kingfisher/crates/kingfisher-rules/data/rules/hashes.yml

rules:
  - name: Password Hash (md5crypt)
    id: kingfisher.pwhash.1
    pattern: '(\$1\$[./A-Za-z0-9]{8}\$[./A-Za-z0-9]{22})'
    references:
      - https://en.wikipedia.org/wiki/Crypt_(C)#MD5-based_scheme
      - https://unix.stackexchange.com/a/511017
      - https://hashcat.net/wiki/doku.php?id=example_hashes
      - https://passwordvillage.org/salted.html#md5crypt
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.3
    confidence: medium
    examples: # generated with `openssl passwd -1 -salt 'OKgLCmVl' 'a'`
      - '$1$OKgLCmVl$d02jECa4DXn/oXX0R.MoQ/'
      - '$1$28772684$iEwNOgGugqO9.bIz5sk8k/'
  - name: Password Hash (bcrypt)
    id: kingfisher.pwhash.2
    # Format from Wikipedia:
    #   $2<a/b/x/y>$[cost]$[22 character salt][31 character hash]
    pattern: '(\$2[abxy]\$\d+\$[./A-Za-z0-9]{53})'
    references:
      - https://en.wikipedia.org/wiki/Bcrypt
      - https://hashcat.net/wiki/doku.php?id=example_hashes
    min_entropy: 3.3
    confidence: medium
    examples:
      - '$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW'
      - '$2a$05$/VT2Xs2dMd8GJKfrXhjYP.DkTjOVrY12yDN7/6I8ZV0q/1lEohLru'
      - '$2a$05$Uo385Fa0g86uUXHwZxB90.qMMdRFExaXePGka4WGFv.86I45AEjmO'
      - '$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6'
      - '$2y$12$atWJ1Nx6ep65tNx0YIJ4I.jzgI86znQbNRI3lF0qIt/XCYnEPxSc2'
  - name: Password Hash (sha256crypt)
    id: kingfisher.pwhash.3
    pattern: |
      (?x)
      (
      \$ 5
      (?: \$ rounds=\d+ )?
      \$ [./A-Za-z0-9]{8,16}
      \$ [./A-Za-z0-9]{43}
      )
    pattern_requirements:
      min_digits: 2
    references:
      - https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt
      - https://hashcat.net/wiki/doku.php?id=example_hashes
      - https://passwordvillage.org/salted.html#sha256crypt
    min_entropy: 3.3
    confidence: medium
    examples:
      - '$5$rounds=5000$GX7BopJZJxPc/KEK$le16UF8I2Anb.rOrn22AUPWvzUETDGefUmAV8AZkGcD'
      - '$5$9ks3nNEqv31FX.F$gdEoLFsCRsn/WRN3wxUnzfeZLoooVlzeF4WjLomTRFD'
      - '$5$KAlz5SULZNybHwil$3UgmS1pmo2r5HG.tjbjzoVxISBh8IH81d.bJh4MCC19'
  - name: Password Hash (sha512crypt)
    id: kingfisher.pwhash.4
    pattern: |
      (?x)
      (
      \$ 6
      (?: \$ rounds=\d+ )?
      \$ [./A-Za-z0-9]{8,16}
      \$ [./A-Za-z0-9]{86}
      )
    pattern_requirements:
      min_digits: 2
    references:
      - https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt
      - https://hashcat.net/wiki/doku.php?id=example_hashes
      - https://passwordvillage.org/salted.html#sha512crypt
    min_entropy: 3.3
    confidence: medium
    examples:
      - '$6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/'
      - '$6$qoE2letU$wWPRl.PVczjzeMVgjiA8LLy2nOyZbf7Amj3qLIL978o18gbMySdKZ7uepq9tmMQXxyTIrS12Pln.2Q/6Xscao0'
  - name: Password Hash (Cisco IOS PBKDF2 with SHA256)
    id: kingfisher.pwhash.5
    pattern: |
      (?x)
      (
      \$ 8
      \$ [./A-Za-z0-9]{8,16}
      \$ [./A-Za-z0-9]{43}
      )
    pattern_requirements:
      min_digits: 2
    references:
      - https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt
      - https://hashcat.net/wiki/doku.php?id=example_hashes
    min_entropy: 3.3
    confidence: medium
    examples:
      - '$8$TnGX/fE4KGHOVU$pEhnEvxrvaynpi8j4f.EMHr6M.FzU8xnZnBr/tJdFWk'
      - '$8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.'
