Question about sha256 and AMD kernels
#1
Hi,

my brain got stuck, even after reading wiki (or is it just "that day")

so ...

i have some sha256 hash to crack ... an example (random example) :

sha256 hash
dbb12ceaf87ceaf87ceaf87ceaf87ceaf8751e29a0257751e29751e29751e291

password
21 90 12 12 12 12 4A 21 00 00 00 00 00 00 00 00  - last 8 bytes is always 00

so ...the question is ... how to combine mask attack on this (which range from 0x00 to 0xFF),
since password result have last 8 bytes always 0x00 ? (characters = 0-9, A-F , last 8 bytes can be truncated)

(yeah, you will say - it's simple ... i just can't figure it out at the moment)



and the second question is ...

how to maximise performance of this cracking on AMD RX580 GPU,
Windows7, latest Adrenalin 21.5.2 installed.

Do i need some additional parameters ?
Do i need some other (by Hashcat recommended) drivers ?


Thanks for reading this (and hopefully helping),
and sorry for (maybe for you)  trivial questions.

b.r.
Alex
Reply
#2
first
read forum rules, it is prohibited to post hashes and or passes as long as not asked by the devs/mods

second
your hash and or pass is not matching
even when trying to convert hex to ascii and/or deleting your spaces, nothing will result in what you have posted as sha 256

third
hex 90, 91, 92 reminds me of typical double misconversion between utf-8 and windows charpages so your password can be / should be malformed
Reply
#3
(09-06-2021, 08:43 PM)Snoopy Wrote: first
read forum rules, it is prohibited to post hashes and or passes as long as not asked by the devs/mods

second
your hash and or pass is not matching
even when trying to convert hex to ascii and/or deleting your spaces, nothing will result in what you have posted as sha 256

third
hex 90, 91, 92 reminds me of typical double misconversion between utf-8 and windows charpages so your password can be / should be malformed


Hashes/password randomized/faked now ....


***EDIT:

i've come up to something ... but is this correct ... ?

hashcat -m 1400 <HASH> -O -S -w 3 -a 3 -1 0123456789abcdef -2 0 ?1?1?1?1?1?1?1?1?2?2?2?2?2?2?2?2 -o

main problem with this i've come up is that it needs lot of RAM (9.1Gb) ?! is that normal ?

password should be array of 16 times 00-FF strings, but - am I masking it correctly ?
Reply
#4
are we "really" talking about hex like strings?
so in your example:

sha256('ffffffffffffffff0000000000000000') = 9d16bfa811f70a01d13ecbe0bb081c80f89e37b72383566740ef849617e80ab2
sha256('FFFFFFFFFFFFFFFF0000000000000000') = 5219f4e314c19218f9eb9393c077c8858caff6b546e142c8cfc4c936bec769d6

upper / lower case letters possible in such strings? or do we talk about a hex representation of the found password?

even when just appending the 8 times 00 per rule, the first half, 8 times 00 to ff or FF or mixed (as string) is quite a huge keyspace, it is 16^16 and should result in an overflow by hashcat
Reply
#5
(09-07-2021, 11:34 AM)Snoopy Wrote: are we "really" talking about hex like strings?
so in your example:

sha256('ffffffffffffffff0000000000000000') = 9d16bfa811f70a01d13ecbe0bb081c80f89e37b72383566740ef849617e80ab2
sha256('FFFFFFFFFFFFFFFF0000000000000000') = 5219f4e314c19218f9eb9393c077c8858caff6b546e142c8cfc4c936bec769d6

upper / lower case letters possible in such strings? or do we talk about a hex representation of the found password?

even when just appending the 8 times 00 per rule, the first half, 8 times 00 to ff or FF or mixed (as string) is quite a huge keyspace, it is 16^16 and should result in an overflow by hashcat

it's just lowercase letters/chars 0123456789abcdef, first 8 bytes of output "array", as in example,
last 8 bytes of array is always 00 00 00 00 00 00 00 00

mask that i put in example, goes pretty quick on hashcat, but results in "exhausted" ...

i'm gonna find some known hash/result and put it in ...
just one thing i'm not sure - is my mask good ?

-a 3 -1 0123456789abcdef -2 0 ?1?1?1?1?1?1?1?1?2?2?2?2?2?2?2?2
or
-a 3 -1 0 ?h?h?h?h?h?h?h?h?1?1?1?1?1?1?1?1

should be basically the same, as "h" = 01234567890abcdef
Reply
#6
(09-07-2021, 06:30 PM)alexxx Wrote: -a 3 -1 0123456789abcdef -2 0 ?1?1?1?1?1?1?1?1?2?2?2?2?2?2?2?2
or
-a 3 -1 0 ?h?h?h?h?h?h?h?h?1?1?1?1?1?1?1?1

should be basically the same, as "h" = 01234567890abcdef

sry but i still don't really get what you try to achieve

your given example (edit: the second example is the same)
-a 3 -1 0123456789abcdef -2 0 ?1?1?1?1?1?1?1?1?2?2?2?2?2?2?2?2
will result in passes like
afafafaf00000000
b1b2b3b400000000
(16 chars total, 8 zeros at the end, no spaces between)

but you said passes always end with 00 00 00 00 00 00 00 00 (these are 16 zeros, so your mask doesn't fit). the next thing: do these "spaces" belong to the password or not?

shortened example
sha256('ff 00 00') is something completely different than
sha256('ff0000')
Reply
#7
it was mis-interpreted wrongly .... (from my side)

so, here is correct "what-i-want-to-crack" :

- given sha256 hash
- result is actually byte-array ie: 30303930343139323063306134613231

([009041920c0a4a21 = each digit + 30] ,0+30 0+30 9+30 0+30 4+30 1+30 9+30 2+30 0+30 c+30 0+30 a+30 4+30 a+30 2+30 1+30)

via this site (after choosing HEX), correct hash is received (from this example).

so ... how to get correct (cracked) result with hashcat ? is it mask-attack ?
i'm stuck here .... i dunno what to put in hashcat for this

thanks
Reply
#8
i hope i get it right (from your last example), you have data like this

sha256hash:30303930343139323063306134613231

30303930343139323063306134613231 -> hex to ascii = 009041920c0a4a21

009041920c0a4a21 -> interpreted as hex and given as input to sha256-> your searched sha256hash =
eb263129803e19314d6644961[masked]
?

if yes, first prepare a charset-file like this
1. hashcat -a 3 --stdout ?h?h > charset.txt
2. open this file with a good text editor and remove all newlines, linebreaks, so that there is only one line with all chars
from 00 to ff (512, don't be afraid when your file looks messed up, hashcat randomized the output by default )
3. feed hashcat like this
hashcat.exe -m 1400 -a3 -O --hex-charset -1 charset.txt sha256.txt ?1?1?1?1?1?1?1?1

specify an output-file on your own or leave it, see hashcat.potfile for results, the results will look like this

eb263129803e19314d6644961[masked]:$HEX[009041920c0a4a21]

to get your 30303930343139323063306134613231 you have to interpret 009041920c0a4a21 as ascii to hex
https://www.rapidtables.com/convert/numb...o-hex.html or use another tool

these "double-conversion" or misinterpreting is not related to sha256 so it must have to do something with the source of your data
Reply
#9
(09-13-2021, 06:47 PM)Snoopy Wrote: i hope i get it right (from your last example), you have data like this

sha256hash:30303930343139323063306134613231

30303930343139323063306134613231 -> hex to ascii = 009041920c0a4a21

009041920c0a4a21 -> interpreted as hex and given as input to sha256-> your searched sha256hash =
eb263129803e19314d6644961[masked]
?

if yes, first prepare a charset-file like this
1. hashcat -a 3 --stdout ?h?h > charset.txt
2. open this file with a good text editor and remove all newlines, linebreaks, so that there is only one line with all chars
from 00 to ff (512, don't be afraid when your file looks messed up, hashcat randomized the output by default )
3. feed hashcat like this
hashcat.exe -m 1400 -a3 -O --hex-charset -1 charset.txt sha256.txt ?1?1?1?1?1?1?1?1

specify an output-file on your own or leave it, see hashcat.potfile for results, the results will look like this

eb263129803e19314d6644961[masked]:$HEX[009041920c0a4a21]

to get your 30303930343139323063306134613231 you have to interpret 009041920c0a4a21 as ascii to hex
https://www.rapidtables.com/convert/numb...o-hex.html or use another tool

these "double-conversion" or misinterpreting is not related to sha256 so it must have to do something with the source of your data

Yes, that's it, like in my last example.
hashed result : 30303930343139323063306134613231 - gives correct hash (from example)

Now, i am still stuck - i tried what you suggested

charset.txt is single-line with 000102030405060708090A....FF

and what i got is - "Integer overflow detected in keyspace of mask: ?1?1?1?1?1?1?1?1"

(with space between 00 01 ... FF - "Invalid hex character detected in mask 00 01....FF")

this is some "hard nut" ...
Reply
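The encoding question from posts #6 to #8 and the overflow error in post #9, worked through as an added example (not code from any poster in this thread). It hashes the thread's sample value under each interpretation discussed and computes the keyspace of the masks mentioned; the helper names are hypothetical, and the 64-bit keyspace limit is an assumption used to explain the reported error.

```python
import hashlib

HEX_TEXT = "009041920c0a4a21"  # sample value from posts #7 and #8
U64_MAX = 2**64 - 1            # assumption: keyspace is held in an unsigned 64-bit integer


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def interpretations(hex_text: str) -> dict:
    """Byte strings that one hex-looking value can stand for as SHA-256 input."""
    raw = bytes.fromhex(hex_text)
    pairs = [hex_text[i:i + 2] for i in range(0, len(hex_text), 2)]
    return {
        "raw bytes": raw,
        "raw bytes + 8 NUL": raw + b"\x00" * 8,
        "ascii hex, lower": hex_text.lower().encode("ascii"),
        "ascii hex, upper": hex_text.upper().encode("ascii"),
        "ascii hex, spaced": " ".join(pairs).encode("ascii"),
    }


def identify(digest_hex: str, hex_text: str) -> list:
    """Names of the interpretations whose SHA-256 equals digest_hex."""
    want = digest_hex.strip().lower()
    return [name for name, data in interpretations(hex_text).items()
            if sha256_hex(data) == want]


def keyspace(charset_sizes) -> int:
    """Candidates a mask generates: product of the per-position charset sizes."""
    total = 1
    for size in charset_sizes:
        total *= size
    return total


if __name__ == "__main__":
    for name, data in interpretations(HEX_TEXT).items():
        print(f"{name:18} {data.hex():34} {sha256_hex(data)}")
    for label, sizes in [("8 x 16 chars, then 8 fixed", [16] * 8 + [1] * 8),
                         ("8 x 256 byte values", [256] * 8),
                         ("16 x 16 chars", [16] * 16)]:
        n = keyspace(sizes)
        print(f"{label:28} {n:>22} fits in u64: {n <= U64_MAX}")
```

Running `identify()` against a known plaintext/digest pair from the same source settles which encoding the source hashes before any mask is chosen.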
#10
warg...

yeah sry tried this just with a/your shortened charset of [009041920c0a4a21]

tried something with rules but no success, i think the problem is you have to feed hashcat per pipe and not quite sure whether these "control chars" are transmitted correctly through pipe (output given by hashcat shows pw candidates with less than 8/16 and i don't know why)

i tried a run with half of the keyspace and it showed me a runtime of 34 years (so yeah IT IS a huge keyspace)

if you still want to give it a shot, you have to use maskprocessor

https://github.com/hashcat/maskprocessor/releases/

and feed hashcat like this (you can do some "gambling" with how to order -1 and -2)

with this hashcat will start with something like ffffffff00000000

left side will " slowly decrease" to 00... right side will "slowly increase" to ff...

mp64.exe -1 0123456789abcdef -2 fedcba9876543210 ?2?2?2?2?2?2?2?2?1?1?1?1?1?1?1?1 | hashcat.exe --hex-charset -a 0 -O -m 1400 sha256.txt
Reply