rhetenor/awesome-awesomeness
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
402629a3301c0f8e8bcd0e9ffc03d8139253e404
awesome-awesomeness/html/passwordcracking.html
Jonas Zeunert 2d63fe63cd Restructure with Makefile + add html output
2024-04-20 19:22:54 +02:00

645 lines
31 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<h1 id="awesome-password-cracking-awesome">Awesome Password Cracking <a
href="https://awesome.re"><img src="https://awesome.re/badge.svg"
alt="Awesome" /></a></h1>
<p>In cryptanalysis and computer security, password cracking is the
process of recovering passwords from data that has been stored in or
transmitted by a computer system in scrambled form. A common approach
(<a href="https://en.wikipedia.org/wiki/Brute-force_attack">brute-force
attack</a>) is to repeatedly try guesses for the password and to check
them against an available cryptographic hash of the password.</p>
<p>This is a curated list of awesome tools, research, papers and other
projects related to password cracking and password security by <a
href="https://infosec.exchange/@n0kovo/?l"><span class="citation"
data-cites="n0kovo">@n0kovo</span><span class="citation"
data-cites="infosec.exchange">@infosec.exchange</span></a>.</p>
<p>Read <a
href="https://github.com/narkopolo/awesome-password-cracking/blob/main/CONTRIBUTING.md">CONTRIBUTING.md</a>
before contributing! In short:</p>
<ul>
<li>List is alphabetically sorted</li>
<li>If in doubt, use <a
href="https://github.com/sindresorhus/awesome-lint">awesome-lint</a></li>
<li>If you think an item shouldnt be here <a
href="https://github.com/narkopolo/awesome-password-cracking/issues/new">open
an issue</a></li>
</ul>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#books">Books</a></li>
<li><a href="#cloud">Cloud</a></li>
<li><a href="#conversion">Conversion</a></li>
<li><a href="#hashcat">Hashcat</a>
<ul>
<li><a href="#automation">Automation</a></li>
<li><a href="#distributed-cracking">Distributed cracking</a></li>
<li><a href="#rules">Rules</a></li>
<li><a href="#rule-tools">Rule tools</a></li>
<li><a href="#web-interfaces">Web interfaces</a></li>
</ul></li>
<li><a href="#john-the-ripper">John the Ripper</a></li>
<li><a href="#misc">Misc</a>
<ul>
<li><a href="#notable-people">Notable People</a></li>
</ul></li>
<li><a href="#websites">Websites</a>
<ul>
<li><a href="#communities">Communities</a></li>
<li><a href="#lookup-services">Lookup services</a></li>
</ul></li>
<li><a href="#wordlist-tools">Wordlist tools</a>
<ul>
<li><a href="#analysis">Analysis</a></li>
<li><a href="#generationmanipulation">Generation/Manipulation</a></li>
</ul></li>
<li><a href="#wordlists">Wordlists</a>
<ul>
<li><a href="#laguage-specific">Laguage specific</a></li>
<li><a href="#other">Other</a></li>
</ul></li>
<li><a href="#specific-file-formats">Specific file formats</a>
<ul>
<li><a href="#pdf">PDF</a></li>
<li><a href="#pem">PEM</a></li>
<li><a href="#jks">JKS</a></li>
<li><a href="#zip">ZIP</a></li>
</ul></li>
<li><a href="#artificial-intelligence">Artificial Intelligence</a></li>
<li><a href="#research">Research</a>
<ul>
<li><a href="#articles-and-blog-posts">Articles and Blog Posts</a></li>
<li><a href="#papers">Papers</a></li>
<li><a href="#talks">Talks</a></li>
</ul></li>
</ul>
<h2 id="books">Books</h2>
<ul>
<li><a
href="https://www.amazon.com/-/en/Joshua-Picolet/dp/1793458618">Hash
Crack: Password Cracking Manual (v3)</a> - Password Cracking Manual v3
is an expanded reference guide for password recovery (cracking) methods,
tools, and analysis techniques.</li>
</ul>
<h2 id="cloud">Cloud</h2>
<ul>
<li><a href="https://github.com/lordsaibat/Cloud_crack">Cloud_crack</a>
- Crack passwords using Terraform and AWS.</li>
<li><a href="https://github.com/stormfleet/cloudcat">Cloudcat</a> - A
script to automate the creation of cloud infrastructure for hash
cracking.</li>
<li><a href="https://github.com/Fmstrat/cloudstomp">Cloudstomp</a> -
