gquere · August 14, 2019 13:44
diff --git a/bla.java b/bla.java
 /**
 * shiro1 cracking snippet
 * So apparently hashcat and JtR don't support these kind of specific hashes
 * with salt and iterations so I needed to code my own.
 * It has shit performance, code is probably retarded; I don't do java so I just
 * hacked this to verify a hash I dumped from Sonatype Nexus wasn't in a basic dictionnary.
 * And if you're here you likely can't afford to be picky...
 * Based on this snippet: https://gist.github.com/mdeggies/cdfd22a9cf28b4e909489b877681a209
 *
 * Usage:
 *  javac -classpath /usr/share/java/shiro-core.jar bla.java
 *  java -classpath /usr/share/java/shiro-core.jar:: bla --arg rockyou.txt
 */
 import org.apache.shiro.crypto.hash.Sha512Hash;
 import java.util.Base64;
 import java.util.stream.*;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.nio.charset.StandardCharsets;

 public class bla {

    static byte[] salt;
    static int iteration_count;
    static String b64_hash;

    private static boolean hash(String plaintext_password) {
        try {
            String hash = new Sha512Hash(plaintext_password, salt, iteration_count).toBase64();;

            if (hash.equals(b64_hash)) {
                System.out.println("Found match:");
                System.out.println(plaintext_password);
                return true;
            }
        } catch (Exception e) {
            System.out.println(e);
        }
        return false;
    }   

    public static void main(String[] args) {
        String mcf_string = "$shiro1$SHA-512$500000$ctYP52a2Sp2yIjzzlJAuPg==$ctZ4gQtNd7bKI0SWtktRAiP4Xzgk66sabg3pj0pQBmKZmgG7KAXZqAhBJJ3cCTqenfqi4LTgeZnh4waL6oMH+w=="; //test value = "Jenydoby6!"

        String[] mcf = mcf_string.split("\\$");
        iteration_count = Integer.parseInt(mcf[3]);
        String b64_salt = mcf[4];
        b64_hash = mcf[5];
        salt = Base64.getDecoder().decode(b64_salt.getBytes());

        try {
            Stream<String> lines = Files.lines(Paths.get(args[1]), StandardCharsets.ISO_8859_1);
            lines.parallel().filter(bla::hash).count();
        } catch (Exception e) {
            System.out.println(e);
        }
    }   
 }
	/**
	* shiro1 cracking snippet
	* So apparently hashcat and JtR don't support these kind of specific hashes
	* with salt and iterations so I needed to code my own.
	* It has shit performance, code is probably retarded; I don't do java so I just
	* hacked this to verify a hash I dumped from Sonatype Nexus wasn't in a basic dictionnary.
	* And if you're here you likely can't afford to be picky...
	* Based on this snippet: https://gist.github.com/mdeggies/cdfd22a9cf28b4e909489b877681a209
	*
	* Usage:
	* javac -classpath /usr/share/java/shiro-core.jar bla.java
	* java -classpath /usr/share/java/shiro-core.jar:: bla --arg rockyou.txt
	*/
	import org.apache.shiro.crypto.hash.Sha512Hash;
	import java.util.Base64;
	import java.util.stream.*;
	import java.io.IOException;
	import java.nio.file.Files;
	import java.nio.file.Paths;
	import java.nio.charset.StandardCharsets;

	public class bla {

	static byte[] salt;
	static int iteration_count;
	static String b64_hash;

	private static boolean hash(String plaintext_password) {
	try {
	String hash = new Sha512Hash(plaintext_password, salt, iteration_count).toBase64();;

	if (hash.equals(b64_hash)) {
	System.out.println("Found match:");
	System.out.println(plaintext_password);
	return true;
	}
	} catch (Exception e) {
	System.out.println(e);
	}
	return false;
	}

	public static void main(String[] args) {
	String mcf_string = "$shiro1$SHA-512$500000$ctYP52a2Sp2yIjzzlJAuPg==$ctZ4gQtNd7bKI0SWtktRAiP4Xzgk66sabg3pj0pQBmKZmgG7KAXZqAhBJJ3cCTqenfqi4LTgeZnh4waL6oMH+w=="; //test value = "Jenydoby6!"

	String[] mcf = mcf_string.split("\\$");
	iteration_count = Integer.parseInt(mcf[3]);
	String b64_salt = mcf[4];
	b64_hash = mcf[5];
	salt = Base64.getDecoder().decode(b64_salt.getBytes());

	try {
	Stream<String> lines = Files.lines(Paths.get(args[1]), StandardCharsets.ISO_8859_1);
	lines.parallel().filter(bla::hash).count();
	} catch (Exception e) {
	System.out.println(e);
	}
	}
	}