Can I use Hashcat for checking against HIBP DB?
#1
Question 
Hello,

I would like to perform the opposite of password cracking.

I have a list of several hundreds of plain text passwords and would like to check if they (their hashes) are present in the latest Have I Been Pwned hash dump.

Can Hashcat do that?  And if so, can you please suggest what command-line parameters to use?

Otherwise, can you please point me to a more suitable tool?

Thank you!
Zevel
Reply
#2
Using the list of hashes you want to check as a dictionary and the list of hashes you want to check against as a target, I believe you can make use of the "plaintext" mode in hashcat to do this.

Mode 99999 Plaintext hashcat

Setting -m 99999 _should_ allow you to run the dictionary against the target list and come up with a list of all the hashes that are in your dictionary AND in the HIBP list, though this is not really something that I've seen anyone do.

Example command line: hashcat -m 99999 -a 0 HashesToCheck.txt HIBPlist.txt
Reply
#3
Well, theoretically, you could download the HIBP SHA-1 hashes from https://haveibeenpwned.com/Passwords, and then crack them with hashcat using your list as a wordlist. But since the HIBP list is so large, it may not fit into GPU memory and so hashcat wouldn't be able to crack it without breaking the list up into multiple subsets.

Alternatively, you could simply hash your passwords with SHA-1 and search for them in the list using any of the various command-line tools. At that point, it's just a string-matching exercise.

Either of the above would have the benefit of not disclosing even part of your hash to a third party.

Troy also has an API available - you send just a prefix, and a list of matching hashes are returned.

https://www.troyhunt.com/ive-just-launch...kanonymity
~
Reply
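The offline approach royce describes (SHA-1 your own passwords, then string-match against the downloaded list) and the prefix split behind the k-anonymity API, as an added example that is not code from this thread or from hashcat. The "breach list", the range-API response lines and the counts are constructed here; the real download is tens of gigabytes, so for it you would stream the file or do a sorted merge rather than load a dict.

```python
"""Check plaintext passwords against a local HIBP-style SHA-1 list, fully offline."""
import hashlib
from typing import Dict, Iterable, List, Tuple


def sha1_upper(password: str) -> str:
    """HIBP publishes SHA-1 of the UTF-8 password as upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_hibp_file(lines: Iterable[str]) -> Dict[str, int]:
    """Parse the 'SHA1HASH:COUNT' line format of the downloadable list."""
    table: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        table[digest.upper()] = int(count) if count else 0
    return table


def check_passwords(passwords: Iterable[str], table: Dict[str, int]) -> List[Tuple[str, int]]:
    """Return (password, count) for every password whose SHA-1 is in the table."""
    return [(pw, table[h]) for pw in passwords if (h := sha1_upper(pw)) in table]


def k_anonymity_query(password: str) -> Tuple[str, str]:
    """Split the digest as the range API expects: only the 5-hex-char prefix
    leaves the machine; the remaining 35 chars are matched locally."""
    h = sha1_upper(password)
    return h[:5], h[5:]


def match_range_response(suffix: str, response_lines: Iterable[str]) -> int:
    """The range API answers with 'SUFFIX:COUNT' lines for one prefix.
    Match our suffix against them locally; 0 means not present."""
    for line in response_lines:
        s, _, c = line.strip().partition(":")
        if s.upper() == suffix:
            return int(c)
    return 0


# Constructed sample data (not real HIBP counts): a tiny stand-in for the dump.
LEAKED = {"password": 1000, "123456": 250, "qwerty": 42}
SAMPLE_FILE = [f"{sha1_upper(p)}:{n}" for p, n in LEAKED.items()]

if __name__ == "__main__":
    hits = check_passwords(["password", "correct horse battery staple"], load_hibp_file(SAMPLE_FILE))
    print(hits)  # only "password" is in the constructed list
```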
#4
Why is that the opposite? Sounds like a traditional wordlist attack to me.
Reply
#5
Thank you Chick3nman, royce and atom.

I ended up writing a short C++ program to do that using the Crypto++ library.

Thanks again and sorry for bothering you.
Reply