Skip to content

Add generic support for Iterated-SHA256 hashes #5948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kholia wants to merge 1 commit into
base: bleeding-jumbo
Choose a base branch
from
Open

Add generic support for Iterated-SHA256 hashes #5948

kholia wants to merge 1 commit into from
+1,926 −0

Conversation

@kholia
Copy link
Member

@kholia kholia commented Feb 6, 2026
edited
Loading

Tests:

$ ../run/john --format=Iterated-SHA256-OpenCL --test
Device 1: NVIDIA GeForce RTX 3060 Laptop GPU
Benchmarking: Iterated-SHA256-opencl, salted [SHA256 ($s.$p) OpenCL]... LWS=128 GWS=2097152 DONE
Speed for cost 1 (iterations) of 129
Warning: "Many salts" test limited: 16/256
Many salts:	16054K c/s real, 15978K c/s virtual, Dev#1 util: 100%
Only one salt:	13170K c/s real, 13170K c/s virtual, Dev#1 util: 69%

$ OMP_NUM_THREADS=4 ../run/john --format=Iterated-SHA256 --test
Will run 4 OpenMP threads
Benchmarking: Iterated-SHA256, salted [SHA256 ($s.$p) 256/256 AVX2 8x]... (4xOMP) DONE
Speed for cost 1 (iterations) of 129
Warning: "Many salts" test limited: 2/256
Many salts:	673783 c/s real, 169227 c/s virtual
Only one salt:	682000 c/s real, 171686 c/s virtual

It has been a while... ;)

PS: I am trying out Codex CLI to auto-generate the code.

@kholia kholia requested a review from Copilot February 6, 2026 06:15
@kholia kholia self-assigned this Feb 6, 2026
Copilot AI reviewed Feb 6, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds support for cracking Cisco-ISE Hashed Password (SHA256) format to John the Ripper. The implementation follows the established conventions for John the Ripper format plugins and correctly implements the algorithm: SHA256(salt || password) repeated 128 times.

Changes:

  • Added new format plugin cisco_ise_sha256_fmt_plug.c with OpenMP support
  • Implemented the Cisco-ISE SHA256 algorithm with 128 iterations
  • Included test vectors for validation

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

magnumripper
magnumripper approved these changes Feb 6, 2026
View reviewed changes
Copy link
Member

@magnumripper magnumripper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Good to see you Dhiru!

@magnumripper
Copy link
Member

magnumripper commented Feb 6, 2026
edited
Loading

For what it's worth I believe adding a generic "iterated-sha256" format trivially modelled after iterated-sha1 would crack these hashes (after adding a tag). That would also give OpenCL support with very little work. We'd have to implement this format's optimization in set_salt(). It may not add a huge performance boost but it would add support for arbitrary length salts while keeping the "single limb" optimizations in iterated-shaXX.

EDIT: There is no sha_final() in set_salt so it doesn't buy as arbitrary length salt. We'd have to limit plaintext length to 23. Or add slightly more logic.

@kholia kholia changed the title Add support for 'Cisco-ISE Hashed Password (SHA256)' Add generic support for Iterated-SHA256 hashes Feb 6, 2026
@kholia
Copy link
Member Author

kholia commented Feb 6, 2026

@magnumripper Neat idea! I have modified the whole PR now to implement your Iterated-SHA256 idea.

@magnumripper
Copy link
Member

magnumripper commented Feb 9, 2026

Cool, I'll review it as soon as I can

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@magnumripper magnumripper magnumripper approved these changes

Assignees

@kholia kholia

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kholia @magnumripper