Automated deployment of instances on EC2 via plugin for high CPU/GPU
applications at the lowest price.</li>
<li><a href="https://github.com/JoelGMSec/Cloudtopolis">Cloudtopolis</a>
- A tool that facilitates the installation and provisioning of
Hashtopolis on the Google Cloud Shell platform, quickly and completely
unattended (and also, free!).</li>
<li><a href="https://github.com/c6fc/npk">NPK</a> - NPK is a distributed
hash-cracking platform built entirely of serverless components in AWS
including Cognito, DynamoDB, and S3.</li>
<li><a href="https://github.com/mxrch/penglab">Penglab</a> - Abuse of
Google Colab for cracking hashes.</li>
<li><a href="https://github.com/JumpsecLabs/Rook">Rook</a> - Automates
the creation of AWS p3 instances for use in GPU-based password
cracking.</li>
</ul>
<h2 id="conversion">Conversion</h2>
<ul>
<li><a href="https://github.com/philsmd/7z2hashcat">7z2hashcat</a> -
Extract information from password-protected .7z archives (and .sfx
files) such that you can crack these “hashes” with hashcat.</li>
<li><a href="https://github.com/jmagers/MacinHash">MacinHash</a> -
Convert macOS plist password file to hash file for password
crackers.</li>
<li><a
href="https://github.com/ins1gn1a/NetNTLM-Hashcat">NetNTLM-Hashcat</a> -
Converts John The Ripper/Cain format hashes (singular, or in bulk) to
HashCat compatible hash format.</li>
<li><a
href="https://github.com/PwnDexter/Rubeus-to-Hashcat">Rubeus-to-Hashcat</a>
- Converts / formats Rubeus kerberoasting output into hashcat readable
format.</li>
<li><a
href="https://github.com/Banaanhangwagen/WINHELLO2hashcat">WINHELLO2hashcat</a>
- With this tool one can extract the “hash” from a WINDOWS HELLO PIN.
This hash can be cracked with Hashcat.</li>
<li><a
href="https://github.com/0x6470/bitwarden2hashcat">bitwarden2hashcat</a>
- A tool that converts Bitwardens data into a hashcat-suitable
hash.</li>
<li><a href="https://github.com/philsmd/hc_to_7z">hc_to_7z</a> - Convert
7-Zip hashcat hashes back to 7z archives.</li>
<li><a href="https://github.com/ZerBea/hcxtools">hcxtools</a> - Portable
solution for conversion of cap/pcap/pcapng (gz compressed) WiFi dump
files to hashcat formats.</li>
<li><a
href="https://github.com/philsmd/itunes_backup2hashcat">itunes_backup2hashcat</a>
- Extract the information needed from the Manifest.plist files to
convert it to hashes compatible with hashcat.</li>
<li><a
href="https://github.com/philsmd/mongodb2hashcat">mongodb2hashcat</a> -
Extract hashes from the MongoDB database server to a hash format that
hashcat accepts: -m 24100 (SCRAM-SHA-1) or -m 24200
(SCRAM-SHA-256).</li>
</ul>
<h2 id="hashcat">Hashcat</h2>
<p><em><a href="https://github.com/hashcat/hashcat">Hashcat</a> is the
“Worlds fastest and most advanced password recovery utility.” The
following are projects directly related to Hashcat in one way or
another.</em></p>
<ul>
<li><a href="https://github.com/pry0cc/autocrack">Autocrack</a> - A set
of client and server tools for automatically, and lightly automatically
cracking hashes.</li>
<li><a
href="https://github.com/dizcza/docker-hashcat">docker-hashcat</a> -
Latest hashcat docker for Ubuntu 18.04 CUDA, OpenCL, and POCL.</li>
<li><a
href="https://github.com/s77rt/hashcat.launcher">hashcat.launcher</a> -
Hashcat.launcher is a cross-platform GUI app that run and control
hashcat.</li>
<li><a
href="https://github.com/xfox64x/Hashcat-Stuffs">Hashcat-Stuffs</a> -
Collection of hashcat lists and things.</li>
<li><a
href="https://github.com/hashcat/hashcat-utils/">hashcat-utils</a> -
Small utilities that are useful in advanced password cracking.</li>
<li><a href="https://github.com/bharshbarger/Hashfilter">Hashfilter</a>
- Read a hashcat potfile and parse different types into a sqlite
database.</li>
<li><a
href="https://github.com/chris408/known_hosts-hashcat">known_hosts-hashcat</a>
- A guide and tool for cracking ssh known_hosts files with hashcat.</li>
<li><a href="https://github.com/f0cker/pyhashcat">pyhashcat</a> - Python