  - name: Password Hash (Kerberos 5, etype 23, AS-REP)
    id: kingfisher.krb5.asrep.23.1
    pattern: |
      (?x)
      (
      \$ krb5asrep
      \$ 23
      \$
      (?: [^:]+ : )?
      [0-9a-f]{32}
      \$ [0-9a-f]{64,}
      )
    pattern_requirements:
      min_digits: 2
    references:
      - https://hashcat.net/wiki/doku.php?id=example_hashes
    min_entropy: 3.3
    confidence: medium
    examples: # Kerberos 5, etype 23, AS-REP
      - '$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac'
      - '$krb5asrep$23$8cf8eb5287e28a4006c064892150c4fb$3e05ecc13548bec8e1eeb900dea5429cc6931bae9b8524490eb3a8801560871fe44355ed556202afbb39872e1bbb5c3c4f1b37dcd68fda89a23ebad917d4bbb0933edd94331598939e5d0c0c98c7e219a2e9dd6b877280d1bd7c51131413be577a167208bcc21e9fe7ae8f393278d740e72ca5c44c42d5cb0bf6bab0a36f1b88b7ddc4abbc6f152e652f6ba35c2955fb4132e11b7e566f3b422c3740f79847b77783d245a4e570b8a621b4ff6ff4815566446af70313ee78133707a76a4e4424783bd7c04920aa822a1a36b29f7e25cef186e6439fc46e42e23d6bd918969ef49b8388aef158e443b3a57dbde7ada631fbef7326f9046a9b'
      - '$krb5asrep$23$c447eddaebf22ebf006a8fc6f986488c$eb3a17eb56287b474cecad5d4e0490d949977ba3f5015220bcd3080444d5601d67b76c5453b678e8527624e40c273bea4cfe4a7303e136b9bc3b9e63b6fb492ee4b4d2f830c5fa5a55466b57a678f708438f6712354a2deb851792b09270f4941966b82a2fd5ad8fa1fbd95a60b0f9bcd57774b3e55467a02ffcb3f1379104c24e468342f83df20b571e6f34f9a9842b43735d58d94514dcefa76719c0f5c7c3a3bfa770380924625aa0a3472d7c02d10dbb278fd946f7efcfe59a4d4cb7bdb9c5dbddc027611fe333d3ac940ec5b4ed43b55ab54b03cd2df0a9a2a7b5d235c226b259bd5ff8e0e49680351d4f0c4d13e258bc8d383cad6fc2711be0'
      - '$krb5asrep$23$771adbc2397abddef676742924414f2b$2df6eb2d9c71820dc3fa2c098e071d920f0e412f5f12411632c5ee70e004da1be6f003b78661f8e4507e173552a52da751c45887c19bc1661ed334e0ccb4ef33975d4bd68b3d24746f281b4ca4fdf98fca0e50a8e845ad7d834e020c05b1495bc473b0295c6e9b94963cb912d3ff0f2f48c9075b0f52d9a31e5f4cc67c7af1d816b6ccfda0da5ccf35820a4d7d79073fa404726407ac840910357ef210fcf19ed81660106dfc3f4d9166a89d59d274f31619ddd9a1e2712c879a4e9c471965098842b44fae7ca6dd389d5d98b7fd7aca566ca399d072025e81cf0ef5075447687f80100307145fade7a8'
      - '$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac'