How to identify hash types – new tools with modern hashes support
In the article “How to identify hash types” we have already got acquainted with such utilities as hashID and HashTag, which determine the hash string by which algorithm it was calculated.
The aforementioned tools still work, but the world does not stand still (and the development of these programs does stand still). Now there are new types of hashes that are not supported or have errors in these tools.
Right now, at the time of writing, two new programs are under active development for identifying hash types. They support more hashing algorithms and are just better than the old tools in everything. This article is devoted to acquaintance with new tools for identifying a hash type.
Why do we need new tools for identifying hash types?
hashID has been deprecated since March 2015, hash-identifier has been deprecated since 2011, Dagon since June 2018, and findmyhash since 2011. All of them do not have at all, or have incorrect, erroneous support for modern hashes such as Keccak/SHA3/Blake2, etc. Also, a tool like hash-identifier, which is completely interactive, has no parameters and is not convenient for use in scripts. findmyhash has a very limited set of detectable hashes. The most interesting tool is hashID (for identifying a hash), but since it hasn't been supported for over 5 years, problems and open PRs (Pull Requests) are piling up, bugs are not fixed, and some features are missing.
All this could have prompted the authors to create new tools with capabilities missing from their predecessors.
Let's look at a comparative table of tools for determining the type of hash:
- Ref.: showing next to the hash type the corresponding mode of hashcat and hash name of john the ripper
- ✅: function supported
- ❌: function not supported
- ⭕️: function is partially supported
- 💎: the Ruby programming language
- 🐍: the Python programming language
- #: correct support for modern hashes
- 🔢: number of hashes supported
If you need sample hashes for verifying instruments, see the section “Where to see examples of hashes”.
I selected several hashes for analysis:
- PKZIP Master Key
Hashes must be enclosed in single quotes!
Hashes can include special characters that have a special meaning to the shell. This is especially important if you are using Linux. If you do not take this into account, the program for determining the hash type, although it will not report an error, will receive a string different from the one you thought you entered.
Moreover, even in double quotes, the shell treats some characters as special. So to avoid escaping them, put the entire hash in single quotes.
It is not necessary to quote hashes consisting only of letters and numbers, but I prefer to pass all hashes in single quotes.
HAITI (HAsh IdenTifIer) is a command line tool (and library) for identifying the type of a given hash. The library is especially good for scripting because you don't have to wrap the command line tool in a subprocess.
- 382+ hash types detected
- Modern algorithms supported (SHA3, Keccak, Blake2, etc.)
- Hashcat and John the Ripper references
- CLI tool & library
- Color output
A complete list of program options and installation instructions can be found in the program card: https://en.kali.tools/?p=1567
Using the program is very simple - put your hash after the program name:
haiti OPTIONS 'HASH'
Moreover, OPTIONS are not necessary, the default behavior of the program is very balanced and in most cases you will not want to change it with any additional parameters.
SHA-512 [HC: 1700] [JtR: raw-sha512] SHA3-512 [HC: 17600] [JtR: raw-sha3] SHA3-512 [HC: 17600] [JtR: dynamic_400] Keccak-512 [HC: 18000] [JtR: raw-keccak] BLAKE2-512 [JtR: raw-blake2] Whirlpool [HC: 6100] [JtR: whirlpool] Salsa10 Salsa20 Skein-512 [JtR: skein-512] Skein-1024(512)
Among the output is the correct answer: SHA3-512
In the output, HC is an abbreviation for Hashcat, and subsequent digits (for example, 1700, 17600, and so on) are the mode numbers in this program.
JtR is short for John the Ripper, and the following lines are the name of the hash algorithms for cracking in this program (raw-sha512, raw-sha3, and so on).
Color improves the readability of the output very well, especially if it is large. If you want to disable color output, then use the --no-color option:
haiti --no-color 412ef78534ba6ab0e9b1607d3e9767a25c1ea9d5e83176b4c2817a6c
Although often the output contains more than one guess about the hash type, salted algorithms are excluded by default. To show all possible hashing algorithms, including using a salt, use the -e or --extended option:
haiti -e 7c2dc1d743735d4e069f3bda85b1b7e9172033dfdd8cd599ca094ef8570f3930c3f2c0b7afc8d6152ce4eaad6057a2ff22e71934b3a3dd0fb55a7fc84a53144e
If you only want to know the hash type and information about hashcat and john the ripper modes is superfluous for you, then you can specify the --short option for shortened output:
haiti --short f1eff5c0368d10311dcfc419
From January 2021, almost two years after work on HAITI began, a project called Name-That-Hash emerged because the author needed a Python library for Ciphey. There are now two relevant options for identifying a hash.