C API binding to libhashcat.</li>
</ul>
<h3 id="automation">Automation</h3>
<ul>
<li><a href="https://github.com/timbo05sec/autocrack">autocrack</a> -
Hashcat wrapper to help automate the cracking process.</li>
<li><a href="https://github.com/sp00ks-git/hat">hat</a> - An Automated
Hashcat Tool for common wordlists and rules to speed up the process of
cracking hashes during engagements.</li>
<li><a href="https://github.com/trustedsec/hate_crack">hate_crack</a> -
A tool for automating cracking methodologies through Hashcat from the
TrustedSec team.</li>
<li><a href="https://github.com/brannondorsey/naive-hashcat">Naive
hashcat</a> - Naive hashcat is a plug-and-play script that is
pre-configured with naive, emperically-tested, “good enough”
parameters/attack types.</li>
</ul>
<h3 id="distributed-cracking">Distributed cracking</h3>
<ul>
<li><a href="https://github.com/jmmcatee/cracklord">CrackLord</a> -
Queue and resource system for cracking passwords.</li>
<li><a href="https://github.com/nesfit/fitcrack">fitcrack</a> - A
hashcat-based distributed password cracking system.</li>
<li><a href="https://github.com/hashstation/hashstation">Hashstation</a>
- Hashstation is a BOINC-based distributed password cracking system with
a built-in web interface.</li>
<li><a href="https://github.com/hashtopolis/server">Hashtopolis</a> - A
multi-platform client-server tool for distributing hashcat tasks to
multiple computers.</li>
<li><a href="https://github.com/jakewnuk/HashtopoCLI">HashtopoloCLI</a>
- CLI tool for Hashtopolis API incorporating some of the API
functionality into a dynamic Python wrapper.</li>
<li><a href="https://github.com/arcaneiceman/kraken">Kraken</a> - A
multi-platform distributed brute-force password cracking system.</li>
</ul>
<h3 id="rules">Rules</h3>
<ul>
<li><a href="https://github.com/clem9669/hashcat-rule">clem9669
rules</a> - Rule for hashcat or john.</li>
<li><a
href="https://github.com/narkopolo/hashcat-rules-collection">hashcat
rules collection</a> - Probably the largest collection of hashcat rules
out there.</li>
<li><a href="https://github.com/praetorian-inc/Hob0Rules">Hob0Rules</a>
- Password cracking rules for Hashcat based on statistics and industry
patterns.</li>
<li><a
href="https://github.com/kaonashi-passwords/Kaonashi">Kaonashi</a> -
Wordlist, rules and masks from Kaonashi project (RootedCON 2019).</li>
<li><a href="https://github.com/NSAKEY/nsa-rules">nsa-rules</a> -
Password cracking rules and masks for hashcat generated from cracked
passwords.</li>
<li><a href="https://github.com/nyxgeek/nyxgeek-rules">nyxgeek-rules</a>
- Custom password cracking rules for Hashcat and John the Ripper.</li>
<li><a
href="https://github.com/NotSoSecure/password_cracking_rules">OneRuleToRuleThemAll</a>
- “One rule to crack all passwords. or atleast we hope so.”</li>
<li><a
href="https://github.com/stealthsploit/OneRuleToRuleThemStill">OneRuleToRuleThemStill</a>
- “A revamped and updated version of my original OneRuleToRuleThemAll
hashcat rule.”</li>
<li><a href="https://github.com/rarecoil/pantagrule">pantagrule</a> -
Large hashcat rulesets generated from real-world compromised
passwords.</li>
<li><a href="https://github.com/jakewnuk/HIBP-578M">squid rules</a> -
Hashcat rules ordered by effectiveness from testing HIBPv7.</li>
</ul>
<h3 id="rule-tools">Rule tools</h3>
<ul>
<li><a href="https://github.com/mhasbini/duprule">duprule</a> - Detect
&amp; filter duplicate hashcat rules.</li>
<li><a
href="https://github.com/TheWorkingDeveloper/ruleprocessorY">ruleprocessorY</a>
- A next-gen Rule processor with complex multibyte character support
built to support Hashcat.</li>
</ul>
<h3 id="web-interfaces">Web interfaces</h3>
<ul>
<li><a href="https://github.com/ctxis/crackerjack">crackerjack</a> -
CrackerJack is a Web GUI for Hashcat developed in Python.</li>
<li><a href="https://github.com/f0cker/crackq">CrackQ</a> - A Python
Hashcat cracking queue system.</li>
