I am trying to use DD for Windows to obtain the hash of a non-system partition that was encrypted via Veracrypt, but have run into a bit of a problem.
The command I used to get the hash of the encrypted partition looks like this
dd if=\?\Device\HarddiskVolume11 of=hash_output.txt bs=512 count=1
And this command (in theory) should create a file called hash_output.txt that contains the encrypted hash that should, for example, look something similar to this:
However, the output I am getting when issuing the DD command above looks more like this:
fb55 d397 2879 2f55 7653 24a3 c250 14d3 3711 7109 e563 617f ab73 f11a 3469 33bb
Which is obviously not the hash I was expecting so I am hoping someone might be able to help me figure out what I am doing wrong.
Some things to note:
- I am 100% positive that the drive I am selecting in the DD command is the right drive.
- There is only 1 encrypted partition on the drive that spans the entire size of the drive.
- There is no physical / functional damage to the drive which would cause this issue.
- This on an external 1tb drive that is connected via usb 3.0 (I have tried other cables and ports).
- The same DD command worked fine for a test drive that I encrypted using the same parameters that were set for this drive.
Based on my research it looks like 2008 R2 AD hashes passwords using MD4. That can’t be right…right? That is an ancient algorithm. If that is the case, what protections are in place for passwords in 2008 R2 AD?
I’m working on an API that I’d like to be accessible internally by other servers as well as devices that I consider both as confidential private clients. Devices are considered private clients because the client_secret is stored in an encrypted area that prevents from unauthorised readout and modification (even though nothing is never bullet proof)
For auth, I’d like to use OAuth2 with the
client_credentials grant that seems to be a very good fit for these use cases. However I’m wondering how flexible is the standard regarding sharing the client_secret.
Basically the RFC doesn’t say much about sending your client id / client secret, it just offers an example here: https://tools.ietf.org/html/rfc6749#section-4.4.2 which is very simple by using the following header Authorization Basic: base64(client_id:client_secret)
In my opinion, it could be slightly more secure by computing a hash:
- the client requests a random to the server by sending their client_id
- the server replies with a random code (valid for like 10 mins, just like an authorization code)
- the client computes a hash = sha256(client_id, client_secret, code) and asks for a token
- the server computes the same hash, compares the client hash with the computed hash and sends an access token if they match
It would add an extra layer of security in case https is somehow broken or if anyone is able to read the header somehow.
However it doesn’t seem very OAuth2 compliant and I don’t really like re-inventing a standard. Another option would be to create my own extention grant, I’m just wondering if it’s really worth it, like no one seems to have done this.
Also, if I want to share my API with a 3rd party app, not sure it’s a good thing to force them into using something non really standard.
Please hear me out. I used to scoff at people who asked this question because client-side hashing is “so obviously wrong.” I have read similar questions on this site but haven’t found a satisfactory answer.
Why hash on the server instead of the client?
If the goal is to prevent someone with access to the password database from logging in, then server-side hashing is an absolute must (otherwise someone could just send to the server whatever they stole from the passwords database).
However, my understanding is that the purpose of hashing is to help people who share the same password across many sites. When a password is properly hashed & salted, an attacker cannot as easily brute force the plaintext password then try it on a bunch of other websites.
If mitigating password-reuse attacks is the goal, apart from clients having less hashing power, hashing & salting  on the client side makes sense because it means that even a fully compromised server would never see a client’s plaintext password.
What am I missing?
 salting is important so that a compromised server cannot re-use hashes to log into other services hashing passwords on the client
I read the following in CLRS 3rd Edition (Section 11.5, “Perfect Hashing“):
How does the choice of $ m_j = n^2_j$ lead to no collisions?
Given a hash function H, it’s possible that H(a) = H(b) = c
Let’s assume we have a big data set [N1 … Nk], with K items and we hash each item in this set
After operation is done, we’d get a set of hashes [H1 … Hm] where m < k, meaning we had collisions
What would be the most memory-efficient way(without storing all of hashes and hashed items) to determine if we’ve ever hashed item X before and if we did, did it collide with anything?
Is it even possible to relax memory constrains on such kind of task?
I’m attempting to learn C++ right now, but I am struggling on this project from here: https://ucsb-cs32.github.io/f19/lab/lab04a/
I’m desperate for help right now, as I have no idea how to do it. If anybody would be so kind as to explain how to do this project in detail, that would be wonderful.
This might be a very easy question. Let’s consider cryptograhic hash functions with the usual properties, weak and strong collision resistance and preimage resistance.
For any given output, obviously there are multiple inputs. But is that necessarily an infinite number of preimages, for any given hash value?
How would I go about giving a formal proof that there exists no crypto hash function h() such that there is a given value v = h(m*) for which the possible set of inputs m* is finite? Would this necessarily break collision resistance?
I have a list of malicious hashes. I want to scan the end system with that list to find if the file is present. Please let me know if any script available for same
I have a router
Huawei HG8145V5 and I backup config file in order to find root password, but I found that password is encrypted and here is how does it look like
UserName="root" Password="$ 2tMx=+eY3+*g46l*b@Uk<3YN$ L`<#K!j(5a%(5\G1ma7;;hP=RH.:q[XMze!FL43,O#}Fz9zLFQ6/>!:)aHY:QL/Bg<TMj(5^U2$ I$ " Salt="8d72593e65eac9eccfc75ce7"
I tried SHA256(MD5(password)) but its not sha256 its something diferent