heitt 0.4.5 → 0.4.6

@@ -8,2508 +8,1002 @@ module HEITT
8
8
  {
9
9
  extract_regex: Regexp.new('\b[a-f0-9]{4}\b', Regexp::IGNORECASE),
10
10
  modes: [
11
- {
12
- name:"CRC-16",
13
- john: nil,
14
- hashcat: nil,
15
- extended: false,
16
- description: "Cyclic Redundancy Check 16-bit — 4 hexadecimal chars, basic checksum",
17
- notes: ["Error detection in data transmission", "Data storage integrity checks", "Not cryptographic", "Low collision resistance"],
18
- context: ["checksum", "networking"],
19
- prefixes: ["crc-16"],
20
- common_sources: ["file verification", "network protocols", "embedded systems"]
21
-
22
- },
23
- {
24
- name:"CRC-16-CCITT",
25
- john: nil,
26
- hashcat: nil,
27
- extended: false,
28
- description: "Cyclic Redundancy Check 16-bit Consultative Commitee for International Telegraph and Telephone",
29
- notes: ["Used for error detection in communication and storage systems", "Data Integrity and verification", "Memory checks integrity", "Not cryptographic"],
30
- context: ["checksum", "telecom", "bluetooth"],
31
- common_sources: ["V.41", "X.25", "HDLC", "Bluetooth"]
32
- },
33
- {
34
- name:"FCS-16",
35
- john: nil,
36
- hashcat: nil,
37
- extended: false,
38
- description: "Frame Check Sequence 6-bit — 4 hexadecimal chars, data link layer",
39
- notes: ["Not cryptographic"],
40
- prefixes: ["fcs-16"],
41
- context: ["checksum", "networking"],
42
- common_sources: ["Ethernet frames", "PPP"]
43
- }
11
+ {name:"CRC-16", john: nil, hashcat: nil, extended: false},
12
+ {name:"CRC-16-CCITT", john: nil, hashcat: nil, extended: false},
13
+ {name:"FCS-16", john: nil, hashcat: nil, extended: false}
44
14
  ]
45
15
  },
46
16
  {
47
17
  extract_regex: Regexp.new('\b[a-f0-9]{8}\b', Regexp::IGNORECASE),
48
18
  modes: [
49
- {
50
- name:"Adler-32",
51
- john: nil,
52
- hashcat: nil,
53
- extended: false,
54
- description: "Adler-32 checksum 8 hex chars, zlib compression",
55
- common_sources: ["zlib", "PNG files", "RSYNC"],
56
- context: ["checksum", "compression"]
57
- },
58
- {
59
- name:"CRC-32B",
60
- john: nil,
61
- hashcat: nil,
62
- extended: false,
63
- description: "CRC-32 IEEE 802.3 variant — 8 hex chars, Ethernet standard" ,
64
- notes: ["Not cryptographic"],
65
- common_sources: ["Ethernet", "MPEG-2", "PKZIP"],
66
- context: ["checksum", "networking"]
67
- },
68
- {
69
- name:"FCS-32",
70
- john: nil,
71
- hashcat: nil,
72
- extended: false,
73
- description: "Frame Check Sequence 32-bit — 8 hex chars, advanced networking",
74
- common_sources: ["advanced networking protocols"],
75
- context: ["checksum", "networking"]
76
- },
77
- {
78
- name:"GHash-32-3",
79
- john: nil,
80
- hashcat: nil,
81
- extended: false,
82
- description: "G-Hash 32-bit 3-round — 8 hex chars, experimental hash",
83
- common_sources: ["research", "academic"],
84
- context: ["experimental"]
85
- },
86
- {
87
- name:"GHash-32-5",
88
- john: nil,
89
- hashcat: nil,
90
- extended: false,
91
- description: "G-Hash 32-bit 5-round — 8 hex chars, experimental hash",
92
- common_sources: ["research", "academic"],
93
- context: ["experimental"]
94
- },
95
- {
96
- name:"FNV-132",
97
- john: nil,
98
- hashcat: nil,
99
- extended: false,
100
- description: "Fowler-Noll-Vo hash 32-bit — 8 hex chars, fast non-crypto hash",
101
- common_sources: ["DNS", "database indexing", "hash tables"],
102
- context: ["checksum", "programming"]
103
- },
104
- {
105
- name:"Fletcher-32",
106
- john: nil,
107
- hashcat: nil,
108
- extended: false,
109
- description: "Fletcher's checksum 32-bit — 8 hex chars, error detection",
110
- common_sources: ["OSTA UDF", "ISO/IEC 8473-1"],
111
- context: ["checksum", "storage"]
112
- },
113
- {
114
- name:"Joaat",
115
- john: nil,
116
- hashcat: nil,
117
- extended: false,
118
- description: "Jenkins one-at-a-time hash — 8 hex chars, simple string hash",
119
- common_sources: ["Perl", "Apache", "various applications"],
120
- context: ["programming", "hashing"]
121
- },
122
- {
123
- name:"ELF-32",
124
- john: nil,
125
- hashcat: nil,
126
- extended: false,
127
- description: "ELF-32 hash for object files — 8 hex chars, Unix/Linux object files",
128
- context: ["executable", "system"],
129
- "mime_types": ["application/octet-stream"]
130
-
131
- },
132
- {
133
- name:"XOR-32",
134
- john: nil,
135
- hashcat: nil,
136
- extended: false,
137
- description: "Simple XOR-based 32-bit hash — 8 hex chars, basic XOR operation",
138
- common_sources: ["simple applications", "embedded systems"],
139
- context: ["basic", "embedded"]
140
-
141
- }
19
+ {name:"Adler-32", john: nil, hashcat: nil, extended: false},
20
+ { name:"CRC-32B", john: nil, hashcat: nil, extended: false},
21
+ {name:"FCS-32", john: nil, hashcat: nil, extended: false},
22
+ {name:"GHash-32-3", john: nil, hashcat: nil, extended: false},
23
+ {name:"GHash-32-5", john: nil, hashcat: nil, extended: false},
24
+ {name:"FNV-132", john: nil, hashcat: nil, extended: false},
25
+ {name:"Fletcher-32", john: nil, hashcat: nil, extended: false},
26
+ {name:"Joaat", john: nil, hashcat: nil, extended: false},
27
+ {name:"ELF-32", john: nil, hashcat: nil, extended: false},
28
+ {name:"XOR-32", john: nil, hashcat: nil, extended: false}
142
29
  ]
143
30
  },
144
31
  {
145
32
  extract_regex: Regexp.new('\b[a-f0-9]{6}\b', Regexp::IGNORECASE),
146
33
  modes: [
147
- {
148
- name:"CRC-24",
149
- john: nil,
150
- hashcat: nil,
151
- extended: false,
152
- description: "Cyclic Redundancy Check 24-bits — 6 hexadecimal chars, OpenPGP standard",
153
- notes: ["Not cryptographic"],
154
- context: ["checksum"],
155
- common_sources: ["OpenPGP", "RFID", "some file formats"]
156
- }
34
+ {name:"CRC-24", john: nil, hashcat: nil, extended: false}
157
35
  ]
158
36
  },
159
37
  {
160
38
  extract_regex: Regexp.new('\b(\$crc32\$[a-f0-9]{8}.)?[a-f0-9]{8}\b', Regexp::IGNORECASE),
161
39
  modes: [
162
- {
163
- name:"CRC-32",
164
- john: "crc32",
165
- hashcat: nil,
166
- extended: false,
167
- description: "Cyclic Redundancy Check 32-bit — 8 hex chars, most common checksum",
168
- notes: ["Not cryptographic"]
169
- }
40
+ {name:"CRC-32", john: "crc32", hashcat: nil, extended: false}
170
41
  ]
171
42
  },
172
43
  {
173
44
  extract_regex: Regexp.new('\b\\+[a-z0-9\\/.]{12}\b', Regexp::IGNORECASE),
174
45
  modes: [
175
- {
176
- john: "bfegg",
177
- hashcat: nil,
178
- extended: false,
179
- name:"Eggdrop IRC Bot"
180
- }
46
+ {name:"Eggdrop IRC Bot", john: "bfegg", hashcat: nil, extended: false}
181
47
  ]
182
48
  },
183
49
  {
184
50
  extract_regex: Regexp.new('\b[a-z0-9\\/.]{13}\b', Regexp::IGNORECASE),
185
51
  modes: [
186
- {
187
- name:"DES(Unix)",
188
- john: "descrypt",
189
- hashcat: 1500,
190
- extended: false,
191
- description: "DES-based Unix crypt — 13 chars, traditional Unix passwords",
192
- notes: ["Only 8 char passwords", "weak salt"],
193
- common_sources: ["/etc/passwd", "old Unix systems"],
194
- context: ["unix", "legacy"]
195
- },
196
- {
197
- name:"Traditional DES",
198
- john: "descrypt",
199
- hashcat: 1500,
200
- extended: false
201
-
202
- },
203
- {
204
- name:"DEScrypt",
205
- john: "descrypt",
206
- hashcat: 1500,
207
- extended: false,
208
- description: "DES crypt implementation — 13 chars",
209
- notes: ["Traditional Unix password hashing"],
210
- common_sources: ["old Unix/Linux"],
211
- context: ["unix", "legacy"]
212
- }
52
+ {name:"DES(Unix)", john: "descrypt", hashcat: 1500, extended: false},
53
+ {name:"Traditional DES", john: "descrypt", hashcat: 1500, extended: false},
54
+ {name:"DEScrypt", john: "descrypt", hashcat: 1500, extended: false}
213
55
  ]
214
56
  },
215
57
  {
216
58
  extract_regex: Regexp.new('\b[a-f0-9]{16}\b', Regexp::IGNORECASE),
217
59
  modes: [
218
- {
219
- name:"MySQL323",
220
- john: "mysql",
221
- hashcat: 200,
222
- extended: false,
223
- description: "MySQL 3.23 password hash — 16 chars typical, but can be padded to 32 (hexadecimals)",
224
- notes: ["Used in old MySQL databases", "Can be broken in seconds", "Susceptible to rainbow tables", "Limited to 8 character passwords", "Deprecated since MySQL 4.1"]
225
- },
226
- {
227
- name:"DES(Oracle)",
228
- john: nil,
229
- hashcat: 3100,
230
- extended: false,
231
- description: "Oracle DES-based hash — 16 hex chars, Oracle specific"
232
- },
233
- {
234
- name:"Half MD5",
235
- john: nil,
236
- hashcat: 5100,
237
- extended: false,
238
- description: "First half of MD5 hash — 16 hex chars, MD5 truncated",
239
- notes: ["Weaker than full MD5"]
240
- },
241
- {
242
- name:"Oracle 7-10g",
243
- john: nil,
244
- hashcat: 3100,
245
- extended: false
246
- },
247
- {
248
- name:"FNV-164",
249
- john: nil,
250
- hashcat: nil,
251
- extended: false,
252
- description: "Fowler-Noll-Vo hash 64-bit — 16 hex chars, 64-bit version",
253
- notes: ["Not cryptographic"]
254
- },
255
- {
256
- name:"CRC-64",
257
- john: nil,
258
- hashcat: nil,
259
- extended: false,
260
- description: "Cyclic Redundancy Check 64-bit — 16 hex chars, ISO 3309",
261
- notes: ["Not cryptographic"]
262
- }
60
+ {name:"MySQL323", john: "mysql", hashcat: 200, extended: false},
61
+ {name:"DES(Oracle)", john: nil, hashcat: 3100, extended: false},
62
+ {name:"Half MD5", john: nil, hashcat: 5100, extended: false},
63
+ {name:"Oracle 7-10g", john: nil, hashcat: 3100, extended: false},
64
+ {name:"FNV-164", john: nil, hashcat: nil, extended: false},
65
+ {name:"CRC-64", john: nil, hashcat: nil, extended: false}
263
66
  ]
264
67
  },
265
68
  {
266
69
  extract_regex: Regexp.new('\b[a-z0-9\\/.]{16}\b', Regexp::IGNORECASE),
267
70
  modes: [
268
- {
269
- name:"Cisco-PIX(MD5)",
270
- john: "pix-md5",
271
- hashcat: 2400,
272
- extended: false,
273
- description: "Cisco PIX MD5 hash"
274
- }
71
+ {name:"Cisco-PIX(MD5)", john: "pix-md5", hashcat: 2400, extended: false}
275
72
  ]
276
73
  },
277
74
  {
278
75
  extract_regex: Regexp.new('\b\\([a-z0-9\\/+]{20}\\)\b', Regexp::IGNORECASE),
279
76
  modes: [
280
- {
281
- john: "dominosec",
282
- hashcat: 8700,
283
- extended: false,
284
- name:"Lotus Notes/Domino 6"
285
- }
77
+ {name:"Lotus Notes/Domino 6", john: "dominosec", hashcat: 8700, extended: false}
286
78
  ]
287
79
  },
288
80
  {
289
81
  extract_regex: Regexp.new('\b_[a-z0-9\\/.]{19}\b', Regexp::IGNORECASE),
290
82
  modes: [
291
- {
292
- john: "bsdicrypt",
293
- hashcat: nil,
294
- extended: false,
295
- name:"BSDi Crypt"
296
- }
83
+ {name:"BSDi Crypt", john: "bsdicrypt", hashcat: nil, extended: false}
297
84
  ]
298
85
  },
299
