23

I'd like to attack a self-created sha256 hash with john --wordlist=

So far I've done the following:

$ echo 'testpassword' | sha256sum > mypassword

removed the tail of the output with vim

$ cat mypassword
dc460da4ad72c482231e28e688e01f2778a88ce31a08826899d54ef7183998b5

penetrate with john

$ john --wordlist=list.txt --format=raw-sha256 mypassword

result:

Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 SSE2 4x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:06 DONE (2017-01-06 12:47) 0g/s 2347Kp/s 2347Kc/s 2347KC/s
Session completed

show

$ john --show mypassword
0 password hashes cracked, 1 left

What did I do wrong? Is raw-sha256 not the right format? The test password is definitely in the wordlist.

1 Answer

42

Your string has an unintended line break at the end. Use -n to omit the trailing newline character:

echo -n 'testpassword' | sha256sum > mypassword

Otherwise you end up with a different hash:

$ echo testpassword | sha256sum
e0d7d338cb1259086d775c964fba50b2a84244ba4cd2815e9f6f4a8d9daaa656  -
$ echo -n testpassword | sha256sum
9f735e0df9a1ddc702bf0a1a7b83033f9f7153a00c29de82cedadc9957289b05  -

Then just proceed as you did.

Demo:

$ echo -n "abc123" | sha256sum | cut -f 1 -d " " > password
$ john --format=raw-sha256 password
$ john --show password
?:abc123

1 password hash cracked, 0 left

(I used cut to remove the hyphen after the hash.)
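
A way to check which form of a word a stored hash was computed from, as an added example that is not part of the original answer. The function names (sha256_hex, hash_exact, diagnose_hash) are hypothetical and the word abc is a constructed sample; it assumes sha256sum from coreutils.

```shell
#!/bin/sh
# Added example: find out whether a SHA-256 hash was computed over a word
# alone or over the word plus a line ending (the echo-without--n mistake).
# Function names are hypothetical; the sample word below is constructed.

# sha256_hex: hex digest of stdin, without the trailing "  -" column.
sha256_hex() {
    sha256sum | cut -d ' ' -f 1
}

# hash_exact WORD: digest of exactly the bytes of WORD. printf '%s' never
# appends a newline, unlike echo, whose -n handling varies between shells.
hash_exact() {
    printf '%s' "$1" | sha256_hex
}

# diagnose_hash HASH WORD: print which encoding of WORD produced HASH.
diagnose_hash() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # compare case-insensitively
    word=$2
    if [ "$target" = "$(printf '%s' "$word" | sha256_hex)" ]; then
        echo "exact"
    elif [ "$target" = "$(printf '%s\n' "$word" | sha256_hex)" ]; then
        echo "trailing-LF"
    elif [ "$target" = "$(printf '%s\r\n' "$word" | sha256_hex)" ]; then
        echo "trailing-CRLF"
    else
        echo "no-match"
    fi
}

# Constructed demo: the same word hashed with and without the newline.
with_newline=$(echo 'abc' | sha256_hex)
without_newline=$(hash_exact 'abc')
echo "echo 'abc'      -> $(diagnose_hash "$with_newline" 'abc')"
echo "printf '%s' abc -> $(diagnose_hash "$without_newline" 'abc')"
```

Only a hash reported as "exact" will match the plain wordlist entry when loaded with --format=raw-sha256.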

  • 13
    This issue has bitten me in the ass more times than I wish to admit!
    – Polynomial
    Commented Jan 6, 2017 at 18:19
  • 14
    So basically you're saying we can create impenetrable passwords by adding a line break at the end? ;)
    – Jezzamon
    Commented Jan 6, 2017 at 22:16
  • For increased security any control character should work. But you need U.I. support to enter them.
    – Jasen
    Commented Jan 7, 2017 at 2:08
  • 2
    @Jezzamon Even better - put a NULL byte at the end, john can't handle them
    Commented Jan 7, 2017 at 3:18
  • 2
    @Jasen I was bitten by this when moving from Win7 to Win10, they removed the ability to type a literal delete char into the password box at login.
    – Οurous
    Commented Jan 12, 2017 at 22:16
