Technically speaking SHA256 password hashes are not cracked or decrypted . They are matched using a list of possible passwords, it is more akin to reversing than breaking. A list of possible passwords (dictionary) is computed to generate a list of SHA256 hashes and the one that matches the target hash corresponds with the now known password.
Passwords stored as an SHA256 Hash are usually represented as a 40 character hexadecimal number. The power of modern computers (particularly GPU based) makes SHA256 a password storage function that is not secure.
Using bash on any Linux command line you can get the SHA256 hash of a string simply by echoing the string to the sha256sum utility. Using echo -n ensures the line break is not included in the hash generation.
[email protected]:~$ echo -n password | sha256sum -
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 -
In this example we use bash and the sha256sum utility to generate an SHA256 hash of a file. It is interesting to note that a simple text file with the "password" string matches the hash of the string password. As long as there is no line breaks in the file the hash will match. Of course getting the SHA256 sum of a file is often used to confirm a files integrity - that two files from different locations or that have been downloaded match. The hash function can be performed against any file type not only simple text.
[email protected]:~$ echo -n password > test.txt
[email protected]:~$ sha256sum test.txt
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 test.txt
Using python from the command line we can generate the SHA256 hash of a string using the hashlib library. Note the use of this library in Python 3.x requires that the string be in byte string format (encoded).
[email protected]:~$ python3
Python 3.8.10 (default, Sep 28 2021, 16:10:42)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> output = hashlib.SHA256(b'password')
>>> print(output)
<SHA256 HASH object @ 0x7ff7a3557f10>
>>> print(output.hexdigest())
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Since Windows 2003 there is tool that can be used to calculate SHA256 hashes of a file. The CertUtil is able to perform this function as shown below. Note that files generated under Windows will be encoded differently to those generated under Linux or OSX.
C:\Users\vagrant\> CertUtil -hashfile test.txt SHA256
SHA256 hash of test.txt
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
file command on the Windows generated file. If the result is test.txt: Little-endian UTF-16 Unicode text, with no line terminators then this will account for the difference. You could also run hexdump on the two different files to see the differences in the raw bytes of the files.Using Powershell we can also generate an SHA256 using the Get-File-Hash cmdlet. Note that even plain text files generated under Windows may be encoded differently to those generated under Linux or OSX. See note above.
PS C:\Users\vagrant> Get-FileHash -Algorithm SHA256 linux.txt
Algorithm Hash Path
--------- ---- ----
SHA256 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 C:\Users\vagrant\test.txt
A simple SHA256 function within PHP allows the hash to be generated in this example. The string being hashed could also of course be a variable or a binary blob.
[email protected]:~$ echo "<?php print(SHA256('password')) ?>" > test.php
[email protected]:~$ php test.php
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
First developed in 1993 the SHA256 algorithm, as far back as 2005 the it was considered insecure against "well funded attackers". The increase in computing power has allowed brute calculations of SHA256 into the billions per second with common consumer hardware.
The algorithm to generate the hash is based on similar principles to MD5 but generates a larger hash value (160 bits vs. 128 bits).
If you are interested in the background and history of SHA256 there is a comprehensive wikipedia article.