86
  {
300
87
  extract_regex: Regexp.new('\b[a-f0-9]{24}\b', Regexp::IGNORECASE),
301
88
  modes: [
302
- {
303
- name:"CRC-96(ZIP)",
304
- john: nil,
305
- hashcat: nil,
306
- extended: false,
307
- description: "CRC-96 used in some ZIP variants — 24 hex chars, extended CRC",
308
- notes: ["Not cryptographic", "For some archive formats"]
309
- }
89
+ {name:"CRC-96(ZIP)", john: nil, hashcat: nil, extended: false}
310
90
  ]
311
91
  },
312
92
  {
313
93
  extract_regex: Regexp.new('\b[a-z0-9\\/.]{24}\b', Regexp::IGNORECASE),
314
94
  modes: [
315
- {
316
- name:"Crypt16",
317
- john: nil,
318
- hashcat: nil,
319
- extended: false,
320
- description: "Extended crypt16 implementation",
321
- characteristics: "24 chars, extended DES crypt",
322
- notes: ["Rarely used", "Used by some Unix variants"]
323
- }
95
+ {name:"Crypt16", john: nil, hashcat: nil, extended: false}
324
96
  ]
325
97
  },
326
98
  {
327
99
  extract_regex: Regexp.new('\b(\$md2\$)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
328
100
  modes: [
329
- {
330
- john: "md2",
331
- hashcat: nil,
332
- extended: false,
333
- name:"MD2"
334
- }
101
+ {name:"MD2", john: "md2", hashcat: nil, extended: false}
335
102
  ]
336
103
  },
337
104
  {
338
105
  extract_regex: Regexp.new('\b[a-f0-9]{32}(:.+)?\b', Regexp::IGNORECASE),
339
106
  modes: [
340
- {
341
- name:"MD5",
342
- john: "raw-md5",
343
- hashcat: 0,
344
- extended: false,
345
- description: "MD5 cryptographic hash function",
346
- characteristics: "32 chars, hexadecimal, unsalted",
347
- notes: ["Used as checksum to verify data or file integrity", "MD5 is cryptographically broken as it is vulnerable to collision attacks"],
348
- context: ["web", "checksum", "legacy", "password", "hash", "md5"],
349
- prefixes: ["md5", "hash", "checksum", "password"],
350
- file_types: ["shadow", "htpasswd", "logs"],
351
- mime_types: ["text/plain", "text/x-passwd"],
352
- common_sources: ["web applications", "file integrity checks", "checksums", "legacy systems"]
353
-
354
- },
355
- {
356
- name:"MD4",
357
- john: "raw-md4",
358
- hashcat: 900,
359
- extended: false,
360
- characteristics: "32 chars, legacy Microsoft systems",
361
- prefixes: ["hash"],
362
- context: ["hash"],
363
- common_sources: ["Old Windows systems", "legacy applications"]
364
- },
365
- {
366
- name:"Double MD5",
367
- john: nil,
368
- hashcat: 2600,
369
- extended: false
370
- },
371
- {
372
- name:"LM",
373
- john: "lm",
374
- hashcat: 3000,
375
- extended: false,
376
- description: "Windows LAN Manager hash",
377
- characteristics: "16 hex chars, all uppercase, split password",
378
- notes: ["Mainly found in Windows SAM files(legacy Windows)", "Very weak", "no lowercase", "split passwords"],
379
- common_sources: ["Windows SAM", "legacy Windows systems"],
380
- context: ["windows", "SAM"]
381
- },
382
- {
383
- name:"RIPEMD-128",
384
- john: "ripemd-128",
385
- hashcat: nil,
386
- extended: false
387
- },
388
- {
389
- name:"Haval-128",
390
- john: "haval-128-4",
391
- hashcat: nil,
392
- extended: false
393
- },
394
- {
395
- name:"Tiger-128",
396
- john: nil,
397
- hashcat: nil,
398
- extended: false
399
- },
400
- {
401
- john: nil,
402
- hashcat: nil,
403
- extended: false,
404
- name:"Skein-256(128)"
405
- },
406
- {
407
- john: nil,
408
- hashcat: nil,
409
- extended: false,
410
- name:"Skein-512(128)"
411
- },
412
- {
413
- john: "lotus5",
414
- hashcat: 8600,
415
- extended: false,
416
- name:"Lotus Notes/Domino 5"
417
- },
418
- {
419
- john: nil,
420
- hashcat: 23,
421
- extended: false,
422
- name:"Skype"
423
- },
424
- {
425
- john: nil,
426
- hashcat: nil,
427
- extended: true,
428
- name:"ZipMonster"
429
- },
430
- {
431
- john: nil,
432
- hashcat: 11000,
433
- extended: true,
434
- name:"PrestaShop"
435
- },
436
- {
437
- john: nil,
438
- hashcat: 3500,
439
- extended: true,
440
- name:"md5(md5(md5($pass)))"
441
- },
442
- {
443
- john: nil,
444
- hashcat: 4300,
445
- extended: true,
446
- name:"md5(strtoupper(md5($pass)))"
447
- },
448
- {
449
- john: nil,
450
- hashcat: 4400,
451
- extended: true,
452
- name:"md5(sha1($pass))"
453
- },
454
- {
455
- john: nil,
456
- hashcat: 10,
457
- extended: true,
458
- name:"md5($pass.$salt)"
459
- },
460
- {
461
- john: nil,
462
- hashcat: 20,
463
- extended: true,
464
- name:"md5($salt.$pass)"
465
- },
466
- {
467
- john: nil,
468
- hashcat: 30,
469
- extended: true,
470
- name:"md5(unicode($pass).$salt)"
471
- },
472
- {
473
- john: nil,
474
- hashcat: 40,
475
- extended: true,
476
- name:"md5($salt.unicode($pass))"
477
- },
478
- {
479
- john: "hmac-md5",
480
- hashcat: 50,
481
- extended: true,
482
- name:"HMAC-MD5 (key = $pass)"
483
- },
484
- {
485
- john: "hmac-md5",
486
- hashcat: 60,
487
- extended: true,
488
- name:"HMAC-MD5 (key = $salt)"
489
- },
490
- {
491
- john: nil,
492
- hashcat: 3610,
493
- extended: true,
494
- name:"md5(md5($salt).$pass)"
495
- },
496
- {
497
- john: nil,
498
- hashcat: 3710,
499
- extended: true,
500
- name:"md5($salt.md5($pass))"
501
- },
502
- {
503
- john: nil,
504
- hashcat: 3720,
505
- extended: true,
506
- name:"md5($pass.md5($salt))"
507
- },
508
- {
509
- john: nil,
510
- hashcat: 3810,
511
- extended: true,
512
- name:"md5($salt.$pass.$salt)"
513
- },
514
- {
515
- john: nil,
516
- hashcat: 3910,
517
- extended: true,
518
- name:"md5(md5($pass).md5($salt))"
519
- },
520
- {
521
- john: nil,
522
- hashcat: 4010,
523
- extended: true,
524
- name:"md5($salt.md5($salt.$pass))"
525
- },
526
- {
527
- john: nil,
528
- hashcat: 4110,
529
- extended: true,
530
- name:"md5($salt.md5($pass.$salt))"
531
- },
532
- {
533
- john: nil,
534
- hashcat: 4210,
535
- extended: true,
536
- name:"md5($username.0.$pass)"
537
- }
107
+ {name:"MD5", john: "raw-md5", hashcat: 0, extended: false},
108
+ {name:"MD4", john: "raw-md4", hashcat: 900, extended: false},
109
+ {name:"Double MD5", john: nil, hashcat: 2600, extended: false},
110
+ {name:"LM", john: "lm", hashcat: 3000, extended: false},
111
+ {name:"RIPEMD-128", john: "ripemd-128", hashcat: nil, extended: false},
112
+ {name:"Haval-128", john: "haval-128-4", hashcat: nil, extended: false},
113
+ {name:"Tiger-128", john: nil, hashcat: nil, extended: false},
114
+ {name:"Skein-256(128)", john: nil, hashcat: nil, extended: false},
115
+ {name:"Skein-512(128)", john: nil, hashcat: nil, extended: false},
116
+ {name:"Lotus Notes/Domino 5", john: "lotus5", hashcat: 8600, extended: false},
117
+ {name:"Skype", john: nil, hashcat: 23, extended: false},
118
+ {name:"ZipMonster", john: nil, hashcat: nil, extended: true},
119
+ {name:"PrestaShop", john: nil, hashcat: 11000, extended: true},
120
+ {name:"md5(md5(md5($pass)))", john: nil, hashcat: 3500, extended: true},
121
+ {name:"md5(strtoupper(md5($pass)))", john: nil, hashcat: 4300, extended: true},
122
+ {name:"md5(sha1($pass))", john: nil, hashcat: 4400, extended: true},
123
+ {name:"md5($pass.$salt)", john: nil, hashcat: 10, extended: true},
124
+ {name:"md5($salt.$pass)", john: nil, hashcat: 20, extended: true},
125
+ {name:"md5(unicode($pass).$salt)", john: nil, hashcat: 30, extended: true},
126
+ {name:"md5($salt.unicode($pass))", john: nil, hashcat: 40, extended: true},
127
+ {name:"HMAC-MD5 (key = $pass)", john: "hmac-md5", hashcat: 50, extended: true},
128
+ {name:"HMAC-MD5 (key = $salt)", john: "hmac-md5", hashcat: 60, extended: true},
129
+ {name:"md5(md5($salt).$pass)", john: nil, hashcat: 3610, extended: true},
130
+ {name:"md5($salt.md5($pass))", john: nil, hashcat: 3710, extended: true},
131
+ {name:"md5($pass.md5($salt))", john: nil, hashcat: 3720, extended: true},
132
+ {name:"md5($salt.$pass.$salt)", john: nil, hashcat: 3810, extended: true},
133
+ {name:"md5(md5($pass).md5($salt))", john: nil, hashcat: 3910, extended: true},
134
+ {name:"md5($salt.md5($salt.$pass))", john: nil, hashcat: 4010, extended: true},
135
+ {name:"md5($salt.md5($pass.$salt))", john: nil, hashcat: 4110, extended: true},
136
+ {name:"md5($username.0.$pass)", john: nil, hashcat: 4210, extended: true}
538
137
  ]
539
138
  },
540
139
  {
541
140
  extract_regex: Regexp.new('\b(\$snefru\$)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
542
141
  modes: [
543
- {
544
- john: "snefru-128",
545
- hashcat: nil,
546
- extended: false,
547
- name:"Snefru-128"
548
- }
142
+ {name:"Snefru-128", john: "snefru-128", hashcat: nil, extended: false}
549
143
  ]
550
144
  },
551
145
  {
552
146
  extract_regex: Regexp.new('\b(\$NT\$)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
553
147
  modes: [
554
- {
555
- name:"NTLM",
556
- john: "nt",
557
- hashcat: 1000,
558
- extended: false,
559
- description: "Windows NTLM authentication hash",
560
- characteristics: "32 chars, Windows authentication, based on MD4",
561
- notes: ["Hashcat Mode: 5600 (NetNTLMv2) - if network captured", "Hashcat Mode: 5500 (NetNTLMv1/NetNTLMv1+ESS) - legacy versions", "John Format: netntlm (for network hashes)", "John Format: netntlmv2 (v2 hashes)"],
562
- context: ["windows", "SAM", "LSASS", "nt", "ntlm"],
563
- prefixes: ["nt"],
564
- file_types: ["ntds", "logs"],
565
- mime_types: ["text/plain", "application/octet-stream"],
566
- common_sources: ["Windows SAM", "Active Directory", "LSASS memory"]
567
- }
148
+ {name:"NTLM", john: "nt", hashcat: 1000, extended: false}
568
149
  ]
569
150
  },
570
151
  {
571
152
  extract_regex: Regexp.new('\b([^\\\\\\/:*?\"<>|]{1,20}:)?[a-f0-9]{32}(:[^\\\\\\/:*?\"<>|]{1,20})?\b', Regexp::IGNORECASE),
572
153
  modes: [
573
- {
574
- john: "mscach",
575
- hashcat: 1100,
576
- extended: false,
577
- name:"Domain Cached Credentials"
578
- }
154
+ {name:"Domain Cached Credentials", john: "mscach", hashcat: 1100, extended: false}
579
155
  ]
580
156
  },
581
157
  {
582
158
  extract_regex: Regexp.new('\b([^\\\\\\/:*?\"<>|]{1,20}:)?(\$DCC2\$10240#[^\\\\\\/:*?\"<>|]{1,20}#)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
583
159
  modes: [
584
- {
585
- john: "mscach2",
586
- hashcat: 2100,
587
- extended: false,
588
- name:"Domain Cached Credentials 2"
589
- }
160
+ {name:"Domain Cached Credentials 2", john: "mscach2", hashcat: 2100, extended: false}
590
161
  ]
591
162
  },
592
163
  {
593
164
  extract_regex: Regexp.new('\b{SHA}[a-z0-9\\/+]{27}=\b', Regexp::IGNORECASE),
594
165
  modes: [
595
- {
596
- john: "nsldap",
597
- hashcat: 101,
598
- extended: false,
599
- name:"SHA-1(Base64)"
600
- },
601
- {
602
- john: "nsldap",
603
- hashcat: 101,
604
- extended: false,
605
- name:"Netscape LDAP SHA"
