Login
PassBreaker is a command-line password cracking tool developed in Python. It allows you to perform various password cracking techniques such as wordlist-based attacks and brute force attacks.Β
Clone the repository:
FreshRSS git clone https://github.com/HalilDeniz/PassBreaker.gitInstall the required dependencies:
pip install -r requirements.txtpython passbreaker.py <password_hash> <wordlist_file> [--algorithm]Replace <password_hash> with the target password hash and <wordlist_file> with the path to the wordlist file containing potential passwords.
--algorithm <algorithm>: Specify the hash algorithm to use (e.g., md5, sha256, sha512).-s, --salt <salt>: Specify a salt value to use.-p, --parallel: Enable parallel processing for faster cracking.-c, --complexity: Evaluate password complexity before cracking.-b, --brute-force: Perform a brute force attack.--min-length <min_length>: Set the minimum password length for brute force attacks.--max-length <max_length>: Set the maximum password length for brute force attacks.--character-set <character_set>: Set the character set to use for brute force attacks.Elbette! Δ°Εte Δ°ngilizce olarak yazΔ±lmΔ±Ε baΕlΔ±k ve küçük bir bilgi ile daha fazla kullanΔ±m ΓΆrneΔi:
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 passwords.txt --algorithm md5This command attempts to crack the password with the hash value "5f4dcc3b5aa765d61d8327deb882cf99" using the MD5 algorithm and a wordlist from the "passwords.txt" file.
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 --brute-force --min-length 6 --max-length 8 --character-set abc123This command performs a brute force attack to crack the password with the hash value "5f4dcc3b5aa765d61d8327deb882cf99" by trying all possible combinations of passwords with a length between 6 and 8 characters, using the character set "abc123".
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 passwords.txt --algorithm sha256 --complexityThis command evaluates the complexity of passwords in the "passwords.txt" file and attempts to crack the password with the hash value "5f4dcc3b5aa765d61d8327deb882cf99" using the SHA-256 algorithm. It only tries passwords that meet the complexity requirements.
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 passwords.txt --algorithm md5 --salt mysalt123This command uses a specific salt value ("mysalt123") for the password cracking process. Salt is used to enhance the security of passwords.
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 passwords.txt --algorithm sha512 --parallelThis command performs password cracking with parallel processing for faster cracking. It utilizes multiple processing cores, but it may consume more system resources.
These examples demonstrate different features and use cases of the "PassBreaker" password cracking tool. Users can customize the parameters based on their needs and goals.
This tool is intended for educational and ethical purposes only. Misuse of this tool for any malicious activities is strictly prohibited. The developers assume no liability and are not responsible for any misuse or damage caused by this tool.
Contributions are welcome! To contribute to PassBreaker, follow these steps:
If you have any questions, comments, or suggestions about PassBreaker, please feel free to contact me:
PassBreaker is released under the MIT License. See LICENSE for more information.
This is a command-line tool written in Python that applies one or more transmutation rules to a given password or a list of passwords read from one or more files. The tool can be used to generate transformed passwords for security testing or research purposes. Also, while you doing pentesting it will be very useful tool for you to brute force the passwords!!
How Passmute can also help to secure our passwords more?
PassMute can help to generate strong and complex passwords by applying different transformation rules to the input password. However, password security also depends on other factors such as the length of the password, randomness, and avoiding common phrases or patterns.
The transformation rules include:
reverse: reverses the password string
uppercase: converts the password to uppercase letters
lowercase: converts the password to lowercase letters
swapcase: swaps the case of each letter in the password
capitalize: capitalizes the first letter of the password
leet: replaces some letters in the password with their leet equivalents
strip: removes all whitespace characters from the password
The tool can also write the transformed passwords to an output file and run the transformation process in parallel using multiple threads.
