HashCheck : Tool To Assist In The Search For Leaked Passwords

HashCheck is a project aims to assist in the search for leaked passwords while maintaining a high level of privacy using the k-anonymity method.

To achieve this, the APIs of different services are used, sending only a part of the Hash of the password we want to check, for example, the first 5 characters.

Prerequisites

The project needs some libraries in order to work, to install it use the next command:

pip install -r requirements

Remember that Python 3 is required.

Usage

passme.py [FUNC] [ELEMENT] -engine [ENGINE] -api_key [API_KEY]

FUNC: The kind of element tha you want to check, it can be -h/–hash or -p/–password
or -f/–file or -l/–list or –help.
ELEMENT: The “Hash”, “Password” or the name of the file that contains a list of
hashes or password separeted by a new line.
ENGINE: The leaks engine that you want to be used, by default it uses HIBP (Have I been PWN).
API_KEY: The API_KEY necessary for some functions of some engines.

Functions

PASSME_HASH

The main project function receives the hashed password, the engine to be used and the API key.

Depending on the engine that is received, both the API key and the hashed password will be sent to one function or another.

If you want to add your own engine or an engine that is not already implemented, simply add one more option here.

passme_hash(hashed_password, engine=”HIBP”, api_key=”0″)

PASSME_PASSWORD

This function hashes the password it receives using SHA-1 and sends the hash to the passme_hash() function.

passme_password(password, engine=”HIBP”, api_key=”0″)

PASSME_FILE

This function reads one by one the lines of the received file to check each password, giving information about the received password and whether it has been filtered or not.

passme_file(filename, engine=”HIBP”, api_key=”0″)

PASSME_LIST

This function reads one by one the lines of the received file to check each hash, giving information about the received hash and whether it has been filtered or not.

passme_list(filename, engine=”HIBP”, api_key=”0″)

PASSME_LIST

The function that deals with the HIBP (Have i been pwned) API, sends the first five characters of the hash, then compares it with the full hash to see if the password/hash has been leaked.

engine_HIBP(hashed_password, engine, api_key)

Test

This project has a series of tests to check the correct operation of all its functions, for this purpose the “pytest” library has been used. To run the tests, install pytest with the following command:

pip install pytest

Once installed, simply run the “pytest” command to have the tests run automatically, any errors encountered will be returned by the terminal.

The results of the test in the lab are the following:

Python VersionFunction HashFunction ListFunction PasswordRANDOM HashRANDOM PasswordComment
3.9
3.8
3.7
3.6
3.5Random.choice is not available in Python 3.5 // Deprecated Python Version
R K

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

9 hours ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

10 hours ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

1 day ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

1 day ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

2 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago