Specific File Upload Target System Requirements
The file upload target type supports multiple hash types. The target file upload supports two different formats: normal text-file for common hash types or binary.
The tables below lists the support hash type formats. For detailed hash definitions, the vendor can provide test cases for each supported hash file format.
Supported hashing algorithms
The following sub-sections lists the supported hashing algorithms.
Android, Apple, Linux, Windows
| Android FDE <= 4.3 |
Android FDE (Samsung DEK) |
Apple File System (APFS) |
| Apple Secure Notes |
ArubaOS |
bcrypt $2*$, Blowfish (Unix) |
| descrypt, DES (Unix), Traditional DES |
Domain Cached Credentials 2 (DCC2), MS Cache 2 |
Domain Cached Credentials (DCC), MS Cache |
| FortiGate (FortiOS) |
GRUB 2 |
iTunes backup < 10.0 |
| iTunes backup >= 10.0 |
Juniper NetScreen/SSG (ScreenOS) |
Kerberos 5 AS-REP etype 23 |
| Kerberos 5 AS-REQ Pre-Auth etype 23 |
Kerberos 5 TGS-REP etype 23 |
LM |
| macOS v10.4, macOS v10.5, MacOS v10.6 |
macOS v10.7 |
NetNTLMv1 / NetNTLMv1+ESS |
| NetNTLMv2 |
NTLM |
Samsung Android Password/PIN |
| Windows Phone 8+ PIN/password |
Databases
| Lotus Notes/Domino 5 |
Lotus Notes/Domino 6 |
Lotus Notes/Domino 8 |
| MSSQL (2000) |
MSSQL (2005) |
MSSQL (2012, 2014) |
| MySQL CRAM (SHA1) |
MySQL323 |
MySQL4.1/MySQL5 |
| Oracle H: Type (Oracle 7+) |
Oracle S: Type (Oracle 11+) |
Oracle T: Type (Oracle 12+) |
| PostgreSQL |
PostgreSQL CRAM (MD5) |
HMAC
| HMAC-SHA1 (key = $pass) |
HMAC-SHA1 (key = $salt) |
TOTP (HMAC-SHA1) |
| IPMI2 RAKP HMAC-SHA1 |
HMAC-MD5 (key = $pass) |
HMAC-MD5 (key = $salt) |
| HMAC-SHA256 (key = $pass) |
HMAC-SHA256 (key = $salt) |
HMAC-Streebog-256 (key = $pass), big-endian |
| HMAC-Streebog-256 (key = $salt), big-endian |
HMAC-SHA512 (key = $pass) |
HMAC-SHA512 (key = $salt) |
| HMAC-Streebog-512 (key = $pass), big-endian |
HMAC-Streebog-512 (key = $salt), big-endian |
Message-Digest (MD)
| AIX {smd5} |
Apache $apr1$ MD5, md5apr1, MD5 (APR) |
Cisco-ASA MD5 |
Cisco-PIX MD5 |
CRAM-MD5 Dovecot |
CRAM-MD5 |
| Half MD5 |
IKE-PSK MD5 |
iSCSI CHAP authentication, MD5(CHAP) |
| MD4 |
MD5 |
md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) |
| md5($pass.$salt) |
md5($salt.$pass) |
md5($salt.$pass.$salt) |
| md5($salt.md5($pass)) |
md5($salt.md5($pass.$salt)) |
md5($salt.md5($salt.$pass)) |
| md5(md5($pass)) |
md5($salt.utf16le($pass)) |
md5(md5($pass).md5($salt)) |
md5(sha1($pass)) |
md5(strtoupper(md5($pass))) |
md5(utf16le($pass).$salt) |
| phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5) |
SIP digest authentication (MD5) |
Microsoft Office
| MS Office 2007 |
MS Office 2010 |
MS Office 2013 |
| MS Office <= 2003 $0/$1, MD5 + RC4 |
MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 |
MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 |
| MS Office <= 2003 $3/$4, SHA1 + RC4 |
MS Office <= 2003 $3, SHA1 + RC4, collider #1 |
MS Office <= 2003 $3, SHA1 + RC4, collider #2 |
PBKDF2
| PBKDF2-HMAC-SHA1 |
PBKDF2-HMAC-MD5 |
PBKDF2-HMAC-SHA256 |
| PBKDF2-HMAC-SHA512 |
macOS v10.8+ (PBKDF2-SHA512) |
Cisco-IOS $8$ (PBKDF2-SHA256) |