Installation
git clone https://HITH-Hackerinthehouse/PassMute.git
cd PassMute
chmod +x PassMute.py
Usage To use the tool, you need to have Python 3 installed on your system. Then, you can run the tool from the command line using the following options:
python PassMute.py [-h] [-f FILE [FILE ...]] -r RULES [RULES ...] [-v] [-p PASSWORD] [-o OUTPUT] [-t THREAD_TIMEOUT] [--max-threads MAX_THREADS]
Here's a brief explanation of the available options:
-h or --help: shows the help message and exits
-f (FILE) [FILE ...], --file (FILE) [FILE ...]: one or more files to read passwords from
-r (RULES) [RULES ...] or --rules (RULES) [RULES ...]: one or more transformation rules to apply
-v or --verbose: prints verbose output for each password transformation
-p (PASSWORD) or --password (PASSWORD): transforms a single password
-o (OUTPUT) or --output (OUTPUT): output file to save the transformed passwords
-t (THREAD_TIMEOUT) or --thread-timeout (THREAD_TIMEOUT): timeout for threads to complete (in seconds)
--max-threads (MAX_THREADS): maximum number of threads to run simultaneously (default: 10)
NOTE: If you are getting any error regarding argparse module then simply install the module by following command: pip install argparse
Examples
Here are some example commands those read passwords from a file, applies two transformation rules, and saves the transformed passwords to an output file:
Single Password transmutation: python PassMute.py -p HITHHack3r -r leet reverse swapcase -v -t 50
Multiple Password transmutation: python PassMute.py -f testwordlists.txt -r leet reverse -v -t 100 -o testupdatelists.txt
Here Verbose and Thread are recommended to use in case you're transmutating big files and also it depends upon your microprocessor as well, it's not required every time to use threads and verbose mode.
Legal Disclaimer:
You might be super excited to use this tool, we too. But here we need to confirm! Hackerinthehouse, any contributor of this project and Github won't be responsible for any actions made by you. This tool is made for security research and educational purposes only. It is the end user's responsibility to obey all applicable local, state and federal laws.
This tool is only for legally authorized enterprise security construction behaviors and personal learning behaviors. If you need to test the usability of this tool, please build a target drone environment by yourself.
When using this tool for testing, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization. Do not scan unauthorized targets.
We reserve the right to pursue your legal responsibility if the above prohibited behavior is found.
If you have any illegal behavior in the process of using this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint responsibility.
Before installing and using this tool, please be sure to carefully read and fully understand the terms and conditions.
Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this Agreement in any other express or implied manner shall be deemed that you have read and agreed to be bound by this Agreement.
_ __
|#| /#/ Lightweight Asset Mapping Tool by: kv2
|#|/#/ _____ _____ * _ _
|#.#/ /Edge/ /Forum| /#\ |#\ |#|
|##| |#|___ |#| /###\ |##\|#|
|#.#\ \#####\|#| /#/_\#\ |#.#.#|
|#|\#\ /\___|#||#|____/#/###\#\|#|\##|
|#| \#\\#####/ \#####/#/ \#\#| \#|
Kscan is an asset mapping tool that can perform port scanning, TCP fingerprinting and banner capture for specified assets, and obtain as much port information as possible without sending more packets. It can perform automatic brute force cracking on scan results, and is the first open source RDP brute force cracking tool on the go platform.
At present, there are actually many tools for asset scanning, fingerprint identification, and vulnerability detection, and there are many great tools, but Kscan actually has many different ideas.
Kscan hopes to accept a variety of input formats, and there is no need to classify the scanned objects before use, such as IP, or URL address, etc. This is undoubtedly an unnecessary workload for users, and all entries can be normal Input and identification. If it is a URL address, the path will be reserved for detection. If it is only IP:PORT, the port will be prioritized for protocol identification. Currently Kscan supports three input methods (-t,--target|-f,--fofa|--spy).
Kscan does not seek efficiency by comparing port numbers with common protocols to confirm port protocols, nor does it only detect WEB assets. In this regard, Kscan pays more attention to accuracy and comprehensiveness, and only high-accuracy protocol identification , in order to provide good detection conditions for subsequent application layer identification.
Kscan does not use a modular approach to do pure function stacking, such as a module obtains the title separately, a module obtains SMB information separately, etc., runs independently, and outputs independently, but outputs asset information in units of ports, such as ports If the protocol is HTTP, subsequent fingerprinting and title acquisition will be performed automatically. If the port protocol is RPC, it will try to obtain the host name, etc.
