705
+ },
706
+ {
707
+ extract_regex: Regexp.new('\b\$apr1\$[a-z0-9\\/.]{0,8}\$[a-z0-9\\/.]{22}\b', Regexp::IGNORECASE),
708
+ modes: [
709
+ {
710
+ john: nil,
711
+ hashcat: 1600,
712
+ extended: false,
713
+ name:"MD5(APR)"
714
+ },
715
+ {
716
+ john: nil,
717
+ hashcat: 1600,
718
+ extended: false,
719
+ name:"Apache MD5"
720
+ },
721
+ {
722
+ john: nil,
723
+ hashcat: 1600,
724
+ extended: true,
725
+ name:"md5apr1"
726
+ }
727
+ ]
728
+ },
729
+ {
730
+ extract_regex: Regexp.new('\b{smd5}[a-z0-9$\\/.]{31}\b', Regexp::IGNORECASE),
731
+ modes: [
732
+ {
733
+ john: "aix-smd5",
734
+ hashcat: 6300,
735
+ extended: false,
736
+ name:"AIX(smd5)"
737
+ }
738
+ ]
739
+ },
740
+ {
741
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:[a-f0-9]{32}\b', Regexp::IGNORECASE),
742
+ modes: [
743
+ {
744
+ john: nil,
745
+ hashcat: 3721,
746
+ extended: false,
747
+ name:"WebEdition CMS"
748
+ }
749
+ ]
750
+ },
751
+ {
752
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:.{5}\b', Regexp::IGNORECASE),
753
+ modes: [
754
+ {
755
+ john: nil,
756
+ hashcat: 2811,
757
+ extended: false,
758
+ name:"IP.Board \u2265 v2+"
759
+ }
760
+ ]
761
+ },
762
+ {
763
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:.{8}\b', Regexp::IGNORECASE),
764
+ modes: [
765
+ {
766
+ john: nil,
767
+ hashcat: 2811,
768
+ extended: false,
769
+ name:"MyBB \u2265 v1.2+"
770
+ }
771
+ ]
772
+ },
773
+ {
774
+ extract_regex: Regexp.new('\b[a-z0-9]{34}\b', Regexp::IGNORECASE),
775
+ modes: [
776
+ {
777
+ john: nil,
778
+ hashcat: nil,
779
+ extended: false,
780
+ name:"CryptoCurrency(Adress)"
781
+ }
782
+ ]
783
+ },
784
+ {
785
+ extract_regex: Regexp.new('\b[a-f0-9]{40}(:.+)?\b', Regexp::IGNORECASE),
786
+ modes: [
787
+ {
788
+ name:"SHA-1",
789
+ john: "raw-sha1",
790
+ hashcat: 100,
791
+ extended: false,
792
+ description: "SHA-1 cryptographic hash function",
793
+ characteristics: "40 chars, hexadecimal, unsalted",
794
+ notes: ["Used for file verification", "found in git commits and legacy certificates"],
795
+ prefixes: ["sha1", "hash"],
796
+ context: ["sha1", "hash"]
797
+ },
798
+ {
799
+ john: nil,
800
+ hashcat: 4500,
801
+ extended: false,
802
+ name:"Double SHA-1",
803
+ context: ["sha1"]
804
+ #prefixes: ["sha1"]
805
+ },
806
+ {
807
+ name:"RIPEMD-160",
808
+ john: "ripemd-160",
809
+ hashcat: 6000,
810
+ extended: false,
811
+ characteristics: "40 chars, Bitcoin addresses, digital signatures",
812
+ notes: ["Rarely used for passwords"]
813
+ },
814
+ {
815
+ john: nil,
816
+ hashcat: nil,
817
+ extended: false,
818
+ name:"Haval-160"
819
+ },
820
+ {
821
+ john: nil,
822
+ hashcat: nil,
823
+ extended: false,
824
+ name:"Tiger-160"
825
+ },
826
+ {
827
+ john: nil,
828
+ hashcat: nil,
829
+ extended: false,
830
+ name:"HAS-160"
831
+ },
832
+ {
833
+ john: "raw-sha1-linkedin",
834
+ hashcat: 190,
835
+ extended: false,
836
+ name:"LinkedIn"
837
+ },
838
+ {
839
+ john: nil,
840
+ hashcat: nil,
841
+ extended: false,
842
+ name:"Skein-256(160)"
843
+ },
844
+ {
845
+ john: nil,
846
+ hashcat: nil,
847
+ extended: false,
848
+ name:"Skein-512(160)"
849
+ },
850
+ {
851
+ john: nil,
852
+ hashcat: nil,
853
+ extended: true,
854
+ name:"MangosWeb Enhanced CMS"
855
+ },
856
+ {
857
+ john: nil,
858
+ hashcat: 4600,
859
+ extended: true,
860
+ name:"sha1(sha1(sha1($pass)))"
861
+ },
862
+ {
863
+ john: nil,
864
+ hashcat: 4700,
865
+ extended: true,
866
+ name:"sha1(md5($pass))"
867
+ },
868
+ {
869
+ john: nil,
870
+ hashcat: 110,
871
+ extended: true,
872
+ name:"sha1($pass.$salt)"
873
+ },
874
+ {
875
+ john: nil,
876
+ hashcat: 120,
877
+ extended: true,
878
+ name:"sha1($salt.$pass)"
879
+ },
880
+ {
881
+ john: nil,
882
+ hashcat: 130,
883
+ extended: true,
884
+ name:"sha1(unicode($pass).$salt)"
885
+ },
886
+ {
887
+ john: nil,
888
+ hashcat: 140,
889
+ extended: true,
890
+ name:"sha1($salt.unicode($pass))"
891
+ },
892
+ {
893
+ john: "hmac-sha1",
894
+ hashcat: 150,
895
+ extended: true,
896
+ name:"HMAC-SHA1 (key = $pass)"
897
+ },
898
+ {
899
+ john: "hmac-sha1",
900
+ hashcat: 160,
901
+ extended: true,
902
+ name:"HMAC-SHA1 (key = $salt)"
903
+ },
904
+ {
905
+ john: nil,
906
+ hashcat: 4710,
907
+ extended: true,
908
+ name:"sha1($salt.$pass.$salt)"
909
+ }
910
+ ]
911
+ },
912
+ {
913
+ extract_regex: Regexp.new('\b\\*[a-f0-9]{40}\b', Regexp::IGNORECASE),
914
+ modes: [
915
+ {
916
+ john: "mysql-sha1",
917
+ hashcat: 300,
918
+ extended: false,
919
+ name:"MySQL5.x"
920
+ },
921
+ {
922
+ name:"MySQL4.1",
923
+ john: "mysql-sha1",
924
+ hashcat: 300,
925
+ extended: false,
926
+ description: "MySQL double SHA1 implementation",
927
+ characteristics: "40 chars, double SHA1 with salt",
928
+ notes: ["Used in database export"]
929
+ }
930
+ ]
931
+ },
932
+ {
933
+ extract_regex: Regexp.new('\b[a-z0-9]{43}\b', Regexp::IGNORECASE),
934
+ modes: [
935
+ {
936
+ john: nil,
937
+ hashcat: 5700,
938
+ extended: false,
939
+ name:"Cisco-IOS(SHA-256)"
940
+ }
941
+ ]
942
+ },
943
+ {
944
+ extract_regex: Regexp.new('\b{SSHA}[a-z0-9\\/+]{38}==', Regexp::IGNORECASE),
945
+ modes: [
946
+ {
947
+ john: "nsldaps",
948
+ hashcat: 111,
949
+ extended: false,
950
+ name:"SSHA-1(Base64)"
951
+ },
952
+ {
953
+ john: "nsldaps",