| MS-AzureSync PBKDF2-HMAC-SHA256 |
Ethereum Wallet, PBKDF2-HMAC-SHA256 |
Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256 |
| Atlassian (PBKDF2-HMAC-SHA1) |
Django (PBKDF2-SHA256) |
PDF
| PDF 1.1 - 1.3 (Acrobat 2 - 4) |
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1 |
PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2 |
| PDF 1.4 - 1.6 (Acrobat 5 - 8) |
PDF 1.7 Level 3 (Acrobat 9) |
PDF 1.7 Level 8 (Acrobat 10 - 11) |
SHA
| SHA1 |
Django (SHA-1) |
sha1(CX) |
| sha1(sha1($pass)) |
sha1($pass.$salt) |
sha1($salt.$pass) |
| sha1(md5($pass)) |
sha1(md5(md5($pass))) |
sha1($salt.sha1($pass)) |
| sha1($salt.$pass.$salt) |
sha1(utf16le($pass).$salt) |
sha1($salt.utf16le($pass)) |
| SHA2-224 |
SHA2-256 |
sha256($pass.$salt) |
| sha256($salt.$pass) |
sha256(utf16le($pass).$salt) |
sha256($salt.utf16le($pass)) |
| sha256crypt $5$, SHA256 (Unix) |
SSHA-256(Base64), LDAP {SSHA256} |
SSHA-512(Base64), LDAP {SSHA512} |
| SHA2-512 |
sha512($pass.$salt) |
sha512($salt.$pass) |
| sha512(utf16le($pass).$salt) |
sha512($salt.utf16le($pass)) |
sha512crypt $6$, SHA512 (Unix) |
| Keccak-224 |
Keccak-256 |
Keccak-384 |
| Keccak-512 |
SHA3-224 |
SHA2-384 |
| SHA3-256 |
SHA3-384 |
SHA3-512 |
| AIX {ssha1} |
AIX {ssha256} |
AIX {ssha512} |
| JKS Java Key Store Private Keys (SHA1) |
nsldap, SHA-1(Base64), Netscape LDAP SHA |
nsldaps, SSHA-1(Base64), Netscape LDAP SSHA |
| AxCrypt in-memory SHA1 |
IKE-PSK SHA1 |
Cisco-IOS type 4 (SHA256) |
| Juniper/NetBSD sha1crypt |
Open Document Format (ODF) 1.1 (SHA-1, Blowfish) |
Open Document Format (ODF) 1.2 (SHA-256, AES) |
SAP
| SAP CODVN B (BCODE) |
SAP CODVN B (BCODE) mangled from RFC_READ_TABLE |
SAP CODVN H (PWDSALTEDHASH) iSSHA-1 |
| SAP CODVN F/G (PASSCODE) |
SAP CODVN F/G (PASSCODE) mangled from RFC_READ_TABLE |
TrueCrypt
| TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit |
TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 1024 bit |
TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 1536 bit |
| TrueCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit |
TrueCrypt PBKDF2-HMAC-SHA512 + XTS 1024 bit |
TrueCrypt PBKDF2-HMAC-SHA512 + XTS 1536 bit |
| TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit |
TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 1024 bit |
TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 1536 bit |
| TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit + boot-mode |
TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 1024 bit + boot-mode |
TrueCrypt PBKDF2-HMAC-RIPEMD160 + XTS 1536 bit + boot-mode |
VeraCrypt
| VeraCrypt PBKDF2-HMAC-RIPEMD160 + XTS 512 bit |
VeraCrypt PBKDF2-HMAC-RIPEMD160 + XTS 1024 bit |
VeraCrypt PBKDF2-HMAC-RIPEMD160 + XTS 1536 bit |
| VeraCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit |
VeraCrypt PBKDF2-HMAC-SHA512 + XTS 1024 bit |
VeraCrypt PBKDF2-HMAC-SHA512 + XTS 1536 bit |
| VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit |
VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 1024 bit |
VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 1536 bit |
| VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit |
