Keep in mind there are a lot of programs that will crack hashes; John the Ripper and oclHashcat are great tools. But if you run into a system that uses a hashing algorithm not included with those programs and you have to write your own brute-forcing tool, this example will give you some idea of where to start.
Oh yeah, almost forgot: you can compile it this way. You'll need OpenSSL and another package I can't remember right off the top of my head, so run apt-cache search openssl and you'll probably find it.
g++ -o simple /home/steve/Desktop/craigsforce/brutesimple/main.cpp -lssl -lcrypto
Let's have a look at the code:
//simple brute force program C++ and OpenSSL
#include <string>
#include <sstream>
#include <iostream>
#include <cctype>
#include <fstream>
#include <iomanip>
//include our openssl header
#include "/usr/include/openssl/sha.h"
using namespace std;
// Loop counters, one per character position of the 7-character candidate.
// They live at namespace scope, so each starts at zero; main() drives them.
int a, b, c, d, e, f, g;

// Candidate alphabet: the ten digits followed by the 26 lowercase letters.
// Each entry is a one-character string so entries can be appended directly.
std::string alphanum[] = {
    "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
    "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m",
    "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"
};
//begin openssl function
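/// Returns the SHA-256 digest of `str` as 64 lowercase hexadecimal characters.
///
/// Uses the one-shot SHA256() from <openssl/sha.h> instead of the
/// SHA256_Init/SHA256_Update/SHA256_Final trio, which is deprecated as of
/// OpenSSL 3.0 and whose return values the earlier code ignored. The argument
/// is taken by const reference so the caller's string is not copied per call.
///
/// @param str  bytes to hash; the length comes from size(), so embedded NUL
///             bytes are hashed too.
/// @return the hex digest, or an empty string if SHA256() returns a null
///         pointer.
std::string sha256(const std::string& str)
{
    unsigned char hash[SHA256_DIGEST_LENGTH];
    const unsigned char* input = reinterpret_cast<const unsigned char*>(str.data());
    if (SHA256(input, str.size(), hash) == nullptr) {
        return std::string();
    }

    // Table lookup yields the same two lowercase hex digits per byte that
    // hex/setw(2)/setfill('0') produced, without building a stream per call.
    static const char kHexDigits[] = "0123456789abcdef";
    std::string digest_hex;
    digest_hex.reserve(2 * SHA256_DIGEST_LENGTH);
    for (int i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
        digest_hex += kHexDigits[hash[i] >> 4];
        digest_hex += kHexDigits[hash[i] & 0x0F];
    }
    return digest_hex;
}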
//end openssl function
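/// Walks every 7-character string over `alphanum` (0-9, a-z) and reports the
/// one whose SHA-256 hex digest equals the digest passed as argv[1].
///
/// Usage: simple <sha256-hex-digest>
///
/// Each candidate and its digest is echoed to stdout. The search is only
/// practical because the target is a single unsalted, fast hash; a salted,
/// deliberately slow password hash is far more expensive to search this way.
///
/// @return 0 when the search finishes (match found or keyspace exhausted),
///         1 when the argument is missing or is not a 64-digit hex string.
int main(int argc, char* argv[])
{
    // argv[1] is a null pointer when no argument is given, and constructing a
    // std::string from a null pointer is undefined behaviour.
    if (argc < 2 || argv[1] == nullptr) {
        std::cerr << "usage: " << ((argc > 0 && argv[0] != nullptr) ? argv[0] : "simple")
                  << " <sha256-hex-digest>\n";
        return 1;
    }
    std::string crackhash = argv[1];

    // SHA-256 is 32 bytes, i.e. 64 hex digits. Reject anything else up front
    // rather than scanning the whole keyspace for a value that cannot match.
    const std::string::size_type kHexDigestLen = 64;
    if (crackhash.size() != kHexDigestLen) {
        std::cerr << "error: expected a " << kHexDigestLen << "-character hex digest\n";
        return 1;
    }
    for (char& ch : crackhash) {
        const unsigned char uch = static_cast<unsigned char>(ch);
        if (!std::isxdigit(uch)) {
            std::cerr << "error: digest contains a non-hexadecimal character\n";
            return 1;
        }
        // sha256() emits lowercase hex, so an uppercase target would never
        // compare equal unless it is folded to lowercase first.
        ch = static_cast<char>(std::tolower(uch));
    }

    // Derive the loop bound from the table instead of hard-coding 35.
    const int kAlphabetSize = static_cast<int>(sizeof(alphanum) / sizeof(alphanum[0]));

    for (a = 0; a < kAlphabetSize; a++) {
    for (b = 0; b < kAlphabetSize; b++) {
    for (c = 0; c < kAlphabetSize; c++) {
    for (d = 0; d < kAlphabetSize; d++) {
    for (e = 0; e < kAlphabetSize; e++) {
    for (f = 0; f < kAlphabetSize; f++) {
    for (g = 0; g < kAlphabetSize; g++) {
        // Concatenate the seven selected characters into the candidate.
        std::string s;
        s.reserve(7);
        s += alphanum[a];
        s += alphanum[b];
        s += alphanum[c];
        s += alphanum[d];
        s += alphanum[e];
        s += alphanum[f];
        s += alphanum[g];

        // Hash once and reuse the digest for both the echo and the comparison.
        const std::string passhash = sha256(s);

        // '\n' rather than std::endl avoids flushing stdout on every line.
        std::cout << "password " << s << " hash " << passhash << '\n';

        if (passhash == crackhash) {
            std::cout << "\n\n\n\n\n\n\n\n\n" << "password found\n"
                      << s << "\n" << passhash << "\n\n\n\n";
            return 0;
        }
    }
    }
    }
    }
    }
    }
    }

    // Keyspace exhausted; exit status stays 0 as in the earlier listing.
    std::cerr << "no 7-character [0-9a-z] candidate matched the digest\n";
    return 0;
}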