Convert a Grafana PBKDF2 password hash into hashcat format with grafana2hashcat, ready for offline auditing. For authorized password recovery only.
grafana2hashcat converts the password hashes Grafana stores into a form hashcat can crack. Grafana hashes passwords with PBKDF2-HMAC-SHA256 (10000 iterations) and keeps the salt and digest as hex in its database. This tool rewrites those values into hashcat's PBKDF2-HMAC-SHA256 layout so a security team can verify password strength offline. Use it only on Grafana instances you administer or are authorized to test.
Input:
Grafana user salt + password (hex)
Output:
sha256:10000:<b64-salt>:<b64-hash>
What iteration count does Grafana use?
Grafana's PBKDF2-HMAC-SHA256 uses 10000 iterations by default, which the converted hash records.
Which hashcat mode is this?
PBKDF2-HMAC-SHA256, mode 10900 - the same family as several other application hashes.
Where is the Grafana hash stored?
In the Grafana database user table (the password and salt fields). Access to that data is required, making this an authorized-audit tool.
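The conversion described above, as an added example (not the grafana2hashcat source): it builds the sha256:10000:<b64-salt>:<b64-hash> line from the stored salt and digest, then parses the line back and checks one known password so the conversion can be sanity-tested before an audit. The function names, the salt_is_hex switch, the sample password and salt, and the 32-byte digest length are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

ITERATIONS = 10000  # Grafana default as stated on this page


def to_hashcat(salt: str, digest_hex: str, salt_is_hex: bool = True) -> str:
    """Build the sha256:10000:<b64-salt>:<b64-hash> line (hashcat mode 10900)."""
    # Assumption: the salt field is hex, as the page describes. Pass
    # salt_is_hex=False if your export holds the salt as raw text instead.
    salt_bytes = bytes.fromhex(salt) if salt_is_hex else salt.encode()
    digest = bytes.fromhex(digest_hex.strip())
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"sha256:{ITERATIONS}:{b64(salt_bytes)}:{b64(digest)}"


def parse_hashcat(line: str):
    """Split a converted line into (iterations, salt, digest), rejecting bad input."""
    parts = line.strip().split(":")
    if len(parts) != 4 or parts[0] != "sha256":
        raise ValueError("expected sha256:<iter>:<b64-salt>:<b64-hash>")
    salt = base64.b64decode(parts[2], validate=True)
    digest = base64.b64decode(parts[3], validate=True)
    return int(parts[1]), salt, digest


def matches(line: str, candidate: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA256 for one candidate; compare in constant time."""
    iterations, salt, digest = parse_hashcat(line)
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), salt, iterations, dklen=len(digest))
    return hmac.compare_digest(derived, digest)


def constructed_record(password: str, salt: bytes, dklen: int = 32):
    """Constructed sample data: hex salt and hex digest for a known password."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, ITERATIONS, dklen=dklen)
    return salt.hex(), digest.hex()


if __name__ == "__main__":
    salt_hex, digest_hex = constructed_record("Winter2024!", b"constructed-salt")
    line = to_hashcat(salt_hex, digest_hex)
    print(line)
    print(matches(line, "Winter2024!"), matches(line, "not-the-password"))
```

If the known password does not match after conversion, the salt or digest was decoded with the wrong encoding and the line should not be used for an audit.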
This tool converts Grafana password hashes into a hashcat-compatible format, enabling efficient password recovery and analysis.