Name That Hash defines the type of hash. The program supports MD5, SHA256 and over 300 other hashes.
Features of Name That Hash:
- Popularity Ratings – You will see the most popular hashes first.
- Hash Summaries – Name-that-hash will summarize the basics of using each hash, allowing you to make an informed choice.
- The color output is contrasting and descriptive.
- Output to JSON and API – you can use Name-That-Hash in your project, since the program has an API and a command line interface. Use JSON output or import the program as a Python module!
- Updated – Name-That-Hash is a 2021 project.
- Thoughtfulness – the authors have thought over the functions, interface and options with ease of use in mind.
- Extensibility – add new hashes as quickly as you can edit the text file.
- Working with files – the program reads a file line by line and checks the type of each hash.
- Hash lookup is an extreme mode that tries to extract a hash even if the string contains garbage.
Installation instructions and a complete list of options can be found at https://en.kali.tools/?p=1556.
To determine the hash type, specify it with the -t (--text) option:
nth -t 'HASH'
nth -t '7c2dc1d743735d4e069f3bda85b1b7e9172033dfdd8cd599ca094ef8570f3930c3f2c0b7afc8d6152ce4eaad6057a2ff22e71934b3a3dd0fb55a7fc84a53144e'
Hashes are divided into two groups:
- Most Likely
- Least Likely
Moreover, in these groups, they are also sorted by frequency of use.
In the output, you can see the already familiar HC and JtR strings with the numbers and names of hashing algorithms in Hashcat and John.
In addition, there is a short description of the application, for example:
- Summary: Used in Bitcoin Blockchain and Shadow Files.
- Summary: Used in Wireguard, Zcash, IPFS and more.
- Summary: Not considered a hash function
Moreover, please note that some entries are hyperlinks (they are underlined with dots) and for more information you can go to web pages. All this is done so that you can navigate the proposed hash types and choose the most suitable one.
To check multiple hashes, use the -f (--file) option:
nth -f 'FILE'
The file format is one hash per line.
One of these options (-t or -f) is required.
If your hashes are Base64 encoded, then use the -b64 (--base64) option. It tells the program to decode Base64 hashes before identifying. For files with mixed Base64 strings and in plain text, the program first tries to decode base64, and if this fails, then it treats the hash as an ordinary plain text string.
nth -t 'ZjFlZmY1YzAzNjhkMTAzMTFkY2ZjNDE5Cg==' -b64
Please note that the already decoded string is shown as a hash (after the header).
The -e (--extreme) option enables searching for hashes in a string. This mode will get 5d41402abc4b2a76b9719d911017c592 from ####5d41402abc4b2a76b9719d911017c592###.
In theory, the following two commands should give the same result:
nth -t '####5d41402abc4b2a76b9719d911017c592###' -e nth -t '5d41402abc4b2a76b9719d911017c592'
But they turned out differently for me. Therefore, use this mode rather as an experimental one.
Free online hash type detection
The Online hash type detection service has existed for a long time. It works very simply – you enter a hash and you get a hash type. Previously, it relied on the hashID and HashTag utilities. Now the service has been updated and works with the HAITI and Name That Hash utilities – the most up-to-date tools for determining the type of hash.
Service address: https://w-e-b.site/?act=hashtag
As you can see, it is difficult to choose which of the programs is better – HAITI or Name That Hash. You can use one or two. Or if you need JSON output or need API support or a library for defining hashes, then you can choose the one that best suits your needs.
- How to identify hash types (100%)
- Hash-generation software (55%)
- How to hack a Windows password (55%)
- How to decrypt stored Windows passwords using mimikatz and DAPA (55%)
- Comprehensive Guide to John the Ripper. Part 6: How to brute force non-standard hashes (55%)
- How to generate dictionaries by any parameters with pydictor (RANDOM - 50%)