Password Hash Types and Identification – A Complete Guide for GIAC GCIH
Why Password Hash Types and Identification Matters
Understanding password hash types and how to identify them is a critical skill for incident handlers and penetration testers alike. During a security assessment or an incident response engagement, you will frequently encounter password hashes extracted from compromised systems, databases, or network captures. Knowing what type of hash you are looking at determines the tools, techniques, and wordlists you will use to crack it, as well as the likelihood of success. On the GIAC GCIH exam, this knowledge is tested because it directly relates to exploitation frameworks, password attacks, and post-exploitation activities. Misidentifying a hash can waste hours of cracking time or, worse, lead you to overlook a vulnerability entirely.
What Are Password Hashes?
A password hash is the output of a one-way cryptographic function applied to a plaintext password. Instead of storing passwords in cleartext, operating systems and applications store hashes so that even if the hash database is compromised, the original passwords are not immediately revealed. Common hash types include:
1. LM (LAN Manager) Hash
- Legacy Windows hash, extremely weak
- Splits the password into two 7-character halves, converts to uppercase, and DES-encrypts each half independently
- Recognizable by its 32-character hexadecimal format; if the password is 7 characters or fewer, the second half is always AAD3B435B51404EE
- Example: AAD3B435B51404EEAAD3B435B51404EE
2. NTLM (NT LAN Manager) Hash
- Modern Windows hash: the MD4 digest of the password encoded as UTF-16LE (what Windows calls "Unicode")
- 32-character hexadecimal string
- Case-sensitive, no password length splitting
- Often seen in SAM database dumps and stored as: username:RID:LMhash:NTLMhash:::
3. MD5
- 32-character hexadecimal output (128 bits)
- Commonly used in web applications and older Linux systems
- On Linux, MD5-based crypt hashes start with $1$
4. SHA-1
- 40-character hexadecimal output (160 bits)
- Used in some legacy applications and older database systems
5. SHA-256 and SHA-512
- SHA-256 produces a 64-character hex string; SHA-512 produces a 128-character hex string
- On Linux, SHA-256 crypt hashes start with $5$ and SHA-512 crypt hashes start with $6$
6. bcrypt
- Starts with $2a$, $2b$, or $2y$
- Includes a cost factor (e.g., $2a$12$) and a 60-character total string
- Designed to be slow, making brute-force attacks computationally expensive
7. NTLMv1 and NTLMv2 (Network Authentication Hashes)
- These are challenge-response hashes captured during authentication over the network
- NTLMv2 is more secure and includes a timestamp and server challenge
- Often captured using tools like Responder or Impacket
- Format in tools like hashcat: username::domain:challenge:NTProofStr:blob
8. Kerberos Hashes (AS-REP Roasting and Kerberoasting)
- Kerberoast tickets use RC4 (type 23) or AES (type 17/18) encryption
- AS-REP roasting targets accounts without pre-authentication
- Identifiable by $krb5tgs$ or $krb5asrep$ prefixes
9. Other Common Types
- $apr1$ – Apache MD5
- $pbkdf2-sha256$ – PBKDF2-based hashes
- {SSHA} – Salted SHA-1 used in LDAP
- DES-based crypt – 13 characters, no prefix (legacy Unix)
How to Identify Hash Types
Identification is based on several factors:
Length of the hash string:
- 13 characters → DES crypt
- 32 characters (hex) → MD5 or NTLM
- 40 characters (hex) → SHA-1
- 64 characters (hex) → SHA-256
- 128 characters (hex) → SHA-512
Prefix identifiers (most reliable method):
- $1$ → MD5 crypt
- $2a$ / $2b$ / $2y$ → bcrypt
- $5$ → SHA-256 crypt
- $6$ → SHA-512 crypt
- $apr1$ → Apache MD5
- $krb5tgs$23$ → Kerberoast (RC4)
- $krb5asrep$23$ → AS-REP Roast
Context of where the hash was found:
- Windows SAM database → LM and NTLM
- Linux /etc/shadow → Check the prefix
- Network capture → NTLMv1/v2, Kerberos
- Web application database → Could be MD5, SHA-1, SHA-256, bcrypt, etc.
Automated Identification Tools:
- hashid – Python tool that identifies hash types based on patterns
- hash-identifier – Another CLI tool for hash identification
- hashcat --identify, or the hashcat example-hashes page as a reference for formats and mode numbers
- john --list=formats – Lists supported formats in John the Ripper
How Hash Cracking Relates to Identification
Once you identify the hash type, you select the appropriate mode in your cracking tool:
- Hashcat uses mode numbers: e.g., -m 0 for MD5, -m 1000 for NTLM, -m 3200 for bcrypt, -m 13100 for Kerberoast, -m 18200 for AS-REP Roast, -m 5600 for NTLMv2
- John the Ripper uses format flags: e.g., --format=NT, --format=Raw-MD5, --format=bcrypt
Selecting the wrong mode will result in zero results even if the password is in your wordlist. This is why correct identification is paramount.
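The identification rules above (prefix first, then the dump or capture line format, then bare hex by length) and the mode selection step can be put together into one small triage routine. The following is an added example for this guide, not code from the guide, hashcat or John: it returns every candidate type for a string together with a hashcat mode, so an ambiguous 32-character hex string comes back as a list rather than a single guess. The guide itself lists modes 0, 1000, 3200, 5600, 13100 and 18200; the other mode numbers are hashcat's standard ones, and the pbkdf2-sha256 mode is deliberately left out because it depends on the exact encoding.

```python
import re

# Hash-type identifier built from the guide's own rules: prefix markers first (the most
# reliable), then tool line formats, then bare hex by length (which stays ambiguous).
# Candidates are (name, hashcat mode). The guide lists modes 0, 1000, 3200, 5600, 13100
# and 18200; the other modes come from hashcat's standard mode table.
PREFIXES = [
    ("$krb5tgs$23$", "Kerberoast ticket (RC4, etype 23)", 13100),
    ("$krb5asrep$23$", "AS-REP Roast (RC4, etype 23)", 18200),
    ("$apr1$", "Apache MD5 crypt", 1600),
    ("$1$", "MD5 crypt", 500), ("$5$", "SHA-256 crypt", 7400), ("$6$", "SHA-512 crypt", 1800),
    ("$2a$", "bcrypt", 3200), ("$2b$", "bcrypt", 3200), ("$2y$", "bcrypt", 3200),
    ("$pbkdf2-sha256$", "PBKDF2-SHA256 (passlib style)", None),  # mode depends on encoding
    ("{SSHA}", "LDAP salted SHA-1", 111),
]
BY_HEX_LENGTH = {40: [("SHA-1", 100)], 64: [("SHA-256", 1400)], 128: [("SHA-512", 1700)]}
LM_EMPTY_HALF = "aad3b435b51404ee"  # LM half produced by an empty (all-padding) 7-char block
PWDUMP = re.compile(r"^[^:]+:\d+:([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)
NETNTLMV2 = re.compile(r"^[^:]+::[^:]*:[0-9a-f]{16}:[0-9a-f]{32}:[0-9a-f]+$", re.I)
NETNTLMV1 = re.compile(r"^[^:]+::[^:]*:[0-9a-f]{48}:[0-9a-f]{48}:[0-9a-f]{16}$", re.I)
DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
HEX = re.compile(r"^[0-9a-f]+$", re.I)
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def identify(s: str) -> list:
    """Return candidate (name, hashcat_mode) pairs for one hash string or dump line."""
    s = s.strip()
    for prefix, name, mode in PREFIXES:                 # 1. prefix markers
        if s.startswith(prefix):
            return [(name, mode)]
    if m := PWDUMP.match(s):                             # 2. SAM/NTDS dump line
        lm = m.group(1).lower()
        note = "LM disabled" if lm == LM_EMPTY_HALF * 2 else "LM hash also present (weak)"
        return [(f"NTLM from pwdump line ({note})", 1000)]
    if NETNTLMV2.match(s):                               # 3. network challenge-response
        return [("NetNTLMv2 (must be cracked; no pass-the-hash)", 5600)]
    if NETNTLMV1.match(s):
        return [("NetNTLMv1 (must be cracked; no pass-the-hash)", 5500)]
    if DESCRYPT.match(s):                                # 4. 13 chars, no prefix
        return [("DES crypt (legacy Unix)", 1500)]
    if HEX.match(s):                                     # 5. bare hex: go by length
        if len(s) != 32:
            return BY_HEX_LENGTH.get(len(s), [("unrecognized hex", None)])
        cands = [("MD5", 0), ("NTLM", 1000), ("LM", 3000)]  # ambiguous: use context
        if s.lower().endswith(LM_EMPTY_HALF):
            cands.insert(0, ("LM, password of 7 chars or fewer", 3000))
        return cands
    if B64.match(s) and len(s) % 4 == 0:                 # 6. encoded, not hashed
        return [("Base64-encoded data (encoding, not a hash)", None)]
    return [("unknown", None)]
```

Feed it one line at a time from a dump or capture file; when it returns more than one candidate, the context rule from the guide (Windows SAM versus web database) decides which mode to try.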
Key Concepts for the GCIH Exam
- LM hashes are the weakest Windows hash type and should be disabled (they are disabled by default in modern Windows)
- NTLM hashes are unsalted, making them vulnerable to rainbow table attacks and fast brute-force cracking
- Salted hashes (like those in /etc/shadow, bcrypt, PBKDF2) are significantly harder to crack because precomputed tables cannot be used
- bcrypt, scrypt, and Argon2 are considered modern, secure hashing algorithms because they are deliberately slow
- Pass-the-hash attacks use NTLM hashes directly for authentication without needing to crack them
- NTLMv2 hashes captured on the network cannot be used for pass-the-hash; they must be cracked
- Tools like Responder, Impacket, and Mimikatz are commonly used to obtain hashes
- Tools like Hashcat and John the Ripper are used to crack hashes
- The secretsdump.py tool from Impacket can extract NTLM hashes remotely
Exam Tips: Answering Questions on Password Hash Types and Identification
1. Memorize the prefixes. The most reliable way to identify a hash on the exam is by its prefix. Know that $6$ is SHA-512 crypt, $1$ is MD5 crypt, $2a$ is bcrypt, etc. This is frequently tested.
2. Know your hash lengths. If you see a 32-character hex string with no prefix, consider both MD5 and NTLM. The context (Windows vs. web application) will help you differentiate.
3. Understand the difference between stored hashes and network hashes. NTLM hashes from the SAM/NTDS.dit can be used for pass-the-hash. NTLMv1/v2 hashes captured on the wire are challenge-response and must be cracked.
4. Remember the LM hash weakness. If a question mentions passwords being split into 7-character halves or converted to uppercase, it is referring to LM hashes.
5. Know which hashes are salted vs. unsalted. NTLM and plain MD5 are unsalted. Linux crypt hashes ($1$, $5$, $6$), bcrypt, and PBKDF2 are salted. Salting prevents rainbow table attacks.
6. Associate tools with hash types. Mimikatz extracts NTLM hashes from Windows memory. Responder captures NTLMv1/v2 hashes from the network. hashdump in Metasploit retrieves SAM hashes.
7. Understand hashcat mode numbers for common types. You may be asked which tool and mode to use: -m 1000 for NTLM, -m 5600 for NTLMv2, -m 13100 for Kerberoast.
8. Read the question context carefully. If the question says hashes were extracted from /etc/shadow on a Linux system, look for the crypt prefix. If it says hashes were dumped from a Windows domain controller using secretsdump, think NTLM (and possibly LM).
9. Use your index effectively. During the open-book GCIH exam, have a reference sheet or index tab for hash prefixes, lengths, and corresponding hashcat/John modes. This saves valuable time.
10. Understand why hash identification matters in the attack chain. Questions may present a scenario where an attacker has obtained hashes and ask what the next step is. The answer often involves identifying the hash type first, then selecting the appropriate cracking approach (dictionary, brute-force, rainbow table, or pass-the-hash if applicable).
11. Do not confuse encoding with hashing. Base64 is encoding, not hashing. If you see a string that ends with = or ==, it may be Base64-encoded data, not a hash.
12. Know the security hierarchy. From weakest to strongest: LM → NTLM → MD5 → SHA-1 → SHA-256 → SHA-512 → bcrypt/scrypt/Argon2. Questions about which hash type provides the best protection will typically point to bcrypt or Argon2 due to their built-in work factor and salting.