954
+ hashcat: 111,
955
+ extended: false,
956
+ name:"Netscape LDAP SSHA"
957
+ },
958
+ {
959
+ john: "nsldaps",
960
+ hashcat: 111,
961
+ extended: true,
962
+ name:"nsldaps"
963
+ }
964
+ ]
965
+ },
966
+ {
967
+ extract_regex: Regexp.new('\b[a-z0-9=]{47}\b', Regexp::IGNORECASE),
968
+ modes: [
969
+ {
970
+ john: "fortigate",
971
+ hashcat: 7000,
972
+ extended: false,
973
+ name:"Fortigate(FortiOS)"
974
+ }
975
+ ]
976
+ },
977
+ {
978
+ extract_regex: Regexp.new('\b[a-f0-9]{48}\b', Regexp::IGNORECASE),
979
+ modes: [
980
+ {
981
+ john: nil,
982
+ hashcat: nil,
983
+ extended: false,
984
+ name:"Haval-192"
985
+ },
986
+ {
987
+ john: "tiger",
988
+ hashcat: nil,
989
+ extended: false,
990
+ name:"Tiger-192"
991
+ },
992
+ {
993
+ john: nil,
994
+ hashcat: nil,
995
+ extended: false,
996
+ name:"SHA-1(Oracle)"
997
+ },
998
+ {
999
+ john: "xsha",
1000
+ hashcat: 122,
1001
+ extended: false,
1002
+ name:"OSX v10.4"
1003
+ },
1004
+ {
1005
+ john: "xsha",
1006
+ hashcat: 122,
1007
+ extended: false,
1008
+ name:"OSX v10.5"
1009
+ },
1010
+ {
1011
+ john: "xsha",
1012
+ hashcat: 122,
1013
+ extended: false,
1014
+ name:"OSX v10.6"
1015
+ }
1016
+ ]
1017
+ },
1018
+ {
1019
+ extract_regex: Regexp.new('\b[a-f0-9]{51}\b', Regexp::IGNORECASE),
1020
+ modes: [
1021
+ {
1022
+ john: nil,
1023
+ hashcat: nil,
1024
+ extended: false,
1025
+ name:"Palshop CMS"
1026
+ }
1027
+ ]
1028
+ },
1029
+ {
1030
+ extract_regex: Regexp.new('\b[a-z0-9]{51}\b', Regexp::IGNORECASE),
1031
+ modes: [
1032
+ {
1033
+ john: nil,
1034
+ hashcat: nil,
1035
+ extended: false,
1036
+ name:"CryptoCurrency(PrivateKey)"
1037
+ }
1038
+ ]
1039
+ },
1040
+ {
1041
+ extract_regex: Regexp.new('\b{ssha1}[0-9]{2}\$[a-z0-9$\\/.]{44}\b', Regexp::IGNORECASE),
1042
+ modes: [
1043
+ {
1044
+ john: "aix-ssha1",
1045
+ hashcat: 6700,
1046
+ extended: false,
1047
+ name:"AIX(ssha1)"
1048
+ }
1049
+ ]
1050
+ },
1051
+ {
1052
+ extract_regex: Regexp.new('\b0x0100[a-f0-9]{48}\b', Regexp::IGNORECASE),
1053
+ modes: [
1054
+ {
1055
+ john: "mssql05",
1056
+ hashcat: 132,
1057
+ extended: false,
1058
+ name:"MSSQL(2005)"
1059
+ },
1060
+ {
1061
+ john: "mssql05",
1062
+ hashcat: 132,
1063
+ extended: false,
1064
+ name:"MSSQL(2008)"
1065
+ }
1066
+ ]
1067
+ },
1068
+ {
1069
+ extract_regex: Regexp.new('\b(\$md5,rounds=[0-9]+\$|\$md5\$rounds=[0-9]+\$|\$md5\$)[a-z0-9\\/.]{0,16}(\$|\$\$)[a-z0-9\\/.]{22}\b', Regexp::IGNORECASE),
1070
+ modes: [
1071
+ {
1072
+ john: "sunmd5",
1073
+ hashcat: 3300,
1074
+ extended: false,
1075
+ name:"Sun MD5 Crypt"
1076
+ }
1077
+ ]
1078
+ },
1079
+ {
1080
+ extract_regex: Regexp.new('\b[a-f0-9]{56}\b', Regexp::IGNORECASE),
1081
+ modes: [
1082
+ {
1083
+ john: "raw-sha224",
1084
+ hashcat: nil,
1085
+ extended: false,
1086
+ name:"SHA-224"
1087
+ },
1088
+ {
1089
+ john: nil,
1090
+ hashcat: nil,
1091
+ extended: false,
1092
+ name:"Haval-224"
1093
+ },
1094
+ {
1095
+ john: nil,
1096
+ hashcat: 17300,
1097
+ extended: false,
1098
+ name:"SHA3-224"
1099
+ },
1100
+ {
1101
+ john: nil,
1102
+ hashcat: 17700,
1103
+ extended: false,
1104
+ name:"Keccak-224"
1105
+ },
1106
+ {
1107
+ john: nil,
1108
+ hashcat: nil,
1109
+ extended: false,
1110
+ name:"Skein-256(224)"
1111
+ },
1112
+ {
1113
+ john: nil,
1114
+ hashcat: nil,
1115
+ extended: false,
1116
+ name:"Skein-512(224)"
1117
+ }
1118
+ ]
1119
+ },
1120
+ {
1121
+ extract_regex: Regexp.new('\b(\$2[axy]|\$2)\$[0-9]{2}\$[a-z0-9\\/.]{53}\b', Regexp::IGNORECASE),
1122
+ modes: [
1123
+ {
1124
+ john: "bcrypt",
1125
+ hashcat: 3200,
1126
+ extended: false,
1127
+ name:"Blowfish(OpenBSD)"
1128
+ },
1129
+ {
1130
+ john: nil,
1131
+ hashcat: nil,
1132
+ extended: false,
1133
+ name:"Woltlab Burning Board 4.x"
1134
+ },
1135
+ {
1136
+ john: "bcrypt",
1137
+ hashcat: 3200,
1138
+ extended: false,
1139
+ name:"bcrypt"
1140
+ }
1141
+ ]
1142
+ },
1143
+ {
1144
+ extract_regex: Regexp.new('\b[a-f0-9]{40}:[a-f0-9]{16}\b', Regexp::IGNORECASE),
1145
+ modes: [
1146
+ {
1147
+ name:"Android PIN",
1148
+ john: nil,
1149
+ hashcat: 5800,
1150
+ extended: false,
1151
+ description: "Android PIN/Password hash",
1152
+ characteristics: "40 chars hash + 16 chars salt, SHA1 + MD5",
1153
+ notes: ["found in android gesture.key files"]
1154
+ }
1155
+ ]
1156
+ },
1157
+ {
1158
+ extract_regex: Regexp.new('\b(S:)?[a-f0-9]{40}(:)?[a-f0-9]{20}\b', Regexp::IGNORECASE),
1159
+ modes: [
1160
+ {
1161
+ john: "oracle11",
1162
+ hashcat: 112,
1163
+ extended: false,
1164
+ name:"Oracle 11g/12c"
1165
+ }
1166
+ ]
1167
+ },
1168
+ {
1169
+ extract_regex: Regexp.new('\b\$bcrypt-sha256\$(2[axy]|2)\\,[0-9]+\$[a-z0-9\\/.]{22}\$[a-z0-9\\/.]{31}\b', Regexp::IGNORECASE),
1170
+ modes: [
1171
+ {
1172
+ john: nil,
1173
+ hashcat: nil,
1174
+ extended: false,
1175
+ name:"bcrypt(SHA-256)"
1176
+ }
1177
+ ]
1178
+ },
1179
+ {
1180
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:.{3}\b', Regexp::IGNORECASE),
1181
+ modes: [
1182
+ {
1183
+ john: nil,
1184
+ hashcat: 2611,
1185
+ extended: false,
1186
+ name:"vBulletin < v3.8.5"
1187
+ }
1188
+ ]
1189
+ },
1190
+ {
1191
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:.{30}\b', Regexp::IGNORECASE),
1192
+ modes: [
1193
+ {
1194
+ john: nil,
1195
+ hashcat: 2711,
1196
