This page attempts to document the format(s) JtR is expecting for most hash types. There are several formats JtR can look for, these are some of the more typical:

While almost all hashes can be loaded using one of the formats above, not all can, and it is more desirable to signify what hash is being used. There are a number of hash “prefixes” or identifiers that can be used to help JtR automatically determine which hash type to crack. This is especially true when you have one file with many different types, lots of hashes can look the “same” because of length mostly. The prefixes also help when JtR's automatic hash type detection incorrectly identifies one hash type as another. The next section includes the formats, the descriptions, prefixes, as well as some test hashes.

NOTE: The GECOS field (among others as well), is used by SINGLE crack mode to help crack passwords. The example hashes below contain the plain-text password in this field whenever possible. Not all hash types will look at this field.

FORMAT_LABEL        "afs"
FORMAT_NAME         "Kerberos AFS DES"
PLAINTEXT_LENGTH    63
CIPHERTEXT_LENGTH   20
NOTES:  The comma is required, and most times the cell name following the 
        comma is also required.
PREFIX: $K4$
FORMAT: <username>:$K4$<hash>,<cellname>:::
  user_x:$K4$dfda85c7619183a2,XXXXXXXX:::XXXXXXXX
  user_y:$K4$e3e59de6f1d5eaf4,cell:::password355
  user_z:$K4$b02cc24aefbc865b,:::thisisaverylongpassword
FORMAT_LABEL        "bf"
FORMAT_NAME         "OpenBSD Blowfish"
PLAINTEXT_LENGTH    72
CIPHERTEXT_LENGTH   60
NOTES:  "$2y$" prefix (which guarantees correct handling of both 7- and 8-bit 
         characters as in OpenBSD's "$2a$") and a countermeasure to avoid 
         one-correct to many-buggy hash collisions with the "$2a$" prefix.     
         http://www.openwall.com/lists/announce/2011/07/17/1
PREFIX: $2a$ | $2y$
FORMAT: <username>:$2a$<hash>:::<GECOS>
  user_x:$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW:::U*U
  user_y:$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK:::U*U*
  user_z:$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui:0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789  //chars after 72 are ignored
FORMAT_LABEL       "bfegg"
FORMAT_NAME        "Eggdrop"
PLAINTEXT_LENGTH    31
CIPHERTEXT_LENGTH   33
NOTES:  
PREFIX:
FORMAT: <username>:<hash>
  user_x:+9F93o1OxwgK1:123456
  user_y:+C/.8o.Wuph9.:qwerty
  user_z:+EEHgy/MBLDd0:walkman
FORMAT_LABEL        "bsdi"
FORMAT_NAME         "BSDI DES"
PLAINTEXT_LENGTH    64
CIPHERTEXT_LENGTH   20
NOTES:  http://www.openwall.com/lists/owl-users/2006/07/03/6
PREFIX: _ (underscore is the prefix for BSDI DES)
FORMAT: <username>:_<hash>:::<GECOS>
  user_x:_J9..SDizh.vll5VED9g:::ab1234567
  user_y:_J9..SDizRjWQ/zePPHc:::cr1234567
  user_z:_J9..SDizxmRI1GjnQuE:::zxyDPWgydbQjgq
  user_a:_K9..SaltNrQgIYUAeoY:::726 even
  user_b:_J9..SDSD5YGyRCr4W4c:::
FORMAT_LABEL        "crypt"
FORMAT_NAME         "generic crypt(3)"
PLAINTEXT_LENGTH    72
NOTES:  Windows builds do not accept "crypt" as a format. SHA is not 
        supported on windows builds.
        http://www.openwall.com/lists/john-users/2010/06/20/2
PREFIX: Varies <username>:prefix<hash>  Prefix = $1$, $5$, $6$ or $2a$
FORMAT: <username>:hash
#DES
  user_x:CCNf8Sbh3HDfQ
  user_y:CCX.K.MFy4Ois
  user_z:CC4rMpbg9AMZ.
  user_a:SDbsugeBiC58A
#MD5
  user_x:$1$dXc3I7Rw$ctlgjDdWJLMT.qwHsWhXR1
  user_y:$1$dXc3I7Rw$94JPyQc/eAgQ3MFMCoMF.0
  user_z:$1$dXc3I7Rw$is1mVIAEtAhIzSdfn5JOO0
