1

I am trying to crack a number of passwords that have been hashed using SHA-256.

I have the hashes available and I also have the possibilities in which the password can be. Some of these possibilities include;

  1. a lower case English word
  2. a simple lower case name such as bob or alice.
  3. a combination of 4 alphanumerical values with special characters e.g ro@!, f6&h

So for example I have hash

9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08

and I want to get the password using an algorithm (one which I will code in Java) to get the password:

test

I am asking to see where to start in how I can complete this task.

I first thought to calculate all the hashes for the password possibilities and cross-reference with the hashes given to me but this does not seem to be the right answer as it would take too long.

Is there any other way to go about cracking these passwords?

schroeder
  • 123,438
  • 55
  • 284
  • 319
user193292
  • 11
  • 1
  • 2
  • Are you doing this as an exercise in writing code or simply looking to crack the hash as fast as possible? If the latter, you need to investigate a piece of software called 'Hashcat', specifically, a 'rule-based attack'. https://hashcat.net/wiki/doku.php?id=rule_based_attack –  Dec 10 '18 at 17:18
  • There are databases of English first names (and other language group names), and the 4-character combination is simple to create a wordlist for (82*4 entries). And if you go with the top 10,000 most common English words, you are not talking about a long hash list if you combine them all together – schroeder Dec 10 '18 at 17:47
  • What is the "goal" of the algorithm? Are there requirements or specifications? A straight brute force seems logical here. – schroeder Dec 10 '18 at 17:52
  • 1
    "I first thought to calculate all the hashes for the password possibilities and cross-reference with the hashes given to me but this does not seem to be the right answer as it would take too long." That's generally how it's done. Why do you think it will take too long? You may be underestimating exactly how fast a SHA-256 hash can be calculated on modern hardware. :-) – Ben Dec 10 '18 at 20:02

2 Answers2

1

Hashcat is used to crack specific hashes such as MD5, SHA-256, bcrypt, and a whole lot more. Hashcat has specific rules it can include if it cannot crack the has with the word directory. Hashcat requires a password directory so it can bruteforce the hash. As an example, I did -1 ?l ?1?1?1?1?1?1 to show the custom character set with -1 (you can have 4 i think) ?l is my charset (all lowers) it also allows ?u ?d ?s ?a for uppercase, numbers, special chars, and all ?1?1?1?1?1?1 is a mask.

zucc0nit
  • 203
  • 1
  • 10
  • The OP is asking about the process to do this in their own code, not in a pre-built tool. I'm guessing this is a homework assignment. – schroeder Dec 10 '18 at 20:10
1

Generally, to "crack a password" you have to try many combinations and it will take long if the password is not weak.

For every password candidate you calculate it's hash, look it up in the list of given hashes, if there's no match - discard the calculated hash (you don't need to keep it), try the next candidate.

You can use some kind of hashtable data structure (HashSet in Java) to keep the given hashes: it has O(1) search complexity. It matters if you are given a long list of hashes to crack.

Strigo
  • 86
  • 4