606
- }
166
+ {name:"SHA-1(Base64)", john: "nsldap", hashcat: 101, extended: false},
167
+ {name:"Netscape LDAP SHA", john: "nsldap", hashcat: 101, extended: false}
607
168
  ]
608
169
  },
609
170
  {
610
171
  extract_regex: Regexp.new('\b\$1\$[a-z0-9\\/.]{0,8}\$[a-z0-9\\/.]{22}(:.*)?\b', Regexp::IGNORECASE),
611
172
  modes: [
612
- {
613
- john: "md5crypt",
614
- hashcat: 500,
615
- extended: false,
616
- name:"MD5 Crypt"
617
- },
618
- {
619
- john: "md5crypt",
620
- hashcat: 500,
621
- extended: false,
622
- name:"Cisco-IOS(MD5)"
623
- },
624
- {
625
- john: "md5crypt",
626
- hashcat: 500,
627
- extended: false,
628
- name:"FreeBSD MD5"
629
- }
173
+ {name:"MD5 Crypt", john: "md5crypt", hashcat: 500, extended: false},
174
+ {name:"Cisco-IOS(MD5)", john: "md5crypt", hashcat: 500, extended: false},
175
+ {name:"FreeBSD MD5", john: "md5crypt", hashcat: 500, extended: false}
630
176
  ]
631
177
  },
632
178
  {
633
179
  extract_regex: Regexp.new('\b0x[a-f0-9]{32}\b', Regexp::IGNORECASE),
634
180
  modes: [
635
- {
636
- john: nil,
637
- hashcat: nil,
638
- extended: false,
639
- name:"Lineage II C4"
640
- }
181
+ {name:"Lineage II C4", john: nil, hashcat: nil, extended: false}
641
182
  ]
642
183
  },
643
184
  {
644
185
  extract_regex: Regexp.new('\b\$H\$[a-z0-9\\/.]{31}\b', Regexp::IGNORECASE),
645
186
  modes: [
646
- {
647
- john: "phpass",
648
- hashcat: 400,
649
- extended: false,
650
- name:"phpBB v3.x"
651
- },
652
- {
653
- john: "phpass",
654
- hashcat: 400,
655
- extended: false,
656
- name:"Wordpress v2.6.0/2.6.1"
657
- },
658
- {
659
- john: "phpass",
660
- hashcat: 400,
661
- extended: false,
662
- name:"PHPass' Portable Hash"
663
- }
187
+ {name:"phpBB v3.x", john: "phpass", hashcat: 400, extended: false},
188
+ {name:"Wordpress v2.6.0/2.6.1", john: "phpass", hashcat: 400, extended: false},
189
+ {name:"PHPass' Portable Hash", john: "phpass", hashcat: 400, extended: false}
664
190
  ]
665
191
  },
666
192
  {
667
193
  extract_regex: Regexp.new('\b\$P\$[a-z0-9\\/.]{31}\b', Regexp::IGNORECASE),
668
194
  modes: [
669
- {
670
- john: "phpass",
671
- hashcat: 400,
672
- extended: false,
673
- name:"Wordpress \u2265 v2.6.2"
674
- },
675
- {
676
- john: "phpass",
677
- hashcat: 400,
678
- extended: false,
679
- name:"Joomla \u2265 v2.5.18"
680
- },
681
- {
682
- john: "phpass",
683
- hashcat: 400,
684
- extended: false,
685
- name:"PHPass' Portable Hash"
686
- }
195
+ {name:"Wordpress \u2265 v2.6.2", john: "phpass", hashcat: 400, extended: false},
196
+ {name:"Joomla \u2265 v2.5.18", john: "phpass", hashcat: 400, extended: false},
197
+ {name:"PHPass' Portable Hash", john: "phpass", hashcat: 400, extended: false}
687
198
  ]
688
199
  },
689
200
  {
690
201
  extract_regex: Regexp.new('\b[a-f0-9]{32}:[a-z0-9]{2}\b', Regexp::IGNORECASE),
691
202
  modes: [
692
- {
693
- john: nil,
694
- hashcat: 21,
695
- extended: false,
696
- name:"osCommerce"
697
- },
698
- {
699
- john: nil,
700
- hashcat: 21,
701
- extended: false,
702
- name:"xt:Commerce"
703
- }
203
+ {name:"osCommerce", john: nil, hashcat: 21, extended: false},
204
+ {name:"xt:Commerce", john: nil, hashcat: 21, extended: false}
704
205
  ]
705
206
  },
706
207
  {
707
208
  extract_regex: Regexp.new('\b\$apr1\$[a-z0-9\\/.]{0,8}\$[a-z0-9\\/.]{22}\b', Regexp::IGNORECASE),
708
209
  modes: [
709
- {
710
- john: nil,
711
- hashcat: 1600,
712
- extended: false,
713
- name:"MD5(APR)"
714
- },
715
- {
716
- john: nil,
717
- hashcat: 1600,
718
- extended: false,
719
- name:"Apache MD5"
720
- },
721
- {
722
- john: nil,
723
- hashcat: 1600,
724
- extended: true,
725
- name:"md5apr1"
726
- }
210
+ {name:"MD5(APR)", john: nil, hashcat: 1600, extended: false},
211
+ {name:"Apache MD5", john: nil, hashcat: 1600, extended: false},
212
+ {name:"md5apr1", john: nil, hashcat: 1600, extended: true}
727
213
  ]
728
214
  },
729
215
  {
730
216
  extract_regex: Regexp.new('\b{smd5}[a-z0-9$\\/.]{31}\b', Regexp::IGNORECASE),
731
217
  modes: [
732
- {
733
- john: "aix-smd5",
734
- hashcat: 6300,
735
- extended: false,
736
- name:"AIX(smd5)"
737
- }
218
+ {name:"AIX(smd5)", john: "aix-smd5", hashcat: 6300, extended: false}
738
219
  ]
739
220
  },
740
221
  {
741
222
  extract_regex: Regexp.new('\b[a-f0-9]{32}:[a-f0-9]{32}\b', Regexp::IGNORECASE),
742
223
  modes: [
743
- {
744
- john: nil,
745
- hashcat: 3721,
746
- extended: false,
747
- name:"WebEdition CMS"
748
- }
224
+ {name:"WebEdition CMS", john: nil, hashcat: 3721, extended: false}
749
225
  ]
750
226
  },
751
227
  {
752
228
  extract_regex: Regexp.new('\b[a-f0-9]{32}:.{5}\b', Regexp::IGNORECASE),
753
229
  modes: [
754
- {
755
- john: nil,
756
- hashcat: 2811,
757
- extended: false,
758
- name:"IP.Board \u2265 v2+"
759
- }
230
+ {name:"IP.Board \u2265 v2+", john: nil, hashcat: 2811, extended: false}
760
231
  ]
761
232
  },
762
233
  {
763
234
  extract_regex: Regexp.new('\b[a-f0-9]{32}:.{8}\b', Regexp::IGNORECASE),
764
235
  modes: [
765
- {
766
- john: nil,
767
- hashcat: 2811,
768
- extended: false,
769
- name:"MyBB \u2265 v1.2+"
770
- }
236
+ {name:"MyBB \u2265 v1.2+", john: nil, hashcat: 2811, extended: false}
771
237
  ]
772
238
  },
773
239
  {
774
240
  extract_regex: Regexp.new('\b[a-z0-9]{34}\b', Regexp::IGNORECASE),
775
241
  modes: [
776
- {
777
- john: nil,
778
- hashcat: nil,
779
- extended: false,
780
- name:"CryptoCurrency(Adress)"
781
- }
242
+ {name:"CryptoCurrency(Adress)", john: nil, hashcat: nil, extended: false}
782
243
  ]
783
244
  },
784
245
  {
785
246
  extract_regex: Regexp.new('\b[a-f0-9]{40}(:.+)?\b', Regexp::IGNORECASE),
786
247
  modes: [
787
- {
788
- name:"SHA-1",
789
- john: "raw-sha1",
790
- hashcat: 100,
791
- extended: false,
792
- description: "SHA-1 cryptographic hash function",
793
- characteristics: "40 chars, hexadecimal, unsalted",
794
- notes: ["Used for file verification", "found in git commits and legacy certificates"],
795
- prefixes: ["sha1", "hash"],
796
- context: ["sha1", "hash"]
797
- },
798
- {
799
- john: nil,
800
- hashcat: 4500,
801
- extended: false,
802
- name:"Double SHA-1",
803
- context: ["sha1"]
804
- #prefixes: ["sha1"]
805
- },
806
- {
807
- name:"RIPEMD-160",
808
- john: "ripemd-160",
809
- hashcat: 6000,
810
- extended: false,
811
- characteristics: "40 chars, Bitcoin addresses, digital signatures",
812
- notes: ["Rarely used for passwords"]
813
- },
814
- {
815
- john: nil,
816
- hashcat: nil,
817
- extended: false,
818
- name:"Haval-160"
819
- },
820
- {
821
- john: nil,
822
- hashcat: nil,
823
- extended: false,
824
- name:"Tiger-160"
825
- },
826
- {
827
- john: nil,
828
- hashcat: nil,
829
- extended: false,
830
- name:"HAS-160"
831
- },
832
- {
833
- john: "raw-sha1-linkedin",
834
- hashcat: 190,
835
- extended: false,
836
- name:"LinkedIn"
837
- },
838
- {
839
- john: nil,
840
- hashcat: nil,
841
- extended: false,
842
- name:"Skein-256(160)"
843
- },
844
- {
845
- john: nil,
846
- hashcat: nil,
847
- extended: false,
848
- name:"Skein-512(160)"
849
- },
850
- {
851
- john: nil,
852
- hashcat: nil,
853
- extended: true,
854
- name:"MangosWeb Enhanced CMS"
855
- },
856
- {
857
- john: nil,
858
- hashcat: 4600,
859
- extended: true,
860
- name:"sha1(sha1(sha1($pass)))"
861
- },
862
- {
863
- john: nil,
864
- hashcat: 4700,
865
- extended: true,
866
- name:"sha1(md5($pass))"
867
- },
868
- {
869
- john: nil,
870
- hashcat: 110,
871
- extended: true,
872
- name:"sha1($pass.$salt)"
873
- },
874
- {
875
- john: nil,
876
- hashcat: 120,
877
- extended: true,
878
- name:"sha1($salt.$pass)"
879
- },
880
- {
881
- john: nil,
882
- hashcat: 130,
883
- extended: true,
884
- name:"sha1(unicode($pass).$salt)"
885
- },
886
- {
887
- john: nil,
888
- hashcat: 140,
889
- extended: true,
890
- name:"sha1($salt.unicode($pass))"
891
- },
892
- {
893
- john: "hmac-sha1",
894
- hashcat: 150,
895
- extended: true,
896
- name:"HMAC-SHA1 (key = $pass)"
897
- },
898
- {
899
- john: "hmac-sha1",
900
- hashcat: 160,
901
- extended: true,
902
- name:"HMAC-SHA1 (key = $salt)"
903
- },
904
- {
905
- john: nil,
906
- hashcat: 4710,
907
- extended: true,
908
- name:"sha1($salt.$pass.$salt)"
909
- }
248
+ {name:"SHA-1", john: "raw-sha1", hashcat: 100, extended: false},
249
+ {name:"Double SHA-1", john: nil, hashcat: 4500, extended: false},
250
+ {name:"RIPEMD-160", john: "ripemd-160", hashcat: 6000, extended: false},
251
+ {name:"Haval-160", john: nil, hashcat: nil, extended: false},
252
+ {name:"Tiger-160", john: nil, hashcat: nil, extended: false},
253
+ {name:"HAS-160", john: nil, hashcat: nil, extended: false},
254
+ {name:"LinkedIn", john: "raw-sha1-linkedin", hashcat: 190, extended: false},
255
+ {name:"Skein-256(160)", john: nil, hashcat: nil, extended: false},
256
+ {name:"Skein-512(160)", john: nil, hashcat: nil, extended: false},
257
+ {name:"MangosWeb Enhanced CMS", john: nil, hashcat: nil, extended: true},
258
+ {name:"sha1(sha1(sha1($pass)))", john: nil, hashcat: 4600, extended: true},
259
+ {name:"sha1(md5($pass))", john: nil, hashcat: 4700, extended: true},
260
+ {name:"sha1($pass.$salt)", john: nil, hashcat: 110, extended: true},
261
+ {name:"sha1($salt.$pass)", john: nil, hashcat: 120, extended: true},
262
+ {name:"sha1(unicode($pass).$salt)", john: nil, hashcat: 130, extended: true},
263
+ {name:"sha1($salt.unicode($pass))", john: nil, hashcat: 140, extended: true},
264
+ {name:"HMAC-SHA1 (key = $pass)", john: "hmac-sha1", hashcat: 150, extended: true},
265
+ {name:"HMAC-SHA1 (key = $salt)", john: "hmac-sha1", hashcat: 160, extended: true},
266
+ {name:"sha1($salt.$pass.$salt)", john: nil, hashcat: 4710, extended: true}
910
267
  ]
911
268
  },
912
269
  {
913
270
  extract_regex: Regexp.new('\b\\*[a-f0-9]{40}\b', Regexp::IGNORECASE),
914
271
  modes: [
915
- {
916
- john: "mysql-sha1",
917
- hashcat: 300,
918
- extended: false,
919
- name:"MySQL5.x"
920
- },
921
- {
922
- name:"MySQL4.1",
923
- john: "mysql-sha1",
924
- hashcat: 300,
925
- extended: false,
926
- description: "MySQL double SHA1 implementation",
927
- characteristics: "40 chars, double SHA1 with salt",
928
- notes: ["Used in database export"]
929
- }
272
+ {name:"MySQL5.x", john: "mysql-sha1", hashcat: 300, extended: false},
273
+ {name:"MySQL4.1", john: "mysql-sha1", hashcat: 300, extended: false}
930
274
  ]
931
275
  },
932
276
  {
933
277
  extract_regex: Regexp.new('\b[a-z0-9]{43}\b', Regexp::IGNORECASE),
934
278
  modes: [
935
- {
936
- john: nil,
937
- hashcat: 5700,
938
- extended: false,
939
- name:"Cisco-IOS(SHA-256)"
