ProgrammingPythonSecurity

Creating a simple MD5 cracker in Python.

Intro

Let me preface this post by saying, in no absolute way am I a master in InfoSec, Cryptography, Programming, or in writing articles about any of these subjects. I myself am just beginning in some of these fields, as I am sure some of you are, and I am assuming that like myself you have stumbled upon these fields out of pure curiosity, which has(if you are anything like myself) risen to become a need to know more, an obsession almost. So by posting this I hope it helps in bridging some technical gaps, or at least gives a solution to a particular problem you are facing, or at minimal gives you a starting point in writing some simple scripts to solve basic(even if outdated) problems. This article is for education purposes only, as we all know we should stay ethical in our studies as well as in life, to the best of our abilities.

What this article will cover.

  • Building a very simple MD5 hash cracker via the Python Programming language

What this article will not cover.

  • Creating a virtual environment for our program(I will cover this in a separate article).
  • Installing necessary dependencies for our program to run(I.E. pip installation of dependencies)
  • Creating custom wordlists to crack specific target hashes(Once again this is a planned future article)
  • Installation of any type of Python IDE(any text editor will work, however for this article I will be using Pycharm CE)

This article is assuming you have basic programming knowledge, as well as a basic Python development environment setup(or atleast the knowledge on how to get said environment setup). This article is covering MD5 hash cracking, which if you are reading this you mostly likely know is not a difficult thing to do, nor is the MD5 algorithm anywhere near the most secure way to hash any type of sensitive data, more so this article is to outline simple methods that can be used to not only write a MD5 cracker, but these same principles can be used to crack more sophisticated password hashes(atleast in theory!). So lets dive in…

We will begin our python script by importing necessary modules.

import hashlib

For this particular example we will keep things extremely simple(in a later article we will look into turning our script into a python CLI application, as well as measuring time it takes to either crack the hash, or to run through our wordlist.).

We simply begin by importing hashlib which is included in the python standard library. If you have not worked with hashlib before or would like to learn more about it please feel free to take a look at the docs at https://docs.python.org/3/library/hashlib.html

Secondly we will define our hash we wish to crack, and wordlist to use.

import hashlib
HASH = '5f4dcc3b5aa765d61d8327deb882cf99'
PASSLIST = [
        'test',
        'name',
        'hello',
        'password',
        'goodbye'
]

After importing our necessary Python module to hash our guesses and test against the original hash, we will supply the MD5 hash we will to crack, as well as a simple Python list “wordlist” to iterate through, hash each guess, and test against our original hash. For this example I am using an extremely simple password which is ‘password’ and I generated the MD5 hash online via https://www.webatic.com/md5-convertor

Next we will write our main function that houses our iteration login.

import hashlib
HASH = '5f4dcc3b5aa765d61d8327deb882cf99'
PASSLIST = [
        'test',
        'name',
        'hello',
        'password',
        'goodbye'
]
def main():
        for word in PASSLIST:
                guess = hashlib.md5(word.encode('utf-8')).hexdigest()
                if guess.upper() == HASH or guess.lower() == HASH:
                        print(f'[+] Password found: {word}')
                        exit(0)
                else:
                        print(f'[-] Guess: {word} incorrect...')
                print('Password not found in wordlist...')

Lets run through this real quick step by step.

  • Define our function in python def main():
  • Create our loop to iterate through our wordlist checking each word against our hash by first hashing that word via hashlib and comparing it to our original hash for word in PASSLIST:
  • Define our guess variable which is the current iteration of our loop through our wordlist hashed in MD5 via hashlib
  • Conditional statement checking to see if our hashed guess matches the original hash(we are using pythons build in functionality upper() and lower() as a sanity check just to make sure we double check the hash with both uppercase characters as well as lowercase character)
  • if we have a match between our hashed guess and our original hash we will print a success message and then exit our script
print(f'[+] Password found: {word}')<br>                        exit(0)
  • Else our guess is not a match we will print a message stating that particular guess was unsucessful, and we will continue our iteration
print(f'[-] Guess: {word} incorrect...')
  • Our final step in the main function will be to simply print a message if we have exhausted our provided “wordlist” without a match.
print('Password not found in wordlist...')

Lastly we will call our main function in our script.

import hashlib
HASH = '5f4dcc3b5aa765d61d8327deb882cf99'
PASSLIST = [
        'test',
        'name',
        'hello',
        'password',
        'goodbye'
]
def main():
        for word in PASSLIST:
                guess = hashlib.md5(word.encode('utf-8')).hexdigest()
                if guess.upper() == HASH or guess.lower() == HASH:
                        print(f'[+] Password found: {word}')
                        exit(0)
                else:
                        print(f'[-] Guess: {word} incorrect... {guess}')
        print(f'Password not found in wordlist...')
if __name__ == '__main__':
        main()

If you are familiar with Python then this last bit of code will come naturally, if you are new to Python and are wondering why this piece of code is in our script I urge you to do some research into the matter, this article is a great jumping off point https://medium.com/python-features/understanding-if-name-main-in-python-a37a3d4ab0c3

If you have been following along this guide, your code should look just as the code above. When the script is run you should get something along the lines of this in your terminal.

[-] Guess: test incorrect...
[-] Guess: name incorrect...
[-] Guess: hello incorrect...
[+] Password found: password

Thank you for reading.

Thank you very much for taking the time to read this article. There will be other steps in this series to show how to turn this script into a CLI application, add additional hash algorithms to crack, and generally make the script more sophisticated. Stay tuned!!!

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button