Author Topic: SHA to test passwords

stanl

SHA to test passwords
« on: October 09, 2019, 05:00:27 am »
Tony;


Thanks to your assistance with my earlier post regarding creating an SHA hash, I have another use for this. Trying to help out a friend who found a website: https://api.pwnedpasswords.com


to test whether a password could have been potentially used or hacked previously. I found that the url will accept a 5 byte SHA1 hash and return results. Although the code you supplied me was SHA256 the same methods work with SHA1.  So, in the script below, a hash for a suggested password:
Code: Winbatch

ObjectClrOption('useany', 'System.Core')
objCrypt = ObjectClrNew('System.Security.Cryptography.SHA1Cng')
pw = 'W1Batc$e'
; ChrStringToUnicode converts the text to UTF-16 (Unicode), so the byte
; array built from it holds two bytes per character, and that is what gets hashed
pw = ChrStringToUnicode(pw)
aBytes = ObjectType('array|ui1', pw)
aHash = objCrypt.ComputeHash(aBytes)
; Copy the returned byte array into a binary buffer and render it as hex
hHash = BinaryAllocArray(aHash)
strHash = BinaryPeekHex(hHash, 0, BinaryEODGet(hHash))
BinaryFree(hHash)
Message('Hash Result', 'Hash string: ':strHash:@lf:'Length: ':StrLen(strHash))
objCrypt.Clear()
objCrypt = 0
Exit
 

But similar code in powershell returns a completely different hash

Code: PowerShell

$pw = 'W1Batc$e'
# Hash the UTF-8 encoding of the string (one byte per character here)
$bytes = [Text.Encoding]::UTF8.GetBytes($pw)
$stream = [IO.MemoryStream]::new($bytes)
$hash = Get-FileHash -Algorithm 'SHA1' -InputStream $stream
$stream.Close()
$stream.Dispose()
# The .Hash property holds the uppercase hex digest
$hash


My less than knowledgeable assumption is the PS text encoding is the difference but would appreciate your expertise

td

Re: SHA to test passwords
« Reply #1 on: October 09, 2019, 07:59:36 am »
I tend to stay away from SHA1 because the algorithm is eminently hackable and has been deprecated in the context of security usage.  That said, it doesn't really matter when you are using SHA1 to generate a thumbprint key for lookups or something similar.

PowerShell is mostly just an interpreter.  The real work is done by the dotNet framework classes that it calls underneath the hood. If you poke around in the FCL security classes you may find several different iterations of SHA1 available.  Those different iterations may explain the difference in hash output.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

stanl

Re: SHA to test passwords
« Reply #2 on: October 10, 2019, 02:51:17 am »

EDIT: forget what I posted below. When I do things for friends, I don't charge. This looks like it would take a lot of code and not a simple script, or just use PS. Also, not something for Tech db.  I just recommended some google finds.



Thanks. I read the warnings about SHA1 also. Changed the PS to SHA256 as well as WB. Still get 2 different hashes. Regardless, the url will accept the first 5 chars of the hash but seems to return a SHA1 40-char with what I assume after the colon is the number of hits and I guess they would need to be decrypted?


https://api.pwnedpasswords.com/range/51194




Code:

004593A12B86479B246D18AD747412CEBCA:2
00A133BA395B042F69B02F498ABD97B2BC1:1
00A2C96D2041337C6D143601DD1D606BED0:3
011F4F3F78B696288AF0E584000C2499894:2
0160C7A2F3FD5A1F3022BDB2D374D47D102:1
028BFE37B7DD5EA0C0592E56515F3BAB42D:2
02AA8FCEA1E7D9C5D4FE1A1962F2E3579F3:4
0380C95E775593F087B1BFEDBC728823C22:1
04294C1B377D08C04803CCD49F303DF1E5B:2
04B756AE8A2740056A0EF3C84748C443238:15
04BC1B76C6DCF4996DF9D69B97758F0C671:2
0593BA8ADBEBB8361BE2B8BACBB4539E52C:2
05CDB44FCDEB396EF1D1036609344F237B0:1
07190468B69531DC846D67B5A9D4330AE93:2
09215EE3642F44ABB45ACF1149D964EB2B1:2

td

Re: SHA to test passwords
« Reply #3 on: October 10, 2019, 08:24:00 am »
Our first encounter with the SHA1 issue dates back ~8-10 years.  WindowWare had to get all new codesigning and SSL certificates.  The codesigning certificates were a problem because MSFT didn't add support for 256-bit hashing to Windows Vista until very late in its life cycle.  And then the patch was only for the 64-bit version and it wasn't initially part of a monthly update.  The user had to find and download it from MSFT's site.

stanl

Re: SHA to test passwords
« Reply #4 on: October 11, 2019, 05:22:10 am »
I introduced my friend to a url that has 1/2 billion pwned passwords and you can submit text and it will return if it appears in the lookup, or you can download the data [about 11 gig].....


To the point: he supports computer training in retirement homes... and you know old people like [me] who set their passwords to their favorite dog or other easy things to hack. So part of the ask was if I could help with a compiled exe to show the risk.


The lookup data [above] is all SHA1. The curious aspect of the api lookup I was going to replicate was it accepted the first 5 bytes of the SHA1 hash, then looked up the remaining 35 bytes in the return adding up the number(s) after the :


For fun I might just try a script with some basic passwords like 'Lassie' just to work out parsing the results.
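An added example (my own Python, not code from the thread or from WinBatch) covering both points raised above: the SHA-1 of the UTF-8 bytes and of the UTF-16 bytes of the same password differ, and the range lookup sends only the 5-character prefix and matches the remaining 35 characters against the SUFFIX:COUNT lines locally. Only the API URL comes from the thread; the function names and the regular expression for a response line are my assumptions.

```python
from __future__ import annotations

import hashlib
import re
import urllib.request

# API base from the thread; the range endpoint takes only the first 5 hex chars of the SHA-1.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
# One response line: the 35 remaining hex chars, a colon, and the breach count.
LINE_RE = re.compile(r"^([0-9A-F]{35}):(\d+)$")


def sha1_hex(password: str, encoding: str = "utf-8") -> str:
    """Uppercase hex SHA-1 of the password's bytes in the given encoding.
    Hashing a UTF-16 ('Unicode') copy of the text gives a different digest than UTF-8."""
    return hashlib.sha1(password.encode(encoding)).hexdigest().upper()


def split_hash(hex_digest: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix never leaves the client."""
    digest = hex_digest.upper()
    if len(digest) != 40:
        raise ValueError("expected a 40-hex-char SHA-1 digest")
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines (CRLF or LF) into {suffix: count}; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            counts[match.group(1)] = int(match.group(2))
    return counts


def breach_count(password: str, response_text: str) -> int:
    """How many times the password appears in the breach data (0 = not in this range)."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one prefix (the only network step; the offline checks never call it)."""
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```

To check a password end to end, pass `fetch_range(prefix)` output to `breach_count`; a hash computed over the UTF-16 bytes (as the WinBatch script does) will not match any suffix in the response.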