Is it possible to find the salt for a known password?
#1
I have a hash of the form of 64 hex chars (I'm assuming SHA256???)

Im told that it has some form of salt prepended to the string before hashing, and I have the unhashed string, but not the salt.

Is it possible to find the salt?

I have tried:

hashcat -m 1400 -a 1 ./hashfile /usr/share/dict/american-english ./known

(Combination attack mode), where "known" contains the known string. But it only seems to load one dictionary. And of course I don't know that the salt is a dictionary word.

Any advice appreciated - I'm knew to this sort of thing in general, and hashcat specifically!

Thanks!
#2
Easiest way would be to treat it as sha256(pass.salt), use the plaintext password as the salt, and crack the salt as the password.

But this begs the question -- if you already have the password, why do you care what the salt is?
#3
Thanks epixoip.

The reason for needing the salt is that it's static across other unknown passwords.

When I try to use sha256(pass.salt) though it complains about the length. How do I provide the known "salt" (password) in this case? (Sorry if this is beyond basic - still getting to grips with it.)
#4
If it's static across all users then it's not a salt, it's a shared secret -- AKA, "pepper."

But my advice still stands. Use -m 1410 and supply the hash in "hashConfusedalt" format. Or in this case, "hash:pass" format.
#5
Ah, thank-you - the hash:pass had evaded me. How should I deal with a space in the password? Is it simply a case of having hash:pass word on one line in the hash list?

It appeared to run fine, and worked through the dictionary in a second or so (without finding a match), but just want to lake sure I'm not omitting half the password!

Thanks again!
#6
Got it with a mask attack. :-) Thanks again for the help. In case anyone comes across this - the space in the "hash" (password in this example) was fine.
#7
Cool, glad you got it sorted.