0

We have a set of hashes and we want to compare them with the passwords contained in the famous rockyou.txt.

We have written code that iteratively converts each entry in rockyou.txt to a hash and compares it with our single hash using:

    from passlib.hash import pbkdf2_sha256
    pbkdf2_sha256.verify(password_string_in_rockyou, my_hash)

The issue is that we have to convert the entire 15 million entries in rockyou.txt to hashes to check against a single hash we have. So, if we have 1000 hashes we have to compute the hashes 1000 * 15 million times.

Is there any way to store the 15 million hashes converted one time and leverage the same for cracking all hashes?

Ralf
user1
  • Can't you just write all the obtained hashes to a file and read/compare from there (instead of converting each time)? The faster option could be to store the hashes in a database and use an index to speed up lookups. – Ralf Oct 08 '18 at 14:57
  • The point of hashing this way is pretty much that you will have to try each individual permutation to feasibly prevent brute forcing it. – deceze Oct 08 '18 at 15:01
  • @Ralf The hashes generated are different every time and may not match character-wise. For example, a password "ABC" can have a hash "ahhhdjhXx1" and "aslajsjdiiiaoxx2". So, they cannot be compared as a string. I wanted to ask if there is any function which takes 2 parameters as hashes and checks if they belong to the same password. – user1 Oct 08 '18 at 15:13
  • Ah, you seem to have salted hashes. Yeah, that's better security, and there is no quick way around it. So the answer to your question is: no, I know of no easy way to speed up your search. – Ralf Oct 08 '18 at 15:35
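As an added illustration (not code from the question or the answer) of why the 15 million derivations cannot be done once and reused: a passlib pbkdf2_sha256 string carries its own salt, so the same password produces an unrelated string for every salt and must be re-derived per stored hash. The code below rebuilds that string format with the standard library only; it assumes passlib's documented layout `$pbkdf2-sha256$rounds$salt$checksum` with adapted base64 (`.` instead of `+`, padding dropped), and the salts and passwords are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Layout assumed from passlib's documentation for pbkdf2_sha256:
#   $pbkdf2-sha256$<rounds>$<salt>$<checksum>
# salt and checksum use "adapted base64": '+' becomes '.', '=' padding dropped.
PREFIX = "pbkdf2-sha256"

def ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").replace("+", ".").rstrip("=")

def ab64_decode(text: str) -> bytes:
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))

def make_hash(password: str, salt: bytes, rounds: int = 29000) -> str:
    """Derive a 32-byte PBKDF2-HMAC-SHA256 key and format it like passlib does."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"${PREFIX}${rounds}${ab64_encode(salt)}${ab64_encode(dk)}"

def parse_hash(stored: str):
    """Split a stored string into (rounds, salt, checksum); raise on bad input."""
    fields = stored.split("$")
    if len(fields) != 5 or fields[0] != "" or fields[1] != PREFIX:
        raise ValueError("not a pbkdf2-sha256 hash string")
    return int(fields[2]), ab64_decode(fields[3]), ab64_decode(fields[4])

def verify(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the salt taken from the stored string itself.

    This is the step that cannot be skipped: the salt is only known once the
    stored string is read, so a candidate password has to be re-derived for
    every distinct salt rather than once for the whole rockyou.txt list.
    """
    rounds, salt, checksum = parse_hash(stored)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=len(checksum))
    return hmac.compare_digest(dk, checksum)

# Constructed demonstration: one password, two salts, two unrelated strings.
HASH_A = make_hash("ABC", b"constructed-salt-01", rounds=1000)
HASH_B = make_hash("ABC", b"constructed-salt-02", rounds=1000)

if __name__ == "__main__":
    print(HASH_A)
    print(HASH_B)
    print(verify("ABC", HASH_A), verify("ABC", HASH_B), verify("abc", HASH_A))
```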

1 Answer

0

Unfortunately doing this in Python (or any language) is going to be painfully slow. The correct tool for the job is Hashcat. You'll want to run it on a machine with a decent graphics card that has either an Intel, ATI, or NVIDIA chipset and the latest and greatest video card drivers installed.

Hashcat leverages all of the cores in your video card which will greatly outnumber the number of cores available on your CPU.

Jason
  • I am already running Hashcat on one Ubuntu instance, but no luck. As Hashcat did not give me any result, I went the other way. – user1 Oct 08 '18 at 20:56
  • No result meaning none of the hashes you have use the passwords in rockyou? – Jason Oct 09 '18 at 13:58
  • I was able to crack a few but the count did not increase even after running hashcat over night. – user1 Oct 09 '18 at 16:28
  • @Jason but the count has not increased for the last 28 hours, hence I was thinking of opting for another way. – user1 Oct 10 '18 at 01:06
  • Understandable. I did the same thing but found Hashcat could do in seconds what took hours with Python. I found the standard library hashing to be faster than Passlib. Hashed the passwords to try when reading them, then passed in copies to apply the salt. Those were my two biggest performance bumps. Golang was twice as fast as Python for a home-brewed solution. – Jason Oct 10 '18 at 14:14