<li><a href="https://github.com/dj-zombie/hashpass">hashpass</a> - Hash
cracking WebApp &amp; Server for hashcat.</li>
<li><a href="https://github.com/hashview/hashview">Hashview</a> - A web
front-end for password cracking and analytics.</li>
<li><a href="https://github.com/wavestone-cdt/wavecrack">Wavecrack</a> -
Wavestones web interface for password cracking with hashcat.</li>
<li><a href="https://github.com/hegusung/WebHashcat">WebHashCat</a> -
WebHashcat is a very simple but efficient web interface for hashcat
password cracking tool.</li>
</ul>
<h2 id="john-the-ripper">John the Ripper</h2>
<p><em><a href="https://github.com/openwall/john">John the Ripper</a> is
“an Open Source password security auditing and password recovery tool
available for many operating systems.” The following are projects
directly related to John the Ripper in one way or another.</em></p>
<ul>
<li><a href="https://github.com/e-ago/bitcracker">BitCracker</a> -
BitCracker is the first open source password cracking tool for memory
units encrypted with BitLocker.</li>
<li><a href="https://github.com/openwall/johnny">johnny</a> - GUI
frontend to John the Ripper.</li>
</ul>
<h2 id="misc">Misc</h2>
<ul>
<li><a
href="https://github.com/jakewnuk/920mPasswordMasks">920mPasswordMasks</a>
- Hashcat password masks from 920 million breach passwords filtered into
groups.</li>
<li><a href="https://github.com/cyclone-github/hashgen">hashgen</a> -
Hashgen is a simple yet very fast CLI hash generator written in Go and
cross compiled for Linux, Windows &amp; Mac.</li>
<li><a href="https://github.com/psypanda/hashID">hashID</a> - Software
to identify the different types of hashes.</li>
<li><a href="https://github.com/HashPals/Name-That-Hash">Name That
Hash</a> - Dont know what type of hash it is? Name That Hash will name
that hash type! Identify MD5, SHA256 and 300+ other hashes. Comes with a
neat web app.</li>
</ul>
<h3 id="notable-people">Notable People</h3>
<ul>
<li>Alotdv - <a href="https://twitter.com/AlongExc">Twitter</a>.</li>
<li>Clem9669 - <a href="https://github.com/clem9669">GitHub</a>.</li>
<li>Coolbry95 - <a href="https://github.com/coolbry95">GitHub</a> / <a
href="https://twitter.com/coolbry95">Twitter</a>.</li>
<li>Dakykilla - <a href="https://github.com/dakykilla">GitHub</a> / <a
href="https://twitter.com/dakykilla">Twitter</a>.</li>
<li>Dropdeadfu - <a href="https://github.com/dropdeadfu">GitHub</a> / <a
href="https://twitter.com/dropdeadfu">Twitter</a>.</li>
<li>Epixoip - <a href="https://github.com/epixoip">GitHub</a> / <a
href="https://infosec.exchange/@epixoip">Mastodon</a> / <a
href="https://twitter.com/jmgosney">Twitter</a>.</li>
<li>Evilmog - <a href="https://github.com/evilmog/">GitHub</a> / <a
href="https://infosec.exchange/@evilmog">Mastodon</a> / <a
href="https://twitter.com/Evil_Mog">Twitter</a>.</li>
<li>Hydraze - <a href="https://github.com/Hydraze">GitHub</a> / <a
href="https://infosec.exchange/@hydraze">Mastodon</a> / <a
href="https://twitter.com/Hydraze">Twitter</a>.</li>
<li>JakeWnuk - <a href="https://github.com/jakewnuk">GitHub</a> / <a
href="https://infosec.exchange/@JakeWnuk">Mastodon</a>.</li>
<li>Kontrast23 - <a href="https://github.com/kontrast23">GitHub</a> / <a
href="https://twitter.com/marco_preuss">Twitter</a>.</li>
<li>M3g9tr0n - <a href="https://github.com/m3g9tr0n">GitHub</a> / <a
href="https://twitter.com/m3g9tr0n">Twitter</a>.</li>
<li>Matrix - <a href="https://github.com/matrix">GitHub</a> / <a
href="https://twitter.com/gm4tr1x">Twitter</a>.</li>
<li>Minga - <a href="https://twitter.com/mingadotcom">Twitter</a>.</li>
<li>N0kovo - <a href="https://github.com/n0kovo">GitHub</a> / <a
href="https://infosec.exchange/@n0kovo">Mastodon</a> / <a
href="https://twitter.com/n0kovos">Twitter</a>.</li>
<li>NSAKEY - <a href="https://github.com/NSAKEY">GitHub</a> / <a
href="https://twitter.com/_NSAKEY">Twitter</a> / <a
href="https://abigisp.com/">Website</a>.</li>
