+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: bcrypt hash with salt (/thread-7969.html)
Pages:
1
2
bcrypt hash with salt - sleclerc - 11-21-2018
Hello, I am new to hashcat and after searching for a little bit I am not able to locate the syntax I would need to get the answer I am looking for.
I believe the hash name is bcrypt.
I have a hash that starts with the following $2y$12$....(60 total characters) and I have a salt which ends with == but has 32 characters.
the syntax used is
hashcat64.exe -a 0 -m 3200 $2y$12$.....
I then get an error message of "timeout in stdin mode".
any help would be appreciated.
RE: bcrypt hash with salt - undeath - 11-21-2018
https://hashcat.net/forum/thread-7686.html?highlight=stdin
RE: bcrypt hash with salt - Mem5 - 11-22-2018
Read help/wiki/usage.
You missed something do to (dictionnary attack ? mask ? etc.), that's why hashcat is waiting for your input in stdin.
RE: bcrypt hash with salt - sleclerc - 11-22-2018
Thank you for your response,
If I would like to brute force attack this hashed password what command structure would I used?
-I know nothing about the length or characters used. upper/lower case, special character, numbers
if I use the following command hashcat -m 3200 -a 3 -1 ?a hashes.txt ?1?1?1?1?1?1?1?1?1?1
-m 3200 bcrypt encryption
-a 3 brute force
-1 pattern ?a = upper/lower, special characters and numbers
hashes.txt is my file with the hashes
I get the following message
integer overflow detected in keyspace of mask: ?1?1?1?1?1?1?1?1?1?1?1?1
how do I brute force the password if I don't know the length or characters used, but I do have the salt used.
RE: bcrypt hash with salt - undeath - 11-22-2018
brute-forcing bcrypt is not feasible.
RE: bcrypt hash with salt - sleclerc - 11-22-2018
just to confirm if I have the hash $2y$12$... and the salt I am not able to decrypt bcrypt?
RE: bcrypt hash with salt - undeath - 11-22-2018
Hashing is not encrpytion. You cannot decrypt a hash. There is no guaranteed way ever to crack a hash. I'm not saying you cannot crack bcrypt. But brute-force is not feasible.
RE: bcrypt hash with salt - Mem5 - 11-23-2018
What's your GPU card?
Do some math. Aasssuming you have a GTX 1080 Ti, you will try ~23'000 passwords per seconds.
You said "I don't know the length or characters used".
Assuming mixalpha+digits => 62 characters
62 at length 5 will take 11 hours to bruteforce. You can do it.
62 at length 6 will take 28 days to bruteforce. You still can do it..
62 at length 7 will take ~5 years to bruteforce. Good luck.
Quote:But brute-force is not feasible.+1
RE: bcrypt hash with salt - undeath - 11-23-2018
(11-23-2018, 12:14 AM)Mem5 Wrote: Assuming you have a GTX 1080 Ti, you will try ~23'000 passwords per seconds.
With cost factor 12? I think you're being a little too optimistic
RE: bcrypt hash with salt - epixoip - 11-24-2018
Heh yeah, 23 KH/s is for cost of 5. At cost 12 the speed is 2^7 times slower at roughly 179 H/s.