Python Hybrid Password Cracker

Dictionary attacks are fast and effective, as long as the target password is contained in the dictionary. Brute force attacks are effective, but slow, because they try all possible passwords (given length and character settings). A hybrid attack combines dictionary attacks with brute-force attacks. For example, you might try a dictionary attack, but add a single digit to the end of each word in the dictionary. So, if your dictionary contained the word, "umbrella," the following passwords would be tried:

  • umbrella0
  • umbrella1
  • umbrella2
  • umbrella3
  • umbrella4
  • umbrella5
  • umbrella6
  • umbrella7
  • umbrella8
  • umbrella9

Hybrid attacks can be successful because people often tweak commonly used passwords by adding a couple of characters to the beginning or end of a password.

Learning Objectives

You should be able to:

  • Create a Python hybrid password-cracking script.

Video Walkthrough

Use this video to follow along with the steps in this lab.

Coding the Python Hybrid Password Cracker

You will create a program that will crack passwords using a hybrid attack.

  • The password hash you need to crack is: f6c3079d0108d0c9901e4d82c3ebc6f6f11a973f97eff9cd531d1eecd4a6bbb9
  • The password hash is SHA256.
  • The password is the name of a fruit with a number at the end.

Required: Put your first and last name as one of the elements in the dictionary . I.e., the dictionary will contain a list of fruits and your name.

The following hints will help you write your program.

  • Import the hashing library
  • Store a list of fruits in a variable. Add your full name to the list.
  • Store the target hash as a variable.
  • Create a loop that goes through each fruit in your list.
    • Create a loop that goes through the digits 0-9.
      • Calculate the SHA256 hash of the combination of fruit + the digit.
      • Compare the resulting hash with the target.
      • If they match, you've cracked the password.
  • Write output that summarizes whether you cracked the password or not.

There are two main ways that the script may fail to crack the password:

  • There are bugs in the code.
  • Your dictionary does not contain the target password. Try adding more items to your dictionary.

Reflection

  • Which elements of the assignment were most challenging?
  • How would you code a brute-force attack?