<li>NullMode - <a href="https://github.com/NullMode">GitHub</a> / <a
href="https://infosec.exchange/@nullmode_@twtr.plus">Mastodon</a> / <a
href="https://twitter.com/nullmode_">Twitter</a>.</li>
<li>Paule965 - <a href="https://twitter.com/paule965">Twitter</a>.</li>
<li>Philsmd - <a href="https://github.com/philsmd">GitHub</a> / <a
href="https://twitter.com/philsmd">Twitter</a>.</li>
<li>Roycewilliams - <a
href="https://github.com/roycewilliams">GitHub</a> / <a
href="https://infosec.exchange/@tychotithonus">Mastodon</a> / <a
href="https://twitter.com/TychoTithonus">Twitter</a>.</li>
<li>RuraPenthe - <a href="https://github.com/bitcrackcyber">GitHub</a> /
<a href="https://infosec.exchange/@rurapenthe">Mastodon</a> / <a
href="https://twitter.com/RuraPenthe0">Twitter</a>.</li>
<li>S3in!c - <a href="https://github.com/s3inlc">GitHub</a> / <a
href="https://infosec.exchange/@s3inlc">Mastodon</a> / <a
href="https://twitter.com/s3inlc">Twitter</a>.</li>
<li>Tehnlulz - <a href="https://github.com/tehnlulz">GitHub</a> / <a
href="https://twitter.com/tehnlulz">Twitter</a>.</li>
<li>The_Mechanic - <a href="https://github.com/th3mechanic">GitHub</a> /
<a href="https://twitter.com/th3_m3chan1c">Twitter</a>.</li>
<li>ToXiC - <a href="https://twitter.com/yiannistox">Twitter</a>.</li>
<li>Undeath - <a href="https://github.com/undeath">GitHub</a>.</li>
<li>Unix-ninja - <a href="https://github.com/unix-ninja">GitHub</a> / <a
href="https://infosec.exchange/@unix_ninja@twitterbridge.jannis.rocks">Mastodon</a>
/ <a href="https://twitter.com/unix_ninja">Twitter</a>.</li>
<li>Xan - <a href="https://github.com/Xanadrel">GitHub</a> / <a
href="https://infosec.exchange/@Xanadrel">Mastodon</a> / <a
href="https://twitter.com/Xanadrel">Twitter</a>.</li>
</ul>
<h2 id="websites">Websites</h2>
<h3 id="communities">Communities</h3>
<ul>
<li><a href="https://hashcat.net/forum/">hashcat Forum</a> - Forum by
the developers of hashcat.</li>
<li><a href="https://hashmob.net/">Hashmob</a> - A growing password
recovery community aimed towards being a center point of collaboration
for cryptography enthusiasts. Huge wordlist collection and a lookup
service too.</li>
<li><a href="https://forum.hashkiller.io/">Hashkiller Forum</a> - A
password cracking forum with over 20,000 registered users.</li>
</ul>
<h3 id="lookup-services">Lookup services</h3>
<ul>
<li><a href="https://www.cmd5.org/">CMD5</a> - Provides online MD5 /
sha1/ mysql / sha256 encryption and decryption services.</li>
<li><a href="https://crackstation.net/">CrackStation</a> - Free hash
lookup service supplying wordlists as well.</li>
<li><a href="https://github.com/n0kovo/gohashmob">gohashmob</a> - Go CLI
app to quickly lookup hashes using the HashMob API.</li>
<li><a href="https://hashes.com/">Hashes.com</a> - A hash lookup service
with paid features.</li>
<li><a href="https://hashkiller.io/">Hashkiller</a> - A hash lookup
service with a forum.</li>
<li><a href="https://www.onlinehashcrack.com/">Online Hash Crack</a> -
Cloud password recovery service.</li>
</ul>
<h2 id="wordlist-tools">Wordlist tools</h2>
<p><em>Tools for analyzing, generating and manipulating
wordlists.</em></p>
<h3 id="analysis">Analysis</h3>
<ul>
<li><a href="https://github.com/iphelix/pack">PACK</a> - A collection of
utilities developed to aid in analysis of password lists in order to
enhance password cracking through pattern detection of masks, rules,
character-sets and other password characteristics.</li>
<li><a
href="https://github.com/TheTechromancer/password-smelter">password-smelter</a>
- Ingests passwords from hashcat, etc. and outputs to HTML, Markdown,
XLSX, PNG, JSON. Dark and light themes supported. Compliments
password-stretcher.</li>
<li><a
href="https://github.com/thetechromancer/password-stretcher">password-stretcher</a>
- Generate “disgusting quantities” of passwords from websites, files, or
stdin. Compliments password-smelter.</li>
<li><a href="https://github.com/lakiw/pcfg_cracker">pcfg_cracker</a> -
