An experimental password hash cracker written in Golang.
This repository is old and dusty. Files stored with Git LFS probably won't work. Contact me if you're interested in the project, and I'd be glad to hand them over.
Corinda is the product of my MSc in Computer Engineering at UFG, Brazil. The dissertation is available at /docs, but only in Brazilian Portuguese.
Corinda uses concurrent heuristics based on model entropy and relative frequency from sample sets. Currently, Corinda has the following sample sets:
- RockYou
- AntiPublic
The user feeds Corinda a password hash (SHA1 or SHA256), chooses a sample set, and waits while concurrent goroutines try to crack it with computational load balancing for each password model.
Corinda only supports CPU cracking.
Corinda uses a modified version of OWASP's Passfault to train password models.
Related publications on the subject:
- General Framework for Evaluating Password Complexity and Strength: https://goo.gl/uYJsVr
- Passfault: an Open Source Tool for Measuring Password Complexity and Strength: https://goo.gl/mUVlw2
Corinda is released under GNU General Public License v3.0. Corinda is distributed for research purposes only. We believe that people should understand the dangers of simple passwords, and Corinda is an effort to encourage people to protect their privacy with high entropy passwords. And remember: with great power comes great responsibility!
Contact: [email protected]
- Install Go tools: https://golang.org/doc/install
- Set GOPATH: https://golang.org/doc/code.html#GOPATH
- Clone to GOPATH:
    cd $GOPATH
    mkdir -p src/github.com/bernardoaraujor/
    cd src/github.com/bernardoaraujor
    git clone https://github.com/bernardoaraujor/corinda
    cd corinda
    git submodule update --init --recursive
- Have input file correctly formatted as Comma Separated Values. Each line must be composed of [frequency,password]. The .csv must be compressed into .csv.gz, and placed inside the /csv directory.
- Run train command:
    $ corinda train <input>
- Make sure you have the trained maps (elementary and composite) in /maps.
- Make sure there is only one file for the target list in /targets (run the merger.sh script if necessary).
- Run crack command:
    $ corinda crack <trained list> <target list> <sha1 or sha256>
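The [frequency,password] input layout from the train step, as an added example that is not Corinda's own code: it validates a gzip-compressed CSV stream and computes the Shannon entropy of the sample set, which shows how a few very common passwords pull the entropy of a whole list down. The function names, the sample records and the use of Shannon entropy over the full distribution are assumptions made here; Corinda's own per-model entropy may be computed differently.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/csv"
	"fmt"
	"io"
	"math"
	"strconv"
)

func Gzip(data string) io.Reader {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(data))
	zw.Close()
	return &buf
}

// LoadSample validates a .csv.gz stream; returns counts and entropy in bits.
func LoadSample(r io.Reader) (map[string]uint64, float64, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, 0, fmt.Errorf("not gzip data: %w", err)
	}
	cr := csv.NewReader(zr)
	cr.FieldsPerRecord, cr.LazyQuotes = 2, true // two fields; bare quotes allowed
	rows, err := cr.ReadAll()
	if err != nil {
		return nil, 0, err
	}
	counts, total, h := map[string]uint64{}, 0.0, 0.0
	for i, row := range rows {
		n, err := strconv.ParseUint(row[0], 10, 64)
		if err != nil || n == 0 {
			return nil, 0, fmt.Errorf("record %d: bad frequency %q", i+1, row[0])
		}
		counts[row[1]] += n // repeated passwords are merged
		total += float64(n)
	}
	for _, n := range counts {
		h -= float64(n) / total * math.Log2(float64(n)/total)
	}
	return counts, h, nil
}

// Gzip stands in for a .csv.gz on disk; the records are constructed, not leak data.
func main() { fmt.Println(LoadSample(Gzip("4,123456\n2,password\n1,qwerty\n1,T7#kd!zQ\n"))) }
```

A password containing an unquoted comma yields three fields and is rejected, so such entries must be quoted in the CSV.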
This project uses a modified version of OWASP's Passfault as a submodule.
This work is part of my MSc. in Computer Engineering @ UFG, Brazil.
Found at passfault_corinda/src/org/owasp/passfault/wordlists/.
Generated with help of the Python module wordfreq, maintained by Luminoso Technologies, Inc. The module gathers information about word usage on different topics at different levels of formality, using data collected from the following sources: LeedsIC, SUBTLEX, OpenSub, Twitter, Wikipedia, Reddit, and CCrawl.
xxPopular contain the 80% head of the Zipf Distribution of words, while xxLongTail contain the 20% long tail.
Downloaded from https://wiki.skullsecurity.org/Passwords.
This list has been compiled by Solar Designer of Openwall Project, http://www.openwall.com/wordlists/ . This list is based on passwords most commonly seen on a set of Unix systems in mid-1990's, sorted for decreasing number of occurrences (that is, more common passwords are listed first). It has been revised to also include common website passwords from public lists of "top N passwords" from major community website compromises that occurred in 2006 through 2010. Last update: 2011/11/20 (3546 entries).
Downloaded from https://wiki.skullsecurity.org/Passwords.
Downloaded from https://github.com/danielmiessler/SecLists/tree/master/Passwords.
Downloaded from https://github.com/danielmiessler/SecLists/tree/master/Passwords.
Copyright Rhett Butler of Mongay.com
This OWASP Passfault word list is licensed under a Creative Commons Attribution 4.0 International Licence. This list was compiled by Brandon Lyew, Georgina Matias, Kevin Sealy, Michael Glassman, and Scott Sands as part of their Capstone/Winter-code-sprint project. The information was collected from public voting records.
Downloaded from the US Social Security website: https://www.ssa.gov/oact/babynames/limits.html
Downloaded from the US Census of 2000: https://www.census.gov/topics/population/genealogy/data/2000_surnames.html
- doc dependencies
- (jnigi check /usr/lib/jvm/..., sym link include/linux/jni_md.h to include/jni_md.h)
- future work:
- go tests
- support salting
- support l337 (Passfault)
- misspelling (Passfault)
- support toggle case (Passfault)
- entropy guess sorting