+ extended: false,
1197
+ name:"vBulletin \u2265 v3.8.5"
1198
+ }
1199
+ ]
1200
+ },
1201
+ {
1202
+ extract_regex: Regexp.new('\b(\$snefru\$)?[a-f0-9]{64}\b', Regexp::IGNORECASE),
1203
+ modes: [
1204
+ {
1205
+ john: "snefru-256",
1206
+ hashcat: nil,
1207
+ extended: false,
1208
+ name:"Snefru-256"
1209
+ }
1210
+ ]
1211
+ },
1212
+ {
1213
+ extract_regex: Regexp.new('\b[a-f0-9]{64}(:.+)?\b', Regexp::IGNORECASE),
1214
+ modes: [
1215
+ {
1216
+ john: "raw-sha256",
1217
+ hashcat: 1400,
1218
+ extended: false,
1219
+ name:"SHA-256"
1220
+ },
1221
+ {
1222
+ john: nil,
1223
+ hashcat: nil,
1224
+ extended: false,
1225
+ name:"RIPEMD-256"
1226
+ },
1227
+ {
1228
+ john: "haval-256-3",
1229
+ hashcat: nil,
1230
+ extended: false,
1231
+ name:"Haval-256"
1232
+ },
1233
+ {
1234
+ john: "gost",
1235
+ hashcat: 6900,
1236
+ extended: false,
1237
+ name:"GOST R 34.11-94"
1238
+ },
1239
+ {
1240
+ john: nil,
1241
+ hashcat: nil,
1242
+ extended: false,
1243
+ name:"GOST CryptoPro S-Box"
1244
+ },
1245
+ {
1246
+ john: nil,
1247
+ hashcat: 17400,
1248
+ extended: false,
1249
+ name:"SHA3-256"
1250
+ },
1251
+ {
1252
+ john: "raw-keccak-256",
1253
+ hashcat: 17800,
1254
+ extended: false,
1255
+ name:"Keccak-256"
1256
+ },
1257
+ {
1258
+ john: "skein-256",
1259
+ hashcat: nil,
1260
+ extended: false,
1261
+ name:"Skein-256"
1262
+ },
1263
+ {
1264
+ john: nil,
1265
+ hashcat: nil,
1266
+ extended: false,
1267
+ name:"Skein-512(256)"
1268
+ },
1269
+ {
1270
+ john: nil,
1271
+ hashcat: nil,
1272
+ extended: true,
1273
+ name:"Ventrilo"
1274
+ },
1275
+ {
1276
+ john: nil,
1277
+ hashcat: 1410,
1278
+ extended: true,
1279
+ name:"sha256($pass.$salt)"
1280
+ },
1281
+ {
1282
+ john: nil,
1283
+ hashcat: 1420,
1284
+ extended: true,
1285
+ name:"sha256($salt.$pass)"
1286
+ },
1287
+ {
1288
+ john: nil,
1289
+ hashcat: 1430,
1290
+ extended: true,
1291
+ name:"sha256(unicode($pass).$salt)"
1292
+ },
1293
+ {
1294
+ john: nil,
1295
+ hashcat: 1440,
1296
+ extended: true,
1297
+ name:"sha256($salt.unicode($pass))"
1298
+ },
1299
+ {
1300
+ john: "hmac-sha256",
1301
+ hashcat: 1450,
1302
+ extended: true,
1303
+ name:"HMAC-SHA256 (key = $pass)"
1304
+ },
1305
+ {
1306
+ john: "hmac-sha256",
1307
+ hashcat: 1460,
1308
+ extended: true,
1309
+ name:"HMAC-SHA256 (key = $salt)"
1310
+ }
1311
+ ]
1312
+ },
1313
+ {
1314
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:[a-z0-9]{32}\b', Regexp::IGNORECASE),
1315
+ modes: [
1316
+ {
1317
+ john: nil,
1318
+ hashcat: 11,
1319
+ extended: false,
1320
+ name:"Joomla < v2.5.18"
1321
+ }
1322
+ ]
1323
+ },
1324
+ {
1325
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:[a-f0-9]{32}\b', Regexp::IGNORECASE),
1326
+ modes: [
1327
+ {
1328
+ john: nil,
1329
+ hashcat: nil,
1330
+ extended: false,
1331
+ name:"SAM(LM_Hash:NT_Hash)"
1332
+ }
1333
+ ]
1334
+ },
1335
+ {
1336
+ extract_regex: Regexp.new('\b(\$chap\$0\\*)?[a-f0-9]{32}[\\*:][a-f0-9]{32}(:[0-9]{2})?\b', Regexp::IGNORECASE),
1337
+ modes: [
1338
+ {
1339
+ john: "chap",
1340
+ hashcat: 4800,
1341
+ extended: false,
1342
+ name:"MD5(Chap)"
1343
+ },
1344
+ {
1345
+ john: "chap",
1346
+ hashcat: 4800,
1347
+ extended: false,
1348
+ name:"iSCSI CHAP Authentication"
1349
+ }
1350
+ ]
1351
+ },
1352
+ {
1353
+ extract_regex: Regexp.new('\b\$episerver\$\\*0\\*[a-z0-9\\/=+]+\\*[a-z0-9\\/=+]{27,28}\b', Regexp::IGNORECASE),
1354
+ modes: [
1355
+ {
1356
+ john: "episerver",
1357
+ hashcat: 141,
1358
+ extended: false,
1359
+ name:"EPiServer 6.x < v4"
1360
+ }
1361
+ ]
1362
+ },
1363
+ {
1364
+ extract_regex: Regexp.new('\b{ssha256}[0-9]{2}\$[a-z0-9$\\/.]{60}\b', Regexp::IGNORECASE),
1365
+ modes: [
1366
+ {
1367
+ john: "aix-ssha256",
1368
+ hashcat: 6400,
1369
+ extended: false,
1370
+ name:"AIX(ssha256)"
1371
+ }
1372
+ ]
1373
+ },
1374
+ {
1375
+ extract_regex: Regexp.new('\b[a-f0-9]{80}\b', Regexp::IGNORECASE),
1376
+ modes: [
1377
+ {
1378
+ john: nil,
1379
+ hashcat: nil,
1380
+ extended: false,
1381
+ name:"RIPEMD-320"
1382
+ }
1383
+ ]
1384
+ },
1385
+ {
1386
+ extract_regex: Regexp.new('\b\$episerver\$\\*1\\*[a-z0-9\\/=+]+\\*[a-z0-9\\/=+]{42,43}\b', Regexp::IGNORECASE),
1387
+ modes: [
1388
+ {
1389
+ john: "episerver",
1390
+ hashcat: 1441,
1391
+ extended: false,
1392
+ name:"EPiServer 6.x \u2265 v4"
1393
+ }
1394
+ ]
1395
+ },
1396
+ {
1397
+ extract_regex: Regexp.new('\b0x0100[a-f0-9]{88}\b', Regexp::IGNORECASE),
1398
+ modes: [
1399
+ {
1400
+ john: "mssql",
1401
+ hashcat: 131,
1402
+ extended: false,
1403
+ name:"MSSQL(2000)"
1404
+ }
1405
+ ]
1406
+ },
1407
+ {
1408
+ extract_regex: Regexp.new('\b[a-f0-9]{96}\b', Regexp::IGNORECASE),
1409
+ modes: [
1410
+ {
1411
+ john: "raw-sha384",
1412
+ hashcat: 10800,
1413
+ extended: false,
1414
+ name:"SHA-384"
1415
+ },
1416
+ {
1417
+ john: nil,
1418
+ hashcat: 17500,
1419
+ extended: false,
1420
+ name:"SHA3-384"
1421
+ },
1422
+ {
1423
+ john: nil,
1424
+ hashcat: 17900,
1425
+ extended: false,
1426
+ name:"Keccak-384"
1427
+ },
1428
+ {
1429
+ john: nil,
1430
+ hashcat: nil,
1431
+ extended: false,
1432
+ name:"Skein-512(384)"
1433
+ },
1434
+ {
1435
+ john: nil,
1436
+ hashcat: nil,
1437
+ extended: false,
1438
+ name:"Skein-1024(384)"
1439
+ }
1440
+ ]
1441
+ },
1442
+ {
