Skip to content

bernardoaraujor/corinda

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

157 Commits

analysis

analysis

 
 

cmd

cmd

 
 

composite

composite

 
 

crack

crack

 
 

csv

csv

 
 

docs

docs

 
 

elementary

elementary

 
 

examples

examples

 
 

log_experiments

log_experiments

 
 

main

main

 
 

maps

maps

 
 

passfault_corinda @ d0643a5

passfault_corinda @ d0643a5

 
 

plot

plot

 
 

results

results

 
 

scripts

scripts

 
 

sha1

sha1

 
 

statistics

statistics

 
 

targets

targets

 
 

tests

tests

 
 

train

train

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

corinda.png

corinda.png

 
 

main.go

main.go

 
 

Repository files navigation


Corinda

An experimental password hash cracker written in Golang.

Disclaimer

This repository is old and dusty. Files stored with Git LFS probably won't work. Contact me if you're interested in the project, and I'd be glad to hand them over.

Introduction

Corinda is the product of my MSc. in Computer Engineering @ UFG, Brazil. The Dissertation is available at /docs, however only a Brazilian Portuguese version is available.

Corinda uses concurrent heuristics based on model entropy and relative frequency from sample sets. Currently, Corinda has the following sample sets:

  • RockYou
  • LinkedIn
  • AntiPublic

The user feeds Corinda a password hash (SHA1 or SHA256), chooses a sample set, and waits while concurrent goroutines try to crack it with computational load balancing for each password model.

Corinda only supports CPU cracking.

Corinda uses a modified version of OWASP's Passfault to train password models.

Related publications on the subject:

Corinda is released under GNU General Public License v3.0. Corinda is distributed for research purposes only. We believe that people should understand the dangers of simple passwords, and Corinda is an effort to encourage people to protect their privacy with high entropy passwords. And remember, with great powers, come great responsabilitiy!

Contact: bernardoaraujor@gmail.com

Installing

  1. Install Go tools: https://golang.org/doc/install
  2. Set GOPATH: https://golang.org/doc/code.html#GOPATH
  3. Clone to GOPATH:
cd $GOPATH
mkdir -p src/github.com/bernardoaraujor/
cd src/github.com/bernardoaraujor
git clone https://github.com/bernardoaraujor/corinda
cd corinda
git submodule update --init --recursive

Training

  1. Have input file correctly formatted as Comma Separated Values. Each line must be composed of [frequency,password]. The .csv must be compressed into .csv.gz, and placed inside the /csv directory.
  2. Run train command:
$ corinda train <input>

Cracking

  1. Make sure you have the trained maps (elementary and composite) in /maps.
  2. Make sure you have there is only one file for target list in /targets (run merger.sh script if necessary)
  3. Run crack command:
$ corinda crack <trained list> <target list> <sha1 or sha256>

Passfault

This project uses a modified version of OWASP's Passfault as a submodule.

Masters

This work is part of my MSc. in Computer Engineering @ UFG, Brazil.

Passfault Wordlists

Found at passfault_corinda/src/org/owasp/passfault/wordlists/.

Language words (xxPopular and xxLongTail):

Generated with help of the Python module wordfreq, maintained by Luminoso Technologies, Inc.. The module gathers information about word usage on different topics at different levels of formality, using data collected from the following sources: LeedsIC, SUBTLEX, OpenSub, Twitter, Wikipedia, Reddit, and CCrawl.

xxPopular contain the 80% head of the Zipf Distribution of words, while xxLongTail contain the 20% long tail.

JohnTheRipper:

Downloaded from https://wiki.skullsecurity.org/Passwords.

This list has been compiled by Solar Designer of Openwall Project, http://www.openwall.com/wordlists/ . This list is based on passwords most commonly seen on a set of Unix systems in mid-1990's, sorted for decreasing number of occurrences (that is, more common passwords are listed first). It has been revised to also include common website passwords from public lists of "top N passwords" from major community website compromises that occurred in 2006 through 2010. Last update: 2011/11/20 (3546 entries).

cain-and-abel:

Downloaded from https://wiki.skullsecurity.org/Passwords.

500-worst-passwords:

Downloaded from https://github.com/danielmiessler/SecLists/tree/master/Passwords.

10k-worst-passwords:

Downloaded from https://github.com/danielmiessler/SecLists/tree/master/Passwords.

spanishNames:

Copyright Rhett Butler of Mongay.com

indiaNames:

This OWASP Passfault word list is licensed under a Creative Commons Attribution 4.0 International Licence. This list was compiled by Brandon Lyew, Georgina Matias, Kevin Sealy, Michael Glassman, and Scott Sands as part of their Capstone/Winter-code-sprint project. The information was collected from public voting records.

usFirstNames:

Downloaded from the US Social Security website: https://www.ssa.gov/oact/babynames/limits.html

usLastNames:

Downloaded from the US Census of 2000: https://www.census.gov/topics/population/genealogy/data/2000_surnames.html

TODO

  • doc dependencies
    • (jnigi check /usr/lib/jvm/..., sym link include/linux/jni_md.h to include/jni_md.h)
  • future work:
    • go tests
    • support salting
    • support l337 (Passfault)
    • misspelling (Passfault)
    • support toggle case (Passfault)
    • entropy guess sorting

Tony Corinda

https://en.wikipedia.org/wiki/Tony_Corinda

About

Corinda: a Concurrency and Entropy based Offline Password Cracker written in Go

Resources

Readme

License

View license
Activity

Stars

2 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages