Has anyone successfully dehashed a bcrypt hash?
by cooluser3 - July 14, 2020 at 05:00 PM
#13
Didn't know bcrypt is so strong... I'll go change the hashing algo on my website
#14
Yeah.. as others have said, bcrypt is a really strong hash, probably the one I would recommend most people use for their site.

It's a memory-heavy hash function, so GPUs are not fast against it.

If you have a dump that is all bcrypt, then you're only going to be able to crack the easy passwords, password123 etc.

However, if you have one or two hashes that you are really interested in cracking, then it can be possible to crack much stronger passwords. The technique is much different than cracking NTLM or other weak hashes though. You really have to optimize your password candidates, you can't just throw raw computing power at the hash, you have to optimize your attacks.

Here are a few tricks you can try:

1. Look up the person's email in other breaches and get those passwords. Then use a rule list like best64 or whatever to "mangle" those passwords, and try those. This will crack it if the target used a variation of one of their other passwords.
2. Use highly optimized wordlists. Take into account their country and interests. If they're interested in soccer, perhaps take some plains from a soccer website dump.
3. Look at the other cracked passwords in the dump and see if you can spot any patterns. Often you can see people choosing similar passwords, such as including the site name in the password etc.
4. Be sure to check out the password requirements of the site before cracking. If the site requires passwords with a minimum of 6 characters, then you know there is no need to try passwords less than 6 characters long.

Most of these things are good tips for cracking any hash, but things like this are incredibly important when attacking bcrypt. It's about creating a small highly optimized list of candidate passwords.

Last tip would be that because GPUs are not significantly faster than CPUs, you can "save" yourself some money by using many CPUs instead of GPUs. Depending on the hash's work factor, and CPU/GPU involved, it may be significantly cheaper to use CPUs.
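
For the site-owner side of the work factor mentioned above, an added example (not part of the original posts): it reads the cost out of stored bcrypt strings and flags accounts whose hash should be upgraded. The sample rows are constructed, and the floor of 12 is an assumed policy value.

```python
import re

# Modular-crypt layout: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}")
MIN_COST = 12  # assumed policy floor for this example; tune to your own hardware

def parse_bcrypt(stored):
    """Return (variant, cost) for a well-formed bcrypt string, else None."""
    m = BCRYPT_RE.fullmatch(stored.strip())
    if m is None:
        return None
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # bcrypt only accepts costs 4..31
        return None
    return m.group(1), cost

def audit(rows, min_cost=MIN_COST):
    """Sort users into ok / rehash (cost below floor) / not_bcrypt."""
    report = {"ok": [], "rehash": [], "not_bcrypt": []}
    for user, stored in rows:
        parsed = parse_bcrypt(stored)
        if parsed is None:
            report["not_bcrypt"].append(user)
        elif parsed[1] < min_cost:
            report["rehash"].append(user)
        else:
            report["ok"].append(user)
    return report

def relative_work(cost, baseline=MIN_COST):
    """Key setup runs 2**cost rounds, so each +1 doubles the cost per guess."""
    return 2.0 ** (cost - baseline)

# Constructed rows: filler salt/digest characters, not real password hashes.
FILLER = "A" * 22 + "b" * 31
SAMPLE_ROWS = [
    ("alice", "$2b$12$" + FILLER),   # meets the floor
    ("bob",   "$2a$08$" + FILLER),   # valid bcrypt, cost too low
    ("carol", "$2y$14$" + FILLER),   # above the floor
    ("dave",  "0" * 32),             # 32 hex chars: legacy unsalted digest
    ("erin",  "$2b$03$" + FILLER),   # cost outside 4..31: malformed
]

if __name__ == "__main__":
    for bucket, users in audit(SAMPLE_ROWS).items():
        print(bucket, users)
    print("cost 8 vs 12:", relative_work(8), "x work per guess")
```

Accounts in the rehash bucket can only be upgraded when the user next logs in, since the plaintext is needed to compute the new hash.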
#15
I guess bcrypt is one of the stronger algorithms as thekilob said above.. take leetdude's advice and give it a try!
#16
... I don't even know where to begin honestly. Just take this and go

./hashcat -a 0 -m 3200 hash.txt wordlist.txt -w 4 -O
#17
Wait for a few years, it will become obsolete like md5