This project uses machine learning to identify password creation habits
of users.</li>
<li><a href="https://github.com/digininja/pipal">Pipal</a> - THE
password analyser.</li>
<li><a href="https://github.com/jakewnuk/pwdstat">PwdStat</a> - Tool for
identifying systemic password usage, creating password masks, and
analyzing cracked password samples with human readable statistics to
help defenders.</li>
<li><a
href="https://github.com/Orange-Cyberdefense/graphcat">Graphcat</a> -
Generate graphs and charts based on password cracking result.</li>
</ul>
<h3 id="generationmanipulation">Generation/Manipulation</h3>
<ul>
<li><a
href="https://github.com/cyclone-github/accent_permutator">accent_permutator</a>
- A tool to transform characters from ASCII / UTF-8 to accented
characters such as “o” to “ò”.</li>
<li><a href="https://github.com/tomnomnom/anew">anew</a> - Append lines
from stdin to a file, but only if they dont already appear in the file.
Outputs new lines to stdout too, making it a bit like a tee -a that
removes duplicates.</li>
<li><a href="https://github.com/r3nt0n/bopscrk">bopscrk</a> - Generate
smart and powerful wordlists for targeted attacks. Includes song lyrics
fetching and different transforms.</li>
<li><a
href="https://github.com/sensepost/common-substr">common-substr</a> -
Simple tool to extract the most common substrings from an input text.
Built for password cracking.</li>
<li><a
href="https://sourceforge.net/projects/crunch-wordlist/">Crunch</a> -
Crunch is a wordlist generator where you can specify a standard
character set or a character set you specify. Crunch can generate all
possible combinations and permutations.</li>
<li><a href="https://github.com/Mebus/cupp">CUPP</a> - A tool that lets
you generate wordlists by user profiling data such as birthday,
nickname, address, name of a pet or relative etc.</li>
<li><a href="https://github.com/nil0x42/duplicut">duplicut</a> - Remove
duplicates from MASSIVE wordlist, without sorting it (for
dictionary-based password cracking).</li>
<li><a href="https://github.com/d4rckh/gorilla">Gorilla</a> - Tool for
generating wordlists or extending an existing one using mutations.</li>
<li><a href="https://github.com/TheWorkingDeveloper/gramify">Gramify</a>
- Create n-grams of wordlists based on words, characters, or charsets to
use in offline password attacks and data analysis.</li>
<li><a href="https://github.com/D4Vinci/elpscrk">Elpscrk</a> - Elpscrk
is like cupp, but its based on permutations and statistics while being
memory efficient.</li>
<li><a
href="https://github.com/Rich5/Keyboard-Walk-Generators">Keyboard-Walk-Generators</a>
- Generate Keyboard Walk Dictionaries for cracking.</li>
<li><a href="https://github.com/hashcat/kwprocessor">kwprocessor</a> -
Advanced keyboard-walk generator with configureable basechars, keymap
and routes.</li>
<li><a href="https://github.com/jakewnuk/maskcat">maskcat</a> - Utility
tool for Hashcat Masks and Password Cracking.</li>
<li><a
href="https://github.com/hashcat/maskprocessor/">maskprocessor</a> -
High-performance word generator with a per-position configureable
charset.</li>
<li><a href="https://github.com/flbdx/maskuni">maskuni</a> - A
standalone fast word generator in the spirit of hashcats mask generator
with unicode support.</li>
<li><a href="https://github.com/sc0tfree/mentalist">Mentalist</a> -
Mentalist is a graphical tool for custom wordlist generation. It
utilizes common human paradigms for constructing passwords and can
output the full wordlist as well as rules compatible with Hashcat and
John the Ripper.</li>
<li><a href="https://github.com/JakeWnuk/mode">Mode</a> - A program for
quickly aggregating and frequency sorting text from multiple sources and
supports concurency.</li>
<li><a href="https://github.com/Sparell/Phraser">Phraser</a> - Phraser
is a phrase generator using n-grams and Markov chains to generate
phrases for passphrase cracking.</li>
<li><a
