PBKDF2-HMAC-SHA256

Hash Format Details

john --list=format-all-details --format=PBKDF2-HMAC-SHA256
Example ciphertext                   $pbkdf2-sha256$1000$b1dWS2dab3dKQWhPSUg3cg$UY9j5wlyxtsJqhDKTqua8Q3fMp0ojc2pOnErzr8ntLE
                                     ^             ^    ^                      ^
                                     |             |    |                      |_________HASH
                                     |             |    |_________SALT
                                     |             |
                                     |             |_________ITERATIONS
                                     |
                                     |_________ALGORITHM

The example ciphertext shows the algorithm, iterations, salt, and hash, each separated by a $.

The help output for the PBKDF2-HMAC-* format details is inconsistent from one algorithm to the next, so consult the example ciphertexts when attempting to crack hashes.

  • PBKDF2-HMAC-MD5 and PBKDF2-HMAC-SHA256: all fields separated by $
  • PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA512: a mix of $ and .

Example

These hashes are from a CTF, and there are no security concerns with making them public.

cat hash.txt

$pbkdf2-sha256$216000$3fIfQIweKGJy$xFHY3JKtPDdn/AktNbAwFKMQnBlrXnJyU04GElJKxEo=
$pbkdf2-sha256$216000$hyUSJhGMRWCz$vZzXiysi8upGO/DlQy+w6mRHf4scq8FMnc1pWufS+Ik=
$pbkdf2-sha256$216000$Em73rE2NCRmU$QtK5Tp9+KKoP00/QV4qhF3TWIi8Ca2q5gFCUdjqw8iE=
$pbkdf2-sha256$216000$oFgeDrdOtvBf$ssR/aID947L0jGSXRrPXTGcYX7UkEBqWBzC+Q2Uq+GY=

john --format=PBKDF2-HMAC-SHA256 --wordlist=~/Pentest/WordLists/rockyou.txt --fork=4 hash.txt

With respect to PBKDF2-HMAC-SHA256 and john -- and the very little success I've had with it recognizing the hash formats -- I'd urge you to just use hashcat instead.
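
As an added example (not from the original page or from John the Ripper), the Python below splits a $pbkdf2-sha256$ line into the fields shown in the diagram, flags salt or hash fields written with '+' or '=' (as in the hash.txt lines, unlike the unpadded example ciphertext), and checks a known password against a hash. It assumes the salt and hash fields use passlib-style adapted base64 ('.' in place of '+', no padding); the function names and the constructed password and salt are illustrative.

```python
import base64
import hashlib
import hmac

PREFIX = "$pbkdf2-sha256$"

def ab64_decode(field):
    """Decode adapted base64 (assumed convention): '.' for '+', no '=' padding."""
    s = field.rstrip("=").replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)

def ab64_encode(raw):
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")

def parse(line):
    """Return (iterations, salt, digest, warnings) for one hash line."""
    line = line.strip()
    if not line.startswith(PREFIX):
        raise ValueError("missing $pbkdf2-sha256$ prefix")
    fields = line[len(PREFIX):].split("$")
    if len(fields) != 3 or not fields[0].isdecimal():
        raise ValueError("expected iterations$salt$hash")
    # '+' and '=' do not occur in the unpadded example ciphertext's encoding.
    warnings = [
        f"{name} field uses '+' or '=' (standard base64)"
        for name, value in (("salt", fields[1]), ("hash", fields[2]))
        if "+" in value or "=" in value
    ]
    salt, digest = ab64_decode(fields[1]), ab64_decode(fields[2])
    if len(digest) != hashlib.sha256().digest_size:
        warnings.append(f"hash field decodes to {len(digest)} bytes, not 32")
    return int(fields[0]), salt, digest, warnings

def make_hash(password, salt, iterations):
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"{PREFIX}{iterations}${ab64_encode(salt)}${ab64_encode(digest)}"

def verify(line, password):
    """Recompute PBKDF2-HMAC-SHA256 and compare in constant time."""
    iterations, salt, digest, _ = parse(line)
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    samples = [
        "$pbkdf2-sha256$1000$b1dWS2dab3dKQWhPSUg3cg$UY9j5wlyxtsJqhDKTqua8Q3fMp0ojc2pOnErzr8ntLE",
        "$pbkdf2-sha256$216000$3fIfQIweKGJy$xFHY3JKtPDdn/AktNbAwFKMQnBlrXnJyU04GElJKxEo=",
        make_hash(b"constructed-password", b"constructed-salt", 1000),  # constructed sample
    ]
    for s in samples:
        iterations, salt, digest, warnings = parse(s)
        print(iterations, len(salt), len(digest), warnings or "ok")
```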