Add generic support for Iterated-SHA256 hashes #5948

Open
kholia wants to merge 1 commit into openwall:bleeding-jumbo from kholia:cisco-ise-sha256

kholia commented Feb 6, 2026

Tests:

$ ../run/john --format=Iterated-SHA256-OpenCL --test
Device 1: NVIDIA GeForce RTX 3060 Laptop GPU
Benchmarking: Iterated-SHA256-opencl, salted [SHA256 ($s.$p) OpenCL]... LWS=128 GWS=2097152 DONE
Speed for cost 1 (iterations) of 129
Warning: "Many salts" test limited: 16/256
Many salts:	16054K c/s real, 15978K c/s virtual, Dev#1 util: 100%
Only one salt:	13170K c/s real, 13170K c/s virtual, Dev#1 util: 69%

$ OMP_NUM_THREADS=4 ../run/john --format=Iterated-SHA256 --test
Will run 4 OpenMP threads
Benchmarking: Iterated-SHA256, salted [SHA256 ($s.$p) 256/256 AVX2 8x]... (4xOMP) DONE
Speed for cost 1 (iterations) of 129
Warning: "Many salts" test limited: 2/256
Many salts:	673783 c/s real, 169227 c/s virtual
Only one salt:	682000 c/s real, 171686 c/s virtual

It has been a while... ;)

PS: I am trying out Codex CLI to auto-generate the code.

Copilot AI left a comment

Pull request overview

This pull request adds support for cracking Cisco-ISE Hashed Password (SHA256) format to John the Ripper. The implementation follows the established conventions for John the Ripper format plugins and correctly implements the algorithm: SHA256(salt || password) repeated 128 times.

Changes:

  • Added new format plugin cisco_ise_sha256_fmt_plug.c with OpenMP support
  • Implemented the Cisco-ISE SHA256 algorithm with 128 iterations
  • Included test vectors for validation

magnumripper left a comment

Looks good to me. Good to see you Dhiru!

magnumripper commented Feb 6, 2026

For what it's worth I believe adding a generic "iterated-sha256" format trivially modelled after iterated-sha1 would crack these hashes (after adding a tag). That would also give OpenCL support with very little work. We'd have to implement this format's optimization in set_salt(). It may not add a huge performance boost but it would add support for arbitrary length salts while keeping the "single limb" optimizations in iterated-shaXX.

EDIT: There is no sha_final() in set_salt so it doesn't buy us arbitrary length salt. We'd have to limit plaintext length to 23. Or add slightly more logic.

kholia changed the title from "Add support for 'Cisco-ISE Hashed Password (SHA256)'" to "Add generic support for Iterated-SHA256 hashes" on Feb 6, 2026
kholia commented Feb 6, 2026

@magnumripper Neat idea! I have modified the whole PR now to implement your Iterated-SHA256 idea.
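
Added example, not code from this PR or from John the Ripper: the single-block ("single limb") limit raised in the review comments above, worked through in Python together with a reference for the iterated hash. It assumes a 32-byte salt (the length for which SHA-256's one-block limit gives the plaintext length of 23 mentioned above) and assumes the chain is SHA256(salt || password) followed by re-hashing the 32-byte digest; all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 64       # SHA-256 compression block size, bytes
PAD_MIN = 1 + 8  # mandatory 0x80 marker plus 64-bit message length


def blocks_needed(msg_len: int) -> int:
    """Compression-function calls SHA-256 makes for a msg_len-byte message."""
    return (msg_len + PAD_MIN + BLOCK - 1) // BLOCK


def max_single_block_password(salt_len: int) -> int:
    """Longest password for which salt || password plus padding fits one block."""
    return max(BLOCK - PAD_MIN - salt_len, 0)


def iterated_sha256(salt: bytes, password: bytes, iterations: int) -> bytes:
    """Assumed chain: SHA256(salt || password), then re-hash the digest
    until `iterations` SHA-256 calls have been made in total."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def compression_calls(salt_len: int, pw_len: int, iterations: int) -> int:
    """Compression calls per candidate; only the first hash sees the salt."""
    return blocks_needed(salt_len + pw_len) + (iterations - 1) * blocks_needed(32)


def verify(salt: bytes, password: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    return hmac.compare_digest(iterated_sha256(salt, password, iterations), expected)


if __name__ == "__main__":
    salt = bytes(range(32))  # constructed sample salt; 32 bytes is an assumption
    stored = iterated_sha256(salt, b"example-password", 128)
    print("max single-block password:", max_single_block_password(len(salt)))
    print("calls at 23 chars:", compression_calls(32, 23, 128))
    print("calls at 24 chars:", compression_calls(32, 24, 128))
    print("verify:", verify(salt, b"example-password", 128, stored))
```

A password one byte past the limit pushes the first hash into a second block, which is the "slightly more logic" case a single-block kernel has to handle or reject.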
