Can I use Hashcat for checking against HIBP DB? - Zevel - 03-10-2019

Hello,

I would like to perform the opposite of password cracking. I have a list of several hundreds of plain text passwords and would like to check if they (their hashes) are present in the latest Have I Been Pwned hash dump.

Can Hashcat do that? And if so, can you please suggest what command-line parameters to use? Otherwise, can you please point me to a more suitable tool?

Thank you!
Zevel

RE: Can I use Hashcat for checking against HIBP DB? - Chick3nman - 03-10-2019

Using the list of hashes you want to check as a dictionary and the list of hashes you want to check against as a target, I believe you can make use of the "plaintext" mode in hashcat to do this.

Mode 99999 Plaintext hashcat

Setting -m 99999 _should_ allow you to run the dictionary against the target list and come up with a list of all the hashes that are in your dictionary AND in the HIBP list, though this is not really something that I've seen anyone do.

Example command line:

hashcat -m 99999 -a 0 HashesToCheck.txt HIBPlist.txt

RE: Can I use Hashcat for checking against HIBP DB? - royce - 03-10-2019

Well, theoretically, you could download the HIBP SHA-1 hashes from https://haveibeenpwned.com/Passwords, and then crack them with hashcat using your list as a wordlist. But since the HIBP list is so large, it may not fit into GPU memory and so hashcat wouldn't be able to crack it without breaking the list up into multiple subsets.

Alternatively, you could simply hash your passwords with SHA-1 and search for them in the list using any of the various command-line tools. At that point, it's just a string-matching exercise.

Either of the above would have the benefit of not disclosing even part of your hash to a third party.

Troy also has an API available - you send just a prefix, and a list of matching hashes is returned.

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

RE: Can I use Hashcat for checking against HIBP DB? - atom - 03-10-2019

Why is that the opposite? Sounds like a traditional wordlist attack to me.

RE: Can I use Hashcat for checking against HIBP DB? - Zevel - 03-10-2019

Thank you Chick3nman, royce and atom.

I ended up writing a short C++ program to do that using the Crypto++ library.

Thanks again and sorry for bothering you.
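
The offline check royce describes (hash each password with SHA-1, then look it up in the downloaded list), as an added example that is not part of the original thread and not Zevel's program. It assumes the dump is a text file of HASH:count lines; the sample dump, its counts and the candidate passwords are constructed.

```python
import hashlib
import io

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form used in the dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def check_against_dump(passwords, dump_lines):
    """Stream 'HASH:count' lines once and return {password: count} for hits.

    Only the candidate hashes are held in memory, so the size of the dump
    does not matter, and no part of any hash leaves the machine.
    """
    wanted = {sha1_hex(pw): pw for pw in passwords}
    found = {}
    for raw in dump_lines:
        line = raw.strip()              # tolerates CRLF line endings
        if not line:
            continue
        digest, _, count = line.partition(":")
        pw = wanted.get(digest.upper())  # tolerates lowercase hex
        if pw is not None:
            # A line without a count field is still a hit; report None.
            found[pw] = int(count) if count.isdigit() else None
    return found

# Constructed sample standing in for the downloaded file (counts are made up).
SAMPLE_DUMP = (
    f"{sha1_hex('123456')}:42\r\n"
    f"{sha1_hex('password')}:17\r\n"
    f"{sha1_hex('qwerty')}:5\r\n"
)

if __name__ == "__main__":
    candidates = ["password", "constructed-unlisted-passphrase", "qwerty"]
    # For the real dump, pass an open file object instead of the StringIO,
    # e.g. open("hibp-sha1.txt") (hypothetical file name).
    hits = check_against_dump(candidates, io.StringIO(SAMPLE_DUMP))
    for pw in candidates:
        status = f"FOUND (count {hits[pw]})" if pw in hits else "not found"
        print(f"{pw!r}: {status}")
```
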