  user_a:$1$Eu.GHtia$CFkL/nE1BYTlEPiVx1VWX0
#SHA-256 (rounds=5000)
  $5$LKO/Ute40T3FNF95$U0prpBQd4PloSGU0pnpM4z9wKn4vZ1.jsrzQfPqxph9
  $5$LKO/Ute40T3FNF95$fdgfoJEBoMajNxCv3Ru9LyQ0xZgv0OBMQoq80LQ/Qd.
  $5$LKO/Ute40T3FNF95$8Ry82xGnnPI/6HtFYnvPBTYgOL23sdMXn8C29aO.x/A
  $5$kc7lRD1fpYg0g.IP$d7CMTcEqJyTXyeq8hTdu/jB/I6DGkoo62NXbHIR7S43
#SHA-512 (rounds=5000)
  user_x:$6$LKO/Ute40T3FNF95$6S/6T2YuOIHY0N3XpLKABJ3soYcXD9mB7uVbtEZDj/LNscVhZoZ9DEH.sBciDrMsHOWOoASbNLTypH/5X26gN0
  user_y:$6$LKO/Ute40T3FNF95$wK80cNqkiAUzFuVGxW6eFe8J.fSVI65MD5yEm8EjYMaJuDrhwe5XXpHDJpwF/kY.afsUs1LlgQAaOapVNbggZ1
  user_z:$6$LKO/Ute40T3FNF95$YS81pp1uhOHTgKLhSMtQCr2cDiUiN03Ud3gyD4ameviK1Zqz.w3oXsMgO6LrqmIEcG3hiqaUqHi/WEE2zrZqa/
  user_a:$6$ojWH1AiTee9x1peC$QVEnTvRVlPRhcLQCk/HnHaZmlGAAjCfrAN0FtOsOnUk5K5Bn/9eLHHiRzrTzaIKjW9NTLNIBUCtNVOowWS2mN.
 #BF (x32)
  user_x:$2a$05$c92SVSfjeiCD6F2nAD6y0uBpJDjdRkt0EgeC4/31Rf2LUZbDRDE.O
  user_y:$2a$05$WY62Xk2TXZ7EvVDQ5fmjNu7b0GEzSzUXUh2cllxJwhtOeMtWV3Ujq
  user_z:$2a$05$Fa0iKV3E2SYVUlMknirWU.CFYGvJ67UwVKI1E2FP6XeLiZGcH3MJi
  user_a:$2a$05$Otz9agnajgrAe0.kFVF9V.tzaStZ2s1s4ZWi/LY4sw2k/MTVFj/IO
FORMAT_LABEL        "crc32"
FORMAT_NAME         "CRC-32"
PLAINTEXT_LENGTH    31
NOTES:  This format is:   8hex.8hex  The first 8 hex is the 'starting' crc 
        value. So, if you have a file and its CRC is XYZ, then you would put 
        that value here, then when the password(s) are found, append them to 
        the file, and get the final CRC value.  If you want to find a 
        password with the 'proper' CRC value, then put 0 into the first field.
        The 2nd 8 hex value is what we are looking for.
PREFIX: $crc$
FORMAT: <username>:$crc$<8hex.8hex>:::GECOS
  user_x:$crc32$00000000.fa455f6b:::ripper
  user_y:$crc32$00000000.4ff4f23f:::dummy
  user_z:$crc32$4ff4f23f.ce6eb863:::password //dummypassword
  user_a:$crc32$fa455f6b.c59b2aeb:::123456   //ripper123456
FORMAT_LABEL      "dmd5"
FORMAT_NAME       "DIGEST-MD5"
ALGORITHM_NAME    "DIGEST-MD5 authentication"
PLAINTEXT_LENGTH  32
NOTES:  
PREFIX: $DIGEST-MD5$
FORMAT: <username>:<$DIGEST-MD5$>$<realm>$<nonce>$<digest_uri>$<cnonce>$<nc>$<qop>$<response>$<authzid>:::<GECOS>
  user_x:$DIGEST-MD5$s3443$pjwstk$00$ldap/10.253.34.43$0734d94ad9abd5bd7fc5e7e77bcf49a8$00000001$auth-int$dd98347e6da3efd6c4ff2263a729ef77:::test
FORMAT_LABEL      "dominosec"
FORMAT_NAME       "More Secure Internet Password"
ALGORITHM_NAME    "RSA MD defined by BSAFE 1.x - Lotus v6"
PLAINTEXT_LENGTH  64
NOTES:  http://www.openwall.com/lists/john-users/2005/11/21/5 
PREFIX: None, but hash is enclosed in parentheses...
FORMAT: <username>:(<hash>):::<GECOS>
  user_x:(G+dfECo845XxUw+nFVYD):::szesnascieznakow
  user_y:(GowT5I2hVHZpRWpvGmux):::terazjakiesdwadziesciacos
  user_z:(Gq2bAtpguiTSSycy6dhu):::trzydziescidwamozesieudaojnieuda
  user_a:(G82TtgNcqcHGkpEo7wQp):::looongrandominputdataforfunbutnotonlyoi!
FORMAT_LABEL    "EPiServer"
BINARY_LENGTH      20
NOTES:  Expects ciphertext of format: 0xHEX*60 0xHEX*40. Take note of the space
        character that seperates the hash "halves".
PREFIX:
FORMAT: <username>:<0xHEX*60 0xHEX*40>:::GECOS
  user_x:0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F:::Abc.!23

More information

john/hash-formats.txt · Last modified: 2012/07/21 11:38 by claudio.andre
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate to DokuWiki Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki Powered by OpenVZ Powered by Openwall GNU/*/Linux Bookmark and Share