The Best Fluffy Pancakes recipe you will fall in love with. Full of tips and tricks to help you make the best pancakes.

Cracking Cryptographic Hashes

Hashing Cryptographic
Cracking Cryptographic Hashes

Hashing is an algorithm that generates a fixed-length string from an input.

Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. The term is derived from the Greek word kryptos, which means hidden.

There are many different hash algorithms with different properties, for example, SHA-256.

You can use openssl to generate a SHA-256 hash:

echo -n 'secret' | openssl dgst -sha256

The output is the hash:


Hashes have a special property: they are easy to compute but difficult to reverse: given the hash above, it difficult to find its origin, “secret”.

This makes hashes a good method to verify passwords: Rather than storing the password itself and risking it being stolen, you store the password’s hash and when a user provides a password, you compute its hash and compare it to the stored value, if they match it means that the user entered the correct password.

Cracking a cryptographic SHA-256 Hash

But hashes can be reversed using methods such as dictionary attacks which compares the given hash to the hashes of common words from a dictionary or brute-force which computes the hash of many different combinations of characters until it finds one that matches the given hash. This is, of course, not very efficient, but, with enough compute power and time, it often works.

Let’s see an example:

Suppose you were given the hash above and you want to find its origin. To do that, you can utilize a tool called hashcat.

First you need to install it. I used the following steps to install it on macOS Catalina (requires git and make which you can get with brew):

git clone
mkdir -p hashcat/deps
git clone hashcat/deps/OpenCL
cd hashcat/ && make install

Next you need to find the identifier (Hash mode or Hash-type) of your hash algorithm. For SHA-256 it’s 1400. You can see all codes on this page (or with hashcat –help).

Now run a brute-force attack:

hashcat -m 1400 -a 3 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b

And after a short while, you should get:

2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b:secretSession..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-256
Hash.Target......: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25...27a25b
Time.Started.....: Tue Sep 22 15:11:41 2020 (10 secs)
Time.Estimated...: Tue Sep 22 15:11:51 2020 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2 [6]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 6/15 (40.00%)
Speed.#1.........: 55535.2 kH/s (6.90ms) @ Accel:256 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 521502720/3748902912 (13.91%)
Rejected.........: 0/521502720 (0.00%)
Restore.Point....: 233472/1679616 (13.90%)
Restore.Sub.#1...: Salt:0 Amplifier:0-128 Iteration:0-128
Candidates.#1....: sacers -> co9ishStarted: Tue Sep 22 15:11:35 2020
Stopped: Tue Sep 22 15:11:51 2020

You can see that the status is “Cracked” and the original “secret” just above that.

Cracking an HMAC SHA-256 Hash

Let’s try a slightly more advanced example. This time we will use a different hash algorithm called HMAC-SHA-256 which requires not only the input string but also another secret key.

First, let’s generate the hash of ‘Lucy in the sky of diamonds’ with a secret key ‘secret’:

echo -n 'Lucy in the sky of diamonds' | openssl dgst -sha256 -hmac 'secret'

This will generate the hash:


Now let’s try to reverse it. The Hash mode of HMAC-SHA-256 is 1450. We pass a string comprising the hash and the original text separated by a colon:

hashcat -m 1450 -a 3 "116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds"

After a minute or so, you should get the result which is the secret key “secret”:

116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds:secretSession..........: hashcat
Status...........: Cracked
Hash.Name........: HMAC-SHA256 (key = $pass)
Hash.Target......: 116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443...amonds
Time.Started.....: Tue Sep 22 15:48:15 2020 (41 secs)
Time.Estimated...: Tue Sep 22 15:48:56 2020 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2 [6]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 6/15 (40.00%)
Speed.#1.........: 12328.6 kH/s (7.00ms) @ Accel:64 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 521207808/3748902912 (13.90%)
Rejected.........: 0/521207808 (0.00%)
Restore.Point....: 233472/1679616 (13.90%)
Restore.Sub.#1...: Salt:0 Amplifier:0-128 Iteration:0-128
Candidates.#1....: sacers -> co9ontStarted: Tue Sep 22 15:48:03 2020
Stopped: Tue Sep 22 15:48:56 2020

A few more advanced tricks with hashcat

  1. You can crack multiple hashes by putting them in a file and running:
hashcat -m 1450 -a 3 hash-list.txt

Each line in the file should be in the form of “hash” for SHA-256 or “hash:original text” for HMAC-SHA-256.

2. You can use custom character sets and patterns, for example this command searches for secrets with six lowercase letters only:

hashcat -m 1450 -a 3 -1 abcdefghijklmnopqrstuvwxyz "116fb393a265d0eb638a6070e5b051a2987e33195eef0e13443f9d8d3e5668b5:Lucy in the sky of diamonds" "?1?1?1?1?1?1"

3. After successfully cracking a hash, hashcat stores it in ~/.hashcat/hashcat.potfile. If you want to run the same crack again, you need to remove the result from this file, otherwise hashcat will simply return the cached result.

Finally, let’s talk about Security

First of all, a mandatory word of caution: don’t use this maliciously!

Now how can you protect against malicious attackers:

  1. As a security architect, use an up-to-date and strong hash algorithm with a salt and a strong secret (see detailed explanation). But the best is to use multi-factor-authentication or biometrics so you don’t rely on a password only.
  2. As a user, use long passwords with digits and special characters, store them in a password manager, and don’t trust the application you are connecting to (don’t share passwords between different accounts).

Related Sites

Read More from us

  • How to Know if Your Phone is Under A Malicious Control

    Summary: In this article, we’ll learn, how to tell that your phone’s been hacked. If your phone is hacked, you’ll notice, that your battery draining a lot faster, your phone’s performance rate has gone down, too much of your data is being consumed, and you’re getting a bit too many calls and messages from unknown…

  • Chatbot Issues : Secure Your Chats

    Chatbot are the thing that act as bridge between user to user or user to a organization for communication. When face to face interaction is not possible we use our technology to communicate with others. Auto technology of speech recognition like Alexa and Siri are used for response. Now we are using chatbots for communicating…

  • Password Security – The Most Important Thing in the 21st Century

    Password Security – The Most Important Thing in the 21st Century

    Passwords are the first line of defense that fights against unauthorized access to your computer and your personal data. No other users can read, delete or change your data without knowing your password. But why is password security required? As an ever increasing number of monetary exchanges happen electronically, the difficulties and stakes develop. Its…