Unsalted Hashes

As you may have guessed, these are hash types that don't use a salt. This is NOT an exhaustive list of hashes, simply a sample of those that are commonly seen in the wild. Hashcat and JTR example commands, as well as a set of example hashes, are provided for you to crack. Grab a wordlist and give it a try!
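What "no salt" means in practice, as an added example (not code from the original page): identical passwords produce identical digests, so one precomputed table of banned passwords audits every account at once, while per-user salts defeat both shortcuts. The account names, passwords and deny list are constructed, and PBKDF2 with 100,000 iterations is an assumed stand-in for a salted scheme.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data: account -> password, plus a constructed deny list.
USERS = {"alice": "Summer2024", "bob": "Summer2024", "carol": "x9!Lq#vT2p"}
BANNED = ["password", "Summer2024", "letmein"]

def unsalted_sha1(password: str) -> str:
    """Raw SHA1: the digest depends only on the password."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_pbkdf2(password: str, salt: bytes) -> str:
    """Salted, iterated hash (assumed stand-in for a salted scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def shared_digests(table: dict) -> list:
    """Groups of accounts whose stored digest is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def flag_banned(table: dict, banned: list) -> list:
    """Accounts whose digest appears in one precomputed table of banned passwords.

    A salted table cannot be checked this way: each account would have to be
    recomputed with its own salt.
    """
    lookup = {unsalted_sha1(p) for p in banned}
    return sorted(user for user, digest in table.items() if digest in lookup)

def build_tables(users: dict) -> tuple:
    """Store the same passwords twice: unsalted SHA1 and per-user salted PBKDF2."""
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: salted_pbkdf2(p, os.urandom(16)) for u, p in users.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables(USERS)
    for name, table in (("unsalted SHA1", unsalted), ("salted PBKDF2", salted)):
        print(name, "shared:", shared_digests(table),
              "banned:", flag_banned(table, BANNED))
```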

MD4


MD4 was first introduced in 1990 by designer Ronald Rivest. In 1993 Microsoft used this algo as its base for the widely used NT format discussed in the next block. By 1995 collisions were being found and the algorithm was considered insecure; however, it wasn't until 2011 that it was officially sunset by the IETF.

Hashes are 16 bytes long (32 hex characters or 128 bits) and have no maximum input length.

Hashcat Example Command: ./hashcat64.bin -m 900 hashlist wordlist
JTR Example Command: ./john --format=Raw-MD4 hashlist -w:wordlist

NT

This is the worst. NT (New Technology) was introduced with Windows NT 3.1 in 1993 as a successor to LM (LAN Manager). It baffles me how this remains the storage method Windows domains use. NT is based on MD4. It takes your password as an input, converts it to UTF-16-LE, hashes it with MD4, and stores the result. This means that it's marginally slower than base MD4, but we're still talking billions of attempts per second.

Unlike LM, an NT hash can store passwords of length up to 255, and it allows for case sensitivity. NT hashes are generally found in NTDS dumps (Active Directory database) and SAM files (local user database).

These hashes can be extracted from SAM files with tools like PwDump and Mimikatz. NTDS.dit files can be extracted with tools like DSInternals, NTDSXtract, or Crackmapexec (in NTDS export mode).

Hashcat Example Command: ./hashcat64.bin -m 1000 hashlist wordlist
JTR Example Command: ./john --format=NT hashlist -w:wordlist

MD5

MD5 is the successor to MD4. It was introduced in 1991 when weaknesses in MD4 started being discovered. This algo was widely used in web technologies and can still be found in public dumps today. MD5 offers little resistance to cracking on GPUs, or even on today's CPUs.

Hashes are 16 bytes long (32 hex characters or 128 bits) and have no maximum input length.

Hashcat Example Command: ./hashcat64.bin hashlist wordlist (No mode is needed as MD5 is the default mode)
JTR Example Command: ./john --format=Raw-MD5 hashlist -w:wordlist

SHA1

SHA1 was designed by the NSA in 1995 as a successor to SHA-0 (which was found to have cryptographic flaws). It provides slightly more resistance to attack than MD5 due to the increased work cost to generate a hash (more math = more time to calculate). This is the base format of the LinkedIn leak in 2012. ~6.5 million hashes were stolen in SHA1 format.

Hashes are 20 bytes long (40 hex characters or 160 bits) and have no maximum input length.

Hashcat Example Command: ./hashcat64.bin -m 100 hashlist wordlist
JTR Example Command: ./john --format=Raw-SHA1 hashlist -w:wordlist

SHA256

SHA256 is part of the SHA2 family, designed again by the NSA and published in 2001. The publication was formally accepted in 2002 as the successor to SHA. The family is comprised of SHA224, SHA256, SHA384, and SHA512; however, SHA256 and SHA512 are the most commonly seen.

Hashes are 32 bytes long (64 hex characters or 256 bits) and have no maximum input length.

Hashcat Example Command: ./hashcat64.bin -m 1400 hashlist wordlist
JTR Example Command: ./john --format=Raw-SHA256 hashlist -w:wordlist

SHA512

SHA512 is also part of the SHA2 family. SHA256 and SHA512 use different shift amounts and additive constants, but are otherwise very similar.

Hashes are 64 bytes long (128 hex characters or 512 bits), twice the length of SHA256, and have no maximum input length.

Hashcat Example Command: ./hashcat64.bin -m 1700 hashlist wordlist
JTR Example Command: ./john --format=Raw-SHA512 hashlist -w:wordlist