SHA-512 for digits
#1
Hey guys, 

Developers at my company are wanting to keep something secret by using a SHA512 hash for a 9-digit number. My understanding is that this isn't secure (easy to brute-force). They've asked me to prove I can crack the SHA512 hash they gave me. The issue I'm having, though, is that it seems like the attack modes for SHA512 aren't the same as the results I receive from using shasum -a 512 or sha512sum. I even checked the examples here: https://hashcat.net/wiki/doku.php?id=example_hashes and using shasum -a 512 or sha512sum for the word hashcat returns a value that isn't present anywhere on that page.

For the value they've given me (using shasum to generate the value), I've been trying with attack modes 1700 and 17600 primarily (though I have tried most other SHA-512 modes as well, but most have formatting expectations that the value I have doesn't have).

I want to prove to them that SHA512 isn't secure for what they are wanting to do, but I'm having issues getting any SHA512 mode to crack a value I get from shasum or even match based on the examples.

Is shasum using some method that hashcat doesn't support cracking for? Or can someone point me in the right direction?

Thanks!
#2
A common mistake with sha512sum is using echo without removing the newline with -n.
Code:
$ echo -n hashcat | sha512sum

82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f  -

As you can see, this hash matches the one on the example page. As for brute forcing 9 characters, you can use a mask attack such as:

Code:
hashcat -m 1700 -a 3 YourHashHere ?d?d?d?d?d?d?d?d?d 
For more info: https://hashcat.net/wiki/doku.php?id=mask_attack
#3
Thank you, as that does explain what I'm seeing when trying to do validation!

If I understand correctly, though, since I didn't generate this hash, they likely generated it with the newline character, so if I were to truly make my point I would need them to regenerate it without the newline character OR I would have to use hashcat with 9 digits and then a newline character at the end?
#4
The answer to my question above is yes, I had to add a newline character to my attack. I did so using

hashcat -m 1700 -a 3 hash ?d?d?d?d?d?d?d?d?d?b

And then I just converted the hex to text
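The trailing-newline mismatch discussed in this thread, as an added Python example that is not from any of the posters: it checks which trailing bytes reproduce a digest for a known input, then shows on a constructed 5-digit value why a digits-only SHA-512 does not stay secret. The function names, the CRLF case and the sample value 04821 are assumptions made for illustration.

```python
import hashlib

# Digest quoted in the thread for `echo -n hashcat | sha512sum`.
PAGE_DIGEST = (
    "82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e291"
    "34d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f"
)

# Trailing bytes that tooling commonly appends to the hashed input.
# "LF" is what plain `echo` adds; "CRLF" is an assumed extra case.
TERMINATORS = {"none": b"", "LF": b"\n", "CRLF": b"\r\n"}


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def detect_terminator(known_plaintext: str, digest: str):
    """Return the name of the trailing bytes that reproduce `digest`, or None."""
    digest = digest.strip().lower()
    for name, tail in TERMINATORS.items():
        if sha512_hex(known_plaintext.encode() + tail) == digest:
            return name
    return None


def recover_digits(digest: str, width: int):
    """Try every zero-padded `width`-digit number under each terminator."""
    digest = digest.strip().lower()
    for n in range(10 ** width):
        candidate = f"{n:0{width}d}".encode()
        for name, tail in TERMINATORS.items():
            if sha512_hex(candidate + tail) == digest:
                return candidate.decode(), name
    return None


if __name__ == "__main__":
    # The thread's digest only matches when no newline is hashed.
    print("page digest terminator:", detect_terminator("hashcat", PAGE_DIGEST))
    # Constructed sample: a 5-digit value hashed the way plain `echo` feeds it.
    sample = sha512_hex(b"04821\n")
    print("recovered:", recover_digits(sample, 5))
    # The 9-digit case in the thread is the same search over 10**9 candidates.
    print(f"9-digit keyspace: {10 ** 9:,} candidates")
```

Running `detect_terminator` against a digest of a value you already know is a quick way to confirm how a hash was generated before comparing it with anything else.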