940
- }
279
+ {name:"Cisco-IOS(SHA-256)", john: nil, hashcat: 5700, extended: false}
941
280
  ]
942
281
  },
943
282
  {
944
283
  extract_regex: Regexp.new('\b{SSHA}[a-z0-9\\/+]{38}==', Regexp::IGNORECASE),
945
284
  modes: [
946
- {
947
- john: "nsldaps",
948
- hashcat: 111,
949
- extended: false,
950
- name:"SSHA-1(Base64)"
951
- },
952
- {
953
- john: "nsldaps",
954
- hashcat: 111,
955
- extended: false,
956
- name:"Netscape LDAP SSHA"
957
- },
958
- {
959
- john: "nsldaps",
960
- hashcat: 111,
961
- extended: true,
962
- name:"nsldaps"
963
- }
285
+ {name:"SSHA-1(Base64)", john: "nsldaps", hashcat: 111, extended: false},
286
+ {name:"Netscape LDAP SSHA", john: "nsldaps", hashcat: 111, extended: false},
287
+ {name:"nsldaps", john: "nsldaps", hashcat: 111, extended: true}
964
288
  ]
965
289
  },
966
290
  {
967
291
  extract_regex: Regexp.new('\b[a-z0-9=]{47}\b', Regexp::IGNORECASE),
968
292
  modes: [
969
- {
970
- john: "fortigate",
971
- hashcat: 7000,
972
- extended: false,
973
- name:"Fortigate(FortiOS)"
974
- }
293
+ {name:"Fortigate(FortiOS)", john: "fortigate", hashcat: 7000, extended: false}
975
294
  ]
976
295
  },
977
296
  {
978
297
  extract_regex: Regexp.new('\b[a-f0-9]{48}\b', Regexp::IGNORECASE),
979
298
  modes: [
980
- {
981
- john: nil,
982
- hashcat: nil,
983
- extended: false,
984
- name:"Haval-192"
985
- },
986
- {
987
- john: "tiger",
988
- hashcat: nil,
989
- extended: false,
990
- name:"Tiger-192"
991
- },
992
- {
993
- john: nil,
994
- hashcat: nil,
995
- extended: false,
996
- name:"SHA-1(Oracle)"
997
- },
998
- {
999
- john: "xsha",
1000
- hashcat: 122,
1001
- extended: false,
1002
- name:"OSX v10.4"
1003
- },
1004
- {
1005
- john: "xsha",
1006
- hashcat: 122,
1007
- extended: false,
1008
- name:"OSX v10.5"
1009
- },
1010
- {
1011
- john: "xsha",
1012
- hashcat: 122,
1013
- extended: false,
1014
- name:"OSX v10.6"
1015
- }
299
+ {name:"Haval-192", john: nil, hashcat: nil, extended: false},
300
+ {name:"Tiger-192", john: "tiger", hashcat: nil, extended: false},
301
+ {name:"SHA-1(Oracle)", john: nil, hashcat: nil, extended: false},
302
+ {name:"OSX v10.4", john: "xsha", hashcat: 122, extended: false},
303
+ {name:"OSX v10.5", john: "xsha", hashcat: 122, extended: false},
304
+ {name:"OSX v10.6", john: "xsha", hashcat: 122, extended: false}
1016
305
  ]
1017
306
  },
1018
307
  {
1019
308
  extract_regex: Regexp.new('\b[a-f0-9]{51}\b', Regexp::IGNORECASE),
1020
309
  modes: [
1021
- {
1022
- john: nil,
1023
- hashcat: nil,
1024
- extended: false,
1025
- name:"Palshop CMS"
1026
- }
310
+ {name:"Palshop CMS", john: nil, hashcat: nil, extended: false}
1027
311
  ]
1028
312
  },
1029
313
  {
1030
314
  extract_regex: Regexp.new('\b[a-z0-9]{51}\b', Regexp::IGNORECASE),
1031
315
  modes: [
1032
- {
1033
- john: nil,
1034
- hashcat: nil,
1035
- extended: false,
1036
- name:"CryptoCurrency(PrivateKey)"
1037
- }
316
+ {name:"CryptoCurrency(PrivateKey)", john: nil, hashcat: nil, extended: false}
1038
317
  ]
1039
318
  },
1040
319
  {
1041
320
  extract_regex: Regexp.new('\b{ssha1}[0-9]{2}\$[a-z0-9$\\/.]{44}\b', Regexp::IGNORECASE),
1042
321
  modes: [
1043
- {
1044
- john: "aix-ssha1",
1045
- hashcat: 6700,
1046
- extended: false,
1047
- name:"AIX(ssha1)"
1048
- }
322
+ {name:"AIX(ssha1)", john: "aix-ssha1", hashcat: 6700, extended: false}
1049
323
  ]
1050
324
  },
1051
325
  {
1052
326
  extract_regex: Regexp.new('\b0x0100[a-f0-9]{48}\b', Regexp::IGNORECASE),
1053
327
  modes: [
1054
- {
1055
- john: "mssql05",
1056
- hashcat: 132,
1057
- extended: false,
1058
- name:"MSSQL(2005)"
1059
- },
1060
- {
1061
- john: "mssql05",
1062
- hashcat: 132,
1063
- extended: false,
1064
- name:"MSSQL(2008)"
1065
- }
328
+ {name:"MSSQL(2005)", john: "mssql05", hashcat: 132, extended: false},
329
+ {name:"MSSQL(2008)", john: "mssql05", hashcat: 132, extended: false}
1066
330
  ]
1067
331
  },
1068
332
  {
1069
333
  extract_regex: Regexp.new('\b(\$md5,rounds=[0-9]+\$|\$md5\$rounds=[0-9]+\$|\$md5\$)[a-z0-9\\/.]{0,16}(\$|\$\$)[a-z0-9\\/.]{22}\b', Regexp::IGNORECASE),
1070
334
  modes: [
1071
- {
1072
- john: "sunmd5",
1073
- hashcat: 3300,
1074
- extended: false,
1075
- name:"Sun MD5 Crypt"
1076
- }
335
+ {name:"Sun MD5 Crypt", john: "sunmd5", hashcat: 3300, extended: false}
1077
336
  ]
1078
337
  },
1079
338
  {
1080
339
  extract_regex: Regexp.new('\b[a-f0-9]{56}\b', Regexp::IGNORECASE),
1081
340
  modes: [
1082
- {
1083
- john: "raw-sha224",
1084
- hashcat: nil,
1085
- extended: false,
1086
- name:"SHA-224"
1087
- },
1088
- {
1089
- john: nil,
1090
- hashcat: nil,
1091
- extended: false,
1092
- name:"Haval-224"
1093
- },
1094
- {
1095
- john: nil,
1096
- hashcat: 17300,
1097
- extended: false,
1098
- name:"SHA3-224"
1099
- },
1100
- {
1101
- john: nil,
1102
- hashcat: 17700,
1103
- extended: false,
1104
- name:"Keccak-224"
1105
- },
1106
- {
1107
- john: nil,
1108
- hashcat: nil,
1109
- extended: false,
1110
- name:"Skein-256(224)"
1111
- },
1112
- {
1113
- john: nil,
1114
- hashcat: nil,
1115
- extended: false,
1116
- name:"Skein-512(224)"
1117
- }
341
+ {name:"SHA-224", john: "raw-sha224", hashcat: nil, extended: false},
342
+ {name:"Haval-224", john: nil, hashcat: nil, extended: false},
343
+ {name:"SHA3-224", john: nil, hashcat: 17300, extended: false},
344
+ {name:"Keccak-224", john: nil, hashcat: 17700, extended: false},
345
+ {name:"Skein-256(224)", john: nil, hashcat: nil, extended: false},
346
+ {name:"Skein-512(224)", john: nil, hashcat: nil, extended: false}
1118
347
  ]
1119
348
  },
1120
349
  {
1121
350
  extract_regex: Regexp.new('\b(\$2[axy]|\$2)\$[0-9]{2}\$[a-z0-9\\/.]{53}\b', Regexp::IGNORECASE),
1122
351
  modes: [
1123
- {
1124
- john: "bcrypt",
1125
- hashcat: 3200,
1126
- extended: false,
1127
- name:"Blowfish(OpenBSD)"
1128
- },
1129
- {
1130
- john: nil,
1131
- hashcat: nil,
1132
- extended: false,
1133
- name:"Woltlab Burning Board 4.x"
1134
- },
1135
- {
1136
- john: "bcrypt",
1137
- hashcat: 3200,
1138
- extended: false,
1139
- name:"bcrypt"
1140
- }
352
+ {name:"Blowfish(OpenBSD)", john: "bcrypt", hashcat: 3200, extended: false},
353
+ {name:"Woltlab Burning Board 4.x", john: nil, hashcat: nil, extended: false},
354
+ {name:"bcrypt", john: "bcrypt", hashcat: 3200, extended: false}
1141
355
  ]
1142
356
  },
1143
357
  {
1144
358
  extract_regex: Regexp.new('\b[a-f0-9]{40}:[a-f0-9]{16}\b', Regexp::IGNORECASE),
1145
359
  modes: [
1146
- {
1147
- name:"Android PIN",
1148
- john: nil,
1149
- hashcat: 5800,
1150
- extended: false,
1151
- description: "Android PIN/Password hash",
1152
- characteristics: "40 chars hash + 16 chars salt, SHA1 + MD5",
1153
- notes: ["found in android gesture.key files"]
1154
- }
360
+ {name:"Android PIN", john: nil, hashcat: 5800, extended: false}
1155
361
  ]
1156
362
  },
1157
363
  {
1158
364
  extract_regex: Regexp.new('\b(S:)?[a-f0-9]{40}(:)?[a-f0-9]{20}\b', Regexp::IGNORECASE),
1159
365
  modes: [
1160
- {
1161
- john: "oracle11",
1162
- hashcat: 112,
1163
- extended: false,
1164
- name:"Oracle 11g/12c"
1165
- }
366
+ {name:"Oracle 11g/12c", john: "oracle11", hashcat: 112, extended: false}
1166
367
  ]
1167
368
  },
1168
369
  {
1169
370
  extract_regex: Regexp.new('\b\$bcrypt-sha256\$(2[axy]|2)\\,[0-9]+\$[a-z0-9\\/.]{22}\$[a-z0-9\\/.]{31}\b', Regexp::IGNORECASE),
1170
371
  modes: [
1171
- {
1172
- john: nil,
1173
- hashcat: nil,
1174
- extended: false,
1175
- name:"bcrypt(SHA-256)"
1176
- }
372
+ {name:"bcrypt(SHA-256)", john: nil, hashcat: nil, extended: false}
1177
373
  ]
1178
374
  },
1179
375
  {
1180
376
  extract_regex: Regexp.new('\b[a-f0-9]{32}:.{3}\b', Regexp::IGNORECASE),
1181
377
  modes: [
1182
- {
1183
- john: nil,
1184
- hashcat: 2611,
1185
- extended: false,
1186
- name:"vBulletin < v3.8.5"
1187
- }
378
+ {name:"vBulletin < v3.8.5", john: nil, hashcat: 2611, extended: false}
1188
379
  ]
1189
380
  },
1190
381
  {
1191
382
  extract_regex: Regexp.new('\b[a-f0-9]{32}:.{30}\b', Regexp::IGNORECASE),
1192
383
  modes: [
1193
- {
1194
- john: nil,
1195
- hashcat: 2711,
1196
- extended: false,
1197
- name:"vBulletin \u2265 v3.8.5"
1198
- }
384
+ {name:"vBulletin \u2265 v3.8.5", john: nil, hashcat: 2711, extended: false}
1199
385
  ]
1200
386
  },
1201
387
  {
1202
388
  extract_regex: Regexp.new('\b(\$snefru\$)?[a-f0-9]{64}\b', Regexp::IGNORECASE),
1203
389
  modes: [
1204
- {
1205
- john: "snefru-256",
1206
- hashcat: nil,
1207
- extended: false,
1208
- name:"Snefru-256"
1209
- }
390
+ {name:"Snefru-256", john: "snefru-256", hashcat: nil, extended: false}
1210
391
  ]
1211
392
  },
1212
393
  {
1213
394
  extract_regex: Regexp.new('\b[a-f0-9]{64}(:.+)?\b', Regexp::IGNORECASE),
1214
395
  modes: [
1215
- {
1216
- john: "raw-sha256",
1217
- hashcat: 1400,
1218
- extended: false,
1219
- name:"SHA-256"
1220
- },
1221
- {
1222
- john: nil,
1223
- hashcat: nil,
1224
- extended: false,
1225
- name:"RIPEMD-256"
1226
- },
1227
- {
1228
- john: "haval-256-3",
1229
- hashcat: nil,
1230
- extended: false,
1231
- name:"Haval-256"
1232
- },
1233
- {
1234
- john: "gost",
1235
- hashcat: 6900,
1236
- extended: false,
1237
- name:"GOST R 34.11-94"
1238
- },
1239
- {
1240
- john: nil,
1241
- hashcat: nil,
1242
- extended: false,
1243
- name:"GOST CryptoPro S-Box"
1244
- },
1245
- {
1246
- john: nil,
1247
- hashcat: 17400,
1248
- extended: false,
1249
- name:"SHA3-256"
1250
- },
1251
- {
1252
- john: "raw-keccak-256",
1253
- hashcat: 17800,
1254
- extended: false,
1255
- name:"Keccak-256"
1256
- },
1257
- {
1258
- john: "skein-256",
1259
- hashcat: nil,
1260
- extended: false,
1261
- name:"Skein-256"
1262
- },
1263
- {
1264
- john: nil,
1265
- hashcat: nil,
1266
- extended: false,
1267
- name:"Skein-512(256)"
1268
- },
1269
- {
1270
- john: nil,
1271
- hashcat: nil,
1272
- extended: true,
1273
- name:"Ventrilo"
1274
- },
1275
- {
1276
- john: nil,
1277
- hashcat: 1410,
1278
- extended: true,
1279
- name:"sha256($pass.$salt)"
1280
- },
1281
- {
1282
- john: nil,
1283
- hashcat: 1420,
1284
- extended: true,
1285
- name:"sha256($salt.$pass)"
1286
- },
1287
- {
1288
- john: nil,
1289
- hashcat: 1430,
1290
- extended: true,
1291
- name:"sha256(unicode($pass).$salt)"
1292
- },
1293
- {
1294
- john: nil,
1295
- hashcat: 1440,
1296
- extended: true,
1297
- name:"sha256($salt.unicode($pass))"
1298
- },
1299
- {
1300
- john: "hmac-sha256",
1301
- hashcat: 1450,
1302
- extended: true,
1303
- name:"HMAC-SHA256 (key = $pass)"
1304
- },
1305
- {
1306
- john: "hmac-sha256",
1307
- hashcat: 1460,