1443
+ extract_regex: Regexp.new('\b{SSHA512}[a-z0-9\\/+]{96}\b', Regexp::IGNORECASE),
1444
+ modes: [
1445
+ {
1446
+ john: "ssha512",
1447
+ hashcat: 1711,
1448
+ extended: false,
1449
+ name:"SSHA-512(Base64)"
1450
+ },
1451
+ {
1452
+ john: "ssha512",
1453
+ hashcat: 1711,
1454
+ extended: false,
1455
+ name:"LDAP(SSHA-512)"
1456
+ }
1457
+ ]
1458
+ },
1459
+ {
1460
+ extract_regex: Regexp.new('\b{ssha512}[0-9]{2}\$[a-z0-9\\/.]{16,48}\$[a-z0-9\\/.]{86}\b', Regexp::IGNORECASE),
1461
+ modes: [
1462
+ {
1463
+ john: "aix-ssha512",
1464
+ hashcat: 6500,
1465
+ extended: false,
1466
+ name:"AIX(ssha512)"
1467
+ }
1468
+ ]
1469
+ },
1470
+ {
1471
+ extract_regex: Regexp.new('\b[a-f0-9]{128}(:.+)?\b', Regexp::IGNORECASE),
1472
+ modes: [
1473
+ {
1474
+ john: "raw-sha512",
1475
+ hashcat: 1700,
1476
+ extended: false,
1477
+ name:"SHA-512"
1478
+ },
1479
+ {
1480
+ john: "whirlpool",
1481
+ hashcat: 6100,
1482
+ extended: false,
1483
+ name:"Whirlpool"
1484
+ },
1485
+ {
1486
+ john: nil,
1487
+ hashcat: nil,
1488
+ extended: false,
1489
+ name:"Salsa10"
1490
+ },
1491
+ {
1492
+ john: nil,
1493
+ hashcat: nil,
1494
+ extended: false,
1495
+ name:"Salsa20"
1496
+ },
1497
+ {
1498
+ john: "raw-sha3",
1499
+ hashcat: 17600,
1500
+ extended: false,
1501
+ name:"SHA3-512"
1502
+ },
1503
+ {
1504
+ john: "raw-keccak",
1505
+ hashcat: 18000,
1506
+ extended: false,
1507
+ name:"Keccak-512"
1508
+ },
1509
+ {
1510
+ john: "skein-512",
1511
+ hashcat: nil,
1512
+ extended: false,
1513
+ name:"Skein-512"
1514
+ },
1515
+ {
1516
+ john: nil,
1517
+ hashcat: nil,
1518
+ extended: false,
1519
+ name:"Skein-1024(512)"
1520
+ },
1521
+ {
1522
+ john: nil,
1523
+ hashcat: 1710,
1524
+ extended: true,
1525
+ name:"sha512($pass.$salt)"
1526
+ },
1527
+ {
1528
+ john: nil,
1529
+ hashcat: 1720,
1530
+ extended: true,
1531
+ name:"sha512($salt.$pass)"
1532
+ },
1533
+ {
1534
+ john: nil,
1535
+ hashcat: 1730,
1536
+ extended: true,
1537
+ name:"sha512(unicode($pass).$salt)"
1538
+ },
1539
+ {
1540
+ john: nil,
1541
+ hashcat: 1740,
1542
+ extended: true,
1543
+ name:"sha512($salt.unicode($pass))"
1544
+ },
1545
+ {
1546
+ john: "hmac-sha512",
1547
+ hashcat: 1750,
1548
+ extended: true,
1549
+ name:"HMAC-SHA512 (key = $pass)"
1550
+ },
1551
+ {
1552
+ john: "hmac-sha512",
1553
+ hashcat: 1760,
1554
+ extended: true,
1555
+ name:"HMAC-SHA512 (key = $salt)"
1556
+ }
1557
+ ]
1558
+ },
1559
+ {
1560
+ extract_regex: Regexp.new('\b[a-f0-9]{136}\b', Regexp::IGNORECASE),
1561
+ modes: [
1562
+ {
1563
+ john: "xsha512",
1564
+ hashcat: 1722,
1565
+ extended: false,
1566
+ name:"OSX v10.7"
1567
+ }
1568
+ ]
1569
+ },
1570
+ {
1571
+ extract_regex: Regexp.new('\b0x0200[a-f0-9]{136}\b', Regexp::IGNORECASE),
1572
+ modes: [
1573
+ {
1574
+ john: "msql12",
1575
+ hashcat: 1731,
1576
+ extended: false,
1577
+ name:"MSSQL(2012)"
1578
+ },
1579
+ {
1580
+ john: "msql12",
1581
+ hashcat: 1731,
1582
+ extended: false,
1583
+ name:"MSSQL(2014)"
1584
+ }
1585
+ ]
1586
+ },
1587
+ {
1588
+ extract_regex: Regexp.new('\b\$ml\$[0-9]+\$[a-f0-9]{64}\$[a-f0-9]{128}\b', Regexp::IGNORECASE),
1589
+ modes: [
1590
+ {
1591
+ john: "pbkdf2-hmac-sha512",
1592
+ hashcat: 7100,
1593
+ extended: false,
1594
+ name:"OSX v10.8"
1595
+ },
1596
+ {
1597
+ john: "pbkdf2-hmac-sha512",
1598
+ hashcat: 7100,
1599
+ extended: false,
1600
+ name:"OSX v10.9"
1601
+ }
1602
+ ]
1603
+ },
1604
+ {
1605
+ extract_regex: Regexp.new('\b[a-f0-9]{256}\b', Regexp::IGNORECASE),
1606
+ modes: [
1607
+ {
1608
+ john: nil,
1609
+ hashcat: nil,
1610
+ extended: false,
1611
+ name:"Skein-1024"
1612
+ }
1613
+ ]
1614
+ },
1615
+ {
1616
+ extract_regex: Regexp.new('\bgrub\\.pbkdf2\\.sha512\\.[0-9]+\\.([a-f0-9]{128,2048}\\.|[0-9]+\\.)?[a-f0-9]{128}\b', Regexp::IGNORECASE),
1617
+ modes: [
1618
+ {
1619
+ john: nil,
1620
+ hashcat: 7200,
1621
+ extended: false,
1622
+ name:"GRUB 2"
1623
+ }
1624
+ ]
1625
+ },
1626
+ {
1627
+ extract_regex: Regexp.new('\bsha1\$[a-z0-9]+\$[a-f0-9]{40}\b', Regexp::IGNORECASE),
1628
+ modes: [
1629
+ {
1630
+ john: nil,
1631
+ hashcat: 124,
1632
+ extended: false,
1633
+ name:"Django(SHA-1)"
1634
+ }
1635
+ ]
1636
+ },
1637
+ {
1638
+ extract_regex: Regexp.new('\b[a-f0-9]{49}\b', Regexp::IGNORECASE),
1639
+ modes: [
1640
+ {
1641
+ john: "citrix_ns10",
1642
+ hashcat: 8100,
1643
+ extended: false,
1644
+ name:"Citrix Netscaler"
1645
+ }
1646
+ ]
1647
+ },
1648
+ {
1649
+ extract_regex: Regexp.new('\b\$S\$[a-z0-9\\/.]{52}\b', Regexp::IGNORECASE),
1650
+ modes: [
1651
+ {
1652
+ john: "drupal7",
1653
+ hashcat: 7900,
1654
+ extended: false,
1655
+ name:"Drupal > v7.x"
1656
+ }
1657
+ ]
1658
+ },
1659
+ {
1660
+ extract_regex: Regexp.new('\b\$5\$(rounds=[0-9]+\$)?[a-z0-9\\/.]{0,16}\$[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
1661
+ modes: [
1662
+ {
1663
+ john: "sha256crypt",
1664
+ hashcat: 7400,
1665
+ extended: false,
1666
+ name:"SHA-256 Crypt"
1667
+ }
1668
+ ]
1669
+ },
1670
+ {
1671
+ extract_regex: Regexp.new('\b0x[a-f0-9]{4}[a-f0-9]{16}[a-f0-9]{64}\b', Regexp::IGNORECASE),
1672
+ modes: [
1673
+ {
1674
+ john: "sybasease",
1675
+ hashcat: 8000,
1676
+ extended: false,
1677
+ name:"Sybase ASE"
1678
+ }
1679
+ ]
1680
+ },
1681
+ {
1682
