Thursday, December 19, 2019

Cheap and Cheerful Password Breach Check

Get the HIBP NTLM hashes ordered by hash (the ordered-by-hash download is what lets sgrep do a binary search over the file), and unzip: 

 7z x pwned-passwords-ntlm-ordered-by-hash-v5.7z

Download and compile sgrep: 

Create the following python code: 

$ cat
import hashlib
import fileinput
import subprocess

for line in fileinput.input():
    line = line.rstrip()
    # NTLM is MD4 over the UTF-16LE password (hashlib's 'md4' needs OpenSSL's legacy provider on OpenSSL 3)
    ntlmhash = hashlib.new('md4', line.encode('utf-16le')).hexdigest()
    # sgrep binary-searches the sorted file; exit status 0 means the hash was found
    process = subprocess.Popen(['/home/jamie/sgrep', '-i', ntlmhash,
                                '/home/jamie/pwned-passwords-ntlm-ordered-by-hash-v5.txt'],
                               stdout=subprocess.DEVNULL)
    return_code = process.wait()  # poll() would usually still return None here
    if return_code == 0:
        print("Found '" + line + "' in breach")

And run with your password list: 

$ echo password | ./
Found 'password' in breach

And if you want to look up NTLM hashes directly rather than plaintexts, just skip the hashing step and pass each input line to sgrep as the search key.

