hashcat Forum
bcrypt hash with salt - Printable Version



bcrypt hash with salt - sleclerc - 11-21-2018

Hello,  I am new to hashcat and after searching for a little bit I am not able to locate the syntax I would need to get the answer I am looking for. 

I believe the hash name is bcrypt.

I have a hash that starts with the following $2y$12$....(60 total characters) and I have a salt which ends with == but has 32 characters.

the syntax used is
hashcat64.exe -a 0 -m 3200 $2y$12$.....

I then get an error message of "timeout in stdin mode".

any help would be appreciated.


RE: bcrypt hash with salt - undeath - 11-21-2018

https://hashcat.net/forum/thread-7686.html?highlight=stdin


RE: bcrypt hash with salt - Mem5 - 11-22-2018

Read help/wiki/usage.
You missed something to do (dictionary attack? mask? etc.), that's why hashcat is waiting for your input in stdin.


RE: bcrypt hash with salt - sleclerc - 11-22-2018

Thank you for your response, 

If I would like to brute force attack this hashed password what command structure would I use?
-I know nothing about the length or characters used. upper/lower case, special character, numbers

if I use the following command hashcat -m 3200  -a 3 -1 ?a hashes.txt ?1?1?1?1?1?1?1?1?1?1

-m 3200 bcrypt encryption
-a 3 brute force
-1 pattern ?a = upper/lower, special characters and numbers
hashes.txt is my file with the hashes

I get the following message
integer overflow detected in keyspace of mask: ?1?1?1?1?1?1?1?1?1?1?1?1

how do I brute force the password if I don't know the length or characters used, but I do have the salt used.


RE: bcrypt hash with salt - undeath - 11-22-2018

brute-forcing bcrypt is not feasible.


RE: bcrypt hash with salt - sleclerc - 11-22-2018

just to confirm if I have the hash $2y$12$... and the salt I am not able to decrypt bcrypt?


RE: bcrypt hash with salt - undeath - 11-22-2018

Hashing is not encryption. You cannot decrypt a hash. There is no guaranteed way ever to crack a hash. I'm not saying you cannot crack bcrypt. But brute-force is not feasible.


RE: bcrypt hash with salt - Mem5 - 11-23-2018

What's your GPU card?
Do some math. Assuming you have a GTX 1080 Ti, you will try ~23'000 passwords per second.
You said "I don't know the length or characters used".
Assuming mixalpha+digits => 62 characters
62 at length 5 will take 11 hours to bruteforce. You can do it.
62 at length 6 will take 28 days to bruteforce. You still can do it..
62 at length 7 will take ~5 years to bruteforce. Good luck.

Quote: But brute-force is not feasible.
+1


RE: bcrypt hash with salt - undeath - 11-23-2018

(11-23-2018, 12:14 AM)Mem5 Wrote: Assuming you have a GTX 1080 Ti, you will try ~23'000 passwords per second.

With cost factor 12? I think you're being a little too optimistic :D


RE: bcrypt hash with salt - epixoip - 11-24-2018

Heh yeah, 23 KH/s is for cost of 5. At cost 12 the speed is 2^7 times slower at roughly 179 H/s.
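
The arithmetic from the last few posts, as an added example that is not part of the original thread: it reads the cost factor out of a `$2y$12$...` string (the 60 characters already contain the 22-character bcrypt salt) and scales the thread's 23 KH/s cost-5 figure to estimate full-keyspace search time. The function names and the sample hash are constructed for illustration; the reference rate is the one quoted above, not a measurement.

```python
import re

# Modular crypt format for bcrypt: $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def parse_bcrypt(h):
    """Split a bcrypt string into (version, cost, salt, digest)."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a 60-character bcrypt string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return version, cost, salt, digest

def rate_at_cost(cost, ref_rate=23_000.0, ref_cost=5):
    """Guesses/second at `cost`: each +1 in cost doubles the work per guess.
    ref_rate/ref_cost default to the thread's figure (assumption)."""
    return ref_rate / 2 ** (cost - ref_cost)

def exhaustive_seconds(charset, length, rate):
    """Worst-case time to try every candidate of exactly `length` chars."""
    return charset ** length / rate

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"

# Constructed sample in the same shape as the hash in the first post.
SAMPLE = "$2y$12$" + "A" * 22 + "B" * 31

if __name__ == "__main__":
    _, cost, _, _ = parse_bcrypt(SAMPLE)
    print(f"cost {cost}: {rate_at_cost(cost):.1f} H/s")
    print("len  cost 5        cost", cost)
    for length in range(5, 9):
        at5 = human(exhaustive_seconds(62, length, rate_at_cost(5)))
        atc = human(exhaustive_seconds(62, length, rate_at_cost(cost)))
        print(f"{length:<4} {at5:<13} {atc}")
```

At cost 5 this reproduces the 11 hours / 28 days / ~5 years figures; at cost 12 each of them is multiplied by 128.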