How To Crack Password Hashes with Python

Python spelled out in front of reporting charts

Because of programmers like myself, and other security enthusiasts, website admins are forced to store their users passwords in hashes. What this means is, when a user registers a new account, and types in their password, that password is stored somewhere. That being said, this password is usually stored in a hashed format as a last ditch effort to thwart would be hackers. So if a hacker does wind up getting a hold of the passwords database, another level of complexity will still have to be overcome in order to crack the passwords.

Theory

So, for example, say you signed up for a site using the username admin, and password “password”, this password would hashed using a algorithm such as SHA-256, and would turn into

5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

A password cracker attempts guess what a password hash is, and iterate through a list of passwords, hashing each one and seeing if they match.

Example:

Say we find the password hash:

9C7DBF730EBE5527EE3D1BA9E5F7D6898D879696E5036DF2A4F11FC831FD04E8

This is “dolphin4” hashed with SHA-256.

And we have our password list:

1 password 
2 hacker123 
3 tomatojuice 
4 dolphin123 
5 dolphin4 
...

Parsing the List

Next, we write the Python to parse this password list. You can download a password list here.

Open the file with Python:

f = open('passwords.txt')

Iterate through each line of the password file:

for line in f.readlines():

Split the word by the space character, so the password number is not included:

word = line.split(' ')[-1]
clean_word = word.strip('\n').strip('\r')

These lines of code will take each line in the password file, and make it a clean string ready to be hashed.

Hashing the Passwords

Finally, we utilize the hashlib Python library that comes standard with all Python installs.

import hashlib
m = hashlib.sha256(clean_word).hexdigest()

The code above takes each clean_word and hashes it with SHA-256

Then, it checks if any of the password hashes with SHA-256 match the target hash of “dolphin4”

if m.upper() == target_hash:
    print "Hash found: " + clean_word
    break
else:
    print "trying: " + str(m)

Putting it all together

import hashlib

target_hash = '`f8316c64124b33fa65cd20865a784604cad395a55657b33c411f5137ea77a535`'
f = open('passwords.txt')

for line in f.readlines():
    word = line.split(' ')[-1]
    clean_word = word.strip('\n').strip('\r')
    m = hashlib.sha256(clean_word).hexdigest()
    if m.upper() == target_hash:
        print "Hash found: " + clean_word
        break
    else:
        print "trying: " + str(m)

If any of the hashed passwords match the target hash, Python will notify you with the password.

You Might Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *