Leaked password lists NOT uniq
#1
Hi,
I'm currently playing with two projects related to AI and password cracking.
The first one is the PassGAN model (https://github.com/brannondorsey/PassGAN) to generate new passwords based on leaked password lists. The first results are quite promising, although I have issues finding good dictionaries that are not uniq.
Verification of results is based on checking how many new passwords can be found in a hash list that contains 306m valid hashes (hash source: https://haveibeenpwned.com/Passwords V1; 3 Aug 2017).
So for example, after generating a new password list based on uniq rockyou that contains 1m new passwords, around 11% of them can be found in the 306m hash list (so from 1m new passwords, around 100k correspond with the big hash list).
Compared with the rockyou list that is not uniq, it gave me around 22% hits.

So my question is, do you have password lists that are not uniq? I would be very interested especially in the LinkedIn list, but of course I'm not limited to this list. And if you have one, are you willing to share it with me?
The list will be used to build a new big dictionary and try this against some hash lists that can be found on the hashes.org website. Of course all newly cracked passwords will be uploaded.

The second project is about a brute force approach to password cracking, but this is something not to share yet Smile
Reply
#2
On Hashes.org every hashlist available is made unique and I don't keep track of how many times a hash appeared in a leak. But if you would like to have this information, you can do this when you have the original leak lists (e.g. for LinkedIn) and then just go through them with the founds of hashes.org (a simple Hashcat dictionary run) and replace all occurrences of the corresponding hashes. So at the end you would have the LinkedIn list with all passwords (just throw out the hashes which are not found).
Reply
#3
Thanks s3in!c for an interesting idea!
I will check it out today evening.

In the meantime I also found another way of solving my issue. Posting it here in case anybody else faces a similar issue in the future.

On the website https://haveibeenpwned.com/Passwords, at the bottom you can find a list of hashes with corresponding counts. So grab the biggest dictionary that is available from hashes.org and revert as many hashes as possible (I was able to find around 95% of the passwords).
So now you have plain text passwords, hashes and the counter of hashes. Create a script that will multiply every password from this list based on the counter, and here you are!

The end product will be very big. Depending on what is needed, some tricks will have to be done to make the dictionary smaller, but this is also very project dependent... Smile
Reply
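A script along the lines of what post #3 describes (and the join with the founds that post #2 suggests), added here as an example and not code from the thread or from hashes.org. It assumes the HIBP `HASH:count` line layout and a founds map of SHA-1 hash to plaintext; the sample lines and the founds below are constructed, and a `cap` parameter (an assumption, not part of the HIBP format) is there for the "make it smaller" problem post #3 mentions.

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, Iterator, Optional, Tuple

def sha1_hex(plain: str) -> str:
    """Uppercase hex SHA-1, the form used in the Pwned Passwords list."""
    return hashlib.sha1(plain.encode("utf-8")).hexdigest().upper()

# Constructed founds: what a dictionary run against the hash list gives you.
FOUNDS: Dict[str, str] = {sha1_hex(p): p for p in ["password", "123456", "letmein"]}

# Constructed HIBP-style lines: "HASH:count". The last hash was never cracked.
HIBP_LINES = [
    f"{sha1_hex('123456')}:3",
    f"{sha1_hex('password')}:2",
    f"{sha1_hex('letmein')}:1",
    f"{'A' * 40}:7",
]

def parse_counts(lines: Iterable[str]) -> Iterator[Tuple[str, int]]:
    """Yield (hash, count) from 'HASH:count' lines; skip blank or malformed ones."""
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        h, _, cnt = line.rpartition(":")
        if cnt.isdigit():
            yield h.upper(), int(cnt)

def expand(counts: Iterable[Tuple[str, int]], founds: Dict[str, str],
           cap: Optional[int] = None) -> Iterator[str]:
    """Emit each cracked password `count` times (optionally capped at `cap`).

    Hashes with no plaintext in `founds` are dropped, as post #2 suggests.
    Streams lazily so the full, very large output never sits in memory.
    """
    for h, n in counts:
        plain = founds.get(h)
        if plain is None:
            continue
        if cap is not None:
            n = min(n, cap)
        for _ in range(n):
            yield plain

def leak_to_counts(leak_hashes: Iterable[str]) -> Iterator[Tuple[str, int]]:
    """Post #2's variant: a non-unique leak file is just one occurrence per line."""
    return iter(Counter(h.strip().upper() for h in leak_hashes if h.strip()).items())
```

Piping `expand(parse_counts(open(path)), founds)` to a file gives the non-uniq dictionary; `cap` keeps one very common password from dominating it.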
#4
Yeah, good point with the hibp list. Just note that the list contains a large bunch of really badly parsed stuff, emails etc., so depending on what your use case is, it might not be the right thing.

But anyway, at some point the hibp v2 might be available on hashes.org Wink
Reply