VeraCrypt PBKDF2-HMAC-SHA256 + XTS 1024 bit |
VeraCrypt PBKDF2-HMAC-SHA256 + XTS 1536 bit |
| VeraCrypt PBKDF2-HMAC-Streebog-512 + XTS 512 bit |
VeraCrypt PBKDF2-HMAC-Streebog-512 + XTS 1024 bit |
VeraCrypt PBKDF2-HMAC-Streebog-512 + XTS 1536 bit |
WIFI
| WPA-PMKID-PMK |
WPA-PMKID-PBKDF2 |
WPA-EAPOL-PBKDF2 |
WPA-EAPOL-PMK |
Zip / RAR
| 7-Zip |
RAR3-hp |
RAR5 |
WinZip |
Others
| 1Password, agilekeychain |
1Password, cloudkeychain |
3DES (PT = $salt, key = $pass) |
| Ansible Vault |
AxCrypt |
Bitcoin/Litecoin wallet.dat |
| BLAKE2b |
Blockchain, My Wallet |
Blockchain, My Wallet, V2 |
| BSDi Crypt, Extended DES |
ChaCha20 |
Cisco-IOS $9$ (scrypt) |
| Citrix NetScaler |
ColdFusion 10+ |
CRC32 |
| DES (PT = $salt, key = $pass) |
DNSSEC (NSEC3) |
DPAPI masterkey file v1 |
| DPAPI masterkey file v2 |
Drupal7 |
eCryptfs |
| Electrum Wallet (Salt-Type 1-3) |
Episerver 6.x < .NET 4 |
Episerver 6.x >= .NET 4 |
| Ethereum Wallet, SCRYPT |
FileVault 2 |
FileZilla Server >= 0.9.55 |
| GOST R 34.11-2012 (Streebog) 256-bit, big-endian |
GOST R 34.11-2012 (Streebog) 512-bit, big-endian |
GOST R 34.11-94 |
| hMailServer |
IPB2+ (Invision Power Board), MyBB 1.2+ |
Joomla < 2.5.18 |
| Juniper IVE |
JWT (JSON Web Token) |
KeePass 1 (AES/Twofish) and KeePass 2 (AES) |
| LastPass + LastPass sniffed |
MediaWiki B type |
OpenCart |
| osCommerce, xt:Commerce |
Password Safe v2 |
Password Safe v3 |
| PeopleSoft PS_TOKEN |
PeopleSoft |
PHPS |
| Plaintext |
PrestaShop |
PunBB |
| RACF KDFAES |
RACF |
Radmin2 |
| Redmine |
RIPEMD-160 |
scrypt |
| SipHash |
Skip32 (PT = $salt, key = $pass) |
Skype |
| SMF (Simple Machines Forum) > v1.1 |
Sybase ASE |
TACACS+ |
| Tripcode |
vBulletin < v3.8.5 |
vBulletin >= v3.8.5 |
| WBB3 (Woltlab Burning Board) |
Whirlpool |
Binary files
For the following hash types, it is required to upload binary files, which correspond to the generic binary data that the hash types provide:
- Password Safe v2 (e.g. *.psafe2.dat)
- Password Safe v3 (e.g. *.psafe3)
- LUKS (e.g. *.luks)
- TrueCrypt (e.g. *.tc)
- VeraCrypt (e.g. *.vc)
- WPA-EAPOL-PBKDF2 (e.g. *.hccapx)
- WPA-EAPOL-PMK (e.g. *.hccapx)
Requirements
Besides the above exceptions, to audit passwords for all entries in the table above, place hashes of the same type in files, using the following format, replacing (TAB) with actual tab characters:
USERNAME(TAB)PASSWORD HASH(TAB)ADDITIONAL INFORMATION
Please note that the ADDITIONAL INFORMATION field is required, even if it is empty (each line should always contain two tabs). An example hash file for the (DCC) MSS Cache type is presented below, for reference.
user1 c90eebd29df7a8c258a68fa47ad7ad52:584700
user2 c896b3c6963e03c86ade3a38370bbb09:54161084332
user3 ce8ce2a695a5507d45d029fbdb2dd194:217
user4 4be6800d34cb2f435b144a633713dc3f:3785364726411041
user5 2dc45c734faf70308c951466f5a105b3:236054675134201220
user6 2ad25e56ca33e279ed031695a7813903:0363
user7 bf5d175d500bd473c7ada3e50d9b997d:61
user8 d18f9088886621b55332ef785f0be834:53044850
user9 e4bae8fc2f44005513baed8d9e6ec80b:1467307
user10 97d51748fb6e85dbd9ef346aef5863d1:8560086335435