#!/usr/bin/env python
# encoding: utf-8
__description__ = 'a simple tool to determine the crypto/encoding algorithm used according to traces of its representation'
__author__ = 'Francisco da Gama Tabanez Ribeiro'
__version__ = '0.6'
__date__ = '2011/12/04'
__license__ = 'WTFPL'
import re,sys,argparse,base64
def show(results, result_details, code, analyze=False, textmode=True):
for key in results.keys():
if(len(results[key]) > 0):
print '%s:' % key,results[key]
if analyze:
for codetype in results[key]:
if codetype in result_details.keys():
print '\t',result_details[codetype]
if(len(results['confident']) + len(results['likely']) + len(results['possible']) == 0):
print 'unknown! ;('
#(?<![a-zA-Z0-9./$])
def get_type_of(data, filters, analyze=False):
results={'confident':[],'likely':[],'possible':[]}
result_details={}
if re.findall(r"\b[a-fA-F\d]{32}\b", data): # md4 or md5
if(any(x for x in filters if x in ['web','other'])):
results['confident'].append('md5')
results['possible'].append('md4')
else:
results['likely'].append('md5')
results['possible'].append('md4')
if re.findall(r"\b[a-fA-F\d]{32}(?![a-fA-F0-9])", data) and 'win' in filters: # lm or ntlm
if(all(chr.isupper() or chr.isdigit() for chr in data)):
results['confident']+=['lm','ntlm']
else:
results['likely']+=['lm','ntlm']
if re.findall(r"\*[a-fA-F\d]{40}\b", data) and 'db' in filters: # MySQL4+
result_details['MySQL4+']='MySQL v4 or later hash: %s' % re.findall(r"\*(\b[a-fA-F\d]{40})\b", data)
if(all(chr.isupper() or chr.isdigit() for chr in data)):
results['confident'].append('MySQL4+')
else:
results['likely'].append('MySQL4+')
if re.findall(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$", data) and 'other' in filters: # base64
result_details['base64']='base64 decoded string: %s' % base64.b64decode(data)
if(data.endswith('=')):
results['confident']+=['base64']
else:
results['possible']+=['base64']
if re.findall(r"^(\w+:\d+:)?\*:([a-fA-F\d]{32})(?![a-fA-F0-9])", data) and 'win' in filters: # SAM(*:NTLM)
result_details['SAM(*:ntlm)']='hashes in SAM file - LM:not defined\tNTLM:%s' % re.findall(r"\*:([a-fA-F\d]{32})\b",data)[0]
if(all(chr.isupper() or chr.isdigit() for chr in re.findall(r"\*:([a-fA-F\d]{32})\b",data)[0])):
results['confident']+=['SAM(*:ntlm)']
else:
results['possible']+=['SAM(*:ntlm)']
if re.findall(r"^(\w+:\d+:)?[a-fA-F\d]{32}:\*", data) and 'win' in filters: # SAM(LM:*)
result_details['SAM(lm:*)']='hashes in SAM file - LM:%s\tNTLM:not defined' % re.findall(r"([a-fA-F\d]{32}):\*",data)[0]
if(all(chr.isupper() or chr.isdigit() for chr in re.findall(r"([a-fA-F\d]{32}):\*",data)[0])):
results['confident']+=['SAM(lm:*)']
elif(re.match(r"^[\w+:]{4,6}", data)):
results['confident']+=['SAM(lm:*)']
else:
results['possible']+=['SAM(lm:*)']
if re.findall(r"^(\w+:\d+:)?[a-fA-F\d]{32}:[a-fA-F\d]{32}\b", data) and 'win' in filters: # SAM(LM:NTLM)
result_details['SAM(lm:ntlm)']='hashes in SAM file - LM:%s\tNTLM:%s' % re.findall(r"^(?:\w+:\d+:)?([a-fA-F\d]{32}):([a-fA-F\d]{32})\b",data)[0]
if(all(chr.isupper() or chr.isdigit() or chr == '$' for chr in data)):
results['confident']+=['SAM(lm:ntlm)']
elif(re.match(r"^[\w+:]{4}", data)):
results['confident']+=['SAM(lm:ntlm)']
else:
results['possible']+=['SAM(lm:ntlm)']
if re.findall(r"\b[a-fA-F\d]{80}\b", data) and 'other' in filters: # RipeMD320