1308
- extended: true,
1309
- name:"HMAC-SHA256 (key = $salt)"
1310
- }
396
+ {name:"SHA-256", john: "raw-sha256", hashcat: 1400, extended: false},
397
+ {name:"RIPEMD-256", john: nil, hashcat: nil, extended: false},
398
+ {name:"Haval-256", john: "haval-256-3", hashcat: nil, extended: false},
399
+ {name:"GOST R 34.11-94", john: "gost", hashcat: 6900, extended: false},
400
+ {name:"GOST CryptoPro S-Box", john: nil, hashcat: nil, extended: false},
401
+ {name:"SHA3-256", john: nil, hashcat: 17400, extended: false},
402
+ {name:"Keccak-256", john: "raw-keccak-256", hashcat: 17800, extended: false},
403
+ {name:"Skein-256", john: "skein-256", hashcat: nil, extended: false},
404
+ {name:"Skein-512(256)", john: nil, hashcat: nil, extended: false},
405
+ {name:"Ventrilo", john: nil, hashcat: nil, extended: true},
406
+ {name:"sha256($pass.$salt)", john: nil, hashcat: 1410, extended: true},
407
+ {name:"sha256($salt.$pass)", john: nil, hashcat: 1420, extended: true},
408
+ {name:"sha256(unicode($pass).$salt)", john: nil, hashcat: 1430, extended: true},
409
+ {name:"sha256($salt.unicode($pass))", john: nil, hashcat: 1440, extended: true},
410
+ {name:"HMAC-SHA256 (key = $pass)", john: "hmac-sha256", hashcat: 1450, extended: true},
411
+ {name:"HMAC-SHA256 (key = $salt)", john: "hmac-sha256", hashcat: 1460, extended: true}
1311
412
  ]
1312
413
  },
1313
414
  {
1314
415
  extract_regex: Regexp.new('\b[a-f0-9]{32}:[a-z0-9]{32}\b', Regexp::IGNORECASE),
1315
416
  modes: [
1316
- {
1317
- john: nil,
1318
- hashcat: 11,
1319
- extended: false,
1320
- name:"Joomla < v2.5.18"
1321
- }
417
+ {name:"Joomla < v2.5.18", john: nil, hashcat: 11, extended: false}
1322
418
  ]
1323
419
  },
1324
420
  {
1325
421
  extract_regex: Regexp.new('\b[a-f0-9]{32}:[a-f0-9]{32}\b', Regexp::IGNORECASE),
1326
422
  modes: [
1327
- {
1328
- john: nil,
1329
- hashcat: nil,
1330
- extended: false,
1331
- name:"SAM(LM_Hash:NT_Hash)"
1332
- }
423
+ {name:"SAM(LM_Hash:NT_Hash)", john: nil, hashcat: nil, extended: false}
1333
424
  ]
1334
425
  },
1335
426
  {
1336
427
  extract_regex: Regexp.new('\b(\$chap\$0\\*)?[a-f0-9]{32}[\\*:][a-f0-9]{32}(:[0-9]{2})?\b', Regexp::IGNORECASE),
1337
428
  modes: [
1338
- {
1339
- john: "chap",
1340
- hashcat: 4800,
1341
- extended: false,
1342
- name:"MD5(Chap)"
1343
- },
1344
- {
1345
- john: "chap",
1346
- hashcat: 4800,
1347
- extended: false,
1348
- name:"iSCSI CHAP Authentication"
1349
- }
429
+ {name:"MD5(Chap)", john: "chap", hashcat: 4800, extended: false},
430
+ {name:"iSCSI CHAP Authentication", john: "chap", hashcat: 4800, extended: false}
1350
431
  ]
1351
432
  },
1352
433
  {
1353
434
  extract_regex: Regexp.new('\b\$episerver\$\\*0\\*[a-z0-9\\/=+]+\\*[a-z0-9\\/=+]{27,28}\b', Regexp::IGNORECASE),
1354
435
  modes: [
1355
- {
1356
- john: "episerver",
1357
- hashcat: 141,
1358
- extended: false,
1359
- name:"EPiServer 6.x < v4"
1360
- }
436
+ {name:"EPiServer 6.x < v4", john: "episerver", hashcat: 141, extended: false}
1361
437
  ]
1362
438
  },
1363
439
  {
1364
440
  extract_regex: Regexp.new('\b{ssha256}[0-9]{2}\$[a-z0-9$\\/.]{60}\b', Regexp::IGNORECASE),
1365
441
  modes: [
1366
- {
1367
- john: "aix-ssha256",
1368
- hashcat: 6400,
1369
- extended: false,
1370
- name:"AIX(ssha256)"
1371
- }
442
+ {name:"AIX(ssha256)", john: "aix-ssha256", hashcat: 6400, extended: false}
1372
443
  ]
1373
444
  },
1374
445
  {
1375
446
  extract_regex: Regexp.new('\b[a-f0-9]{80}\b', Regexp::IGNORECASE),
1376
447
  modes: [
1377
- {
1378
- john: nil,
1379
- hashcat: nil,
1380
- extended: false,
1381
- name:"RIPEMD-320"
1382
- }
448
+ {name:"RIPEMD-320", john: nil, hashcat: nil, extended: false}
1383
449
  ]
1384
450
  },
1385
451
  {
1386
452
  extract_regex: Regexp.new('\b\$episerver\$\\*1\\*[a-z0-9\\/=+]+\\*[a-z0-9\\/=+]{42,43}\b', Regexp::IGNORECASE),
1387
453
  modes: [
1388
- {
1389
- john: "episerver",
1390
- hashcat: 1441,
1391
- extended: false,
1392
- name:"EPiServer 6.x \u2265 v4"
1393
- }
454
+ {name:"EPiServer 6.x \u2265 v4", john: "episerver", hashcat: 1441, extended: false}
1394
455
  ]
1395
456
  },
1396
457
  {
1397
458
  extract_regex: Regexp.new('\b0x0100[a-f0-9]{88}\b', Regexp::IGNORECASE),
1398
459
  modes: [
1399
- {
1400
- john: "mssql",
1401
- hashcat: 131,
1402
- extended: false,
1403
- name:"MSSQL(2000)"
1404
- }
460
+ {name:"MSSQL(2000)", john: "mssql", hashcat: 131, extended: false}
1405
461
  ]
1406
462
  },
1407
463
  {
1408
464
  extract_regex: Regexp.new('\b[a-f0-9]{96}\b', Regexp::IGNORECASE),
1409
465
  modes: [
1410
- {
1411
- john: "raw-sha384",
1412
- hashcat: 10800,
1413
- extended: false,
1414
- name:"SHA-384"
1415
- },
1416
- {
1417
- john: nil,
1418
- hashcat: 17500,
1419
- extended: false,
1420
- name:"SHA3-384"
1421
- },
1422
- {
1423
- john: nil,
1424
- hashcat: 17900,
1425
- extended: false,
1426
- name:"Keccak-384"
1427
- },
1428
- {
1429
- john: nil,
1430
- hashcat: nil,
1431
- extended: false,
1432
- name:"Skein-512(384)"
1433
- },
1434
- {
1435
- john: nil,
1436
- hashcat: nil,
1437
- extended: false,
1438
- name:"Skein-1024(384)"
1439
- }
466
+ {name:"SHA-384", john: "raw-sha384", hashcat: 10800, extended: false},
467
+ {name:"SHA3-384", john: nil, hashcat: 17500, extended: false},
468
+ {name:"Keccak-384", john: nil, hashcat: 17900, extended: false},
469
+ {name:"Skein-512(384)", john: nil, hashcat: nil, extended: false},
470
+ {name:"Skein-1024(384)", john: nil, hashcat: nil, extended: false}
1440
471
  ]
1441
472
  },
1442
473
  {
1443
474
  extract_regex: Regexp.new('\b{SSHA512}[a-z0-9\\/+]{96}\b', Regexp::IGNORECASE),
1444
475
  modes: [
1445
- {
1446
- john: "ssha512",
1447
- hashcat: 1711,
1448
- extended: false,
1449
- name:"SSHA-512(Base64)"
1450
- },
1451
- {
1452
- john: "ssha512",
1453
- hashcat: 1711,
1454
- extended: false,
1455
- name:"LDAP(SSHA-512)"
1456
- }
476
+ {name:"SSHA-512(Base64)", john: "ssha512", hashcat: 1711, extended: false},
477
+ {name:"LDAP(SSHA-512)", john: "ssha512", hashcat: 1711, extended: false}
1457
478
  ]
1458
479
  },
1459
480
  {
1460
481
  extract_regex: Regexp.new('\b{ssha512}[0-9]{2}\$[a-z0-9\\/.]{16,48}\$[a-z0-9\\/.]{86}\b', Regexp::IGNORECASE),
1461
482
  modes: [
1462
- {
1463
- john: "aix-ssha512",
1464
- hashcat: 6500,
1465
- extended: false,
1466
- name:"AIX(ssha512)"
1467
- }
483
+ {name:"AIX(ssha512)", john: "aix-ssha512", hashcat: 6500, extended: false}
1468
484
  ]
1469
485
  },
1470
486
  {
1471
487
  extract_regex: Regexp.new('\b[a-f0-9]{128}(:.+)?\b', Regexp::IGNORECASE),
1472
488
  modes: [
1473
- {
1474
- john: "raw-sha512",
1475
- hashcat: 1700,
1476
- extended: false,
1477
- name:"SHA-512"
1478
- },
1479
- {
1480
- john: "whirlpool",
1481
- hashcat: 6100,
1482
- extended: false,
1483
- name:"Whirlpool"
1484
- },
1485
- {
1486
- john: nil,
1487
- hashcat: nil,
1488
- extended: false,
1489
- name:"Salsa10"
1490
- },
1491
- {
1492
- john: nil,
1493
- hashcat: nil,
1494
- extended: false,
1495
- name:"Salsa20"
1496
- },
1497
- {
1498
- john: "raw-sha3",
1499
- hashcat: 17600,
1500
- extended: false,
1501
- name:"SHA3-512"
1502
- },
1503
- {
1504
- john: "raw-keccak",
1505
- hashcat: 18000,
1506
- extended: false,
1507
- name:"Keccak-512"
1508
- },
1509
- {
1510
- john: "skein-512",
1511
- hashcat: nil,
1512
- extended: false,
1513
- name:"Skein-512"
1514
- },
1515
- {
1516
- john: nil,
1517
- hashcat: nil,
1518
- extended: false,
1519
- name:"Skein-1024(512)"
1520
- },
1521
- {
1522
- john: nil,
1523
- hashcat: 1710,
1524
- extended: true,
1525
- name:"sha512($pass.$salt)"
1526
- },
1527
- {
1528
- john: nil,
1529
- hashcat: 1720,
1530
- extended: true,
1531
- name:"sha512($salt.$pass)"
1532
- },
1533
- {
1534
- john: nil,
1535
- hashcat: 1730,
1536
- extended: true,
1537
- name:"sha512(unicode($pass).$salt)"
1538
- },
1539
- {
1540
- john: nil,
1541
- hashcat: 1740,
1542
- extended: true,
1543
- name:"sha512($salt.unicode($pass))"
1544
- },
1545
- {
1546
- john: "hmac-sha512",
1547
- hashcat: 1750,
1548
- extended: true,
1549
- name:"HMAC-SHA512 (key = $pass)"
1550
- },
1551
- {
1552
- john: "hmac-sha512",
1553
- hashcat: 1760,
1554
- extended: true,
1555
- name:"HMAC-SHA512 (key = $salt)"
1556
- }
489
+ {name:"SHA-512", john: "raw-sha512", hashcat: 1700, extended: false},
490
+ {name:"Whirlpool", john: "whirlpool", hashcat: 6100, extended: false},
491
+ {name:"Salsa10", john: nil, hashcat: nil, extended: false},
492
+ {name:"Salsa20", john: nil, hashcat: nil, extended: false},
493
+ {name:"SHA3-512", john: "raw-sha3", hashcat: 17600, extended: false},
494
+ {name:"Keccak-512", john: "raw-keccak", hashcat: 18000, extended: false},
495
+ {name:"Skein-512", john: "skein-512", hashcat: nil, extended: false},
496
+ {name:"Skein-1024(512)", john: nil, hashcat: nil, extended: false},
497
+ {name:"sha512($pass.$salt)", john: nil, hashcat: 1710, extended: true},
498
+ {name:"sha512($salt.$pass)", john: nil, hashcat: 1720, extended: true},
499
+ {name:"sha512(unicode($pass).$salt)", john: nil, hashcat: 1730, extended: true},
500
+ {name:"sha512($salt.unicode($pass))", john: nil, hashcat: 1740, extended: true},
501
+ {name:"HMAC-SHA512 (key = $pass)", john: "hmac-sha512", hashcat: 1750, extended: true},
502
+ {name:"HMAC-SHA512 (key = $salt)", john: "hmac-sha512", hashcat: 1760, extended: true}
1557
503
  ]
1558
504
  },
1559
505
  {
1560
506
  extract_regex: Regexp.new('\b[a-f0-9]{136}\b', Regexp::IGNORECASE),
1561
507
  modes: [
1562
- {
1563
- john: "xsha512",
1564
- hashcat: 1722,
1565
- extended: false,
1566
- name:"OSX v10.7"
1567
- }
508
+ {name:"OSX v10.7", john: "xsha512", hashcat: 1722, extended: false}
1568
509
  ]
1569
510
  },
1570
511
  {
1571
512
  extract_regex: Regexp.new('\b0x0200[a-f0-9]{136}\b', Regexp::IGNORECASE),
1572
513
  modes: [
1573
- {
1574
- john: "msql12",
1575
- hashcat: 1731,
1576
- extended: false,
1577
- name:"MSSQL(2012)"
1578
- },
1579
- {
1580
- john: "msql12",
1581
- hashcat: 1731,
1582
- extended: false,
1583
- name:"MSSQL(2014)"
1584
- }
514
+ {name:"MSSQL(2012)", john: "msql12", hashcat: 1731, extended: false},
515
+ {name:"MSSQL(2014)", john: "msql12", hashcat: 1731, extended: false}
1585
516
  ]
1586
517
  },
1587
518
  {
1588
519
  extract_regex: Regexp.new('\b\$ml\$[0-9]+\$[a-f0-9]{64}\$[a-f0-9]{128}\b', Regexp::IGNORECASE),
1589
520
  modes: [
1590
- {
1591
- john: "pbkdf2-hmac-sha512",
1592
- hashcat: 7100,
1593
- extended: false,
1594
- name:"OSX v10.8"
1595
- },
1596
- {
1597
- john: "pbkdf2-hmac-sha512",
1598
