server.xml:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha-256" />
</Realm>
tomcat-users.xml (test values from https://www.techpaste.com/2013/05/enable-password-encryption-policy-tomcat-7/):
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <user username="manager" password="371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa"/>
</tomcat-users>
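The format of the password attribute above is:
salt$iteration_count$hash
where salt and hash are hex-encoded.
With the iteration count of 1 used here, SHA256(salt + pass) corresponds to John's dynamic_61 mode. Looking at the doc, it appears that the salt is treated as text, so our hex-encoded salt has to be prefixed with HEX$. The resulting line, saved as tomcat_test_hash.txt: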
manager:$dynamic_61$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa$HEX$371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4
john tomcat_test_hash.txt --format=dynamic_61 --wordlist=wordlist
Using default input encoding: UTF-8
Loaded 1 password hash (dynamic_61 [sha256($s.$p) 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 48 needed for performance.
mysecret_password (manager)
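The salt$iteration_count$hash layout described above can be checked directly when auditing a tomcat-users.xml. The Python below is an added example, not part of the original post or of Tomcat's code: the function names are hypothetical, and the UTF-8 password encoding and the handling of iteration counts above 1 (re-hashing the previous digest) are assumptions.

```python
import hashlib
import hmac

# Value copied from the tomcat-users.xml entry above: salt$iteration_count$hash
PAGE_ENTRY = ("371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4"
              "$1$"
              "e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa")


def parse_entry(stored):
    """Split salt$iteration_count$hash into (salt bytes, count, hash bytes)."""
    parts = stored.split("$")
    if len(parts) != 3:
        raise ValueError("expected salt$iteration_count$hash")
    iterations = int(parts[1])
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    return bytes.fromhex(parts[0]), iterations, bytes.fromhex(parts[2])


def salted_digest(password, salt, iterations):
    """SHA256(salt + pass); assumed: each extra round re-hashes the digest."""
    result = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        result = hashlib.sha256(result).digest()
    return result


def verify(stored, password):
    """Recompute the digest for a candidate and compare in constant time."""
    salt, iterations, expected = parse_entry(stored)
    return hmac.compare_digest(salted_digest(password, salt, iterations), expected)


def to_dynamic_61(username, stored):
    """Build the John input line; dynamic_61 is a single SHA256(salt + pass)."""
    salt, iterations, digest = parse_entry(stored)
    if iterations != 1:
        raise ValueError("dynamic_61 only matches an iteration count of 1")
    return f"{username}:$dynamic_61${digest.hex()}$HEX${salt.hex()}"


if __name__ == "__main__":
    salt, iterations, digest = parse_entry(PAGE_ENTRY)
    print(f"salt={len(salt)} bytes, iterations={iterations}, hash={len(digest)} bytes")
    print(to_dynamic_61("manager", PAGE_ENTRY))
    print("password from the John output verifies:",
          verify(PAGE_ENTRY, "mysecret_password"))
```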
Happy cracking!