07-03-2018, 09:17 AM
(This post was last modified: 07-03-2018, 10:46 AM by DanielG.
Edit Reason: changed example url just in case hashes should be removed
)
You can just attack it as any other hash? I think you will need to be more specific on what isn't clear.
For example, to attack sha-256 you need mode 1400. As you can see in the example hash, hashcat expects it to be in a hex format. You have a base64 format, so you wil need to convert it first before giving it to hashcat. You could to this like this: Online example how to convert this.
Also you need to know how the hashes are made, if you got this from a program that does not explicitly say it's just raw sha-265 of input then you will first need to find out if they use a static salt, per user salt, multiple iterations or other transformations on the input.
Then you need to choose whether a wordlist, brute force or other attack is most likely to get you results. This depends on your knowledge on where the hashes come from. User passwords of users who aren't tech or privacy savvy will have weak passwords that are relatively easy to guess.
For example, to attack sha-256 you need mode 1400. As you can see in the example hash, hashcat expects it to be in a hex format. You have a base64 format, so you wil need to convert it first before giving it to hashcat. You could to this like this: Online example how to convert this.
Also you need to know how the hashes are made, if you got this from a program that does not explicitly say it's just raw sha-265 of input then you will first need to find out if they use a static salt, per user salt, multiple iterations or other transformations on the input.
Then you need to choose whether a wordlist, brute force or other attack is most likely to get you results. This depends on your knowledge on where the hashes come from. User passwords of users who aren't tech or privacy savvy will have weak passwords that are relatively easy to guess.