href="https://github.com/hashcat/princeprocessor">princeprocessor</a> -
Standalone password candidate generator using the PRINCE algorithm.</li>
<li><a href="https://github.com/travco/rephraser">Rephraser</a> - A
Python-based reimagining of Phraser using Markov-chains for
linguistically-correct password cracking.</li>
<li><a href="https://github.com/Cynosureprime/rling">Rling</a> - RLI
Next Gen (Rling), a faster multi-threaded, feature rich alternative to
rli found in hashcat utilities.</li>
<li><a
href="https://github.com/hashcat/statsprocessor/">statsprocessor</a> -
Word generator based on per-position markov-chains.</li>
<li><a
href="https://github.com/ashvardanian/StringZilla">StringZilla</a> -
Fastest string sort, search, split, and shuffle for long strings and
multi-gigabyte files in Python and C.</li>
<li><a href="https://github.com/tp7309/TTPassGen">TTPassGen</a> -
Flexible and scriptable password dictionary generator which supportss
brute-force, combination, complex rule modes etc.</li>
<li><a
href="https://github.com/dariusztytko/token-reverser">token-reverser</a>
- Words list generator to crack security tokens.</li>
<li><a
href="https://github.com/NorthwaveSecurity/wikiraider">WikiRaider</a> -
WikiRaider enables you to generate wordlists based on country specific
databases of Wikipedia.</li>
</ul>
<h2 id="wordlists">Wordlists</h2>
<h3 id="laguage-specific">Laguage specific</h3>
<ul>
<li><a href="https://github.com/its0x08/albanian-wordlist">Albanian
wordlist</a> - A mix of names, last names and some albanian
literature.</li>
<li><a
href="https://github.com/narkopolo/danish_phone_wordlist_generator">Danish
Phone Wordlist Generator</a> - This tool can generate wordlists of
Danish phone numbers by area and/or usage (Mobile, landline etc.) Useful
for password cracking or fuzzing Danish targets.</li>
<li><a href="https://github.com/narkopolo/danish-wordlists">Danish
Wordlists</a> - Collection of danish wordlists for cracking danish
passwords.</li>
<li><a href="https://github.com/clem9669/wordlists">French Wordlists</a>
- This project aim to provide french word list about everything a person
could use as a base password.</li>
</ul>
<h3 id="other">Other</h3>
<ul>
<li><a
href="https://packetstormsecurity.com/Crackers/wordlists/page1/">Packet
Storm Wordlists</a> - A substantial collection of different wordlists in
multiple languages.</li>
<li><a
href="https://labs.nettitude.com/tools/rocktastic/">Rocktastic</a> -
Includes many permutations of passwords and patterns that have been
observed in the wild.</li>
<li><a
href="https://github.com/ohmybahgosh/RockYou2021.txt">RockYou2021</a> -
RockYou2021.txt is a MASSIVE WORDLIST compiled of various other
wordlists.</li>
<li><a href="https://weakpass.com/">WeakPass</a> - Collection of large
wordlists.</li>
</ul>
<h2 id="specific-file-formats">Specific file formats</h2>
<h3 id="pdf">PDF</h3>
<ul>
<li><a href="https://github.com/mufeedvh/pdfrip">pdfrip</a> - A
multi-threaded PDF password cracking utility equipped with commonly
encountered password format builders and dictionary attacks.</li>
</ul>
<h3 id="pem">PEM</h3>
<ul>
<li><a href="https://github.com/bwall/pemcracker">pemcracker</a> - Tool
to crack encrypted PEM files.</li>
</ul>
<h3 id="jks">JKS</h3>
<ul>
<li><a
href="https://github.com/floyd-fuh/JKS-private-key-cracker-hashcat">JKS
private key cracker</a> - Cracking passwords of private key entries in a
JKS fileCracking passwords of private key entries in a JKS file.</li>
</ul>
<h3 id="zip">ZIP</h3>
<ul>
<li><a href="https://github.com/kimci86/bkcrack">bkcrack</a> - Crack
legacy zip encryption with Biham and Kochers known plaintext
attack.</li>
<li><a href="https://github.com/hyc/fcrackzip">frackzip</a> - Small tool
for cracking encrypted ZIP archives.</li>
</ul>
<h2 id="artificial-intelligence">Artificial Intelligence</h2>
<ul>
<li><a href="https://github.com/TheAdamProject/adams">adams</a> -
Reducing Bias in Modeling Real-world Password Strength via Deep Learning
