
hashID

hashID is a Python-based hash identification tool that recognizes 220+ hash types and formats. It helps pentesters, forensics analysts, and security researchers quickly identify hash algorithms before selecting appropriate cracking tools like Hashcat or John the Ripper.

# Install from source
git clone https://github.com/psneuzil/hashID.git
cd hashID
python3 hashid.py --help

# Install with pip
pip install hashid

# Run with Docker
docker run -it --rm psneuzil/hashid <hash>

# Interactive mode - paste hash at prompt
python3 hashid.py

# Identify specific hash
python3 hashid.py "5f4dcc3b5aa765d61d8327deb882cf99"

# Identify from file
python3 hashid.py -f hashes.txt

# Quiet mode - minimal output
python3 hashid.py "hash_here" -q

$ python3 hashid.py "5f4dcc3b5aa765d61d8327deb882cf99"
Analyzing '5f4dcc3b5aa765d61d8327deb882cf99'
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)

| Hash Type | Length | Example |
|---|---|---|
| MD5 | 32 hex | `5f4dcc3b5aa765d61d8327deb882cf99` |
| SHA-1 | 40 hex | `356a192b7913b04c54574d18c28d46e6395428ab` |
| SHA-256 | 64 hex | `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` |
| SHA-512 | 128 hex | `cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e` |
| NTLM | 32 hex | `5f4dcc3b5aa765d61d8327deb882cf99` |
| bcrypt | Variable | `$2a$10$Dex8PPccx92u8.jVewYM2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW` |
| Kerberos 5 TGT | Special format | `$krb5tgs$23$*user$realm$spn*$...` |
| NetNTLMv2 | Special format | `user::DOMAIN:...` |
| MySQL | 40 hex | `*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B` |
| MSSQL (2000/2005) | 40 hex | `0x0100A607BA7C54A24D17B565BAFCC390F216C8CCB` |
| Oracle 10g+ | 32 hex | `S:8F2D9E8F8F2D9E8F8F2D9E8F8F2D9E8FA1B2C3D4` |
| PostgreSQL | Variable | `md5abcd1234...` |
| WordPress | 32 hex | `5f4dcc3b5aa765d61d8327deb882cf99` |
| WPA-PBKDF2 | 256+ hex | `ESSID:...` |
| LM Hash | 32 hex | `AABBCCDD...` |
| DES Crypt | Variable | `$1$...` |

# Identify all hashes in a file (one per line)
python3 hashid.py -f hashes.txt

# Save results to file
python3 hashid.py -f hashes.txt > results.txt

# Identify and show hashcat modes
python3 hashid.py -f hashes.txt -m

# One hash per line
cat hashes.txt
5f4dcc3b5aa765d61d8327deb882cf99
356a192b7913b04c54574d18c28d46e6395428ab
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Show Hashcat mode numbers for cracking
python3 hashid.py "hash" -m

# Example output:
# [+] MD5 [Hashcat Mode: 0]
# [+] MD4 [Hashcat Mode: 900]
# [+] Double MD5 [Hashcat Mode: 2600]

# Show John format identifiers
python3 hashid.py "hash" -j

# Example output:
# [+] MD5 [JtR Format: raw-md5]
# [+] SHA-1 [JtR Format: raw-sha1]

# Show all possible algorithms including unlikely ones
python3 hashid.py "hash" -e

# Useful when standard identification is ambiguous

# Output in JSON format for scripting
python3 hashid.py "hash" --json

# Example:
# {"hash": "5f4dcc3b5aa765d61d8327deb882cf99", "algorithms": ["MD5", "MD4", ...]}

# 1. Identify hash type
python3 hashid.py "hash" -m
# Output: [Hashcat Mode: 0]

# 2. Crack with identified mode
hashcat -m 0 -a 0 hash.txt wordlist.txt

# 3. Crack with rules
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules.txt

# 4. Brute force (small keyspace); the mask is quoted so the shell does not glob it
hashcat -m 0 -a 3 hash.txt '?a?a?a?a'

# 1. Identify hash type
python3 hashid.py "hash" -j
# Output: [JtR Format: raw-md5]

# 2. Crack with identified format
john --format=raw-md5 hash.txt --wordlist=wordlist.txt

# 3. Show cracked passwords
john --format=raw-md5 hash.txt --show

# 4. Brute force attempt
john --format=raw-md5 hash.txt --incremental

# NTLM (Windows password hashes)
python3 hashid.py "aabbccdd1234567890abcdef12345678"
# Output will show NTLM, MD4, MD5 possibilities
# Use -m to get Hashcat mode 1000 (NTLM)

# bcrypt format (automatically detected by $2a/$2b/$2y)
python3 hashid.py '$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW'
# [+] bcrypt [JtR Format: bcrypt] [Hashcat Mode: 3200]

# Kerberos 5 TGT format
python3 hashid.py '$krb5tgs$23$*user$REALM$service*$hash...'
# [+] Kerberos 5 TGT [Hashcat Mode: 13100]

# MSSQL 2012+ (SHA2-based)
python3 hashid.py '0x0200...'
# [+] MSSQL (2012, 2014) [Hashcat Mode: 1731]

# NetNTLMv2 from Responder capture
python3 hashid.py -f responder_hashes.txt -m
# Quickly identify all captured hashes with Hashcat modes

# 1. Try extended mode to see all possibilities
python3 hashid.py "hash" -e

# 2. Check hash format/length - ensure it's complete
# (printf, unlike echo, adds no trailing newline to the count)
printf '%s' "hash" | wc -c

# 3. Try online tools as secondary check
# https://hashes.com/en/tools/hash_identifier

# Use context clues:
# - Source (Windows = NTLM likely)
# - Length (64 chars = SHA-256 or bcrypt header)
# - Format ($2a$ = bcrypt, $krb5 = Kerberos)

# Use Hashcat mode testing
hashcat -m 0 hash.txt wordlist.txt --workload-profile=1
hashcat -m 900 hash.txt wordlist.txt --workload-profile=1
# Try different modes until one cracks

| Feature | hashID | hash-identifier | name-that-hash |
|---|---|---|---|
| Hash Types | 220+ | 100+ | Similar to hashID |
| Hashcat Modes | Yes | No | Yes |
| John Formats | Yes | No | Yes |
| Installation | pip/git | perl script | pip |
| Speed | Fast | Fast | Fast |
| GUI | No | No | GUI available |

# Always identify hash type first
python3 hashid.py "hash" -m > modes.txt

# Prevents wasting time on wrong attack modes
# Hashcat mode mismatch = no cracks

# 32-character hex strings are common for multiple algorithms
python3 hashid.py "5f4dcc3b5aa765d61d8327deb882cf99" -e

# Extended mode shows LM, DES, Snefru, Tiger, etc.

# Ensure hash format is valid
echo "hash" | grep -E '^[a-fA-F0-9]+$'

# Remove formatting: spaces, tabs and carriage returns (CRLF line endings)
tr -d ' \t\r' < hashes.txt > hashes_clean.txt

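The length and format clues from the troubleshooting notes, together with the cleanup and validity check above, written out as one small triage function. This is an added example, not hashID's code or rule set: the patterns and candidate lists are simplified assumptions, and the sample values are taken from the table on this page plus one constructed truncated digest.

```python
import re

# Structured formats carry their own marker, so one pattern gives one answer.
# Simplified patterns for illustration (assumption, not hashID's own rules).
PREFIXED = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("Kerberos 5 $krb5tgs$", re.compile(r"^\$krb5tgs\$\d+\$")),
    ("MySQL", re.compile(r"^\*[0-9A-Fa-f]{40}$")),
    ("PostgreSQL", re.compile(r"^md5[0-9a-f]{32}$")),
]

# A raw hex digest reveals only its length: every algorithm with that output
# size stays a candidate (short subset listed), and context has to decide.
HEX_BY_LENGTH = {
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256"],
    128: ["SHA-512", "Whirlpool"],
}

def normalise(raw):
    """Drop surrounding whitespace and quotes left over from copy/paste."""
    return raw.strip().strip("'\"")

def candidates(raw):
    """Return (candidate list, reason) for one hash string."""
    h = normalise(raw)
    for name, pattern in PREFIXED:
        if pattern.match(h):
            return [name], "format marker"
    if re.fullmatch(r"[0-9A-Fa-f]+", h):
        if len(h) in HEX_BY_LENGTH:
            return HEX_BY_LENGTH[len(h)], "length only"
        return [], f"hex but unusual length {len(h)}: possibly truncated"
    return [], "unrecognised"

if __name__ == "__main__":
    # Sample input: values from the table on this page, plus one digest
    # deliberately truncated by a character (constructed).
    samples = [
        "5f4dcc3b5aa765d61d8327deb882cf99",
        " 356a192b7913b04c54574d18c28d46e6395428ab\n",
        "$2a$10$Dex8PPccx92u8.jVewYM2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
        "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B",
        "5f4dcc3b5aa765d61d8327deb882cf9",
    ]
    for s in samples:
        print(repr(normalise(s)), "->", candidates(s))
```

A "length only" result means the string alone cannot separate the candidates; a "format marker" result comes from the hash's own prefix.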
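# Chain with Hashcat: pull the number out of each "[Hashcat Mode: N]" tag
# (splitting on ': ' alone would leave a trailing ']' on the value)
python3 hashid.py -f hashes.txt -m | \
  sed -n 's/.*\[Hashcat Mode: \([0-9]*\)\].*/\1/p' | \
  sort -un | \
  xargs -I {} hashcat -m {} hashes.txt wordlist.txt

# Pipe to JtR: pull the name out of each "[JtR Format: name]" tag
python3 hashid.py -f hashes.txt -j | \
  sed -n 's/.*\[JtR Format: \([^]]*\)\].*/\1/p' | \
  sort -u | \
  xargs -I {} john --format={} hashes.txt

  • MD5, MD4, MD2, MD1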
  • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
  • RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320
  • Whirlpool, Tiger, Haval
  • bcrypt, scrypt, Argon2, PBKDF2
  • Kerberos (TGT, AS-REQ)
  • NTLM, NetNTLM, NetNTLMv2
  • MySQL, PostgreSQL, MSSQL, Oracle
  • WordPress, Joomla, Drupal
  • WPA, WPA2, WPA3
  • DES, 3DES, Blowfish
  • And 170+ more algorithm variations