Add support for 'Cisco-ISE Hashed Password (SHA256)'

kholia · kholia · commit 80a3952a85c8 · 2026-02-06T11:42:09.000+05:30
diff --git a/src/cisco_ise_sha256_fmt_plug.c b/src/cisco_ise_sha256_fmt_plug.c
@@ -0,0 +1,254 @@
+/*
+ * Cisco-ISE Hashed Password (SHA256)
+ *
+ * This software is Copyright (c) 2026 Dhiru Kholia and it is hereby released
+ * to the general public under the following terms:
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * Algorithm:
+ *   digest = SHA256(salt || password)
+ *   repeat 128 times: digest = SHA256(digest)
+ *
+ * Hash format: 128 hex chars, where first 64 hex is digest and last 64 hex is salt.
+ */
+
+#if FMT_EXTERNS_H
+extern struct fmt_main fmt_cisco_ise_sha256;
+#elif FMT_REGISTERS_H
+john_register_one(&fmt_cisco_ise_sha256);
+#else
+
+#include <string.h>
+
+#ifdef _OPENMP
+#include <omp.h>
+#endif
+
+#define OMP_SCALE               256
+
+#include "common.h"
+#include "formats.h"
+#include "misc.h"
+#include "sha2.h"
+
+#define FORMAT_LABEL            "Cisco-ISE-SHA256"
+#define FORMAT_NAME             "Cisco ISE"
+#define ALGORITHM_NAME          "SHA256 32/" ARCH_BITS_STR
+#define BENCHMARK_COMMENT       ""
+#define BENCHMARK_LENGTH        7
+#define PLAINTEXT_LENGTH        MAX_PLAINTEXT_LENGTH
+#define CIPHERTEXT_LENGTH       128
+#define BINARY_SIZE             32
+#define BINARY_ALIGN            4
+#define SALT_SIZE               32
+#define SALT_ALIGN              4
+#define MIN_KEYS_PER_CRYPT      1
+#define MAX_KEYS_PER_CRYPT      16
+
+#define ISE_ITERATIONS          128
+
+static struct fmt_tests tests[] = {
+	{"465865d4226c4d9696e601f2c99b25ae2c194ec01806bafc93933331acfc1a60e8bdcca8be9fa245a5fa16029bb52480915746f47d1c539d01da7ec6f37468d1", "hashcat"},
+	{"a6c9702dae629b71383eb2819f00464985c2188db7ff83a9cb5137eb6ee975d500112233445566778899aabbccddeeff00112233445566778899aabbccddeeff", "OpenAI2026!"}, // Synthetic test vector
+	{NULL}
+};
+
+static SHA256_CTX ctx_salt;
+
+static char (*saved_key)[PLAINTEXT_LENGTH + 1];
+static int (*saved_len);
+static uint32_t (*crypt_out)[BINARY_SIZE / sizeof(uint32_t)];
+
+static void init(struct fmt_main *self)
+{
+	omp_autotune(self, OMP_SCALE);
+
+	saved_key = mem_calloc(self->params.max_keys_per_crypt,
+	                       sizeof(*saved_key));
+	saved_len = mem_calloc(self->params.max_keys_per_crypt,
+	                       sizeof(*saved_len));
+	crypt_out = mem_calloc(self->params.max_keys_per_crypt,
+	                        sizeof(*crypt_out));
+}
+
+static void done(void)
+{
+	MEM_FREE(crypt_out);
+	MEM_FREE(saved_len);
+	MEM_FREE(saved_key);
+}
+
+static int valid(char *ciphertext, struct fmt_main *self)
+{
+	if (strlen(ciphertext) != CIPHERTEXT_LENGTH)
+		return 0;
+	if (!ishex(ciphertext))
+		return 0;
+	return 1;
+}
+
+static void *get_salt(char *ciphertext)
+{
+	static union {
+		unsigned char b[SALT_SIZE];
+		uint32_t dummy;
+	} out;
+	const char *p = ciphertext + (CIPHERTEXT_LENGTH - (SALT_SIZE * 2));
+	int i;
+
+	for (i = 0; i < SALT_SIZE; i++) {
+		out.b[i] = (atoi16[ARCH_INDEX(p[0])] << 4) | atoi16[ARCH_INDEX(p[1])];
+		p += 2;
+	}
+
+	return out.b;
+}
+
+static void set_salt(void *salt)
+{
+	SHA256_Init(&ctx_salt);
+	SHA256_Update(&ctx_salt, salt, SALT_SIZE);
+}
+
+static void set_key(char *key, int index)
+{
+	saved_len[index] = strnzcpyn(saved_key[index], key, sizeof(*saved_key));
+}
+
+static char *get_key(int index)
+{
+	return saved_key[index];
+}
+
+static void *get_binary(char *ciphertext)
+{
+	static union {
+		unsigned char b[BINARY_SIZE];
+		uint32_t dummy;
+	} out;
+	const char *p = ciphertext;
+	int i;
+
+	for (i = 0; i < BINARY_SIZE; i++) {
+		out.b[i] = (atoi16[ARCH_INDEX(p[0])] << 4) | atoi16[ARCH_INDEX(p[1])];
+		p += 2;
+	}
+
+	return out.b;
+}
+
+static int cmp_all(void *binary, int count)
+{
+	uint32_t b0 = *(uint32_t *)binary;
+	int i;
+
+	for (i = 0; i < count; i++) {
+		if (b0 != crypt_out[i][0])
+			continue;
+		if (!memcmp(binary, crypt_out[i], BINARY_SIZE))
+			return 1;
+	}
+	return 0;
+}
+
+static int cmp_one(void *binary, int index)
+{
+	return !memcmp(binary, crypt_out[index], BINARY_SIZE);
+}
+
+static int cmp_exact(char *source, int index)
+{
+	return 1;
+}
+
+static int crypt_all(int *pcount, struct db_salt *salt)
+{
+	int count = *pcount;
+	int i;
+
+#ifdef _OPENMP
+#pragma omp parallel for default(none) private(i) shared(count, saved_key, saved_len, crypt_out, ctx_salt)
+#endif
+	for (i = 0; i < count; i++) {
+		SHA256_CTX ctx;
+		unsigned char digest[BINARY_SIZE];
+		int r;
+
+		memcpy(&ctx, &ctx_salt, sizeof(ctx));
+		SHA256_Update(&ctx, saved_key[i], saved_len[i]);
+		SHA256_Final(digest, &ctx);
+
+		for (r = 0; r < ISE_ITERATIONS; r++) {
+			SHA256_Init(&ctx);
+			SHA256_Update(&ctx, digest, BINARY_SIZE);
+			SHA256_Final(digest, &ctx);
+		}
+
+		memcpy(crypt_out[i], digest, BINARY_SIZE);
+	}
+
+	return count;
+}
+
+#define COMMON_GET_HASH_VAR crypt_out
+#include "common-get-hash.h"
+
+struct fmt_main fmt_cisco_ise_sha256 = {
+	{
+		FORMAT_LABEL,
+		FORMAT_NAME,
+		ALGORITHM_NAME,
+		BENCHMARK_COMMENT,
+		BENCHMARK_LENGTH,
+		0,
+		PLAINTEXT_LENGTH,
+		BINARY_SIZE,
+		BINARY_ALIGN,
+		SALT_SIZE,
+		SALT_ALIGN,
+		MIN_KEYS_PER_CRYPT,
+		MAX_KEYS_PER_CRYPT,
+		FMT_CASE | FMT_8_BIT | FMT_OMP,
+		{ NULL },
+		{ NULL },
+		tests
+	}, {
+		init,
+		done,
+		fmt_default_reset,
+		fmt_default_prepare,
+		valid,
+		fmt_default_split,
+		get_binary,
+		get_salt,
+		{ NULL },
+		fmt_default_source,
+		{
+			fmt_default_binary_hash_0,
+			fmt_default_binary_hash_1,
+			fmt_default_binary_hash_2,
+			fmt_default_binary_hash_3,
+			fmt_default_binary_hash_4,
+			fmt_default_binary_hash_5,
+			fmt_default_binary_hash_6
+		},
+		fmt_default_salt_hash,
+		NULL,
+		set_salt,
+		set_key,
+		get_key,
+		fmt_default_clear_keys,
+		crypt_all,
+		{
+#define COMMON_GET_HASH_LINK
+#include "common-get-hash.h"
+		},
+		cmp_all,
+		cmp_one,
+		cmp_exact
+	}
+};
+
+#endif