- hashcat: 7100,
1599
- extended: false,
1600
- name:"OSX v10.9"
1601
- }
521
+ {name:"OSX v10.8", john: "pbkdf2-hmac-sha512", hashcat: 7100, extended: false},
522
+ {name:"OSX v10.9", john: "pbkdf2-hmac-sha512", hashcat: 7100, extended: false}
1602
523
  ]
1603
524
  },
1604
525
  {
1605
526
  extract_regex: Regexp.new('\b[a-f0-9]{256}\b', Regexp::IGNORECASE),
1606
527
  modes: [
1607
- {
1608
- john: nil,
1609
- hashcat: nil,
1610
- extended: false,
1611
- name:"Skein-1024"
1612
- }
528
+ {name:"Skein-1024", john: nil, hashcat: nil, extended: false}
1613
529
  ]
1614
530
  },
1615
531
  {
1616
532
  extract_regex: Regexp.new('\bgrub\\.pbkdf2\\.sha512\\.[0-9]+\\.([a-f0-9]{128,2048}\\.|[0-9]+\\.)?[a-f0-9]{128}\b', Regexp::IGNORECASE),
1617
533
  modes: [
1618
- {
1619
- john: nil,
1620
- hashcat: 7200,
1621
- extended: false,
1622
- name:"GRUB 2"
1623
- }
534
+ {name:"GRUB 2", john: nil, hashcat: 7200, extended: false}
1624
535
  ]
1625
536
  },
1626
537
  {
1627
538
  extract_regex: Regexp.new('\bsha1\$[a-z0-9]+\$[a-f0-9]{40}\b', Regexp::IGNORECASE),
1628
539
  modes: [
1629
- {
1630
- john: nil,
1631
- hashcat: 124,
1632
- extended: false,
1633
- name:"Django(SHA-1)"
1634
- }
540
+ {name:"Django(SHA-1)", john: nil, hashcat: 124, extended: false}
1635
541
  ]
1636
542
  },
1637
543
  {
1638
544
  extract_regex: Regexp.new('\b[a-f0-9]{49}\b', Regexp::IGNORECASE),
1639
545
  modes: [
1640
- {
1641
- john: "citrix_ns10",
1642
- hashcat: 8100,
1643
- extended: false,
1644
- name:"Citrix Netscaler"
1645
- }
546
+ {name:"Citrix Netscaler", john: "citrix_ns10", hashcat: 8100, extended: false}
1646
547
  ]
1647
548
  },
1648
549
  {
1649
550
  extract_regex: Regexp.new('\b\$S\$[a-z0-9\\/.]{52}\b', Regexp::IGNORECASE),
1650
551
  modes: [
1651
- {
1652
- john: "drupal7",
1653
- hashcat: 7900,
1654
- extended: false,
1655
- name:"Drupal > v7.x"
1656
- }
552
+ {name:"Drupal > v7.x", john: "drupal7", hashcat: 7900, extended: false}
1657
553
  ]
1658
554
  },
1659
555
  {
1660
556
  extract_regex: Regexp.new('\b\$5\$(rounds=[0-9]+\$)?[a-z0-9\\/.]{0,16}\$[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
1661
557
  modes: [
1662
- {
1663
- john: "sha256crypt",
1664
- hashcat: 7400,
1665
- extended: false,
1666
- name:"SHA-256 Crypt"
1667
- }
558
+ {name:"SHA-256 Crypt", john: "sha256crypt", hashcat: 7400, extended: false}
1668
559
  ]
1669
560
  },
1670
561
  {
1671
562
  extract_regex: Regexp.new('\b0x[a-f0-9]{4}[a-f0-9]{16}[a-f0-9]{64}\b', Regexp::IGNORECASE),
1672
563
  modes: [
1673
- {
1674
- john: "sybasease",
1675
- hashcat: 8000,
1676
- extended: false,
1677
- name:"Sybase ASE"
1678
- }
564
+ {name:"Sybase ASE", john: "sybasease", hashcat: 8000, extended: false}
1679
565
  ]
1680
566
  },
1681
567
  {
1682
568
  extract_regex: Regexp.new('\b\$6\$(rounds=[0-9]+\$)?[a-z0-9\\/.]{0,16}\$[a-z0-9\\/.]{86}\b', Regexp::IGNORECASE),
1683
569
  modes: [
1684
- {
1685
- name:"SHA-512 Crypt",
1686
- john: "sha512crypt",
1687
- hashcat: 1800,
1688
- extended: false,
1689
- characteristics: "$6$ prefix, includes salt, 96-106 chars",
1690
- notes: ["Industry standard for modern Linux systems"]
1691
-
1692
- }
570
+ {name:"SHA-512 Crypt", john: "sha512crypt", hashcat: 1800, extended: false}
1693
571
  ]
1694
572
  },
1695
573
  {
1696
574
  extract_regex: Regexp.new('\b\$sha\$[a-z0-9]{1,16}\$([a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64}|[a-f0-9]{128}|[a-f0-9]{140})\b', Regexp::IGNORECASE),
1697
575
  modes: [
1698
- {
1699
- john: nil,
1700
- hashcat: nil,
1701
- extended: false,
1702
- name:"Minecraft(AuthMe Reloaded)"
1703
- }
576
+ {name:"Minecraft(AuthMe Reloaded)", john: nil, hashcat: nil, extended: false}
1704
577
  ]
1705
578
  },
1706
579
  {
1707
580
  extract_regex: Regexp.new('\bsha256\$[a-z0-9]+\$[a-f0-9]{64}\b', Regexp::IGNORECASE),
1708
581
  modes: [
1709
- {
1710
- john: nil,
1711
- hashcat: nil,
1712
- extended: false,
1713
- name:"Django(SHA-256)"
1714
- }
582
+ {name:"Django(SHA-256)", john: nil, hashcat: nil, extended: false}
1715
583
  ]
1716
584
  },
1717
585
  {
1718
586
  extract_regex: Regexp.new('\bsha384\$[a-z0-9]+\$[a-f0-9]{96}\b', Regexp::IGNORECASE),
1719
587
  modes: [
1720
- {
1721
- john: nil,
1722
- hashcat: nil,
1723
- extended: false,
1724
- name:"Django(SHA-384)"
1725
- }
588
+ {name:"Django(SHA-384)", john: nil, hashcat: nil, extended: false}
1726
589
  ]
1727
590
  },
1728
591
  {
1729
592
  extract_regex: Regexp.new('\bcrypt1:[a-z0-9+=]{12}:[a-z0-9+=]{12}\b', Regexp::IGNORECASE),
1730
593
  modes: [
1731
- {
1732
- john: nil,
1733
- hashcat: nil,
1734
- extended: false,
1735
- name:"Clavister Secure Gateway"
1736
- }
594
+ {name:"Clavister Secure Gateway", john: nil, hashcat: nil, extended: false}
1737
595
  ]
1738
596
  },
1739
597
  {
1740
598
  extract_regex: Regexp.new('\b[a-f0-9]{112}\b', Regexp::IGNORECASE),
1741
599
  modes: [
1742
- {
1743
- john: nil,
1744
- hashcat: nil,
1745
- extended: false,
1746
- name:"Cisco VPN Client(PCF-File)"
1747
- }
600
+ {name:"Cisco VPN Client(PCF-File)", john: nil, hashcat: nil, extended: false}
1748
601
  ]
1749
602
  },
1750
603
  {
1751
604
  extract_regex: Regexp.new('\b[a-f0-9]{1329}\b', Regexp::IGNORECASE),
1752
605
  modes: [
1753
- {
1754
- john: nil,
1755
- hashcat: nil,
1756
- extended: false,
1757
- name:"Microsoft MSTSC(RDP-File)"
1758
- }
606
+ {name:"Microsoft MSTSC(RDP-File)", john: nil, hashcat: nil, extended: false}
1759
607
  ]
1760
608
  },
1761
609
  {
1762
610
  extract_regex: Regexp.new('\b[^\\\\\\/:*?\"<>|]{1,20}[:]{2,3}([^\\\\\\/:*?\"<>|]{1,20})?:[a-f0-9]{48}:[a-f0-9]{48}:[a-f0-9]{16}\b', Regexp::IGNORECASE),
1763
611
  modes: [
1764
- {
1765
- john: "netntlm",
1766
- hashcat: 5500,
1767
- extended: false,
1768
- name:"NetNTLMv1-VANILLA / NetNTLMv1+ESS"
1769
- }
612
+ {name:"NetNTLMv1-VANILLA / NetNTLMv1+ESS", john: "netntlm", hashcat: 5500, extended: false}
1770
613
  ]
1771
614
  },
1772
615
  {
1773
616
  extract_regex: Regexp.new('\b([^\\\\\\/:*?\"<>|]{1,20}\\\\)?[^\\\\\\/:*?\"<>|]{1,20}[:]{2,3}([^\\\\\\/:*?\"<>|]{1,20}:)?[^\\\\\\/:*?\"<>|]{1,20}:[a-f0-9]{32}:[a-f0-9]+\b', Regexp::IGNORECASE),
1774
617
  modes: [
1775
- {
1776
- john: "netntlmv2",
1777
- hashcat: 5600,
1778
- extended: false,
1779
- name:"NetNTLMv2"
1780
- }
618
+ {name:"NetNTLMv2", john: "netntlmv2", hashcat: 5600, extended: false}
1781
619
  ]
1782
620
  },
1783
621
  {
1784
622
  extract_regex: Regexp.new('\b\$(krb5pa|mskrb5)\$([0-9]{2})?\$.+\$[a-f0-9]{1,}\b', Regexp::IGNORECASE),
1785
623
  modes: [
1786
- {
1787
- john: "krb5pa-md5",
1788
- hashcat: 7500,
1789
- extended: false,
1790
- name:"Kerberos 5 AS-REQ Pre-Auth"
1791
- }
624
+ {name:"Kerberos 5 AS-REQ Pre-Auth", john: "krb5pa-md5", hashcat: 7500, extended: false}
1792
625
  ]
1793
626
  },
1794
627
  {
1795
628
  extract_regex: Regexp.new('\b\$scram\$[0-9]+\$[a-z0-9\\/.]{16}\$sha-1=[a-z0-9\\/.]{27},sha-256=[a-z0-9\\/.]{43},sha-512=[a-z0-9\\/.]{86}\b', Regexp::IGNORECASE),
1796
629
  modes: [
1797
- {
1798
- john: nil,
1799
- hashcat: nil,
1800
- extended: false,
1801
- name:"SCRAM Hash"
1802
- }
630
+ {name:"SCRAM Hash", john: nil, hashcat: nil, extended: false}
1803
631
  ]
1804
632
  },
1805
633
  {
1806
634
  extract_regex: Regexp.new('\b[a-f0-9]{40}:[a-f0-9]{0,32}\b', Regexp::IGNORECASE),
1807
635
  modes: [
1808
- {
1809
- john: nil,
1810
- hashcat: 7600,
1811
- extended: false,
1812
- name:"Redmine Project Management Web App"
1813
- }
636
+ {name:"Redmine Project Management Web App", john: nil, hashcat: 7600, extended: false}
1814
637
  ]
1815
638
  },
1816
639
  {
1817
640
  extract_regex: Regexp.new('\b(.+)?\$[a-f0-9]{16}\b', Regexp::IGNORECASE),
1818
641
  modes: [
1819
- {
1820
- john: "sapb",
1821
- hashcat: 7700,
1822
- extended: false,
1823
- name:"SAP CODVN B (BCODE)"
1824
- }
642
+ {name:"SAP CODVN B (BCODE)", john: "sapb", hashcat: 7700, extended: false}
1825
643
  ]
1826
644
  },
1827
645
  {
1828
646
  extract_regex: Regexp.new('\b(.+)?\$[a-f0-9]{40}\b', Regexp::IGNORECASE),
1829
647
  modes: [
1830
- {
1831
- john: "sapg",
1832
- hashcat: 7800,
1833
- extended: false,
1834
- name:"SAP CODVN F/G (PASSCODE)"
1835
- }
648
+ {name:"SAP CODVN F/G (PASSCODE)", john: "sapg", hashcat: 7800, extended: false}
1836
649
  ]
1837
650
  },
1838
651
  {
1839
652
  extract_regex: Regexp.new('\b(.+\$)?[a-z0-9\\/.+]{30}(:.+)?\b', Regexp::IGNORECASE),
1840
653
  modes: [
1841
- {
1842
- john: "md5",
1843
- hashcat: 22,
1844
- extended: false,
1845
- name:"Juniper Netscreen/SSG(ScreenOS)"
1846
- }
654
+ {name:"Juniper Netscreen/SSG(ScreenOS)", john: "md5", hashcat: 22, extended: false}
1847
655
  ]
1848
656
  },
1849
657
  {
1850
658
  extract_regex: Regexp.new('\b0x[a-f0-9]{60}\\s0x[a-f0-9]{40}\b', Regexp::IGNORECASE),
1851
659
  modes: [
1852
- {
1853
- john: nil,
1854
- hashcat: 123,
1855
- extended: false,
1856
- name:"EPi"
1857
- }
660
+ {name:"EPi", john: nil, hashcat: 123, extended: false}
1858
661
  ]
1859
662
  },
1860
663
  {
1861
664
  extract_regex: Regexp.new('\b[a-f0-9]{40}:[^*]{1,25}\b', Regexp::IGNORECASE),
1862
665
  modes: [
1863
- {
1864
- john: nil,
1865
- hashcat: 121,
1866
- extended: false,
1867
- name:"SMF \u2265 v1.1"
1868
- }
666
+ {name:"SMF \u2265 v1.1", john: nil, hashcat: 121, extended: false}
1869
667
  ]
1870
668
  },
1871
669
  {
1872
670
  extract_regex: Regexp.new('\b(\$wbb3\$\\*1\\*)?[a-f0-9]{40}[:*][a-f0-9]{40}\b', Regexp::IGNORECASE),
1873
671
  modes: [
1874
- {
1875
- john: "wbb3",
1876
- hashcat: 8400,
1877
- extended: false,
1878
- name:"Woltlab Burning Board 3.x"
1879
- }
672
+ {name:"Woltlab Burning Board 3.x", john: "wbb3", hashcat: 8400, extended: false}
1880
673
  ]
1881
674
  },
1882
675
  {
1883
676
  extract_regex: Regexp.new('\b[a-f0-9]{130}(:[a-f0-9]{40})?\b', Regexp::IGNORECASE),
1884
677
  modes: [
1885
- {
1886
- john: nil,
1887
- hashcat: 7300,
1888
- extended: false,
1889
- name:"IPMI2 RAKP HMAC-SHA1"
1890
- }
678
+ {name:"IPMI2 RAKP HMAC-SHA1", john: nil, hashcat: 7300, extended: false}
1891
679
  ]
1892
680
  },
1893
681
  {
1894
682
  extract_regex: Regexp.new('\b[a-f0-9]{32}:[0-9]+:[a-z0-9_.+\\-]+@[a-z0-9\\-]+\\.[a-z0-9\\-.]+\b', Regexp::IGNORECASE),
1895
683
  modes: [
1896
- {
1897
- john: nil,
1898
- hashcat: 6800,
1899
- extended: false,
1900
- name:"Lastpass"
1901
- }
684
+ {name:"Lastpass", john: nil, hashcat: 6800, extended: false}
1902
685
  ]
1903
686
  },
1904
687
  {
1905
688
  extract_regex: Regexp.new('\b[a-z0-9\\/.]{16}([:$].{1,})?\b', Regexp::IGNORECASE),