results['possible'].append('RipeMD320')
if re.findall(r"\b[a-fA-F\d]{40}\b", data) and 'other' in filters: # SHA1
results['likely'].append('sha1')
if re.findall(r"\b[a-fA-F\d]{56}\b",data) and 'other' in filters: # SHA224
results['likely'].append('sha224')
if re.findall(r"\b[a-fA-F\d]{64}\b", data) and 'other' in filters: # SHA256
results['likely'].append('sha256')
if re.findall(r"\b[a-fA-F\d]{96}\b", data) and 'other' in filters: # SHA384
results['likely'].append('sha384')
if re.findall(r"\b[a-fA-F\d]{128}\b", data) and 'other' in filters: # SHA512 or Whirlpool
results['likely']+=['sha512','whirlpool']
if re.findall(r"\b[a-fA-F\d]{16}\b", data) and 'db' in filters: # MySQL323
result_details['MySQL323']='MySQL v3.23 or previous hash: %s' % re.findall(r"\b([a-fA-F\d]{16})\b", data)
if(filters == ['db'] and all(chr.isupper() or chr.isdigit() for chr in data)):
results['confident'].append('mysql323')
else:
results['likely'].append('mysql323')
if re.findall(r"0x[a-fA-F\d]{1,16}\b", data) and 'other' in filters: # CRC
if len(data[2:]) == 1:
result_details['CRC']='Cyclic redundancy check: CRC1 or CRC-4-ITU'
elif len(data[2:]) == 2:
result_details['CRC']='Cyclic redundancy check: CRC-4-ITUCRC-5-ITU, CRC-5-EPC, CRC-5-USB, CRC-6-ITU, CRC-7, CRC-8-CCITT, CRC-8-Dallas/Maxim, CRC-8, CRC-8-SAE J1850, CRC-8-WCDMA'
elif len(data[2:]) == 3:
result_details['CRC']='Cyclic redundancy check: CRC-10, CRC-11, CRC-12'
elif len(data[2:]) == 4:
result_details['CRC']='Cyclic redundancy check: CRC-15-CAN, CRC-16-IBM, CRC-16-CCITT, CRC-16-T10-DIF, CRC-16-DNP, CRC-16-DECT'
elif len(data[2:]) == 6:
result_details['CRC']='Cyclic redundancy check: CRC-24, CRC-24-Radix-64'
elif len(data[2:]) == 8:
result_details['CRC']='Cyclic redundancy check: CRC-30, CRC-32, CRC-32C, CRC-32K, CRC-32Q'
elif len(data[2:]) == 10:
result_details['CRC']='Cyclic redundancy check: CRC-40-GSM'
elif len(data[2:]) == 16:
result_details['CRC']='Cycle redundancy check: CRC-64-ISO, CRC-64-ECMA-182'
else:
result_details['CRC']='invalid CRC? truncated data?'
results['possible'].append('CRC')
if re.findall(r"(?<![a-zA-Z0-9./$])[a-zA-Z0-9./]{13}(?![a-zA-Z0-9./])", data) and 'unix' in filters: # DES-salt(UNIX)
result_details['des-salt-unix']='UNIX shadow file using salted DES - salt:%s\thash:%s' % re.findall(r"(?:\w+:)?([a-zA-Z0-9./]{2})([a-zA-Z0-9./]{11})",data)[0]
if(filters == ['unix'] or re.match(r'(?:\w+:)[a-zA-Z0-9./]{13}(?::\d*){2}(?::.*?){2}:.*$', data)):
results['confident'].append('des-salt-unix')
else:
results['possible'].append('des-salt-unix')
if re.findall(r"^(?:sha256|sha1)\$[a-zA-Z\d./]+\$[a-zA-Z0-9./]{64}$", data) and 'web' in filters: # SHA256-salt(Django)
result_details['sha256-salt-django']='Django shadow file using salted SHA256 - salt:%s\thash:%s' % re.findall(r"^(?:sha256|sha1)\$([a-zA-Z\d.]+)\$([a-zA-Z0-9./]{64})$", data)[0]
if(all(chr.islower() or chr.isdigit() or chr == '$' for chr in data)):
results['confident'].append('sha256-salt-django')
else:
results['likely'].append('sha256-salt-django')
if re.findall(r"^(?:sha256|sha1)\$\$[a-zA-Z0-9./]{64}$", data) and 'web' in filters: # SHA256(Django)
result_details['sha256-django']='Django shadow file using SHA256 - hash:%s' % re.findall(r"^(?:sha256|sha1)\$\$([a-zA-Z0-9./]{64})$", data)[0]
if(all(chr.islower() or chr.isdigit() or chr == '$' for chr in data)):