+ extract_regex: Regexp.new('\b\$6\$(rounds=[0-9]+\$)?[a-z0-9\\/.]{0,16}\$[a-z0-9\\/.]{86}\b', Regexp::IGNORECASE),
1683
+ modes: [
1684
+ {
1685
+ name:"SHA-512 Crypt",
1686
+ john: "sha512crypt",
1687
+ hashcat: 1800,
1688
+ extended: false,
1689
+ characteristics: "$6$ prefix, includes salt, 96-106 chars",
1690
+ notes: ["Industry standard for modern Linux systems"]
1691
+
1692
+ }
1693
+ ]
1694
+ },
1695
+ {
1696
+ extract_regex: Regexp.new('\b\$sha\$[a-z0-9]{1,16}\$([a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64}|[a-f0-9]{128}|[a-f0-9]{140})\b', Regexp::IGNORECASE),
1697
+ modes: [
1698
+ {
1699
+ john: nil,
1700
+ hashcat: nil,
1701
+ extended: false,
1702
+ name:"Minecraft(AuthMe Reloaded)"
1703
+ }
1704
+ ]
1705
+ },
1706
+ {
1707
+ extract_regex: Regexp.new('\bsha256\$[a-z0-9]+\$[a-f0-9]{64}\b', Regexp::IGNORECASE),
1708
+ modes: [
1709
+ {
1710
+ john: nil,
1711
+ hashcat: nil,
1712
+ extended: false,
1713
+ name:"Django(SHA-256)"
1714
+ }
1715
+ ]
1716
+ },
1717
+ {
1718
+ extract_regex: Regexp.new('\bsha384\$[a-z0-9]+\$[a-f0-9]{96}\b', Regexp::IGNORECASE),
1719
+ modes: [
1720
+ {
1721
+ john: nil,
1722
+ hashcat: nil,
1723
+ extended: false,
1724
+ name:"Django(SHA-384)"
1725
+ }
1726
+ ]
1727
+ },
1728
+ {
1729
+ extract_regex: Regexp.new('\bcrypt1:[a-z0-9+=]{12}:[a-z0-9+=]{12}\b', Regexp::IGNORECASE),
1730
+ modes: [
1731
+ {
1732
+ john: nil,
1733
+ hashcat: nil,
1734
+ extended: false,
1735
+ name:"Clavister Secure Gateway"
1736
+ }
1737
+ ]
1738
+ },
1739
+ {
1740
+ extract_regex: Regexp.new('\b[a-f0-9]{112}\b', Regexp::IGNORECASE),
1741
+ modes: [
1742
+ {
1743
+ john: nil,
1744
+ hashcat: nil,
1745
+ extended: false,
1746
+ name:"Cisco VPN Client(PCF-File)"
1747
+ }
1748
+ ]
1749
+ },
1750
+ {
1751
+ extract_regex: Regexp.new('\b[a-f0-9]{1329}\b', Regexp::IGNORECASE),
1752
+ modes: [
1753
+ {
1754
+ john: nil,
1755
+ hashcat: nil,
1756
+ extended: false,
1757
+ name:"Microsoft MSTSC(RDP-File)"
1758
+ }
1759
+ ]
1760
+ },
1761
+ {
1762
+ extract_regex: Regexp.new('\b[^\\\\\\/:*?\"<>|]{1,20}[:]{2,3}([^\\\\\\/:*?\"<>|]{1,20})?:[a-f0-9]{48}:[a-f0-9]{48}:[a-f0-9]{16}\b', Regexp::IGNORECASE),
1763
+ modes: [
1764
+ {
1765
+ john: "netntlm",
1766
+ hashcat: 5500,
1767
+ extended: false,
1768
+ name:"NetNTLMv1-VANILLA / NetNTLMv1+ESS"
1769
+ }
1770
+ ]
1771
+ },
1772
+ {
1773
+ extract_regex: Regexp.new('\b([^\\\\\\/:*?\"<>|]{1,20}\\\\)?[^\\\\\\/:*?\"<>|]{1,20}[:]{2,3}([^\\\\\\/:*?\"<>|]{1,20}:)?[^\\\\\\/:*?\"<>|]{1,20}:[a-f0-9]{32}:[a-f0-9]+\b', Regexp::IGNORECASE),
1774
+ modes: [
1775
+ {
1776
+ john: "netntlmv2",
1777
+ hashcat: 5600,
1778
+ extended: false,
1779
+ name:"NetNTLMv2"
1780
+ }
1781
+ ]
1782
+ },
1783
+ {
1784
+ extract_regex: Regexp.new('\b\$(krb5pa|mskrb5)\$([0-9]{2})?\$.+\$[a-f0-9]{1,}\b', Regexp::IGNORECASE),
1785
+ modes: [
1786
+ {
1787
+ john: "krb5pa-md5",
1788
+ hashcat: 7500,
1789
+ extended: false,
1790
+ name:"Kerberos 5 AS-REQ Pre-Auth"
1791
+ }
1792
+ ]
1793
+ },
1794
+ {
1795
+ extract_regex: Regexp.new('\b\$scram\$[0-9]+\$[a-z0-9\\/.]{16}\$sha-1=[a-z0-9\\/.]{27},sha-256=[a-z0-9\\/.]{43},sha-512=[a-z0-9\\/.]{86}\b', Regexp::IGNORECASE),
1796
+ modes: [
1797
+ {
1798
+ john: nil,
1799
+ hashcat: nil,
1800
+ extended: false,
1801
+ name:"SCRAM Hash"
1802
+ }
1803
+ ]
1804
+ },
1805
+ {
1806
+ extract_regex: Regexp.new('\b[a-f0-9]{40}:[a-f0-9]{0,32}\b', Regexp::IGNORECASE),
1807
+ modes: [
1808
+ {
1809
+ john: nil,
1810
+ hashcat: 7600,
1811
+ extended: false,
1812
+ name:"Redmine Project Management Web App"
1813
+ }
1814
+ ]
1815
+ },
1816
+ {
1817
+ extract_regex: Regexp.new('\b(.+)?\$[a-f0-9]{16}\b', Regexp::IGNORECASE),
1818
+ modes: [
1819
+ {
1820
+ john: "sapb",
1821
+ hashcat: 7700,
1822
+ extended: false,
1823
+ name:"SAP CODVN B (BCODE)"
1824
+ }
1825
+ ]
1826
+ },
1827
+ {
1828
+ extract_regex: Regexp.new('\b(.+)?\$[a-f0-9]{40}\b', Regexp::IGNORECASE),
1829
+ modes: [
1830
+ {
1831
+ john: "sapg",
1832
+ hashcat: 7800,
1833
+ extended: false,
1834
+ name:"SAP CODVN F/G (PASSCODE)"
1835
+ }
1836
+ ]
1837
+ },
1838
+ {
1839
+ extract_regex: Regexp.new('\b(.+\$)?[a-z0-9\\/.+]{30}(:.+)?\b', Regexp::IGNORECASE),
1840
+ modes: [
1841
+ {
1842
+ john: "md5",
1843
+ hashcat: 22,
1844
+ extended: false,
1845
+ name:"Juniper Netscreen/SSG(ScreenOS)"
1846
+ }
1847
+ ]
1848
+ },
1849
+ {
1850
+ extract_regex: Regexp.new('\b0x[a-f0-9]{60}\\s0x[a-f0-9]{40}\b', Regexp::IGNORECASE),
1851
+ modes: [
1852
+ {
1853
+ john: nil,
1854
+ hashcat: 123,
1855
+ extended: false,
1856
+ name:"EPi"
1857
+ }
1858
+ ]
1859
+ },
1860
+ {
1861
+ extract_regex: Regexp.new('\b[a-f0-9]{40}:[^*]{1,25}\b', Regexp::IGNORECASE),
1862
+ modes: [
1863
+ {
1864
+ john: nil,
1865
+ hashcat: 121,
1866
+ extended: false,
1867
+ name:"SMF \u2265 v1.1"
1868
+ }
1869
+ ]
1870
+ },
1871
+ {
1872
+ extract_regex: Regexp.new('\b(\$wbb3\$\\*1\\*)?[a-f0-9]{40}[:*][a-f0-9]{40}\b', Regexp::IGNORECASE),
1873
+ modes: [
1874
+ {
1875
+ john: "wbb3",
1876
+ hashcat: 8400,
1877
+ extended: false,
1878
+ name:"Woltlab Burning Board 3.x"
1879
+ }
1880
+ ]
1881
+ },
1882
+ {
1883
+ extract_regex: Regexp.new('\b[a-f0-9]{130}(:[a-f0-9]{40})?\b', Regexp::IGNORECASE),
1884
+ modes: [
1885
+ {
1886
+ john: nil,
1887
+ hashcat: 7300,
1888
