phpass_crack: Simple tool for cracking WordPress hashes

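# Trace: Newer versions of WordPress and phpBB have dropped md5 and now use phpass hashing (as do some other open-source web applications). DarkC0de previously released a tool that cracks these with a dictionary, and this Phpass_Crack works the same way. The latest version of PasswordsPro from the official download also supports cracking phpass, with dictionary attack, brute force and other modes to choose from (select the md5(phpbb3) Modul).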

I have written a simple tool for cracking Portable PHP password hashes, which WordPress uses to hash user passwords. You pipe passwords to it and pass it a passwd file and it tries to crack the hashes.


Download it here: phpass_crack.tar.gz

phpass_crack v0.1
programmed by m0rebel

[] What is phpass_crack?
phpass_crack is a password cracker for Portable PHP password hashes, which are used by WordPress
and other web apps to hash passwords. See for more info on
Portable PHP hashes, to get the PHP script.

I wanted to test my WordPress passwords and John the Ripper wouldn’t crack them, and I couldn’t
find anything else that could, so I made my own script to do it. I used the python module by
Alexander Chemeris, from I
modified it slightly to use the hashlib Python library instead of the deprecated md5 one it was

[] What do I need to run it?
I tested this with Python 2.6 in Windows and Linux. It should run in any operating system though.
I haven’t tested it with Python 3.

[] How do I use it?
You need to pipe passwords into from another source, and supply
with a passwd file with the phpass hashes. If your wordlist is wordlist.txt and your hashes are
stored in hashes.txt, then you would run this by doing:

cat wordlist.txt | python hashes.txt

Or, in Windows:

type wordlist.txt | python hashes.txt

Or you can even use John the Ripper to generate your passwords for you, if you don’t have a good

john --incremental --stdout | python hashes.txt

[] What format should my passwd file be in?
Each line should contain a different user/hash combination. For example, a passwd file with a
single user named “test” with the password “letmein” would look like this:


Posted by m0rebel