results['confident'].append('sha256-django')
else:
results['likely'].append('sha256-django')
if re.findall(r"^sha384\$[a-zA-Z\d.]+\$[a-zA-Z0-9./]{96}$", data) and 'web' in filters: # SHA384-salt(Django)
result_details['sha384-salt-django']='Django shadow file using salted SHA384 - salt:%s\thash:%s' % re.findall(r"^sha384\$([a-zA-Z\d.]+)\$([a-zA-Z0-9./]{96})$", data)[0]
if(all(chr.islower() or chr.isdigit() or chr == '$' for chr in data)):
results['confident'].append('sha384-salt-django')
else:
results['likely'].append('sha384-salt-django')
if re.findall(r"^sha384\$\$[a-zA-Z0-9./]{96}$", data) and 'web' in filters: # SHA384(Django)
result_details['sha384-django']='Django shadow file using SHA384 - hash:%s' % re.findall(r"^sha384\$\$([a-zA-Z0-9./]{96})$", data)[0]
if(all(chr.islower() or chr.isdigit() or chr == '$' for chr in data)):
results['confident'].append('sha384-django')
else:
results['likely'].append('sha384-django')
if re.findall(r"\$5\$[a-zA-Z0-9./]{8,16}\$[a-zA-Z0-9./]{43}(?![a-zA-Z0-9./])", data) and 'unix' in filters: # SHA256-salt(UNIX)
result_details['sha256-salt-unix']='UNIX shadow file using salted SHA256 - salt:%s\thash:%s' % re.findall(r"\$5\$([a-zA-Z0-9./]{8,16})\$([a-zA-Z0-9./]{43})", data)
results['confident'].append('sha256-salt-unix')
if re.findall(r"\$6\$[a-zA-Z0-9./]{8,16}\$[a-zA-Z0-9./]{86}(?![a-zA-Z0-9./])", data) and 'unix' in filters: # SHA512-salt(UNIX)
result_details['sha512-salt-unix']='UNIX shadow file using salted SHA512 - salt:%s\thash:%s' % re.findall(r"\$6\$([a-zA-Z0-9./]{8,16})\$([a-zA-Z0-9./]{86})", data)
results['confident'].append('sha512-salt-unix')
if re.findall(r"\$apr1\$[a-zA-Z0-9./]{8}\$[a-zA-Z0-9./]{22}(?![a-zA-Z0-9./])", data) and 'unix' in filters: # APR1-salt(Apache)
result_details['apr1-salt-unix']='Apache htpasswd file (MD5x2000)- salt:%s\thash:%s' % re.findall(r"\$apr1\$([a-zA-Z0-9./]{8})\$([a-zA-Z0-9./]{22})", data)[0]
results['confident'].append('apr1-salt-unix')
if re.findall(r"(?<![a-zA-Z0-9.])[a-zA-Z0-9./]{8}\$[a-zA-Z0-9./]{22}(?![a-zA-Z0-9./])", data) and 'unix' in filters: # MD5-salt(UNIX)
result_details['md5-salt-unix']='UNIX shadow file using salted MD5 - salt:%s\thash:%s' % re.findall(r"([a-zA-Z0-9./]{8})\$([a-zA-Z0-9./]{22})", data)[0]
results['confident'].append('md5-salt-unix')
if re.findall(r"(?<![a-zA-Z0-9.])[a-zA-Z0-9./]{31}(?![a-zA-Z0-9./])", data) and 'web' in filters: # MD5(Wordpress)
result_details['md5-wordpress']='Wordpress MD5 - hash:%s' % re.findall("([a-zA-Z0-9./]{31})$", data)[0]
if re.match(r"\$P\$[a-zA-Z0-9./]{31}$", data):
results['confident'].append('md5-wordpress')
elif filters == ['web'] and data.startswith('$'):
results['likely'].append('md5-wordpress')
else:
results['possible'].append('md5-wordpress')
if re.findall(r"(?<![a-zA-Z0-9.])[a-zA-Z0-9./]{31}(?![a-zA-Z0-9./])", data) and 'web' in filters: # MD5(phpBB3)
result_details['md5-phpBB3']='phpBB3 MD5 - hash: %s' % re.findall("[a-zA-Z0-9./]{31}$", data)[0]
if re.match(r"\$H\$[a-zA-Z0-9./]{31}$", data):
results['confident'].append('md5-phpBB3')
elif filters == ['web'] and data.startswith('$'):
results['likely'].append('md5-phpBB3')
else:
results['possible'].append('md5-phpBB3')
if re.match(r"(?<![a-zA-Z0-9.])([a-zA-Z0-9./]{32})(?::[a-zA-Z0-9./]{32})?(?![a-zA-Z0-9./])", data) and 'web' in filters: # MD5-salt(joomla2)
