A collection of password tools
Dictionary files
- fuzzdb-project/fuzzdb - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery
- OWASP/OpenDoor - OWASP WEB Directory Scanner (data files)
- droope/pwlist - Password lists obtained from strangers attempting to log in to my server
- Default passwords
Dictionary tools
- pentester-io/commonspeak - Content discovery wordlists generated using BigQuery
- skahwah/wordsmith - The aim of Wordsmith is to assist with creating tailored wordlists
- TgeaUs/Weak-password - Comprehensive dictionary collection
- gist: edermi Kerberoast PW list (XZ format) - I made a word list for cracking passwords with complexity requirements (e.g. for Kerberoasting)
- hashcat/kwprocessor - Advanced keyboard-walk generator with configurable basechars, keymap and routes
Password generator
- bit4woo/passmaker
- praetorian-inc/Hob0Rules - Password cracking rules for Hashcat based on statistics and industry patterns
- berzerk0/BEWGor - Bull's Eye Wordlist Generator - Does your password rely on predictable patterns of accessible info?
- AlessandroZ/LaZagneForensic - Windows passwords decryption from dump files
- Viralmaniar/Passhunt - a simple tool for searching for default credentials for network devices, web applications and more
- tweksteen/jenkins-decrypt - Credentials dumper for Jenkins
- berzerk0/Probable-Wordlists - Version 2 is live! Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular
- NotSoSecure/password_cracking_rules - One rule to crack all passwords, or at least we hope so
- localh0t/m4ngl3m3 - Common password pattern generator using strings list
Password recovery
- AlessandroZ/LaZagne - Credentials recovery project
- twelvesec/passcat - Passwords Recovery Tool (C++)
- Arvanaghi/SessionGopher - a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop
- HarmJ0y/KeeThief - Methods for attacking KeePass 2.X databases, including extraction of encryption key material from memory
Hash dump
- quarkslab/quarkspwdump - Dump various types of Windows credentials without injecting in any process
- highmeh/pentest_scripts - retrieve-osxhash.py - converts the contents of an OSX .plist file to a crackable password hash
Hash lookup / online lookup
- s0md3v/Hash-Buster - Why crack hashes when you can bust them
- thewhiteh4t/pwnedOrNot - Python Script to Find Passwords for Compromised Email Accounts using haveibeenpwned API
Cracking
- hashview - A web front-end for password cracking and analytics
- m4ll0k/iCloudBrutter - a simple Python (3.x) script to perform basic bruteforce attack against AppleID
- x90skysn3k/brutespray - Brute-Forcing from Nmap output - Automatically attempts default creds on found services
- dafthack/DomainPasswordSpray - a tool written in PowerShell to perform a password spray attack against users of a domain
- Moham3dRiahi/XBruteForcer - Brute-force tool for WordPress, Joomla, Drupal, OpenCart, Magento
- MrSqar-Ye/wpCrack - WordPress offline hash cracker
- Raikia/CredNinja - A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter
- s3inlc/hashtopolis - A Hashcat wrapper for distributed hashcracking
- deltaclock/go-openssl-bruteforce - A fast multi-threaded tool to bruteforce openssl ciphers with a wordlist against an encrypted file
- TrustedSec/hate_crack - A tool for automating cracking methodologies through Hashcat from the TrustedSec team
- D4Vinci/Cr3dOv3r - Know the dangers of credential reuse attacks
- Hashcat
- Bitlocker
- Router
Decrypter
Uncategorized
- CboeSecurity/password_pwncheck - Kerberos / Windows AD / Linux PAM password change check against breached lists (HIBP), and other rules
- guardicore/azure_password_harvesting - Plaintext Password harvesting from Azure Windows VMs