Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 21 Oct 2019 20:31:55 +0200
From: magnum <>
Subject: Re: How to increase Max Length? / Very long passwords

On 2019-10-21 14:43, Sebastian Hudson wrote:
> Hi, so I’m aware that what I’m trying to do might actually be impossible but I still want to try and find a way because it’s just for fun so why not.
> I hope I can explain this all well.
> I’m trying to crack an sha256 hash, but the password itself is an sha256 hash.
> For example:
> If the hash is e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9
> then the actually password would be 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.

This is not terribly weird if the target has is actually something like 
sha256(sha256(password)), and then you'd attack it like that (with 
human-generated words as input) but if it's not, it *is* terribly weird.

> The main problem I’ve come across is just the length of it. Prince mode won’t try to crack anything with a Max Length of 32 and Markov won’t try anything over 30.
> Is there a way to change the Max Length to more?

This approach is so terribly flawed I'm not sure where to start explaining.

> The reason I tried to use prince was I made a wordlist that broke up the permutations into groups of 8. Eg: aab3d7ef. If I could get it to try every combination of 8 of these (8x8=64) randomly then maybe it would just stumble on the password.

This one too.

You might want to read up on "cryptographic hash function" (try google 
or wikipedia). Pay attention to keywords like "avalanche".

> Ideally I think if there was a way to just keep hashing the last attempt over and over it might stumbled on the password too. Eg: if it tried
> e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9
> then
> d6a804981ea7ce374acc21c9a8bf82f50b684b0ea4bdf8b26a7a775291aaf7a6
> then
> ad376767fc04814220cc25c79b2777cd14704f23f1830318b5bd9eb97e4fedf6
> perhaps that would be quicker?

Errr... but what would be your starting point (for generating that first 
hash)? In case you are attacking something like 
sha256(sha256(sha256(sha256((...)passphrase)))) it might be a good way, 
but only if the actual original password was based on a human generated 
string and you just don't know how many iterations of sha256 was used.

Good luck with this ;-)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.