BruteForceMD5

Here’s the first of two (planned, but maybe more, we’ll see!) scripts around MD5 hashes and strings, using the function Check-MD5 and nested loops.
We generate the MD5 hash of each character defined in an array and compare it with the hash given as a parameter. If it matches, the password is recovered; if not, we append a second character and try again.
It can recover passwords of up to 8 characters, but it will take a (very!) long time.

<#
.SYNOPSIS
    BruteForceMD5 - BruteForce tool to decode MD5 passwords
.DESCRIPTION
    BruteForceMD5 - BruteForce tool to decode MD5 passwords
    Generates MD5 hashes for each character defined in an array, then adds a second character, then a third, etc., up to 8 characters.
.NOTES
    File Name  : BruteForceMD5.ps1
    Author     : Fabrice ZERROUKI - fabricezerrouki@hotmail.com
.EXAMPLE
    PS D:\>BruteForceMD5.ps1 -testHash 098f6bcd4621d373cade4e832627b4f6
    Generates MD5 hashes until it finds the one matching '098f6bcd4621d373cade4e832627b4f6' ('test')
#>
Param(
    [Parameter(Mandatory=$true, HelpMessage="You must provide a hash for the password you're looking for.")]
    $testHash
)
 
$startTime=Get-Date
 
# HashPasswordForStoringInConfigFile lives in System.Web, so this helper only works in
# Windows PowerShell (5.1 and earlier); the API is obsolete but returns upper-case hex MD5.
# Load the assembly once, not on every call.
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
function Check-MD5 ($string) {
    [System.Web.Security.FormsAuthentication]::HashPasswordForStoringInConfigFile($string, "MD5")
}
$string = $null

$commonPwd=@('123456','password','12345678','qwerty','abc123','123456789','111111','1234567','iloveyou','adobe123','123123','admin','1234567890','letmein','photoshop','1234','monkey','shadow','sunshine','12345','password1','princess','azerty','trustno1','000000')
$chars=@('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9','&','#','-','+','*','/','\','_','$','£','%','?','!','@')

# First, let's try the most common passwords...
ForEach ($password in $commonPwd) {
    $testedHash = Check-MD5 $password
    Write-Host $testedHash ">" $password
    # -eq compares the whole string (-match would treat $testHash as a regex);
    # PowerShell string comparison is case-insensitive, so upper- or lower-case hex both match.
    if ($testedHash -eq $testHash) {
        $endTime = Get-Date
        $result = ($endTime - $startTime).TotalSeconds
        Write-Host "`nYour password is $password (Found in $result seconds)" -ForegroundColor Yellow ; exit
    }
}

# One character...
ForEach ($char in $chars) {
    $string = $char
    $testedHash = Check-MD5 $string
    Write-Host $testedHash ">" $string
    if ($testedHash -eq $testHash) {
        $endTime = Get-Date
        $result = ($endTime - $startTime).TotalSeconds
        Write-Host "`nYour password is $string (Found in $result seconds)" -ForegroundColor Yellow ; exit
    }
}

# Two characters...
ForEach ($char in $chars) {
    ForEach ($char2 in $chars) {
        $string = $char
        $string += $char2
        $testedHash = Check-MD5 $string
        Write-Host $testedHash ">" $string
        if ($testedHash -eq $testHash) {
            $endTime = Get-Date
            $result = ($endTime - $startTime).TotalSeconds
            Write-Host "`nYour password is $string (Found in $result seconds)" -ForegroundColor Yellow ; exit
        }
    }
}

# Three characters...
ForEach ($char in $chars) {
    ForEach ($char2 in $chars) {
        ForEach ($char3 in $chars) {
            $string = $char
            $string += $char2
            $string += $char3
            $testedHash = Check-MD5 $string
            Write-Host $testedHash ">" $string
            if ($testedHash -eq $testHash) {
                $endTime = Get-Date
                $result = ($endTime - $startTime).TotalSeconds
                Write-Host "`nYour password is $string (Found in $result seconds)" -ForegroundColor Yellow ; exit
            }
        }
    }
}

# Four characters...
ForEach ($char in $chars) {
    ForEach ($char2 in $chars) {
        ForEach ($char3 in $chars) {
            ForEach ($char4 in $chars) {
                $string = $char
                $string += $char2
                $string += $char3
                $string += $char4
                $testedHash = Check-MD5 $string
                Write-Host $testedHash ">" $string
                if ($testedHash -eq $testHash) {
                    $endTime = Get-Date
                    $result = ($endTime - $startTime).TotalSeconds
                    Write-Host "`nYour password is $string (Found in $result seconds)" -ForegroundColor Yellow ; exit
                }
            }
        }
    }
}

# Five characters...
ForEach ($char in $chars) {
    ForEach ($char2 in $chars) {
        ForEach ($char3 in $chars) {
            ForEach ($char4 in $chars) {
                ForEach ($char5 in $chars) {
                    $string = $char
                    $string += $char2
                    $string += $char3
                    $string += $char4
                    $string += $char5
                    $testedHash = Check-MD5 $string
                    Write-Host $testedHash ">" $string
                    if ($testedHash -eq $testHash) {
                        $endTime = Get-Date
                        $result = ($endTime - $startTime).TotalSeconds
                        Write-Host "`nYour password is $string (Found in $result seconds)" -ForegroundColor Yellow ; exit
                    }
                }
            }
        }
    }
}

# Six characters...
ForEach ($char in $chars) {
    ForEach ($char2 in $chars) {
        ForEach ($char3 in $chars) {
            ForEach ($char4 in $chars) {
                ForEach ($char5 in $chars) {
                    ForEach ($char6 in $chars) {
                        $string = $char
                        $string += $char2
                        $string += $char3
                        $string += $char4
                        $string += $char5
                        $string += $char6
                        $testedHash = Check-MD5 $string
                        Write-Host $testedHash ">" $string
                        if ($testedHash -eq $testHash) {
                            $endTime = Get-Date
                            $result = ($endTime - $startTime).TotalSeconds
                            Write-Host "`nYour password is $string (Found in $result seconds)" -ForegroundColor Yellow ; exit
                        }
                    }
                }
            }
        }
    }
}

# Seven characters... ($startTime is set once at the top, so the reported time covers the whole run)
ForEach ($char in $chars) {
    ForEach ($char2 in $chars) {
        ForEach ($char3 in $chars) {
            ForEach ($char4 in $chars) {
                ForEach ($char5 in $chars) {
                    ForEach ($char6 in $chars) {
                        ForEach ($char7 in $chars) {
                            $string = $char
                            $string += $char2
                            $string += $char3
                            $string += $char4
                            $string += $char5
                            $string += $char6
                            $string += $char7
                            $testedHash = Check-MD5 $string
                            Write-Host $testedHash ">" $string
                            if ($testedHash -eq $testHash) {
                                $endTime = Get-Date
                                $result = ($endTime - $startTime).TotalSeconds
                                Write-Host "`nYour password is $string (Found in $result seconds)" -ForegroundColor Yellow ; exit
                            }
                        }
                    }
                }
            }
        }
    }
}

# Eight characters...
ForEach ($char in $chars) {
    ForEach ($char2 in $chars) {
        ForEach ($char3 in $chars) {
            ForEach ($char4 in $chars) {
                ForEach ($char5 in $chars) {
                    ForEach ($char6 in $chars) {
                        ForEach ($char7 in $chars) {
                            ForEach ($char8 in $chars) {
                                $string = $char
                                $string += $char2
                                $string += $char3
                                $string += $char4
                                $string += $char5
                                $string += $char6
                                $string += $char7
                                $string += $char8
                                $testedHash = Check-MD5 $string
                                Write-Host $testedHash ">" $string
                                if ($testedHash -eq $testHash) {
                                    $endTime = Get-Date
                                    $result = ($endTime - $startTime).TotalSeconds
                                    Write-Host "`nYour password is $string (Found in $result seconds)" -ForegroundColor Yellow ; exit
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

Be careful again: it can take a very long time to recover some passwords. For example, here is the time it took to recover these passwords:

Your password is 5 (Found in 0.27436346 seconds)
Your password is fd (Found in 2.2884624 seconds)
Your password is b0a (Found in 65.0801088 seconds)
Your password is no6$ (Found in 23933.9679747 seconds)
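Added example (not part of the original script): it ranks a candidate in the search order the nested loops use (all 1-character strings, then all 2-character strings, and so on, each level counting like a base-76 odometer), derives the effective hash rate from the four timings quoted above, and projects the full 8-character worst case. The charset is the script's own $chars array; the 25-entry common-password pre-check from the EDIT is not included in the rank (it would add 25 to each).

```powershell
# Same 76 characters, in the same order, as the script's $chars array
$Charset = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&#-+*/\_$£%?!@'

function Get-CandidateRank {
    # Number of hashes the nested loops compute up to and including $Candidate (1-based)
    param([string]$Candidate, [char[]]$Charset)
    $n = $Charset.Count
    # Every shorter length is exhausted first: n + n^2 + ... + n^(len-1)
    $shorter = 0
    for ($len = 1; $len -lt $Candidate.Length; $len++) { $shorter += [math]::Pow($n, $len) }
    # Within its own length the loops count like a base-n number, first character most significant
    $pos = [long]0
    foreach ($c in $Candidate.ToCharArray()) {
        $idx = [array]::IndexOf($Charset, $c)
        if ($idx -lt 0) { throw "'$c' is not in the charset" }
        $pos = $pos * $n + $idx
    }
    return [long]($shorter + $pos + 1)
}

# Timings quoted on the page (candidate -> seconds); rank / seconds gives the effective rate
$observed = [ordered]@{ '5' = 0.27436346; 'fd' = 2.2884624; 'b0a' = 65.0801088; 'no6$' = 23933.9679747 }
foreach ($pw in $observed.Keys) {
    $rank = Get-CandidateRank -Candidate $pw -Charset $Charset
    '{0,-5} rank {1,10:N0}  ~{2,4:N0} hashes/s' -f $pw, $rank, ($rank / $observed[$pw])
}

# Worst case for the whole 1..8-character space at the ~250 hashes/s implied above
# (the script is bound by Write-Host on every candidate, not by MD5 itself)
$rate = 250
$total = 0
foreach ($len in 1..8) { $total += [math]::Pow($Charset.Count, $len) }
'{0:N0} candidates -> about {1:N0} years at {2} hashes/s' -f $total, ($total / $rate / 31557600), $rate
```

All four timings land in the same 200 to 260 hashes/s band, which is why the 4-character result already took most of a day: each extra character multiplies the work by 76.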

EDIT: to potentially save many hours of processing time, before building test strings character by character we can start by testing the 25 most used (and, by the way, worst!) passwords.
