0

I recently got into trying to learn about cryptography and found out about SHA-2 (SHA-256 in particular) and am unable to find an actual algorithm that goes through the hashing steps in particular. If someone has a working algorithm for JavaScript to put a string through SHA-256 hashing that would be helpful.

I know it may not be possible, but I am attempting to learn how SHA-256 hashes strings in order to attempt to try to reverse SHA-256.

NOTE: I realize that this is the most common form of security hashing and in no way am I attempting to do harmful acts with this knowledge (if I succeed).

Edit1: If possible, I'd like the SHA-256 algorithm to fit within a single .js file. I am implementing the SHA-256 into a Tampermonkey script for myself, and want to also try to learn to reverse it.

Eric Oleen
  • 9
  • 1
  • 5
  • 5
    Here's how you reverse SHA: you don't. People who spend their careers on this kind of stuff can't break it, so chances are you're setting yourself up for disappointment. Also: if you do break those things, you'll get accolades for that, not chastisement. – G. Bach Mar 30 '16 at 23:39
  • 1
    It's impossible for you to reverse the hash; hash cracking is instead focused of 1. finding the hash algorithm 2. brute-forcing hashing probable passwords and attempting to match the resulting hash with some hash that you intend to "crack". There's no harm in roughly learning"the hows", I suggest reading [this excellent Ars Technica](http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/) article on the subject; at the very least it might make you look over your password strengths :0) – dfrib Mar 30 '16 at 23:39
  • @G.Bach Yea, I realize that it's probably not gonna happen, but it's a fun little side project to try. I didn't realize that it would be a good thing because as to what I've found, the government currently uses things such as SHA-256 so I figured it would be bad. – Eric Oleen Mar 31 '16 at 00:06
  • It's nice to have goals, but maybe start a little smaller? SHA-1 was somewhat recently partially broken; maybe see if you can follow the process used there? (Note - the "256" in SHA-256 is not the same as the "1" in SHA-1. 256 refers to the size, 1 to the generation; I believe SHA-256 is a member of the SHA-2 generation of algorithms.) – Edward Peters Mar 31 '16 at 00:28
  • see [Are there any SHA-256 javascript implementations that are generally considered trustworthy?](http://stackoverflow.com/q/18338890/2521214) – Spektre Mar 31 '16 at 10:51
  • @dfri you should convert your comment into answer. – Spektre Mar 31 '16 at 10:53

3 Answers3

4

Here is an implementation of SHA-256 in JS. Let me know when you crack it.

Sha-256 is a one way hashing function meaning that it uses your input as a seed and returns an output of fixed length (in this case 256 bits). The algorithm is deterministic and seemingly random. This means that for any given input it will return the same output but when put up against statistical testing there is no correlation between the input and output.

Thus, there is no way to reverse a sha256 hash without using a brute force method of hashing random inputs. With current computing power this is not really a feasible option.

joemillervi
  • 1,009
  • 1
  • 8
  • 18
  • 2
    Consider expanding this answer, e.g. explaining for the OP why he'll never reverse-engineer a hash, or include a simple overview of why cracking a hash is a trial and error brute-force testing rather than approaching the hash algorithm itself. In it's current form (taking into account the risk of broken links in the future), [this answer says nothing on its own](http://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers), and would be more suitable as a comment. – dfrib Mar 31 '16 at 00:00
  • 1
    @dfri i do realize that it's either 1) impossible or 2) highly improbably to reverse-engineering a hash, especially one such as SHA-256. In my own research, I found this post. If anyone else ever sees this post of mine, here is a good reference as to why hashes are one-way. http://security.stackexchange.com/questions/11717/why-are-hash-functions-one-way-if-i-know-the-algorithm-why-cant-i-calculate-t – Eric Oleen Mar 31 '16 at 00:04
1

(Prompted by @Spectre, I'll post my initial comment as well as as additional relevant information (provided my @Spectre as well as the OP himself) as an answer)

Reversing the actual SHA-256 algorithm: not feasible, and not the way to go around when attempting to crack a given hashed password

It's (near) impossible for you to reverse the hash; hash cracking is instead focused of

  1. finding the hash algorithm, including salts,
  2. followed by the brute-force method of hashing probable passwords and attempting to match the resulting hashes with some hash that you intend to "crack".

If we'll, for the discussion, assume all hash algorithms as non-reversable, and instantly identifiable, the the strength of the hash will roughly depend of the complexity of the hashing algorithm; in the sense that re-hashing (as performed when attempting dictionary attacks etc) with a more sophisticated hash method such as SHA-256 will be orders of time slower than when re-hashing is performed using a naive non-salted hashing algorithm, say non-salted MD5.

There's no harm in roughly learning "the hows", and I suggest reading this excellent Ars Technica article on the subject:

As well as this excellent security.SE Q&A

Additional references

Collecting relevant additional information from the comments to your question (as these might not persist the tide of time):

  1. As @Specte points out, a relevant thread worth visting is:

  2. Regarding the subject of why reversing hash algorithms is infeasible, you've pointed to a relevant security.SE thread yourself:

Community
  • 1
  • 1
dfrib
  • 70,367
  • 12
  • 127
  • 192
  • Thanks for expanding your original comment. This made a lot more sense than a small comment. What I decided to try to do, and what seems like the more feasible option is to notice any patterns directly within to help eliminate possibilities of the brute-force method. But I think I get now why reversing it is more of an "impossible" task than I may have realized. I'll just try to find a more simplified method that is slightly faster than straight brute-force (eliminating some options). – Eric Oleen Apr 01 '16 at 18:03
  • @EricOleen Happy to help. I think the ARS Techicha article is a good place to start, is it explains that "cracking refinement" is by no means algorithmic refinement, but rather clever use of rules, filters and dictionaries that take precedence in the brute-force hashing, prior to attempting the full set of permutations for a given set of different characters/numbers at a given length (feasible---w.r.t. execution time---for a standard GPU only up to a length of 6, possibly 7, i.e., very limited as compared to clever dictionary hash attacks). – dfrib Apr 01 '16 at 18:10
-1

I recently use crypto-js/sha256. You can install it using nodejs by this command: 

npm install --save crypto-js
dmigo
  • 2,849
  • 4
  • 41
  • 62
user12231721
  • 1