ASP Password hashing algorithm

I'm having an issue discovering what hashing algorithm is being used when inserting a password into a database, I have the password in the clear, and the hashed password itself, plus a salt, but I can't figure out开发者_运维百科 what's going on in between (PHP developer, not .NET).

If anyone can help me out with what type of hashing has been used that would be ace.

• The unhashed password: a77U3b3ovil@chee
• The salt: 394279838
• The hashed password: F80ADFC2175F9DB94745E6A9B8CFA575D5B94263C523F9249620BEC958026DB4

It's being inserted into an mssql database via ASP.

Your result has 64 hex char, so 64 x 4 bits = 256 bits in total. That means that it's either

• the result of a SHA-256 (but this is a recent algorithm that is not built in to ASP)

  use http://hash.online-convert.com/sha256-generator to calc

• the concatenation of 2 MD5 hashes

  use http://hash.online-convert.com/md5-generator to calc

The output of SHA1, the default hashing algorithm of ASP.NET has 160 bits = 40 chars, so that seems to not fit well with the data you have.

On the other hand, there might be an application salt in the code (see):

computeHash( user.salt + "98hloj5674" + password )

and if you don't know that one, there's no chance to find your answer. Can you 'guess' it? You would need a dictionary attack (try all the possibilities) and the point of using hashes is just that this would take you years (for SHA-256) or hours (for MD5).

I've tried the obvious options (like sha256(Pass & Salt) ) but none of those worked. I'm afraid there is no obvious answer without access to the code.

See this discussion: https://security.stackexchange.com/questions/3989/how-to-determine-what-type-of-encoding-encryption-has-been-used

and here's a page with a few encryption methods that you could run your data through: http://support.persits.com/encrypt/demo_text.asp