Is there any SHA1 cracker?

Asked by AmitSinha in SQL Server, Asked on Dec 8, 2021

I am trying to figure out whether there is any SHA1 cracker for hashed passwords. I have a training database giving hundreds of hashed passwords.

I have tried to use some online tools to crack them and I have realized that I can only crack relatively simple passwords with them.

From what I know, to crack a hash, you generally use rainbow tables. In that sense, for me, you can only crack simple passwords. But some people online seem to say that tools like John the Ripper or Hashcat can crack anything.

So I was wondering, is it always possible to obtain a SHA1 cracker password (even a really complex one)?

Answered by Amy Avery

No, there is no such thing as a SHA1 cracker hash. Currently, there are two main issues with using the hash function for security purposes (not specifically password hashing):


It is a very fast hash, meaning a brute force attack will run much more quickly than it would if you were to correctly use a slow KDF. The fact that SHA-1 is fast does not allow you to crack any password, but it does mean you can attempt more guesses per second.

It is vulnerable to collision attacks, as Google showed. A collision attack allows someone to create two inputs with the same hash. However, it does not allow them to reverse a hash or to modify an input without affecting the resulting hash. That would be a different kind of attack called a preimage attack, and SHA-1 is not vulnerable to that attack.

So no, you are not able to crack just any password that has been hashed with SHA-1 unless the password is short or weak. That does not mean you should use it for password hashing, however, since it is so fast and is efficiently implemented on a GPU.

Cracking SHA-1 Hashes

Attacking (often referred to as cracking) SHA-1 hashes is most often performed using the same technique as for any one-way hashing function: computing possible matches of the original string as fast as possible to find a matching hash.

See the following chart to get an idea of the weakness in standard hashing algorithms for password storage. These show brute force attempts against a single hash. cudaHashcat is running on an NVIDIA 560 GTX GPU that is a few years old now, so consider these on the low end of what is possible.

Note the difference between hashcat and cudaHashcat against the same SHA-1 hash. You are reading that correctly: MD5 hashes being brute forced at 1.8 billion per second.
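Added example, not part of the original answer: the answer's contrast between a fast hash and a slow KDF, shown as unsalted SHA-1 storage beside salted PBKDF2-HMAC-SHA256 storage, with a measurement of the per-guess cost and a keyspace estimate. The function names, the 600,000 iteration count and the sample passwords are assumptions made for this example; the 1.8e9 guesses per second is the figure the answer quotes for MD5.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def sha1_unsalted(password: str) -> str:
    """Fast, unsalted SHA-1 storage, the scheme the question describes."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow storage: PBKDF2-HMAC-SHA256 with a random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def seconds_per_guess(fn, rounds: int) -> float:
    """Average wall-clock cost of one call to fn, i.e. of one password guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds

def slowdown_factor() -> float:
    """How many times more expensive one guess is under the KDF than under SHA-1."""
    fast = seconds_per_guess(lambda: sha1_unsalted("constructed-sample"), 50_000)
    slow = seconds_per_guess(lambda: hash_password("constructed-sample"), 2)
    return slow / fast

def years_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of the given length at a fixed guess rate."""
    return alphabet ** length / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print(f"KDF guess costs {slowdown_factor():,.0f}x a SHA-1 guess")
    print(f"{years_to_exhaust(26, 8, 1.8e9):.6f} years for 8 lowercase letters")
    print(f"{years_to_exhaust(95, 12, 1.8e9):,.0f} years for 12 printable characters")
```

Because the SHA-1 form has no salt, identical passwords in a table share one hash, so a single guess is checked against every row at once; the salted form forces a separate computation per row.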


