Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 Sep 2019 08:09:12 +0200
From: magnum <>
Subject: Re: SHA256(XOR(salt+pass, key))

On 2019-09-07 15:05, Marcin Gębarowski wrote:
> Looking for help with using john to crack the hashes I got, the 
> application creates them as follows:
> SHA256(XOR(salt + pass, key))
> Salt and key are both 32 bytes long. I have the key. Hashes are stored 
> in format:
> base64(salt + hash)
> but I can easily change that to anything else.
> The main problem I'm having is the XOR function, which I was unable to 
> find in dynamic scripts library. Having something like:
> sha256(xor($s.$p, $key))
> as dynamic script would definitely solve this...

So is key like a 2nd (fixed) salt (pepper)? What application is that? 
I'm sure Jim could add XOR to dynamic compiler format with ease. Can you 
post a sample or two with known pass and key that we can use as test 

There's a minor optimization possible - we could save state of SHA256 
after the first 8 rounds with a given salt, and reuse that for as many 
password candidates we like.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.