The hash-function is a function performing a one-way transformation. Referring to a target string (password), it gets some hash-value (normally a string of digits and letters from “A” to “F”). Usually just referring to this value it is pretty difficult to obtain some information on the original string/password.         

Primordially the word is derived from the English language: hash means jumble, rubbish, or garbage.

The word implication could be treated as follows: we are not going to obtain any useful information referring to a hash-value; hence by itself it is just a meaningless set of bytes, gibberish.  

However, bearing a feature of general functions (i.e. referring to the similar strings we are to get similar hash-values), hash-functions prove useful in the sphere of authorization (access differentiation). It is quite easy referring to the password to get a hash-value to be stored and used for matching passwords against the original one. At the same time, even having an access to the hash-values base, it might seem that we cannot gain an access to passwords.               

Simple example: We want to save the string test as a password for the user Admin. For that we enter the following into the password database:
Admin =
098f6bcd4621d373cade4e832627b4f6 (this string is a MD5 hash-value of the string test).

Now we can easily check up any string in respect of its conformance with our password: we have to derive a hash-value from it, and match it against one we’ve stored in the database.

For instance, MD5 from the string rest is 65e8800b5c6800aad896f888b2a62afc and it fails to match with one we have saved. So the rest is not a valid password for the Admin.

At the same time, MD5 from the string test is always 098f6bcd4621d373cade4e832627b4f6, which perfectly matches the stored value. So the test always fits the Admin as a password.

Some times ago they believed that hash-values as such actually do not disclose any information on a password, and hence they did not need to be concealed. By now basically hash-values are kept secret.  

And hence the attack process is phased into three stages:

And now some more details.

As far as the first stage is concerned, that is an extraction of hash-values, it is a fairly complicated matter. Usually to obtain hash-values (just "hashes" as canted by hackers) one needs special skills and techniques. They relate to searching vulnerabilities within the target system or to fraud. In principle, it is nearly impossible to obtain strange hash-values, therefore further on we shall be talking rather about a password recovery towards its own hash-values. Besides, remember that theft of hash-values is illegal, and The UDC program is intended for a user’s activities which comply with current laws.  

Nevertheless, in the Internet there are scores of websites providing hash-values for recovery.  For example:

From these websites one can gain some practical information on extraction of hash-values from a target system.

Now a few words about the second stage that is about determination of a hash-function used as to hash-values. The situation here, in the general case, is not that smooth at all. In fact, hash-values bears no information on the original password or applied hash-function. They can hardly be distinguished from a random string of the same length at all.        

The only thing able to provide certain information is a length of a hash-value in terms of characters. It should exactly fit a digit capacity of the hash-function which could be retrieved with The UDC program on the tag *Progress* (it should be noted that to convert bytes into characters we need to divide the number of bytes by 4).

There is still only one problem here: for each length of a hash-value there are several hash-functions with the same capacity, e.g.:

This is why it is quite desirable (if not obligatory) to know precisely which particular hash-function has been applied. Almost right along it could be done as to a source code of target system.       

Here are the simplest conformances of hash-functions from UDC with actual systems:

The bulk of information on the attack on hash-values through enumeration is located in the  basic information.

Why are there no techniques of finding passwords smarter than just enumeration? As we have seen above, referring to the hash-value it is pretty difficult to obtain some information on the original string/password as maintained by mathematicians, and so far nobody has refuted this assertion. And so, there is nothing smarter in finding a password than just to insert various strings into a hash-function.               

There are some techniques to considerably intensify enumeration, e.g. the Hybrid Rainbow attack, however, we have no alternatives to enumeration and its variations for stable hash-functions.


© The [SNS] Technologies, 28 April, 2007