if(re.findall(r"(?<![a-zA-Z0-9.])([a-z0-9./]{32}):([a-zA-Z0-9./]{32})\b", data)):
result_details['md5-salt-joomla2']='Joomla v2 salted MD5 - hash:%s\tsalt:%s' % re.findall(r"([a-z0-9./]{32}):([a-zA-Z0-9./]{32})", data)[0]
results['confident'].append('md5-salt-joomla2')
elif(re.findall(r"(?<![a-zA-Z0-9.])([a-z0-9./]{32})\b", data)):
result_details['md5-joomla2']='Joomla v2 MD5 - hash:%s' % re.findall(r"([a-z0-9./]{32})", data)[0]
results['likely'].append('md5-joomla2')
# else:
# results['possible'].append('md5-salt-joomla2')
if re.findall(r"(?<![a-zA-Z0-9.])([a-zA-Z0-9./]{32})(?::[a-zA-Z0-9./]{16})?(?![a-zA-Z0-9./])", data) and 'web' in filters: # MD5-salt(joomla1)
if(re.findall(r"(?<![a-zA-Z0-9.])([a-z0-9./]{32}):([a-zA-Z0-9./]{16}(?![a-zA-Z0-9./]))", data)):
result_details['md5-salt-joomla1']='Joomla v1 salted MD5 - hash:%s\tsalt:%s' % re.findall(r"([a-z0-9./]{32}):([a-zA-Z0-9./]{16})", data)[0]
results['confident'].append('md5-salt-joomla1')
elif(re.findall(r"(?<![a-zA-Z0-9.])([a-z0-9./]{32})(?![a-zA-Z0-9./])", data)):
result_details['md5-joomla1']='Joomla v1 MD5 - hash:%s' % re.findall(r"([a-z0-9./]{32})", data)[0]
results['likely'].append('md5-joomla1')
# else:
# results['possible'].append('md5-salt-joomla1')
if re.findall(r"[a-zA-Z0-9./]{2}\$[a-zA-Z0-9./]{53}(?![a-zA-Z0-9./])", data) and 'unix' in filters: # Blowfish(UNIX)
result_details['blowfish-salt-unix']='UNIX shadow file using salted Blowfish - salt: %s\thash: %s' % re.findall(r"\$(?:2a|2)\$([a-zA-Z0-9./]{2})\$([a-zA-Z0-9./]{53})", data)[0]
if re.findall(r"\$(?:2a|2)\$[a-zA-Z0-9./]{2}\$[a-zA-Z0-9./]{53}\$?", data):
results['confident'].append('blowfish-salt-unix')
else:
results['likely'].append('blowfish-salt-unix')
return results,result_details
if __name__ == '__main__':
parser = argparse.ArgumentParser(description=__description__,
epilog='use filters for more accurate results')
parser.add_argument('string',type=str,nargs='?',
help='determine algorithm used for <string> according to its data representation')
parser.add_argument('-t', metavar='filters', default=['win','web','unix','db','other'], type=str, nargs=1,
dest='filters', help='filter by source of your string. can be: win, web, db, unix or other')
parser.add_argument('-a', '-analyze', dest='analyze', help='show more details whenever possible (expands shadow files fields,...)', required=False, action='store_true')
parser.add_argument('-f','-file', dest='filename', nargs=1, help='load a file')
parser.add_argument('-l','-list', dest='list', help='lists supported algorithms', required=False, action='store_true')
args=parser.parse_args()
if(args.list):
print "shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA256, base64, MySQL323, MYSQL4+, DES, RipeMD320, Whirlpool, SHA1, SHA224, SHA256, SHA384, SHA512, Blowfish, Java Session IDs"
elif(args.string is not None):
results,result_details = get_type_of(args.string, args.filters)
show(results, result_details, args.string, args.analyze)
elif(args.filename is not None):
fl = open(args.filename[0],'r')
for line in fl.readlines():
results,result_details = get_type_of(line, args.filters)
print "%s : %s" % (line.strip('\n'), results)
if args.analyze:
for detail in result_details.keys():
print '\t',result_details[detail]
fl.close()
else:
parser.print_help()
#@TODO: add OS fingerprinting from shadow/SAM file parsing