1906
689
  modes: [
1907
- {
1908
- john: "asa-md5",
1909
- hashcat: 2410,
1910
- extended: false,
1911
- name:"Cisco-ASA(MD5)"
1912
- }
690
+ {name:"Cisco-ASA(MD5)", john: "asa-md5", hashcat: 2410, extended: false}
1913
691
  ]
1914
692
  },
1915
693
  {
1916
694
  extract_regex: Regexp.new('\b\$vnc\$\\*[a-f0-9]{32}\\*[a-f0-9]{32}\b', Regexp::IGNORECASE),
1917
695
  modes: [
1918
- {
1919
- john: "vnc",
1920
- hashcat: nil,
1921
- extended: false,
1922
- name:"VNC"
1923
- }
696
+ {name:"VNC", john: "vnc", hashcat: nil, extended: false}
1924
697
  ]
1925
698
  },
1926
699
  {
1927
700
  extract_regex: Regexp.new('\b[a-z0-9]{32}(:([a-z0-9\\-]+\\.)?[a-z0-9\\-.]+\\.[a-z]{2,7}:.+:[0-9]+)?\b', Regexp::IGNORECASE),
1928
701
  modes: [
1929
- {
1930
- john: nil,
1931
- hashcat: 8300,
1932
- extended: false,
1933
- name:"DNSSEC(NSEC3)"
1934
- }
702
+ {name:"DNSSEC(NSEC3)", john: nil, hashcat: 8300, extended: false}
1935
703
  ]
1936
704
  },
1937
705
  {
1938
706
  extract_regex: Regexp.new('\b(user-.+:)?\$racf\$\\*.+\\*[a-f0-9]{16}\b', Regexp::IGNORECASE),
1939
707
  modes: [
1940
- {
1941
- john: "racf",
1942
- hashcat: 8500,
1943
- extended: false,
1944
- name:"RACF"
1945
- }
708
+ {name:"RACF", john: "racf", hashcat: 8500, extended: false}
1946
709
  ]
1947
710
  },
1948
711
  {
1949
712
  extract_regex: Regexp.new('\b\$3\$\$[a-f0-9]{32}\b', Regexp::IGNORECASE),
1950
713
  modes: [
1951
- {
1952
- john: nil,
1953
- hashcat: nil,
1954
- extended: false,
1955
- name:"NTHash(FreeBSD Variant)"
1956
- }
714
+ {name:"NTHash(FreeBSD Variant)", john: nil, hashcat: nil, extended: false}
1957
715
  ]
1958
716
  },
1959
717
  {
1960
718
  extract_regex: Regexp.new('\b\$sha1\$[0-9]+\$[a-z0-9\\/.]{0,64}\$[a-z0-9\\/.]{28}\b', Regexp::IGNORECASE),
1961
719
  modes: [
1962
- {
1963
- john: "sha1crypt",
1964
- hashcat: nil,
1965
- extended: false,
1966
- name:"SHA-1 Crypt"
1967
- }
720
+ {name:"SHA-1 Crypt", john: "sha1crypt", hashcat: nil, extended: false}
1968
721
  ]
1969
722
  },
1970
723
  {
1971
724
  extract_regex: Regexp.new('\b[a-f0-9]{70}\b', Regexp::IGNORECASE),
1972
725
  modes: [
1973
- {
1974
- john: "hmailserver",
1975
- hashcat: 1421,
1976
- extended: false,
1977
- name:"hMailServer"
1978
- }
726
+ {name:"hMailServer", john: "hmailserver", hashcat: 1421, extended: false}
1979
727
  ]
1980
728
  },
1981
729
  {
1982
730
  extract_regex: Regexp.new('\b[:\$][AB][:\$]([a-f0-9]{1,8}[:\$])?[a-f0-9]{32}\b', Regexp::IGNORECASE),
1983
731
  modes: [
1984
- {
1985
- john: "mediawiki",
1986
- hashcat: 3711,
1987
- extended: false,
1988
- name:"MediaWiki"
1989
- }
732
+ {name:"MediaWiki", john: "mediawiki", hashcat: 3711, extended: false}
1990
733
  ]
1991
734
  },
1992
735
  {
1993
736
  extract_regex: Regexp.new('\b[a-f0-9]{140}\b', Regexp::IGNORECASE),
1994
737
  modes: [
1995
- {
1996
- john: nil,
1997
- hashcat: nil,
1998
- extended: false,
1999
- name:"Minecraft(xAuth)"
2000
- }
738
+ {name:"Minecraft(xAuth)", john: nil, hashcat: nil, extended: false}
2001
739
  ]
2002
740
  },
2003
741
  {
2004
742
  extract_regex: Regexp.new('\b\$pbkdf2(-sha1)?\$[0-9]+\$[a-z0-9\\/.]+\$[a-z0-9\\/.]{27}\b', Regexp::IGNORECASE),
2005
743
  modes: [
2006
- {
2007
- john: nil,
2008
- hashcat: nil,
2009
- extended: false,
2010
- name:"PBKDF2-SHA1(Generic)"
2011
- }
744
+ {name:"PBKDF2-SHA1(Generic)", john: nil, hashcat: nil, extended: false}
2012
745
  ]
2013
746
  },
2014
747
  {
2015
748
  extract_regex: Regexp.new('\b\$pbkdf2-sha256\$[0-9]+\$[a-z0-9\\/.]+\$[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
2016
749
  modes: [
2017
- {
2018
- john: "pbkdf2-hmac-sha256",
2019
- hashcat: nil,
2020
- extended: false,
2021
- name:"PBKDF2-SHA256(Generic)"
2022
- }
750
+ {name:"PBKDF2-SHA256(Generic)", john: "pbkdf2-hmac-sha256", hashcat: nil, extended: false}
2023
751
  ]
2024
752
  },
2025
753
  {
2026
754
  extract_regex: Regexp.new('\b\$pbkdf2-sha512\$[0-9]+\$[a-z0-9\\/.]+\$[a-z0-9\\/.]{86}\b', Regexp::IGNORECASE),
2027
755
  modes: [
2028
- {
2029
- john: nil,
2030
- hashcat: nil,
2031
- extended: false,
2032
- name:"PBKDF2-SHA512(Generic)"
2033
- }
756
+ {name:"PBKDF2-SHA512(Generic)", john: nil, hashcat: nil, extended: false}
2034
757
  ]
2035
758
  },
2036
759
  {
2037
760
  extract_regex: Regexp.new('\b\$p5k2\$[0-9]+\$[a-z0-9\\/+=-]+\$[a-z0-9\\/+-]{27}=\b', Regexp::IGNORECASE),
2038
761
  modes: [
2039
- {
2040
- john: nil,
2041
- hashcat: nil,
2042
- extended: false,
2043
- name:"PBKDF2(Cryptacular)"
2044
- }
762
+ {name:"PBKDF2(Cryptacular)", john: nil, hashcat: nil, extended: false}
2045
763
  ]
2046
764
  },
2047
765
  {
2048
766
  extract_regex: Regexp.new('\b\$p5k2\$[0-9]+\$[a-z0-9\\/.]+\$[a-z0-9\\/.]{32}\b', Regexp::IGNORECASE),
2049
767
  modes: [
2050
- {
2051
- john: nil,
2052
- hashcat: nil,
2053
- extended: false,
2054
- name:"PBKDF2(Dwayne Litzenberger)"
2055
- }
768
+ {name:"PBKDF2(Dwayne Litzenberger)", john: nil, hashcat: nil, extended: false}
2056
769
  ]
2057
770
  },
2058
771
  {
2059
772
  extract_regex: Regexp.new('\b{FSHP[0123]\\|[0-9]+\\|[0-9]+}[a-z0-9\\/+=]+\b', Regexp::IGNORECASE),
2060
773
  modes: [
2061
- {
2062
- john: nil,
2063
- hashcat: nil,
2064
- extended: false,
2065
- name:"Fairly Secure Hashed Password"
2066
- }
774
+ {name:"Fairly Secure Hashed Password", john: nil, hashcat: nil, extended: false}
2067
775
  ]
2068
776
  },
2069
777
  {
2070
778
  extract_regex: Regexp.new('\b\$PHPS\$.+\$[a-f0-9]{32}\b', Regexp::IGNORECASE),
2071
779
  modes: [
2072
- {
2073
- john: "phps",
2074
- hashcat: 2612,
2075
- extended: false,
2076
- name:"PHPS"
2077
- }
780
+ {name:"PHPS", john: "phps", hashcat: 2612, extended: false}
2078
781
  ]
2079
782
  },
2080
783
  {
2081
784
  extract_regex: Regexp.new('\b[0-9]{4}:[a-f0-9]{16}:[a-f0-9]{2080}\b', Regexp::IGNORECASE),
2082
785
  modes: [
2083
- {
2084
- john: nil,
2085
- hashcat: 6600,
2086
- extended: false,
2087
- name:"1Password(Agile Keychain)"
2088
- }
786
+ {name:"1Password(Agile Keychain)", john: nil, hashcat: 6600, extended: false}
2089
787
  ]
2090
788
  },
2091
789
  {
2092
790
  extract_regex: Regexp.new('\b[a-f0-9]{64}:[a-f0-9]{32}:[0-9]{5}:[a-f0-9]{608}\b', Regexp::IGNORECASE),
2093
791
  modes: [
2094
- {
2095
- john: nil,
2096
- hashcat: 8200,
2097
- extended: false,
2098
- name:"1Password(Cloud Keychain)"
2099
- }
792
+ {name:"1Password(Cloud Keychain)", john: nil, hashcat: 8200, extended: false}
2100
793
  ]
2101
794
  },
2102
795
  {
2103
796
  extract_regex: Regexp.new('\b[a-f0-9]{256}:[a-f0-9]{256}:[a-f0-9]{16}:[a-f0-9]{16}:[a-f0-9]{320}:[a-f0-9]{16}:[a-f0-9]{40}:[a-f0-9]{40}:[a-f0-9]{32}\b', Regexp::IGNORECASE),
2104
797
  modes: [
2105
- {
2106
- john: nil,
2107
- hashcat: 5300,
2108
- extended: false,
2109
- name:"IKE-PSK MD5"
2110
- }
798
+ {name:"IKE-PSK MD5", john: nil, hashcat: 5300, extended: false}
2111
799
  ]
2112
800
  },
2113
801
  {
2114
802
  extract_regex: Regexp.new('\b[a-f0-9]{256}:[a-f0-9]{256}:[a-f0-9]{16}:[a-f0-9]{16}:[a-f0-9]{320}:[a-f0-9]{16}:[a-f0-9]{40}:[a-f0-9]{40}:[a-f0-9]{40}\b', Regexp::IGNORECASE),
2115
803
  modes: [
2116
- {
2117
- john: nil,
2118
- hashcat: 5400,
2119
- extended: false,
2120
- name:"IKE-PSK SHA1"
2121
- }
804
+ {name:"IKE-PSK SHA1", john: nil, hashcat: 5400, extended: false}
2122
805
  ]
2123
806
  },
2124
807
  {
2125
808
  extract_regex: Regexp.new('\b[a-z0-9\\/+]{27}=\b', Regexp::IGNORECASE),
2126
809
  modes: [
2127
- {
2128
- john: nil,
2129
- hashcat: 133,
2130
- extended: false,
2131
- name:"PeopleSoft"
2132
- }
810
+ {name:"PeopleSoft", john: nil, hashcat: 133, extended: false}
2133
811
  ]
2134
812
  },
2135
813
  {
2136
814
  extract_regex: Regexp.new('\bcrypt\$[a-f0-9]{5}\$[a-z0-9\\/.]{13}\b', Regexp::IGNORECASE),
2137
815
  modes: [
2138
- {
2139
- john: nil,
2140
- hashcat: nil,
2141
- extended: false,
2142
- name:"Django(DES Crypt Wrapper)"
2143
- }
816
+ {name:"Django(DES Crypt Wrapper)", john: nil, hashcat: nil, extended: false}
2144
817
  ]
2145
818
  },
2146
819
  {
2147
820
  extract_regex: Regexp.new('\b(\$django\$\\*1\\*)?pbkdf2_sha256\$[0-9]+\$[a-z0-9]+\$[a-z0-9\\/+=]{44}\b', Regexp::IGNORECASE),
2148
821
  modes: [
2149
- {
2150
- john: "django",
2151
- hashcat: 10000,
2152
- extended: false,
2153
- name:"Django(PBKDF2-HMAC-SHA256)"
2154
- }
822
+ {name:"Django(PBKDF2-HMAC-SHA256)", john: "django", hashcat: 10000, extended: false}
2155
823
  ]
2156
824
  },
2157
825
  {
2158
826
  extract_regex: Regexp.new('\bpbkdf2_sha1\$[0-9]+\$[a-z0-9]+\$[a-z0-9\\/+=]{28}\b', Regexp::IGNORECASE),
2159
827
  modes: [
2160
- {
2161
- john: nil,
2162
- hashcat: nil,
2163
- extended: false,
2164
- name:"Django(PBKDF2-HMAC-SHA1)"
2165
- }
828
+ {name:"Django(PBKDF2-HMAC-SHA1)", john: nil, hashcat: nil, extended: false}
2166
829
  ]
2167
830
  },
2168
831
  {
2169
832
  extract_regex: Regexp.new('\bbcrypt(\$2[axy]|\$2)\$[0-9]{2}\$[a-z0-9\\/.]{53}\b', Regexp::IGNORECASE),
2170
833
  modes: [
2171
- {
2172
- john: nil,
2173
- hashcat: nil,
2174
- extended: false,
2175
- name:"Django(bcrypt)"
2176
- }
834
+ {name:"Django(bcrypt)", john: nil, hashcat: nil, extended: false}
2177
835
  ]
2178
836
  },
2179
837
  {
2180
838
  extract_regex: Regexp.new('\bmd5\$[a-f0-9]+\$[a-f0-9]{32}\b', Regexp::IGNORECASE),
2181
839
  modes: [
2182
- {
2183
- john: nil,
2184
- hashcat: nil,
2185
- extended: false,
2186
- name:"Django(MD5)"
2187
- }
840
+ {name:"Django(MD5)", john: nil, hashcat: nil, extended: false}
2188
841
  ]
2189
842
  },
2190
843
  {
2191
844
  extract_regex: Regexp.new('\b\\{PKCS5S2\\}[a-z0-9\\/+]{64}\b', Regexp::IGNORECASE),
2192
845
  modes: [
2193
- {
2194
- john: nil,
2195
- hashcat: nil,
2196
- extended: false,
2197
- name:"PBKDF2(Atlassian)"
2198
- }
846
+ {name:"PBKDF2(Atlassian)", john: nil, hashcat: nil, extended: false}
2199
847
  ]
2200
848
  },
2201
849
  {
2202
850
  extract_regex: Regexp.new('\bmd5[a-f0-9]{32}\b', Regexp::IGNORECASE),
2203
851
  modes: [
2204
- {
2205
- john: nil,
2206
- hashcat: nil,
2207
- extended: false,
2208
- name:"PostgreSQL MD5"
2209
- }
852
+ {name:"PostgreSQL MD5", john: nil, hashcat: nil, extended: false}
2210
853
  ]
2211
854
  },
2212
855
  {
2213
856
  extract_regex: Regexp.new('\b\\([a-z0-9\\/+]{49}\\)\b', Regexp::IGNORECASE),
2214
857
  modes: [
2215
- {
2216
- john: nil,
2217
- hashcat: 9100,
2218
- extended: false,
2219
- name:"Lotus Notes/Domino 8"
2220
- }
858
+ {name:"Lotus Notes/Domino 8", john: nil, hashcat: 9100, extended: false}
2221
859
  ]
2222
860
  },
2223
861
  {
2224
862