Kscan currently has 3 ways to input targets
IP address: 114.114.114.114
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
[Empty]: will detect the IP address of the local machine and detect the B segment where the local IP is located
[all]: All private network addresses (192.168/172.32/10, etc.) will be probed
IP address: will detect the B segment where the specified IP address is located
fofa search keywords: will directly return fofa search results
usage: kscan [-h,--help,--fofa-syntax] (-t,--target,-f,--fofa,--spy) [-p,--port|--top] [-o,--output] [-oJ] [--proxy] [--threads] [--path] [--host] [--timeout] [-Pn] [-Cn] [-sV] [--check] [--encoding] [--hydra] [hydra options] [fofa options]
optional arguments:
-h , --help show this help message and exit
-f , --fofa Get the detection object from fofa, you need to configure the environment variables in advance: FOFA_EMAIL, FOFA_KEY
-t , --target Specify the detection target:
IP address: 114.114.114.114
IP address segment: 114.114.114.114/24, subnet mask less than 12 is not recommended
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
--spy network segment detection mode, in this mode, the internal network segment reachable by the host will be automatically detected. The acceptable parameters are:
(empty), 192, 10, 172, all, specified IP address (the IP address B segment will be detected as the surviving gateway)
--check Fingerprinting the target address, only port detection will not be performed
--scan will perform port scanning and fingerprinting on the target objects provided by --fofa and --spy
-p , --port scan the specified port, TOP400 will be scanned by default, support: 80, 8080, 8088-8090
-eP, --excluded-port skip scanning specified portsοΌsupportοΌ80,8080,8088-8090
-o , --output save scan results to file
-oJ save the scan results to a file in json format
-Pn After using this parameter, intelligent survivability detection will not be performed. Now intelligent survivability detection is enabled by default to improve efficiency.
-Cn With this parameter, the console output will not be colored.
-sV After using this parameter, all ports will be probed with full probes. This parameter greatly affects the efficiency, so use it with caution!
--top Scan the filtered common ports TopX, up to 1000, the default is TOP400
--proxy set proxy (socks5|socks4|https|http)://IP:Port
--threads thread parameter, the default thread is 100, the maximum value is 2048
--path specifies the directory to request access, only a single directory is supported
--host specifies the header Host value for all requests
--timeout set timeout
--encoding Set the terminal output encoding, which can be specified as: gb2312, utf-8
--match returns the banner to the asset for retrieval. If there is a keyword, it will be displayed, otherwise it will not be displayed
--hydra automatic blasting support protocol: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis, all are enabled by default
hydra options:
--hydra-user custom hydra blasting username: username or user1,user2 or file:username.txt
--hydra-pass Custom hydra blasting password: password or pass1,pass2 or file:password.txt
If there is a comma in the password, use \, to escape, other symbols do not need to be escaped
--hydra-update Customize the user name and password mode. If this parameter is carried, it is a new mode, and the user name and password will be added to the default dictionary. Otherwise the default dictionary will be replaced.
--hydra-mod specifies the automatic brute force cracking module: rdp or rdp, ssh, smb
fofa options:
--fofa-syntax will get fofa search syntax description
--fofa-size will set the number of entries returned by fofa, the default is 100
--fofa-fix-keyword Modifies the keyword, and the {} in this parameter will eventually be replaced with the value of the -f parameter
The function is not complicated, the others are explored by themselves
psudohash is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more. It is keyword-based and highly customizable.
System administrators and other employees often use a mutated version of the Company's name to set passwords (e.g. Am@z0n_2022). This is commonly the case for network devices (Wi-Fi access points, switches, routers, etc), application or even domain accounts. With the most basic options, psudohash can generate a wordlist with all possible mutations of one or multiple keywords, based on common character substitution patterns (customizable), case variations, strings commonly used as padding and more. Take a look at the following example:
The script includes a basic character substitution schema. You can add/modify character substitution patterns by editing the source and following the data structure logic presented below (default):
transformations = [
{'a' : '@'},
{'b' : '8'},
{'e' : '3'},
{'g' : ['9', '6']},
{'i' : ['1', '!']},
{'o' : '0'},
{'s' : ['$', '5']},
{'t' : '7'}
]
When it comes to people, i think we all have (more or less) set passwords using a mutation of one or more words that mean something to us e.g., our name or wife/kid/pet/band names, sticking the year we were born at the end or maybe a super secure padding like "!@#". Well, guess what?
No special requirements. Just clone the repo and make the script executable:
git clone https://github.com/t3l3machus/psudohash
cd ./psudohash
chmod +x psudohash.py
./psudohash.py [-h] -w WORDS [-an LEVEL] [-nl LIMIT] [-y YEARS] [-ap VALUES] [-cpb] [-cpa] [-cpo] [-o FILENAME] [-q]
The help dialog [ -h, --help ] includes usage details and examples.
--years and --append-numbering with a --numbering-limit β₯ last two digits of any year input, will most likely produce duplicate words because of the mutation patterns implemented by the tool.I'm gathering information regarding commonly used password creation patterns to enhance the tool's capabilities.
