Is it possible to crack a password hashed with sha256 with hashcat? [with screenshots]

Written by Administrator on Wednesday May 6, 2020

SHA256 algorithm was invented to generate 256-bit (or 32-byte) hash. They write it will take you several years to crack it. It's true, but there're cases you can brute-force it (for example, with hashcat tool). At least you can try. In this article I'm using openSUSE Linux distro and openCL framework drivers for my NVIDIA GeForce GTX 1060 Mobile graphic card.

Here's an example, how to crack SHA256-hashed password in several minutes using haschat tool.

Let's take a hash of a password, stored in pass.hash file:

$ cat pass.hash

SHA256 password hash

In case we want use hashcat to brute-force, let's read, what is written in help file (or man). If you are new to linux, remember, that reading --help and man files is very important thing while working in linux.

What we are looking for? Our goal is brute-force attack and our victim is a password hashed with SHA256 algorithm:

-a, --attack-mode    

and then ..

  # | Mode
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist

Ok, now we know we have to use -a3 flag. Good. Let's find, what we have to do to crack sha256 hashed file..

 -m, --hash-type 

Great, -m parameter for hash-type. Our hash-type is SHA256. Let's read more...

 1400 | SHA-256              | Raw Hash

Now, let's contruct a command to brute-force our sha256 hashed password:

$  sudo ./hashcat -m 1400 -a 3 pass.hash 

and result?

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-256
Hash.Target......: 6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d239259...118090
Time.Started.....: Wed May  6 21:40:58 2020 (0 secs)
Time.Estimated...: Wed May  6 21:40:58 2020 (0 secs)
Guess.Mask.......: ?1?2?2?2?2?2 [6]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined 
Guess.Queue......: 6/15 (40.00%)
Speed.#1.........:  1053.0 MH/s (9.61ms) @ Accel:4 Loops:256 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 20971520/3748902912 (0.56%)
Rejected.........: 0/20971520 (0.00%)
Restore.Point....: 0/1679616 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:256-512 Iteration:0-256
Candidates.#1....: lunier -> hshc56
Hardware.Mon.#1..: Temp: 57c Util: 95% Core:1657MHz Mem:3802MHz Bus:16

Started: Wed May  6 21:40:54 2020
Stopped: Wed May  6 21:40:59 2020


Password was cracked in 5 seconds and it's abc123.


In our model case password was generated by me and it was .. very simple, as you see. Password like abc123 is crackable within several seconds even hashed with SHA256 algorithm. I think you see clearly on a real example, what it means to have so simple password (very short, only small letters and digits, no capitals, no special symbols).

Next time, think a little bit more about security and passwords you choose.