+ extended: false,
1889
+ name:"IPMI2 RAKP HMAC-SHA1"
1890
+ }
1891
+ ]
1892
+ },
1893
+ {
1894
+ extract_regex: Regexp.new('\b[a-f0-9]{32}:[0-9]+:[a-z0-9_.+\\-]+@[a-z0-9\\-]+\\.[a-z0-9\\-.]+\b', Regexp::IGNORECASE),
1895
+ modes: [
1896
+ {
1897
+ john: nil,
1898
+ hashcat: 6800,
1899
+ extended: false,
1900
+ name:"Lastpass"
1901
+ }
1902
+ ]
1903
+ },
1904
+ {
1905
+ extract_regex: Regexp.new('\b[a-z0-9\\/.]{16}([:$].{1,})?\b', Regexp::IGNORECASE),
1906
+ modes: [
1907
+ {
1908
+ john: "asa-md5",
1909
+ hashcat: 2410,
1910
+ extended: false,
1911
+ name:"Cisco-ASA(MD5)"
1912
+ }
1913
+ ]
1914
+ },
1915
+ {
1916
+ extract_regex: Regexp.new('\b\$vnc\$\\*[a-f0-9]{32}\\*[a-f0-9]{32}\b', Regexp::IGNORECASE),
1917
+ modes: [
1918
+ {
1919
+ john: "vnc",
1920
+ hashcat: nil,
1921
+ extended: false,
1922
+ name:"VNC"
1923
+ }
1924
+ ]
1925
+ },
1926
+ {
1927
+ extract_regex: Regexp.new('\b[a-z0-9]{32}(:([a-z0-9\\-]+\\.)?[a-z0-9\\-.]+\\.[a-z]{2,7}:.+:[0-9]+)?\b', Regexp::IGNORECASE),
1928
+ modes: [
1929
+ {
1930
+ john: nil,
1931
+ hashcat: 8300,
1932
+ extended: false,
1933
+ name:"DNSSEC(NSEC3)"
1934
+ }
1935
+ ]
1936
+ },
1937
+ {
1938
+ extract_regex: Regexp.new('\b(user-.+:)?\$racf\$\\*.+\\*[a-f0-9]{16}\b', Regexp::IGNORECASE),
1939
+ modes: [
1940
+ {
1941
+ john: "racf",
1942
+ hashcat: 8500,
1943
+ extended: false,
1944
+ name:"RACF"
1945
+ }
1946
+ ]
1947
+ },
1948
+ {
1949
+ extract_regex: Regexp.new('\b\$3\$\$[a-f0-9]{32}\b', Regexp::IGNORECASE),
1950
+ modes: [
1951
+ {
1952
+ john: nil,
1953
+ hashcat: nil,
1954
+ extended: false,
1955
+ name:"NTHash(FreeBSD Variant)"
1956
+ }
1957
+ ]
1958
+ },
1959
+ {
1960
+ extract_regex: Regexp.new('\b\$sha1\$[0-9]+\$[a-z0-9\\/.]{0,64}\$[a-z0-9\\/.]{28}\b', Regexp::IGNORECASE),
1961
+ modes: [
1962
+ {
1963
+ john: "sha1crypt",
1964
+ hashcat: nil,
1965
+ extended: false,
1966
+ name:"SHA-1 Crypt"
1967
+ }
1968
+ ]
1969
+ },
1970
+ {
1971
+ extract_regex: Regexp.new('\b[a-f0-9]{70}\b', Regexp::IGNORECASE),
1972
+ modes: [
1973
+ {
1974
+ john: "hmailserver",
1975
+ hashcat: 1421,
1976
+ extended: false,
1977
+ name:"hMailServer"
1978
+ }
1979
+ ]
1980
+ },
1981
+ {
1982
+ extract_regex: Regexp.new('\b[:\$][AB][:\$]([a-f0-9]{1,8}[:\$])?[a-f0-9]{32}\b', Regexp::IGNORECASE),
1983
+ modes: [
1984
+ {
1985
+ john: "mediawiki",
1986
+ hashcat: 3711,
1987
+ extended: false,
1988
+ name:"MediaWiki"
1989
+ }
1990
+ ]
1991
+ },
1992
+ {
1993
+ extract_regex: Regexp.new('\b[a-f0-9]{140}\b', Regexp::IGNORECASE),
1994
+ modes: [
1995
+ {
1996
+ john: nil,
1997
+ hashcat: nil,
1998
+ extended: false,
1999
+ name:"Minecraft(xAuth)"
2000
+ }
2001
+ ]
2002
+ },
2003
+ {
2004
+ extract_regex: Regexp.new('\b\$pbkdf2(-sha1)?\$[0-9]+\$[a-z0-9\\/.]+\$[a-z0-9\\/.]{27}\b', Regexp::IGNORECASE),
2005
+ modes: [
2006
+ {
2007
+ john: nil,
2008
+ hashcat: nil,
2009
+ extended: false,
2010
+ name:"PBKDF2-SHA1(Generic)"
2011
+ }
2012
+ ]
2013
+ },
2014
+ {
2015
+ extract_regex: Regexp.new('\b\$pbkdf2-sha256\$[0-9]+\$[a-z0-9\\/.]+\$[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
2016
+ modes: [
2017
+ {
2018
+ john: "pbkdf2-hmac-sha256",
2019
+ hashcat: nil,
2020
+ extended: false,
2021
+ name:"PBKDF2-SHA256(Generic)"
2022
+ }
2023
+ ]
2024
+ },
2025
+ {
2026
+ extract_regex: Regexp.new('\b\$pbkdf2-sha512\$[0-9]+\$[a-z0-9\\/.]+\$[a-z0-9\\/.]{86}\b', Regexp::IGNORECASE),
2027
+ modes: [
2028
+ {
2029
+ john: nil,
2030
+ hashcat: nil,
2031
+ extended: false,
2032
+ name:"PBKDF2-SHA512(Generic)"
2033
+ }
2034
+ ]
2035
+ },
2036
+ {
2037
+ extract_regex: Regexp.new('\b\$p5k2\$[0-9]+\$[a-z0-9\\/+=-]+\$[a-z0-9\\/+-]{27}=\b', Regexp::IGNORECASE),
2038
+ modes: [
2039
+ {
2040
+ john: nil,
2041
+ hashcat: nil,
2042
+ extended: false,
2043
+ name:"PBKDF2(Cryptacular)"
2044
+ }
2045
+ ]
2046
+ },
2047
+ {
2048
+ extract_regex: Regexp.new('\b\$p5k2\$[0-9]+\$[a-z0-9\\/.]+\$[a-z0-9\\/.]{32}\b', Regexp::IGNORECASE),
2049
+ modes: [
2050
+ {
2051
+ john: nil,
2052
+ hashcat: nil,
2053
+ extended: false,
2054
+ name:"PBKDF2(Dwayne Litzenberger)"
2055
+ }
2056
+ ]
2057
+ },
2058
+ {
2059
+ extract_regex: Regexp.new('\b{FSHP[0123]\\|[0-9]+\\|[0-9]+}[a-z0-9\\/+=]+\b', Regexp::IGNORECASE),
2060
+ modes: [
2061
+ {
2062
+ john: nil,
2063
+ hashcat: nil,
2064
+ extended: false,
2065
+ name:"Fairly Secure Hashed Password"
2066
+ }
2067
+ ]
2068
+ },
2069
+ {
2070
+ extract_regex: Regexp.new('\b\$PHPS\$.+\$[a-f0-9]{32}\b', Regexp::IGNORECASE),
2071
+ modes: [
2072
+ {
2073
+ john: "phps",
2074
+ hashcat: 2612,
2075
+ extended: false,
2076
+ name:"PHPS"
2077
+ }
2078
+ ]
2079
+ },
2080
+ {
2081
+ extract_regex: Regexp.new('\b[0-9]{4}:[a-f0-9]{16}:[a-f0-9]{2080}\b', Regexp::IGNORECASE),
2082
+ modes: [
2083
+ {
2084
+ john: nil,
2085
+ hashcat: 6600,
2086
+ extended: false,
2087
+ name:"1Password(Agile Keychain)"
2088
+ }
2089
+ ]
2090
+ },
2091
+ {
2092
+ extract_regex: Regexp.new('\b[a-f0-9]{64}:[a-f0-9]{32}:[0-9]{5}:[a-f0-9]{608}\b', Regexp::IGNORECASE),
2093
+ modes: [
2094
+ {
2095
+ john: nil,
2096
+ hashcat: 8200,
2097
+ extended: false,
2098
+ name:"1Password(Cloud Keychain)"
2099
+ }
2100
+ ]
2101
+ },
2102
+ {
2103
+ extract_regex: Regexp.new('\b[a-f0-9]{256}:[a-f0-9]{256}:[a-f0-9]{16}:[a-f0-9]{16}:[a-f0-9]{320}:[a-f0-9]{16}:[a-f0-9]{40}:[a-f0-9]{40}:[a-f0-9]{32}\b', Regexp::IGNORECASE),
