1

I have pairs of email addresses and hashes, can you tell what's being used to create them?

[email protected]
BeRs114JrR0sBpueyEmnOWZfnLuigYTA

and 

[email protected]
4KoujQHr3N2wHWBLQBy%2b26t8GgVRTqSEmKduST9BqPYV6wBZF4IfebJS%2fxYVvIvR

and

[email protected]
819kwGAcTsMw3DndEVzu%2fA%3d%3d
Improve this question
2
  • 2
    I'm voting to close this question as off-topic because it is impossible to determine which algorithm produced this output, since ciphertexts and hash outputs are supposed to be indistinguishable from random noise and there are infinitely many of them. We're not here to play the guessing game, but you can guess yourself: determine what type of encoding/encryption has been used Commented Mar 31, 2016 at 20:26
  • 4
    It's definitely not a hash, because then the output would have always the same length. Commented Mar 31, 2016 at 20:27

2 Answers 2

Reset to default
2

First, the obvious even if you know nothing about cryptography: the percent signs are URL encoding; decoding that gives

BeRs114JrR0sBpueyEmnOWZfnLuigYTA
4KoujQHr3N2wHWBLQBy+26t8GgVRTqSEmKduST9BqPYV6wBZF4IfebJS/xYVvIvR
819kwGAcTsMw3DndEVzu/A==

And that in turn is base64. The lengths of the encodings wrt the length of the original strings are

plaintext  encoding
17         24
43         48
10         16

More samples would give more confidence, but it's fairly clear that the encoding pads the plaintext to a multiple of 8 bytes. That suggest a block cipher (it can't be a hash since a hash would be fixed-size). The de facto standard block algorithm is AES which uses 16-byte blocks; 24 is not a multiple of 16 so that's out. The most common block algorithm with a block size of 8 (which fits the data) is DES; 3DES or blowfish or something even rarer is also a possibility but DES is what I'd put my money on.

Since it's a cipher, there must be a key somewhere. It might be in a configuration file, or hard-coded in the source code. If all you have is the binary, you should be able to locate it with the help of a debugger. With DES, you could find the key by brute force (because a key is only 56 bits and that's doable by renting a bit of CPU time on Amazon) but finding it in the program would be easier.

If you want to reproduce the algorithm then you'll also need to figure out the mode of operation. Here one clue is that the encoding is never more than 7 bytes longer than the plaintext, so there's no room for an initialization vector. If the developers who made that software did a horrible job they might have used ECB. If they made a slightly less horrible job they might have used CBC or (much less likely) some other mode with a constant IV. If they did an again slightly less horrible job then the IV may be derived from some other characteristic of the account. You can refine the analysis by testing some patterns:

  • If the encoding of [email protected] (starting with two identical 8-byte blocks) starts with two identical 8-byte blocks, it's ECB.
  • If the encoding of [email protected] and [email protected] (differing at the 9th character) have identical first blocks, it's CBC (probably) with a constant IV.

Another thing you'll need to figure out is the padding mode. There are a few common ones. That's a bit harder to figure out as a black box except with ECB.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

There are some tools online, and also some open source projects. For example:

https://code.google.com/archive/p/hash-identifier/

http://www.insidepro.com/

Improve this answer

2 Comments

Tried both, no luck.
These sites help if you have a password hash in a standard format, but that's obviously not the case here.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.