How to crack `salt + SHA256(salt + password)` hashes with JTR?

Question

I have a set of password hashes.

Here is an example:

9e74437e97ff201ff38416138a22a7f3adfa3b9c10e947481bd94b16eed7df6b6e2806

From the source code of the application generating this hash I learned that the salt is prepended as the first 6 characters and the overall algo producing the hash is:

salt + SHA256(salt + password)

Knowing the cleartext password for the above hash (helloworld) I was able to confirm my assumption gleaned from the source code on Linux command line (command + result):

printf 9e7443helloworld | sha256sum
7e97ff201ff38416138a22a7f3adfa3b9c10e947481bd94b16eed7df6b6e2806  -

Now as I said I have a set of those hashes and I'd like to set John The Ripper against them and use dictionary attack. I guess it can be done using --rules flag and supplying custom configuration file with custom rules. But I'm not sure this is the right way and not familiar with JTR's mangling rules.

Can you please show me the way of achieving my goal with JTR?

Answer 1

As far as I know the --rules option only allows you to define rules for the password the user may be using (e.g. foobar, foobar123, f00bar, etc.).

The parameter --format corresponds to the format of the hash. There are many predefined rules, so you can modify your file to the format salt:md5(salt+password), for instance:

9e7443:7e97ff201ff38416138a22a7f3adfa3b9c10e947481bd94b16eed7df6b6e2806

And find a format which processes username:md5(username+password) for example.

Another option would be to use dynamic scripts. This method will be trickier but also more flexible.

Answer 2

The solution was to use predefined dynamic formats. Using the sample from my question I saved it into the hashes.txt in the following format:

username:7e97ff201ff38416138a22a7f3adfa3b9c10e947481bd94b16eed7df6b6e2806$9e7443

And then used the predefined dynamic format:

john --format=dynamic_61 hashes.txt

The command to list all dynamic formats with JTR-jumbo:

john --list=subformats