How to decrypt django hashed sha256 password?

Question

How to decrypt django hashed sha256 password?

I have a encrypted password:

pbkdf2_sha256$12000$laEnG5drNrAt$mFMVBvQh8YF+vriNXbe/Nb8eYEySWwPT5+oSaMPvUiA=

Its equivalent to "admin".

Now I need to decrypt the password. Means I wanted "admin" as output.

Is this possible?

Answer 1

Yes it is possible using hashcat and it takes just a few seconds. Steps after hashcat installation.

1. Add the hash to a file named hash.txt

2. Download the wordlist rockyout.txt which is really big and good for extensive password cracking. This list contains admin.

3. Run .\hashcat.exe -m 10000 hash.txt .\rockyou.txt

4. Run .\hashcat.exe -m 10000 --show -o crack.txt hash.txt

5. Run type crack.txt

Output: pbkdf2_sha256$12000$laEnG5drNrAt$mFMVBvQh8YF+vriNXbe/Nb8eYEySWwPT5+oSaMPvUiA=:admin

DISCLAIMER: use only for educative purposes

Answer 2

How to decrypt django hashed sha256 password?

• SHA256 is not an encryption function, it cannot be decrypted

Is this possible?

• NO

Here is a post you should read.

First, there is a difference between hashing and encryption. SHA256 is a hashing function, not an encryption function.

Secondly, since SHA256 is not an encryption function, it cannot be decrypted. What you mean is probably reversing it. In that case, SHA256 cannot be reversed because it's a one-way function. Reversing it would cause a preimage attack, which defeats its design goal.

Thirdly, SHA256 verification works by computing it again and comparing the result with the result at hand. If both results match, then the verification is successful. The theoretical background is that it's difficult to find another input which gives the same hash result. Violation of this creates a second-preimage attack, which defeats its design goal.

Finally, digital signatures are not simply hash and key combinations. But a hash function may improve its security.