ZeroTrace OSINT

Hash Detector

Identify the algorithm of a hash string from its format alone — with Hashcat / John mode IDs and crackability hints.

The hash detector takes a hash string and identifies which algorithm produced it. It is the right tool when a hash arrives in a report or a log and you need to know what to do with it.

What you get

For any hash string:

Field | What it tells you
--- | ---
Candidate algorithms | Ranked list of algorithms whose output matches this format
Length | The length in characters and bytes
Encoding | Hex / Base64 / Base32 / other
Hashcat mode ID | The numeric mode for Hashcat (per algorithm)
John format | The format string for John the Ripper
Sample format | A canonical example of the same algorithm's output
Crackability hint | Rough order-of-magnitude hashes/sec on commodity GPU
bcrypt cost factor | When applicable, parsed from the hash

How identification works

The detector looks at:

  • Length — most hash families have a characteristic length (32 hex chars for MD5, 40 for SHA-1, 64 for SHA-256).
  • Character set — hex / base64 / specific-format markers.
  • Format-specific prefixes: $2a$ / $2b$ / $2y$ for bcrypt, $argon2id$ for Argon2, $1$ / $5$ / $6$ for Unix crypt, {SSHA} for LDAP, etc.
  • Internal structure — formats with embedded salt, iterations, or version markers.

Confidence is high for format-specific algorithms (anything with a prefix). Confidence is medium for ambiguous lengths — a 32-character hex string might be MD5, NTLM, MD4, or RIPEMD-128.
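
The checks above as an added Python example (not the tool's own code): prefixes are tested first, then character set and length, and the bcrypt cost is read from the hash's internal structure. The function name `identify`, the result keys, the candidate labels and the sample inputs are assumptions constructed for illustration.

```python
import re

# Prefix-marked formats are checked first: the marker names the algorithm.
PREFIXED = [
    (re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    (re.compile(r"^\$argon2id\$"), "Argon2id"),
    (re.compile(r"^\$1\$"), "Unix crypt $1$"),
    (re.compile(r"^\$5\$"), "Unix crypt $5$"),
    (re.compile(r"^\$6\$"), "Unix crypt $6$"),
    (re.compile(r"^\{SSHA\}"), "LDAP {SSHA}"),
]
# Bare hex digests: length is the only signal, so candidates can be plural.
HEX_BY_LENGTH = {
    32: ["MD5", "NTLM", "MD4", "RIPEMD-128"],
    40: ["SHA-1"],
    64: ["SHA-256"],
}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def identify(value):
    """Return candidate algorithms for one hash string, from format alone."""
    h = value.strip()
    result = {"length": len(h), "candidates": [], "confidence": "none"}
    for pattern, name in PREFIXED:
        match = pattern.match(h)
        if match:
            result.update(candidates=[name], confidence="high")
            if name == "bcrypt":
                # Internal structure: two-digit cost follows the version marker.
                result["cost"] = int(match.group(1))
            return result
    if HEX_RE.fullmatch(h) and len(h) in HEX_BY_LENGTH:
        # Assumption: every unprefixed digest is reported as medium confidence.
        result.update(candidates=list(HEX_BY_LENGTH[len(h)]),
                      confidence="medium", encoding="hex", bytes=len(h) // 2)
    return result


# Constructed inputs (format-valid filler, not real hashes).
SAMPLES = ["$2b$12$" + "a" * 53, "ab" * 16, "ab" * 20, "not-a-hash"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:20], identify(s))
```

A string that carries a bcrypt marker but has the wrong body length matches no pattern here and comes back with no candidates, rather than being reported as bcrypt on the strength of the prefix alone.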

Hashcat / John mode IDs

Each candidate algorithm shows the corresponding Hashcat mode and John format. One-click "copy as Hashcat command" / "copy as John command" affordances assemble:

  • hashcat -m <mode> -a 0 hash.txt wordlist.txt
  • john --format=<format> hash.txt

— ready to paste into your terminal in a controlled cracking environment.

Generating cracking commands is for authorised password-recovery use cases — your own systems, agreed-upon engagements, recovery of your own forgotten password. Cracking hashes from systems you do not have permission to test is illegal in most jurisdictions.

bcrypt cost factor

For bcrypt hashes, the cost factor (work factor) is parsed and surfaced:

  • Cost 4-8: Fast, low security. Modern recommendation is to upgrade.
  • Cost 10-12: Common modern default. Acceptable.
  • Cost 13+: High security. Slow.

For OSINT triage, the cost factor tells you how the system was configured — a list of bcrypt-4 hashes implies a misconfigured (or very old) application.

Crackability hint

A rough order-of-magnitude estimate of how many hashes per second a commodity GPU can compute for the algorithm. Useful for sanity-checking expected cracking time:

  • MD5 / SHA-1: billions per second. Brute-forceable for short passwords.
  • NTLM: billions per second. Same story.
  • SHA-256 / SHA-512: hundreds of millions per second. Slower but still fast.
  • bcrypt cost 10: hundreds per second. Slow by design.
  • Argon2: tens per second. Slow by design, memory-hard.

These are illustrative — actual rates depend heavily on hardware. The hint exists to differentiate "minutes of cracking" from "decades of cracking."

Bulk hash detection

Bulk paste accepts a list of hashes (one per line). The aggregate table shows the candidate algorithm per hash, plus the dominant algorithm across the set if the list is consistent.

For a leak file full of hashes, this tells you immediately what algorithm the source application used.

Pivots

Click on... | Pivot to
--- | ---
Hash | (no pivot — copy and use externally)
Hashcat mode | (no pivot — copy command externally)
Sample format | (no pivot — informational)

Sources

All detection is local. The tool ships with a hash-format catalog covering the major algorithms (MD5, SHA family, NTLM, LM, bcrypt, scrypt, Argon2, Unix crypt variants, LDAP variants, vBulletin, MySQL, Postgres, Oracle, SAP, Cisco, Juniper, common WiFi formats, JWT, and more).