2104
+ modes: [
2105
+ {
2106
+ john: nil,
2107
+ hashcat: 5300,
2108
+ extended: false,
2109
+ name:"IKE-PSK MD5"
2110
+ }
2111
+ ]
2112
+ },
2113
+ {
2114
+ extract_regex: Regexp.new('\b[a-f0-9]{256}:[a-f0-9]{256}:[a-f0-9]{16}:[a-f0-9]{16}:[a-f0-9]{320}:[a-f0-9]{16}:[a-f0-9]{40}:[a-f0-9]{40}:[a-f0-9]{40}\b', Regexp::IGNORECASE),
2115
+ modes: [
2116
+ {
2117
+ john: nil,
2118
+ hashcat: 5400,
2119
+ extended: false,
2120
+ name:"IKE-PSK SHA1"
2121
+ }
2122
+ ]
2123
+ },
2124
+ {
2125
+ extract_regex: Regexp.new('\b[a-z0-9\\/+]{27}=\b', Regexp::IGNORECASE),
2126
+ modes: [
2127
+ {
2128
+ john: nil,
2129
+ hashcat: 133,
2130
+ extended: false,
2131
+ name:"PeopleSoft"
2132
+ }
2133
+ ]
2134
+ },
2135
+ {
2136
+ extract_regex: Regexp.new('\bcrypt\$[a-f0-9]{5}\$[a-z0-9\\/.]{13}\b', Regexp::IGNORECASE),
2137
+ modes: [
2138
+ {
2139
+ john: nil,
2140
+ hashcat: nil,
2141
+ extended: false,
2142
+ name:"Django(DES Crypt Wrapper)"
2143
+ }
2144
+ ]
2145
+ },
2146
+ {
2147
+ extract_regex: Regexp.new('\b(\$django\$\\*1\\*)?pbkdf2_sha256\$[0-9]+\$[a-z0-9]+\$[a-z0-9\\/+=]{44}\b', Regexp::IGNORECASE),
2148
+ modes: [
2149
+ {
2150
+ john: "django",
2151
+ hashcat: 10000,
2152
+ extended: false,
2153
+ name:"Django(PBKDF2-HMAC-SHA256)"
2154
+ }
2155
+ ]
2156
+ },
2157
+ {
2158
+ extract_regex: Regexp.new('\bpbkdf2_sha1\$[0-9]+\$[a-z0-9]+\$[a-z0-9\\/+=]{28}\b', Regexp::IGNORECASE),
2159
+ modes: [
2160
+ {
2161
+ john: nil,
2162
+ hashcat: nil,
2163
+ extended: false,
2164
+ name:"Django(PBKDF2-HMAC-SHA1)"
2165
+ }
2166
+ ]
2167
+ },
2168
+ {
2169
+ extract_regex: Regexp.new('\bbcrypt(\$2[axy]|\$2)\$[0-9]{2}\$[a-z0-9\\/.]{53}\b', Regexp::IGNORECASE),
2170
+ modes: [
2171
+ {
2172
+ john: nil,
2173
+ hashcat: nil,
2174
+ extended: false,
2175
+ name:"Django(bcrypt)"
2176
+ }
2177
+ ]
2178
+ },
2179
+ {
2180
+ extract_regex: Regexp.new('\bmd5\$[a-f0-9]+\$[a-f0-9]{32}\b', Regexp::IGNORECASE),
2181
+ modes: [
2182
+ {
2183
+ john: nil,
2184
+ hashcat: nil,
2185
+ extended: false,
2186
+ name:"Django(MD5)"
2187
+ }
2188
+ ]
2189
+ },
2190
+ {
2191
+ extract_regex: Regexp.new('\b\\{PKCS5S2\\}[a-z0-9\\/+]{64}\b', Regexp::IGNORECASE),
2192
+ modes: [
2193
+ {
2194
+ john: nil,
2195
+ hashcat: nil,
2196
+ extended: false,
2197
+ name:"PBKDF2(Atlassian)"
2198
+ }
2199
+ ]
2200
+ },
2201
+ {
2202
+ extract_regex: Regexp.new('\bmd5[a-f0-9]{32}\b', Regexp::IGNORECASE),
2203
+ modes: [
2204
+ {
2205
+ john: nil,
2206
+ hashcat: nil,
2207
+ extended: false,
2208
+ name:"PostgreSQL MD5"
2209
+ }
2210
+ ]
2211
+ },
2212
+ {
2213
+ extract_regex: Regexp.new('\b\\([a-z0-9\\/+]{49}\\)\b', Regexp::IGNORECASE),
2214
+ modes: [
2215
+ {
2216
+ john: nil,
2217
+ hashcat: 9100,
2218
+ extended: false,
2219
+ name:"Lotus Notes/Domino 8"
2220
+ }
2221
+ ]
2222
+ },
2223
+ {
2224
+ extract_regex: Regexp.new('\bSCRYPT:[0-9]{1,}:[0-9]{1}:[0-9]{1}:[a-z0-9:\\/+=]{1,}\b', Regexp::IGNORECASE),
2225
+ modes: [
2226
+ {
2227
+ john: nil,
2228
+ hashcat: 8900,
2229
+ extended: false,
2230
+ name:"scrypt"
2231
+ }
2232
+ ]
2233
+ },
2234
+ {
2235
+ extract_regex: Regexp.new('\b\$8\$[a-z0-9\\/.]{14}\$[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
2236
+ modes: [
2237
+ {
2238
+ john: "cisco8",
2239
+ hashcat: 9200,
2240
+ extended: false,
2241
+ name:"Cisco Type 8"
2242
+ }
2243
+ ]
2244
+ },
2245
+ {
2246
+ extract_regex: Regexp.new('\b\$9\$[a-z0-9\\/.]{14}\$[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
2247
+ modes: [
2248
+ {
2249
+ john: "cisco9",
2250
+ hashcat: 9300,
2251
+ extended: false,
2252
+ name:"Cisco Type 9"
2253
+ }
2254
+ ]
2255
+ },
2256
+ {
2257
+ extract_regex: Regexp.new('\b\$office\$\\*2007\\*[0-9]{2}\\*[0-9]{3}\\*[0-9]{2}\\*[a-z0-9]{32}\\*[a-z0-9]{32}\\*[a-z0-9]{40}\b', Regexp::IGNORECASE),
2258
+ modes: [
2259
+ {
2260
+ john: "office",
2261
+ hashcat: 9400,
2262
+ extended: false,
2263
+ name:"Microsoft Office 2007"
2264
+ }
2265
+ ]
2266
+ },
2267
+ {
2268
+ extract_regex: Regexp.new('\b\$office\$\\*2010\\*[0-9]{6}\\*[0-9]{3}\\*[0-9]{2}\\*[a-z0-9]{32}\\*[a-z0-9]{32}\\*[a-z0-9]{64}\b', Regexp::IGNORECASE),
2269
+ modes: [
2270
+ {
2271
+ name:"Microsoft Office 2010",
2272
+ john: nil,
2273
+ hashcat: 9500,
2274
+ extended: false
2275
+ }
2276
+ ]
2277
+ },
2278
+ {
2279
+ extract_regex: Regexp.new('\b\$office\$\\*2013\\*[0-9]{6}\\*[0-9]{3}\\*[0-9]{2}\\*[a-z0-9]{32}\\*[a-z0-9]{32}\\*[a-z0-9]{64}\b', Regexp::IGNORECASE),
2280
+ modes: [
2281
+ {
2282
+ name:"Microsoft Office 2013",
2283
+ john: nil,
2284
+ hashcat: 9600,
2285
+ extended: false
2286
+ }
2287
+ ]
2288
+ },
2289
+ {
2290
+ extract_regex: Regexp.new('\b\$fde\$[0-9]{2}\$[a-f0-9]{32}\$[0-9]{2}\$[a-f0-9]{32}\$[a-f0-9]{3072}\b', Regexp::IGNORECASE),
2291
+ modes: [
2292
+ {
2293
+ john: "fde",
2294
+ hashcat: 8800,
2295
+ extended: false,
2296
+ name:"Android FDE \u2264 4.3"
2297
+ }
2298
+ ]
2299
+ },
2300
+ {
2301
+ extract_regex: Regexp.new('\b\$oldoffice\$[01]\\*[a-f0-9]{32}\\*[a-f0-9]{32}\\*[a-f0-9]{32}\b', Regexp::IGNORECASE),
2302
+ modes: [
2303
+ {
2304
+ john: "oldoffice",
2305
+ hashcat: 9700,
2306
+ extended: false,
2307
+ name:"Microsoft Office \u2264 2003 (MD5+RC4)"
2308
+ },
2309
+ {
2310
+ john: "oldoffice",
2311
+ hashcat: 9710,
2312
+ extended: false,
2313
+ name:"Microsoft Office \u2264 2003 (MD5+RC4) collider-mode #1"
2314
+ },
2315
+ {
2316
+ john: "oldoffice",
2317
+ hashcat: 9720,
2318
+ extended: false,
2319
+ name:"Microsoft Office \u2264 2003 (MD5+RC4) collider-mode #2"
2320
+ }
2321
+ ]
2322
+ },
2323
+ {
2324
+ extract_regex: Regexp.new('\b\$oldoffice\$[34]\\*[a-f0-9]{32}\\*[a-f0-9]{32}\\*[a-f0-9]{40}\b', Regexp::IGNORECASE),
2325
+ modes: [
2326
+ {
2327
+ john: nil,
2328
+ hashcat: 9800,
2329
+ extended: false,
2330
+ name:"Microsoft Office \u2264 2003 (SHA1+RC4)"
2331
+ },
2332
+ {
2333
+ john: nil,
2334
+ hashcat: 9810,
2335
+ extended: false,
2336
+ name:"Microsoft Office \u2264 2003 (SHA1+RC4) collider-mode #1"
2337
+ },
2338
+ {
2339
+ john: nil,
2340
+ hashcat: 9820,
2341
+ extended: false,
2342
+ name:"Microsoft Office \u2264 2003 (SHA1+RC4) collider-mode #2"
2343
+ }
2344
+ ]
2345
+ },
2346
+ {
2347
+ extract_regex: Regexp.new('\b(\$radmin2\$)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
2348
+ modes: [
2349
+ {
2350
+ john: "radmin",
2351
+ hashcat: 9900,
2352
+ extended: false,
2353
+ name:"RAdmin v2.x"
2354
+ }
2355
+ ]
2356
+ },
2357
+ {
2358
+ extract_regex: Regexp.new('\b{x-issha,\\s[0-9]{4}}[a-z0-9\\/+=]+\b', Regexp::IGNORECASE),
2359
+ modes: [
2360
+ {
2361
+ john: "saph",
2362
+ hashcat: 10300,
2363
+ extended: false,
2364
+ name:"SAP CODVN H (PWDSALTEDHASH) iSSHA-1"
2365
+ }
2366
+ ]
2367
+ },
2368
+ {
2369
+ extract_regex: Regexp.new('\b\$cram_md5\$[a-z0-9\\/+=-]+\$[a-z0-9\\/+=-]{52}\b', Regexp::IGNORECASE),
2370
+ modes: [
2371
+ {
2372
+ john: nil,
2373
+ hashcat: 10200,
2374
+ extended: false,
2375
+ name:"CRAM-MD5"
2376
+ }
2377
+ ]
2378
+ },
2379
+ {
2380
+ extract_regex: Regexp.new('\b[a-f0-9]{16}:2:4:[a-f0-9]{32}\b', Regexp::IGNORECASE),
2381
+ modes: [
2382
+ {
2383
+ john: nil,
2384
+ hashcat: 10100,
2385
+ extended: false,
2386
+ name:"SipHash"
2387
+ }
2388
+ ]
2389
+ },
2390
+ {
2391
+ extract_regex: Regexp.new('\b[a-f0-9]{4,}\b', Regexp::IGNORECASE),
2392
+ modes: [
2393
+ {
2394
+ name:"Cisco Type 7",
2395
+ john: nil,
2396
+ hashcat: nil,
2397
+ extended: true
2398
+ }
2399
+ ]
2400
+ },
2401
+ {
2402
+ extract_regex: Regexp.new('\b[a-z0-9\\/.]{13,}\b', Regexp::IGNORECASE),
2403
+ modes: [
2404
+ {
2405
+ name:"BigCrypt",
2406
+ john: "bigcrypt",
2407
+ hashcat: nil,
2408
+ extended: true,
2409
+ description: "Extended DES crypt — 13+ chars, extended length",
2410
+ notes: ["Rarely used", "Used in some Unix variants"],
2411
+ common_sources: ["some Unix variants"],
2412
+ context: ["unix", "extended"]
2413
+ }
2414
+ ]
2415
+ },
2416
+ {
2417
+ extract_regex: Regexp.new('\b(\$cisco4\$)?[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
2418
+ modes: [
2419
+ {
2420
+ name:"Cisco Type 4",
2421
+ john: "cisco4",
2422
+ hashcat: nil,
2423
+ extended: false
2424
+ }
2425
+ ]
2426
+ },
2427
+ {
2428
+ extract_regex: Regexp.new('\bbcrypt_sha256\$\$(2[axy]|2)\$[0-9]+\$[a-z0-9\\/.]{53}\b', Regexp::IGNORECASE),
2429
+ modes: [
2430
+ {
2431
+ name:"Django(bcrypt-SHA256)",
2432
+ john: nil,
2433
+ hashcat: nil,
2434
+ extended: false
2435
+ }
2436
+ ]
2437
+ },
2438
+ {
2439
+ extract_regex: Regexp.new('\b\$postgres\$.[^\\*]+[*:][a-f0-9]{1,32}[*:][a-f0-9]{32}\b', Regexp::IGNORECASE),
2440
+ modes: [
2441
+ {
2442
+ name:"PostgreSQL Challenge-Response Authentication (MD5)",
2443
+ john: "postgres",
2444
+ hashcat: 11100,
2445
+ extended: false
2446
+ }
2447
+ ]
2448
+ },
2449
+ {
2450
+ extract_regex: Regexp.new('\b\$siemens-s7\$[0-9]{1}\$[a-f0-9]{40}\$[a-f0-9]{40}\b', Regexp::IGNORECASE),
2451
+ modes: [
2452
+ {
2453
+ name:"Siemens-S7",
2454
+ john: "siemens-s7",
2455
+ hashcat: nil,
2456
+ extended: false
2457
+ }
2458
+ ]
2459
+ },
2460
+ {
2461
+ extract_regex: Regexp.new('\b(\$pst\$)?[a-f0-9]{8}\b', Regexp::IGNORECASE),
2462
+ modes: [
2463
+ {
2464
+ name:"Microsoft Outlook PST",
2465
+ john: nil,
2466
+ hashcat: nil,
2467
+ extended: false
2468
+ }
2469
+ ]
2470
+ },
2471
+ {
2472
+ extract_regex: Regexp.new('\bsha256[:$][0-9]+[:$][a-z0-9\\/+]+[:$][a-z0-9\\/+]{32,128}\b', Regexp::IGNORECASE),
2473
+ modes: [
2474
+ {
2475
+ name:"PBKDF2-HMAC-SHA256(PHP)",
2476
+ john: nil,
2477
+ hashcat: 10900,
2478
+ extended: false
2479
+ }
2480
+ ]
2481
+ },
2482
+ {
2483
+ extract_regex: Regexp.new('\b(\$dahua\$)?[a-z0-9]{8}\b', Regexp::IGNORECASE),
2484
+ modes: [
2485
+ {
2486
+ name:"Dahua",
2487
+ john: "dahua",
2488
+ hashcat: nil,
2489
+ extended: false
2490
+ }
2491
+ ]
2492
+ },
2493
+ {
2494
+ extract_regex: Regexp.new('\b\$mysqlna\$[a-f0-9]{40}[:*][a-f0-9]{40}\b', Regexp::IGNORECASE),
2495
+ modes: [
2496
+ {
2497
+ name:"MySQL Challenge-Response Authentication (SHA1)",
2498
+ john: nil,
2499
+ hashcat: 11200,
2500
+ extended: false
2501
+ }
2502
+ ]
2503
+ },
2504
+ {
2505
+ extract_regex: Regexp.new('\b\$pdf\$[24]\\*[34]\\*128\\*[0-9-]{1,5}\\*1\\*(16|32)\\*[a-f0-9]{32,64}\\*32\\*[a-f0-9]{64}\\*(8|16|32)\\*[a-f0-9]{16,64}\b', Regexp::IGNORECASE),
2506
+ modes: [
2507
+ {
2508
+ name:"PDF 1.4 - 1.6 (Acrobat 5 - 8)",
2509
+ john: "pdf",
2510
+ hashcat: 10500,
2511
+ extended: false
2512
+ }
2513
+ ]
2514
+ }
2515
+ ].freeze
2516
+ end