and Dynamic Dictionaries. <a
href="https://github.com/cupslab/neural_network_cracking"></a> - Code
for cracking passwords with neural networks.</li>
<li><a
href="https://github.com/gehaxelt/RNN-Passwords">RNN-Passwords</a> -
Using the char-rnn to learn and guess passwords.</li>
<li><a href="https://github.com/synacktiv/rulesfinder">rulesfinder</a> -
This tool finds efficient password mangling rules (for John the Ripper
or Hashcat) for a given dictionary and a list of passwords.</li>
<li><a href="https://github.com/javirandor/passgpt">PassGPT</a> -
PassGPT is a GPT-2 model trained from scratch on password leaks.</li>
</ul>
<h2 id="research">Research</h2>
<h3 id="articles-and-blog-posts">Articles and Blog Posts</h3>
<ul>
<li><a
href="https://jakewnuk.com/posts/optimizing-wordlists-w-masks/">Optimizing
Wordlists with Masks</a></li>
<li><a href="https://www.netmux.com/blog/purple-rain-attack">Purple Rain
Attack - Password Cracking With Random Generation</a></li>
<li><a href="https://jakewnuk.com/posts/token-swapping-attack/">Smashing
Hashes with Token Swapping Attacks</a></li>
</ul>
<h3 id="papers">Papers</h3>
<ul>
<li><a href="https://www.mdpi.com/2076-3417/10/20/7306/htm">Generating
Optimized Guessing Candidates toward Better Password Cracking from
Multi-Dictionaries Using Relativistic GAN (2020)</a></li>
<li><a href="https://ieeexplore.ieee.org/document/8422243">GENPass: A
General Deep Learning Model for Password Guessing with PCFG Rules and
Adversarial Generation (2018)</a></li>
<li><a
href="https://www.researchgate.net/publication/220713709_Password_Cracking_Using_Probabilistic_Context-Free_Grammars">Password
Cracking Using Probabilistic Context-Free Grammars (2009)</a></li>
<li><a href="https://arxiv.org/abs/2010.12269">Reducing Bias in Modeling
Real-world Password Strength via Deep Learning and Dynamic Dictionaries
(2020)</a></li>
<li><a
href="https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/melicher">Fast,
Lean, and Accurate: Modeling Password Guessability Using Neural Networks
(2016)</a></li>
<li><a href="https://arxiv.org/pdf/1709.00440">PassGAN: A Deep Learning
Approach for Password Guessing (2017)</a></li>
<li><a href="https://arxiv.org/abs/2306.01545">PassGPT: Password
Modeling and (Guided) Generation with LLMs</a></li>
</ul>
<h3 id="talks">Talks</h3>
<ul>
<li><a
href="https://github.com/JakeWnuk/Security-Conferences/blob/main/BsidesKY2023%20-%20Leveling%20Up%20Password%20Attacks%20with%20Breach%20Data.pdf">BsidesKY2023
- Leveling Up Password Attacks with Breach Data</a></li>
<li><a href="https://www.youtube.com/watch?v=MBTJ8f6Fsmg">DEF CON Safe
Mode Password Village - Getting Started with Hashcat</a></li>
<li><a href="https://www.youtube.com/watch?v=4Ell1Tt23NI">DEF CON Safe
Mode Password Village - Jeremi Gosney - Cracking at Extreme
Scale</a></li>
<li><a href="https://www.youtube.com/watch?v=8FtXntEsZdU">DEF CON 28
Safe Mode Password Village Lets Crack RockYou Without Using rockyou
txt</a></li>
<li><a
href="https://sector.ca/sessions/hashes-hashes-everywhere-but-all-i-see-is-plaintext/">SecTor
2019 - Will Hunt - Hashes, Hashes Everywhere, But All I See Is
Plaintext</a></li>
<li><a href="https://www.youtube.com/watch?v=iK6ZbD6v9Gg">Tailored,
Machine Learning-driven Password Guessing Attacks and Mitigation at
DefCamp</a></li>
<li><a
href="https://media.ccc.de/v/31c3_-_5966_-_en_-_saal_1_-_201412292245_-_unhash_-_methods_for_better_password_cracking_-_tonimir_kisasondi">UNHash
- Methods for better password cracking</a></li>
<li><a href="https://www.youtube.com/watch?v=Jvp3UTdCeag">USENIX
Security 21 - Reducing Bias in Modeling Real-world Password Strength
via Deep Learning and Dynamic Dictionaries</a></li>
<li><a href="https://www.youtube.com/watch?v=GgaZ_LxsL_8">USENIX
Security 16 - Fast, Lean, and Accurate: Modeling Password Guessability
Using Neural Networks</a></li>
</ul>
Reference in New Issue View Git Blame Copy Permalink