Created March 29, 2023 12:34
Crack tomcat-users.xml salted sha256 hash using john


<Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha-256" />
</Realm>

tomcat-users.xml (test values from

<tomcat-users xmlns=""
    xmlns:xsi="" xsi:schemaLocation=" tomcat-users.xsd" version="1.0">
    <user username="manager" password="371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa"/>
</tomcat-users>

Above format is:


Where salt and hash are hex-encoded.

SHA256(salt + pass) corresponds to John's dynamic_61 format. According to the documentation the salt is treated as text, so our hex-encoded salt has to be prefixed with HEX$ for John to use the decoded bytes.
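As an added example (not part of the gist), the following Python re-implements the check behind this hash format: it parses the `salt$iterations$digest` entry, recomputes SHA-256 over the hex-decoded salt followed by the UTF-8 password, and compares. It assumes Tomcat's MessageDigestCredentialHandler semantics (salt hex-decoded before hashing, each extra round re-hashing the previous digest); the `make_credential` helper and the algorithm-name mapping are mine, and it is handy for auditing whether stored entries use a single round, as the sample here does.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Credential string copied from the gist's tomcat-users.xml test entry.
GIST_CREDENTIAL = ("371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4"
                   "$1$"
                   "e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa")


@dataclass
class TomcatCredential:
    salt: bytes        # hex-decoded, which is what the HEX$ prefix tells John to do
    iterations: int    # number of digest rounds
    digest: bytes      # hex-decoded stored digest


def parse_credential(stored: str) -> TomcatCredential:
    """Split the salt$iterations$digest form into its hex-decoded parts."""
    salt_hex, iterations, digest_hex = stored.split("$")
    return TomcatCredential(bytes.fromhex(salt_hex), int(iterations), bytes.fromhex(digest_hex))


def tomcat_digest(password: str, salt: bytes, iterations: int, algorithm: str = "sha-256") -> bytes:
    """Round 1 is H(salt || password); every further round re-hashes the previous output.
    'sha-256' is the value the gist's Realm passes as digest=; assumed to follow Tomcat's handler."""
    name = algorithm.replace("-", "").lower()   # Java 'SHA-256' -> hashlib 'sha256'
    out = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(1, iterations):
        out = hashlib.new(name, out).digest()
    return out


def matches(stored: str, password: str) -> bool:
    """Verify a candidate password against a stored entry (constant-time compare is my choice)."""
    cred = parse_credential(stored)
    return hmac.compare_digest(tomcat_digest(password, cred.salt, cred.iterations), cred.digest)


def make_credential(password: str, iterations: int, salt_len: int = 32) -> str:
    """Build a fresh entry in the same salt$iterations$digest form with a random salt."""
    salt = os.urandom(salt_len)
    return f"{salt.hex()}${iterations}${tomcat_digest(password, salt, iterations).hex()}"


if __name__ == "__main__":
    cred = parse_credential(GIST_CREDENTIAL)
    print(f"salt={len(cred.salt)} bytes, iterations={cred.iterations}, digest={len(cred.digest)} bytes")
    print("gist entry matches the cracked password:", matches(GIST_CREDENTIAL, "mysecret_password"))
```

Note that an entry with `iterations` of 1 costs the verifier exactly one SHA-256 per guess, which is why the wordlist run below finishes instantly.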

john tomcat_test_hash.txt --format=dynamic_61 --wordlist=wordlist 
Using default input encoding: UTF-8
Loaded 1 password hash (dynamic_61 [sha256($s.$p) 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 48 needed for performance.
mysecret_password (manager)     

Happy cracking!
