09-07-2025, 11:45 AM
(09-07-2025, 02:30 AM)cyclone Wrote: Here's a quick rundown:
1. Parse $wp$2... bcrypt hash to hashcat bridge mode (see python3 code below)
2. Set up hashcat bridge mode (see example in my previous post; make sure to use the correct "bcrypt2x" mode in --bridge-parameter2 which must match your hash -- likely bcrypt2y, but bcrypt2b in my example)
3. Run hashcat which should crack the example hash:plaintext
example wp formatted hash:plain (generated hash)
Code:$wp$2b$12$CnC/yHPQoTI40ISHyVEzCuRXkjDkydxPx.VceRJwUsBji5WDqw5BK:cyclone
example hashcat bridge formatted hash:plain (generated hash)
Code:$2b$12$CnC/yHPQoTI40ISHyVEzCuRXkjDkydxPx.VceRJwUsBji5WDqw5BK*12*CnC/yHPQoTI40ISHyVEzCu:cyclone
./wp2hashcat.py < wp_hash.txt
Code:#!/usr/bin/env python3
import sys
for line in sys.stdin:
s = line.strip().removeprefix("$wp$")
if not s.startswith("$"):
s = "$" + s
_, algo, cost, rest = s.split("$", 3)
print(f"{s}*{cost}*{rest[:22]}")
Thank you for the work you have done. I think many users will need this. Not everyone is aware of this type of encryption yet. And they are trying to find the password for these hashes, just like for regular bcrypt.