(This is related to the Security Via Obesity talk I’ll be giving at XDC 2014.)
Let’s say I have about 100 hashes that I want to brute-force to the passwords that generated them. I know that PBKDF2 was used to produce a 64-bit hash with SHA512. On the other side, I have 10 salts that were used, so I know that 10 of the 100 hashes are valid and the other 90 are junk. I just don’t know which is which. I also don’t know the iterations used.
I want a tool that will help me figure it out, but the ones I've found don't seem to handle this situation. hashcat will deal with the separate salts and hashes, but doesn't work on PBKDF2. John the Ripper is supposed to work on PBKDF2, but seems to expect one salt per hash.
Is there a tool out there that will deal with the example I outlined?
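The matching described in the question (a pool of digests, a smaller set of salts, unknown iteration count) can be done without per-hash guessing, as an added example that is not part of the original post and not code from hashcat or John the Ripper. It assumes the digests are the full 64-byte PBKDF2-HMAC-SHA512 output (one derived block), that the iteration count is at most some `max_iter` you choose, and that candidate passwords come from a small constructed wordlist; the salts, digests and passwords below are constructed for the demo. The point it shows: because one PBKDF2 block is `U_1 xor U_2 xor ... xor U_c`, a single pass to `max_iter` produces the digest for every iteration count on the way, and each running value can be checked against the whole digest pool with a set lookup, so the cost is `salts x candidates x max_iter` HMACs regardless of how many junk hashes are in the pool.

```python
"""Match a pool of PBKDF2-HMAC-SHA512 digests against a set of salts when
the iteration count is unknown.  Added example, not an existing tool.

For dkLen == hLen (one 64-byte block) PBKDF2 gives
    T = U_1 xor U_2 xor ... xor U_c,
    U_1 = HMAC(P, S || INT(1)),  U_i = HMAC(P, U_{i-1}).
Running that chain once up to max_iter yields T for every c in 1..max_iter,
so unknown iterations are swept for the price of max_iter HMACs per
(password, salt) pair, and the digest pool is consulted via set membership.
"""
import hashlib
import hmac

BLOCK_ONE = b"\x00\x00\x00\x01"  # INT(1): index of the first derived block


def sweep_iterations(password, salt, max_iter, targets):
    """Yield (iterations, digest) for every c in 1..max_iter whose
    PBKDF2-HMAC-SHA512(password, salt, c, 64) is in `targets`
    (`targets` holds digests as big-endian ints for cheap lookup)."""
    prf = hmac.new(password, digestmod=hashlib.sha512)  # HMAC keyed by password
    first = prf.copy()
    first.update(salt + BLOCK_ONE)
    u = first.digest()                       # U_1
    running = int.from_bytes(u, "big")       # T after one iteration
    for c in range(1, max_iter + 1):
        if c > 1:
            nxt = prf.copy()
            nxt.update(u)
            u = nxt.digest()                 # U_c = HMAC(P, U_{c-1})
            running ^= int.from_bytes(u, "big")
        if running in targets:
            yield c, running.to_bytes(64, "big")


def match_hashes(hashes, salts, wordlist, max_iter):
    """Return {digest: (salt, password, iterations)} for every digest in
    `hashes` reachable from some salt, wordlist entry and c <= max_iter.
    Digests that match no salt (the junk in the pool) simply never appear."""
    targets = {int.from_bytes(h, "big") for h in hashes}
    found = {}
    for salt in salts:
        for pw in wordlist:
            for c, dk in sweep_iterations(pw, salt, max_iter, targets):
                found[dk] = (salt, pw, c)
    return found


def demo():
    """Constructed data: 3 salts, 3 real digests made with different
    (pretend-unknown) iteration counts, plus 2 junk digests that belong to
    no salt.  Returns (what match_hashes found, the ground truth)."""
    salts = [bytes([i]) * 16 for i in (1, 2, 3)]
    truth = [
        (salts[0], b"hunter2", 1000),
        (salts[1], b"letmein", 777),
        (salts[2], b"correcthorse", 2500),
    ]
    real = [hashlib.pbkdf2_hmac("sha512", pw, s, c, 64) for s, pw, c in truth]
    junk = [hashlib.sha512(b"junk%d" % i).digest() for i in range(2)]
    pool = real + junk
    wordlist = [b"password", b"hunter2", b"letmein", b"correcthorse", b"qwerty"]
    found = match_hashes(pool, salts, wordlist, max_iter=4096)
    return found, dict(zip(real, truth))


if __name__ == "__main__":
    found, truth = demo()
    for dk, (salt, pw, c) in found.items():
        print(f"{dk[:8].hex()}... salt={salt[:2].hex()}.. pw={pw!r} iterations={c}")
    print("all real digests recovered:", found == truth)
```

The demo verifies itself against `hashlib.pbkdf2_hmac`, so the incremental XOR chain can be checked against the library for any iteration count before trusting it on real data. If the recovered digests are shorter than 64 bytes (a truncated or 8-byte "64-bit" value), the same chain still works but the comparison has to be done on the truncated prefix of `running`, and false matches become far more likely at 8 bytes.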