Hash type SHA1(SALTPLAIN) - disqus

Technical information, status and bugs are posted here.
0xdeadbeef
Posts: 11
Joined: Sat 22. Sep 2018, 02:08

Hash type SHA1(SALTPLAIN) - disqus

Postby 0xdeadbeef » Mon 24. Sep 2018, 14:53

I'm having trouble understanding the SHA1(SALTPLAIN) in disqus dump.

I would normally think the salt, in hex there, would always be divisible by 2 when in hex chars, not an odd number (like five chars). Although I suppose anything is possible.

The first few hashes look really hairy, lots of leading zeros. Reminds me of finding a PoW hash in Bitcoin mining :)

So can someone help with the disqus format, which looks like this?

4d58c8aad8de711a3c2a353ba9d7434d20f2d4ad:5159d
4d58d010ce49e8221933b97757ae906a927a770f:977b3
4d58d0398e648eaf21e68091d88eea31e1cdfbc4:c7204
4d58d6a15096e086f13a9a5cecf32adcf701c3a3:30007
4d58d810e17dad199d31aa9187c63fb4b996955c:59b99
4d58d82cd38d60ef0deda2995be49529386a48af:ce857
4d58d857632b6e19895deec05bb905b7a6bff875:a2a17
... lots of others, all the same. Maybe the salt has been accidentally cut off? Maybe it's encoding the salt in hex improperly? Or am I misinterpreting the hex and it's something else that looks exactly like a hex string?

Is SHA1(SALTPLAIN) the same as hashcat mode 120, i.e. sha1($salt.$pass)? Maybe there's an iteration in there that I'm missing?

Thanks for any help.

s3in!c
Administrator
Posts: 76
Joined: Thu 24. Sep 2015, 09:50
Location: Switzerland

Re: Hash type SHA1(SALTPLAIN) - disqus

Postby s3in!c » Tue 25. Sep 2018, 12:15

The salt of the disqus hashes is not converted to binary before being used. So it's just a normal salt like if you would have just normal chars there instead of the hex.

So the algorithm is sha1($salt.$pass) just taking the salt and the plain as normal text input, e.g. sha1("5159d".$pass).

Yes, the first very few hashes maybe look a bit suspect, but technically you never know...
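A worked check of the interpretation given in this reply, added here as an example and not code from the thread or from the site's own tooling. It treats the five hex-looking characters after the colon as literal text, concatenates salt and plain exactly as sha1($salt.$pass) (hashcat -m 120) does, and contrasts that with the hex-decoding reading, which cannot even be applied to an odd-length salt. The function names are mine, and the sample lines are constructed inside the script from made-up passwords (the salts only mimic the dump's five-character shape); they are not lines from the real dump. The parser cuts at the fixed 40-character SHA-1 length rather than splitting on the colon, so a salt that happens to contain the separator is not mangled.

```python
import binascii
import hashlib

HEX_DIGITS = set("0123456789abcdef")


def sha1_salt_pass(salt: str, password: str) -> str:
    """sha1($salt.$pass): the salt is concatenated as the literal characters that
    appear in the dump (hashcat -m 120 semantics); it is NOT hex-decoded first."""
    return hashlib.sha1(salt.encode("utf-8") + password.encode("utf-8")).hexdigest()


def decode_salt_as_hex(salt: str):
    """The rival interpretation (salt is hex-encoded binary). Returns the decoded
    bytes, or None when the salt cannot be hex: the five-character salts in the
    dump are odd-length, so this yields None for every one of them."""
    if len(salt) % 2 or not set(salt.lower()) <= HEX_DIGITS:
        return None
    return binascii.unhexlify(salt)


def parse_dump_line(line: str, sep: str = ":"):
    """Split a 'hash<sep>salt' line into (hash, salt). The hash is always 40 hex
    chars, so cut at a fixed offset instead of using str.split(); a salt that
    itself contains the separator then survives intact."""
    line = line.strip()
    digest, rest = line[:40].lower(), line[40:]
    if len(digest) != 40 or not set(digest) <= HEX_DIGITS:
        raise ValueError(f"not a SHA-1 hex digest: {digest!r}")
    if not rest.startswith(sep):
        raise ValueError(f"expected separator {sep!r} after the hash in {line!r}")
    return digest, rest[len(sep):]


def check_candidate(line: str, password: str, sep: str = ":") -> bool:
    """True if sha1(salt + password) reproduces the hash on this dump line."""
    digest, salt = parse_dump_line(line, sep)
    return sha1_salt_pass(salt, password) == digest


# Constructed sample pairs (salt, password). The salts mimic the dump's
# five-hex-char shape; the passwords are invented, and the hash lines are
# generated from them below so the check can be exercised offline.
SAMPLE_PAIRS = [("5159d", "password1"), ("977b3", "letmein"), ("c7204", "hunter2")]


def build_sample_lines(sep: str = ":"):
    """Produce 'hash:salt' lines in the dump's layout from SAMPLE_PAIRS."""
    return [f"{sha1_salt_pass(salt, pw)}{sep}{salt}" for salt, pw in SAMPLE_PAIRS]


def crack_with_wordlist(lines, wordlist, sep: str = ":"):
    """Minimal wordlist attack (a stand-in for hashcat -m 120): returns
    {hash: plain} for every line whose sha1(salt.word) matches some word."""
    found = {}
    for line in lines:
        digest, salt = parse_dump_line(line, sep)
        for word in wordlist:
            if sha1_salt_pass(salt, word) == digest:
                found[digest] = word
                break
    return found


if __name__ == "__main__":
    lines = build_sample_lines()
    for line in lines:
        print(line)
    print(crack_with_wordlist(lines, ["123456", "hunter2", "password1", "letmein"]))
    print("hex-decodable five-char salt?", decode_salt_as_hex("5159d"))
```

Run against the real dump, the same check is `hashcat -m 120 hashes.txt wordlist` with the hash file left exactly as hash:salt; the script only makes explicit what that mode does with the salt bytes.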

0xdeadbeef
Posts: 11
Joined: Sat 22. Sep 2018, 02:08

Re: Hash type SHA1(SALTPLAIN) - disqus

Postby 0xdeadbeef » Wed 26. Sep 2018, 02:15

Thanks. I ran a test and got over 10k finds pretty quickly.

I have to fix it up a little: salt length and missing salt separator issues.

By the way, my quality score was very low. Could I assume that means I've only managed to recover a few new passwords not seen yet (percent of founds)? Or is quality something else? Maybe the strength of passwords?

s3in!c
Administrator
Posts: 76
Joined: Thu 24. Sep 2015, 09:50
Location: Switzerland

Re: Hash type SHA1(SALTPLAIN) - disqus

Postby s3in!c » Thu 27. Sep 2018, 22:29

The quality denotes the percentage of the lines you uploaded that were a new found, i.e. that were still in the left list.

So there are multiple reasons the quality is not that good:

- Someone was faster and uploaded the found for a hash before you
- The uploader was not able to parse your found (this mostly happens when the salt contains a colon). In this case, try using a separator that is certainly not in any of the salts and set that one on upload.
- The plain was invalid

Please note that if you are using the collected left lists of all hashlists, these are only updated once a day. The left lists of the leaks/hashlists are much more accurate; they get updated shortly after found uploads (normally within a few minutes).
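The separator caveat from the second point above, as an added example (not the site's uploader code). The found-line layout hash<sep>salt<sep>plain and the parsing behaviour shown are assumptions for illustration, and the salts and plains are constructed here; one salt deliberately contains a colon. With ":" as separator the parser splits that salt in the wrong place and the recomputed sha1(salt.plain) no longer matches, so the line would be rejected; with a separator that occurs in no salt every line verifies.

```python
import hashlib


def sha1_salt_pass(salt: str, plain: str) -> str:
    """sha1($salt.$pass) with the salt taken as literal text."""
    return hashlib.sha1(salt.encode("utf-8") + plain.encode("utf-8")).hexdigest()


def format_found(digest: str, salt: str, plain: str, sep: str) -> str:
    """Assumed upload layout: hash<sep>salt<sep>plain."""
    return f"{digest}{sep}{salt}{sep}{plain}"


def parse_found(line: str, sep: str):
    """Parse hash<sep>salt<sep>plain the way a simple uploader would: the hash is
    the fixed 40 chars, then the FIRST occurrence of sep divides salt from plain.
    A salt that itself contains sep is therefore cut at the wrong place."""
    digest, rest = line[:40], line[40:]
    if not rest.startswith(sep):
        raise ValueError(f"expected {sep!r} after the hash in {line!r}")
    salt, _, plain = rest[len(sep):].partition(sep)
    return digest, salt, plain


def separator_is_safe(salts, sep: str) -> bool:
    """True if sep occurs in none of the salts, i.e. it can be used on upload."""
    return not any(sep in s for s in salts)


def validate_founds(lines, sep: str):
    """Split uploaded lines into (accepted, rejected) by recomputing sha1(salt.plain),
    which is what an uploader has to do before crediting a found."""
    accepted, rejected = [], []
    for line in lines:
        digest, salt, plain = parse_found(line, sep)
        (accepted if sha1_salt_pass(salt, plain) == digest else rejected).append(line)
    return accepted, rejected


# Constructed (salt, plain) founds; the second salt contains a colon on purpose.
FOUNDS = [("5159d", "password1"), ("ab:12", "letmein")]


def demo(sep: str):
    """Build upload lines for FOUNDS with the given separator and validate them."""
    lines = [format_found(sha1_salt_pass(s, p), s, p, sep) for s, p in FOUNDS]
    return validate_founds(lines, sep)


if __name__ == "__main__":
    for sep in (":", "|"):
        ok, bad = demo(sep)
        print(f"sep={sep!r} safe={separator_is_safe([s for s, _ in FOUNDS], sep)} "
              f"accepted={len(ok)} rejected={len(bad)}")
```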

