How can I crack a werkzeug generate_password_hash() hash with hascat?

Question

I created a SHA256 hash of the password 123456 with this.

from werkzeug.security import generate_password_hash
print(generate_password_hash('123456', "sha256"))

And the output is:

sha256$xq5IdqcV$226e9165e4d2c014939ac591b27418d0e9a668b774a64a3e89b41caab0bee724

I tried searching for the mode to use to crack within hashcat. But I wasn't able to find it. Every mode I tried, gave me a token length exception or Separator unmatched. I thought maybe the format of the hash that should be specified is different.

My final goal is to find the correct mode to crack this hash with hashcat; or any other tool to crack these types of hashes(hashes generated with werkzeug generate_password_hash() function)

Answer 1

First off: SHA256 cannot be "cracked" as in "hacked", by a shortcut or anything, but you can bruteforce SHA256 Hashes.

That means you just try out as many passwords as possible, and look if it matches with the target hash.

To your question: You can crack SHA256 with hashcat in numerous ways, most of the time you want to use a wordlist, a list of passwords it should search through. You can download a lot of them online.

You have to craft your command by following the docs.

hashcat -m 1710 -a 0 {yourHash} {yourList}

-m stands for Mode, 1710 is SHA256

-a Is the attack mode, you can see the different attack modes in the docs above, 0 is Straight

YourHash and Your(Password)List should be self explanatory.