Date: Wed, 23 Oct 2019 00:12:41 +1030 From: Sebastian Hudson <s.hudson@...ernode.on.net> To: john-users@...ts.openwall.com Subject: Re: How to increase Max Length? / Very long passwords Thanks Magnum, lots of good advice there, I’ll look into hash functions! How would you go about what I’m trying to do? Cheers /Seb On 22 Oct 2019, at 5:01 am, magnum <john.magnum@...hmail.com> wrote: > On 2019-10-21 14:43, Sebastian Hudson wrote: >> Hi, so I’m aware that what I’m trying to do might actually be impossible but I still want to try and find a way because it’s just for fun so why not. >> I hope I can explain this all well. >> I’m trying to crack an sha256 hash, but the password itself is an sha256 hash. >> For example: >> If the hash is e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9 >> then the actually password would be 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b. > > This is not terribly weird if the target has is actually something like sha256(sha256(password)), and then you'd attack it like that (with human-generated words as input) but if it's not, it *is* terribly weird. > >> The main problem I’ve come across is just the length of it. Prince mode won’t try to crack anything with a Max Length of 32 and Markov won’t try anything over 30. >> Is there a way to change the Max Length to more? > > This approach is so terribly flawed I'm not sure where to start explaining. > >> The reason I tried to use prince was I made a wordlist that broke up the permutations into groups of 8. Eg: aab3d7ef. If I could get it to try every combination of 8 of these (8x8=64) randomly then maybe it would just stumble on the password. > > This one too. > > You might want to read up on "cryptographic hash function" (try google or wikipedia). Pay attention to keywords like "avalanche". > >> Ideally I think if there was a way to just keep hashing the last attempt over and over it might stumbled on the password too. Eg: if it tried >> e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9 >> then >> d6a804981ea7ce374acc21c9a8bf82f50b684b0ea4bdf8b26a7a775291aaf7a6 >> then >> ad376767fc04814220cc25c79b2777cd14704f23f1830318b5bd9eb97e4fedf6 >> perhaps that would be quicker? > > Errr... but what would be your starting point (for generating that first hash)? In case you are attacking something like sha256(sha256(sha256(sha256((...)passphrase)))) it might be a good way, but only if the actual original password was based on a human generated string and you just don't know how many iterations of sha256 was used. > > Good luck with this ;-) > magnum >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.