  extract_regex: Regexp.new('\bSCRYPT:[0-9]{1,}:[0-9]{1}:[0-9]{1}:[a-z0-9:\\/+=]{1,}\b', Regexp::IGNORECASE),
2225
863
  modes: [
2226
- {
2227
- john: nil,
2228
- hashcat: 8900,
2229
- extended: false,
2230
- name:"scrypt"
2231
- }
864
+ {name:"scrypt", john: nil, hashcat: 8900, extended: false}
2232
865
  ]
2233
866
  },
2234
867
  {
2235
868
  extract_regex: Regexp.new('\b\$8\$[a-z0-9\\/.]{14}\$[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
2236
869
  modes: [
2237
- {
2238
- john: "cisco8",
2239
- hashcat: 9200,
2240
- extended: false,
2241
- name:"Cisco Type 8"
2242
- }
870
+ {name:"Cisco Type 8", john: "cisco8", hashcat: 9200, extended: false}
2243
871
  ]
2244
872
  },
2245
873
  {
2246
874
  extract_regex: Regexp.new('\b\$9\$[a-z0-9\\/.]{14}\$[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
2247
875
  modes: [
2248
- {
2249
- john: "cisco9",
2250
- hashcat: 9300,
2251
- extended: false,
2252
- name:"Cisco Type 9"
2253
- }
876
+ {name:"Cisco Type 9", john: "cisco9", hashcat: 9300, extended: false}
2254
877
  ]
2255
878
  },
2256
879
  {
2257
880
  extract_regex: Regexp.new('\b\$office\$\\*2007\\*[0-9]{2}\\*[0-9]{3}\\*[0-9]{2}\\*[a-z0-9]{32}\\*[a-z0-9]{32}\\*[a-z0-9]{40}\b', Regexp::IGNORECASE),
2258
881
  modes: [
2259
- {
2260
- john: "office",
2261
- hashcat: 9400,
2262
- extended: false,
2263
- name:"Microsoft Office 2007"
2264
- }
882
+ {name:"Microsoft Office 2007", john: "office", hashcat: 9400, extended: false}
2265
883
  ]
2266
884
  },
2267
885
  {
2268
886
  extract_regex: Regexp.new('\b\$office\$\\*2010\\*[0-9]{6}\\*[0-9]{3}\\*[0-9]{2}\\*[a-z0-9]{32}\\*[a-z0-9]{32}\\*[a-z0-9]{64}\b', Regexp::IGNORECASE),
2269
887
  modes: [
2270
- {
2271
- name:"Microsoft Office 2010",
2272
- john: nil,
2273
- hashcat: 9500,
2274
- extended: false
2275
- }
888
+ {name:"Microsoft Office 2010", john: nil, hashcat: 9500, extended: false}
2276
889
  ]
2277
890
  },
2278
891
  {
2279
892
  extract_regex: Regexp.new('\b\$office\$\\*2013\\*[0-9]{6}\\*[0-9]{3}\\*[0-9]{2}\\*[a-z0-9]{32}\\*[a-z0-9]{32}\\*[a-z0-9]{64}\b', Regexp::IGNORECASE),
2280
893
  modes: [
2281
- {
2282
- name:"Microsoft Office 2013",
2283
- john: nil,
2284
- hashcat: 9600,
2285
- extended: false
2286
- }
894
+ {name:"Microsoft Office 2013", john: nil, hashcat: 9600, extended: false}
2287
895
  ]
2288
896
  },
2289
897
  {
2290
898
  extract_regex: Regexp.new('\b\$fde\$[0-9]{2}\$[a-f0-9]{32}\$[0-9]{2}\$[a-f0-9]{32}\$[a-f0-9]{3072}\b', Regexp::IGNORECASE),
2291
899
  modes: [
2292
- {
2293
- john: "fde",
2294
- hashcat: 8800,
2295
- extended: false,
2296
- name:"Android FDE \u2264 4.3"
2297
- }
900
+ {name:"Android FDE \u2264 4.3", john: "fde", hashcat: 8800, extended: false}
2298
901
  ]
2299
902
  },
2300
903
  {
2301
904
  extract_regex: Regexp.new('\b\$oldoffice\$[01]\\*[a-f0-9]{32}\\*[a-f0-9]{32}\\*[a-f0-9]{32}\b', Regexp::IGNORECASE),
2302
905
  modes: [
2303
- {
2304
- john: "oldoffice",
2305
- hashcat: 9700,
2306
- extended: false,
2307
- name:"Microsoft Office \u2264 2003 (MD5+RC4)"
2308
- },
2309
- {
2310
- john: "oldoffice",
2311
- hashcat: 9710,
2312
- extended: false,
2313
- name:"Microsoft Office \u2264 2003 (MD5+RC4) collider-mode #1"
2314
- },
2315
- {
2316
- john: "oldoffice",
2317
- hashcat: 9720,
2318
- extended: false,
2319
- name:"Microsoft Office \u2264 2003 (MD5+RC4) collider-mode #2"
2320
- }
906
+ {name:"Microsoft Office \u2264 2003 (MD5+RC4)", john: "oldoffice", hashcat: 9700, extended: false},
907
+ {name:"Microsoft Office \u2264 2003 (MD5+RC4) collider-mode #1", john: "oldoffice", hashcat: 9710, extended: false},
908
+ {name:"Microsoft Office \u2264 2003 (MD5+RC4) collider-mode #2", john: "oldoffice", hashcat: 9720, extended: false}
2321
909
  ]
2322
910
  },
2323
911
  {
2324
912
  extract_regex: Regexp.new('\b\$oldoffice\$[34]\\*[a-f0-9]{32}\\*[a-f0-9]{32}\\*[a-f0-9]{40}\b', Regexp::IGNORECASE),
2325
913
  modes: [
2326
- {
2327
- john: nil,
2328
- hashcat: 9800,
2329
- extended: false,
2330
- name:"Microsoft Office \u2264 2003 (SHA1+RC4)"
2331
- },
2332
- {
2333
- john: nil,
2334
- hashcat: 9810,
2335
- extended: false,
2336
- name:"Microsoft Office \u2264 2003 (SHA1+RC4) collider-mode #1"
2337
- },
2338
- {
2339
- john: nil,
2340
- hashcat: 9820,
2341
- extended: false,
2342
- name:"Microsoft Office \u2264 2003 (SHA1+RC4) collider-mode #2"
2343
- }
914
+ {name:"Microsoft Office \u2264 2003 (SHA1+RC4)", john: nil, hashcat: 9800, extended: false},
915
+ {name:"Microsoft Office \u2264 2003 (SHA1+RC4) collider-mode #1", john: nil, hashcat: 9810, extended: false},
916
+ {name:"Microsoft Office \u2264 2003 (SHA1+RC4) collider-mode #2", john: nil, hashcat: 9820, extended: false}
2344
917
  ]
2345
918
  },
2346
919
  {
2347
920
  extract_regex: Regexp.new('\b(\$radmin2\$)?[a-f0-9]{32}\b', Regexp::IGNORECASE),
2348
921
  modes: [
2349
- {
2350
- john: "radmin",
2351
- hashcat: 9900,
2352
- extended: false,
2353
- name:"RAdmin v2.x"
2354
- }
922
+ {name:"RAdmin v2.x", john: "radmin", hashcat: 9900, extended: false}
2355
923
  ]
2356
924
  },
2357
925
  {
2358
926
  extract_regex: Regexp.new('\b{x-issha,\\s[0-9]{4}}[a-z0-9\\/+=]+\b', Regexp::IGNORECASE),
2359
927
  modes: [
2360
- {
2361
- john: "saph",
2362
- hashcat: 10300,
2363
- extended: false,
2364
- name:"SAP CODVN H (PWDSALTEDHASH) iSSHA-1"
2365
- }
928
+ {name:"SAP CODVN H (PWDSALTEDHASH) iSSHA-1", john: "saph", hashcat: 10300, extended: false}
2366
929
  ]
2367
930
  },
2368
931
  {
2369
932
  extract_regex: Regexp.new('\b\$cram_md5\$[a-z0-9\\/+=-]+\$[a-z0-9\\/+=-]{52}\b', Regexp::IGNORECASE),
2370
933
  modes: [
2371
- {
2372
- john: nil,
2373
- hashcat: 10200,
2374
- extended: false,
2375
- name:"CRAM-MD5"
2376
- }
934
+ {name:"CRAM-MD5", john: nil, hashcat: 10200, extended: false}
2377
935
  ]
2378
936
  },
2379
937
  {
2380
938
  extract_regex: Regexp.new('\b[a-f0-9]{16}:2:4:[a-f0-9]{32}\b', Regexp::IGNORECASE),
2381
939
  modes: [
2382
- {
2383
- john: nil,
2384
- hashcat: 10100,
2385
- extended: false,
2386
- name:"SipHash"
2387
- }
940
+ {name:"SipHash", john: nil, hashcat: 10100, extended: false}
2388
941
  ]
2389
942
  },
2390
943
  {
2391
944
  extract_regex: Regexp.new('\b[a-f0-9]{4,}\b', Regexp::IGNORECASE),
2392
945
  modes: [
2393
- {
2394
- name:"Cisco Type 7",
2395
- john: nil,
2396
- hashcat: nil,
2397
- extended: true
2398
- }
946
+ {name:"Cisco Type 7", john: nil, hashcat: nil, extended: true}
2399
947
  ]
2400
948
  },
2401
949
  {
2402
950
  extract_regex: Regexp.new('\b[a-z0-9\\/.]{13,}\b', Regexp::IGNORECASE),
2403
951
  modes: [
2404
- {
2405
- name:"BigCrypt",
2406
- john: "bigcrypt",
2407
- hashcat: nil,
2408
- extended: true,
2409
- description: "Extended DES crypt — 13+ chars, extended length",
2410
- notes: ["Rarely used", "Used in some Unix variants"],
2411
- common_sources: ["some Unix variants"],
2412
- context: ["unix", "extended"]
2413
- }
952
+ {name:"BigCrypt", john: "bigcrypt", hashcat: nil, extended: true}
2414
953
  ]
2415
954
  },
2416
955
  {
2417
956
  extract_regex: Regexp.new('\b(\$cisco4\$)?[a-z0-9\\/.]{43}\b', Regexp::IGNORECASE),
2418
957
  modes: [
2419
- {
2420
- name:"Cisco Type 4",
2421
- john: "cisco4",
2422
- hashcat: nil,
2423
- extended: false
2424
- }
958
+ {name:"Cisco Type 4", john: "cisco4", hashcat: nil, extended: false}
2425
959
  ]
2426
960
  },
2427
961
  {
2428
962
  extract_regex: Regexp.new('\bbcrypt_sha256\$\$(2[axy]|2)\$[0-9]+\$[a-z0-9\\/.]{53}\b', Regexp::IGNORECASE),
2429
963
  modes: [
2430
- {
2431
- name:"Django(bcrypt-SHA256)",
2432
- john: nil,
2433
- hashcat: nil,
2434
- extended: false
2435
- }
964
+ {name:"Django(bcrypt-SHA256)", john: nil, hashcat: nil, extended: false}
2436
965
  ]
2437
966
  },
2438
967
  {
2439
968
  extract_regex: Regexp.new('\b\$postgres\$.[^\\*]+[*:][a-f0-9]{1,32}[*:][a-f0-9]{32}\b', Regexp::IGNORECASE),
2440
969
  modes: [
2441
- {
2442
- name:"PostgreSQL Challenge-Response Authentication (MD5)",
2443
- john: "postgres",
2444
- hashcat: 11100,
2445
- extended: false
2446
- }
970
+ {name:"PostgreSQL Challenge-Response Authentication (MD5)", john: "postgres", hashcat: 11100, extended: false}
2447
971
  ]
2448
972
  },
2449
973
  {
2450
974
  extract_regex: Regexp.new('\b\$siemens-s7\$[0-9]{1}\$[a-f0-9]{40}\$[a-f0-9]{40}\b', Regexp::IGNORECASE),
2451
975
  modes: [
2452
- {
2453
- name:"Siemens-S7",
2454
- john: "siemens-s7",
2455
- hashcat: nil,
2456
- extended: false
2457
- }
976
+ {name:"Siemens-S7", john: "siemens-s7", hashcat: nil, extended: false}
2458
977
  ]
2459
978
  },
2460
979
  {
2461
980
  extract_regex: Regexp.new('\b(\$pst\$)?[a-f0-9]{8}\b', Regexp::IGNORECASE),
2462
981
  modes: [
2463
- {
2464
- name:"Microsoft Outlook PST",
2465
- john: nil,
2466
- hashcat: nil,
2467
- extended: false
2468
- }
982
+ {name:"Microsoft Outlook PST", john: nil, hashcat: nil, extended: false}
2469
983
  ]
2470
984
  },
2471
985
  {
2472
986
  extract_regex: Regexp.new('\bsha256[:$][0-9]+[:$][a-z0-9\\/+]+[:$][a-z0-9\\/+]{32,128}\b', Regexp::IGNORECASE),
2473
987
  modes: [
2474
- {
2475
- name:"PBKDF2-HMAC-SHA256(PHP)",
2476
- john: nil,
2477
- hashcat: 10900,
2478
- extended: false
2479
- }
988
+ {name:"PBKDF2-HMAC-SHA256(PHP)", john: nil, hashcat: 10900, extended: false}
2480
989
  ]
2481
990
  },
2482
991
  {
2483
992
  extract_regex: Regexp.new('\b(\$dahua\$)?[a-z0-9]{8}\b', Regexp::IGNORECASE),
2484
993
  modes: [
2485
- {
2486
- name:"Dahua",
2487
- john: "dahua",
2488
- hashcat: nil,
2489
- extended: false
2490
- }
994
+ {name:"Dahua", john: "dahua", hashcat: nil, extended: false}
2491
995
  ]
2492
996
  },
2493
997
  {
2494
998
  extract_regex: Regexp.new('\b\$mysqlna\$[a-f0-9]{40}[:*][a-f0-9]{40}\b', Regexp::IGNORECASE),
2495
999
  modes: [
2496
- {
2497
- name:"MySQL Challenge-Response Authentication (SHA1)",
2498
- john: nil,
2499
- hashcat: 11200,
2500
- extended: false
2501
- }
1000
+ {name:"MySQL Challenge-Response Authentication (SHA1)", john: nil, hashcat: 11200, extended: false}
2502
1001
  ]
2503
1002
  },
2504
1003
  {
2505
1004
  extract_regex: Regexp.new('\b\$pdf\$[24]\\*[34]\\*128\\*[0-9-]{1,5}\\*1\\*(16|32)\\*[a-f0-9]{32,64}\\*32\\*[a-f0-9]{64}\\*(8|16|32)\\*[a-f0-9]{16,64}\b', Regexp::IGNORECASE),
2506
1005
  modes: [
2507
- {
2508
- name:"PDF 1.4 - 1.6 (Acrobat 5 - 8)",
2509
- john: "pdf",
2510
- hashcat: 10500,
2511
- extended: false
2512
- }
1006
+ {name:"PDF 1.4 - 1.6 (Acrobat 5 - 8)", john: "pdf", hashcat: 10500, extended: false}
2513
1007
  ]
2514
1008
  }
2515
1009
  ].freeze