{"id":16616684,"url":"https://github.com/xros/py_django_crack","last_synced_at":"2025-08-18T20:35:50.169Z","repository":{"id":20379705,"uuid":"23655279","full_name":"xros/py_django_crack","owner":"xros","description":"Crack the Django password on the way. By default Django uses PBKDF2 with SHA-256 to hash users' passwords. Once you have the hash stored in the database table, brute-force cracking means comparing it against the hashes of candidate passwords. It is recommended that you use hash table comparison. The tool 'rainbow crack' can generate rainbow hash tables, while another tool, 'hashcat', brute-force cracks passwords from a dictionary live. Because Django uses PBKDF2 (Password-Based Key Derivation Function), computing each candidate hash takes a long time. ","archived":false,"fork":false,"pushed_at":"2019-07-04T18:52:57.000Z","size":20,"stargazers_count":35,"open_issues_count":0,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-09T11:05:06.810Z","etag":null,"topics":["crack","django","django-password","hashcat","password-encryption","pbkdf2","py-django-crack","rainbow-table"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xros.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-09-04T08:53:26.000Z","updated_at":"2025-01-01T18:44:04.000Z","dependencies_parsed_at":"2022-07-31T18:08:53.623Z","dependency_job_id":null,"html_url":"https://github.com/xros/py_django_crack","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/xros/py_django_crack","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xros%2Fpy_django_crack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xros%2Fpy_django_crack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xros%2Fpy_django_crack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xros%2Fpy_django_crack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xros","download_url":"https://codeload.github.com/xros/py_django_crack/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xros%2Fpy_django_crack/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271056811,"owners_count":24691824,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-18T02:00:08.743Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crack","django","django-password","hashcat","password-encryption","pbkdf2","py-django-crack","rainbow-table"],"created_at":"2024-10-12T02:13:55.009Z","updated_at":"2025-08-18T20:35:50.092Z","avatar_url":"https://github.com/xros.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"py_django_crack\n===============\n\nBy [Alexander Liu](https://github.com/xros)\n\nCrack the Django password on the way. By default Django uses PBKDF2 with SHA-256 to hash users' passwords. Once you have the hash stored in the database table, brute-force cracking means comparing it against the hashes of candidate passwords. It is recommended that you use hash table comparison. The tool 'rainbow crack' can generate rainbow hash tables, while another tool, 'hashcat', brute-force cracks passwords from a dictionary live. Because Django uses PBKDF2 (Password-Based Key Derivation Function 2), computing each candidate hash takes a long time.\n\n## jake\n* ```jake.py``` is the password hashing implementation, derived from Django.\n\n**Branch `py2`** is only for Python 2: [releases](https://github.com/xros/py_django_crack/releases/tag/py2fixed) [branch py2](https://github.com/xros/py_django_crack/tree/py2)\n\n**Branch `py3`** and `master` are for Python 3.\n\nFor Python 3, you need to install the package `promise` first: `pip3 install promise` or `pip3 install -r requirments-py3.txt`\n\n### Usage\n\nFor entertainment only :)\n\nTo crack a password in the Django framework, you need the value stored in the database table 'auth_user', column 'password'.\n\nFor example, the stored password hash is:\n\n    pbkdf2_sha256$12000$Lz8oA7gW43mJ$N/DzMkLc/CX4oKHrU2bSPul3svNOmz8CYthM1JrR4Mo=\n\n    {algorithm}${iteration count}${salt}${hash}\n\nIn this case, **pbkdf2_sha256** is the hashing algorithm, **12000** is the iteration count, \n\n`Lz8oA7gW43mJ` is the salt, and \n\n`N/DzMkLc/CX4oKHrU2bSPul3svNOmz8CYthM1JrR4Mo=` is the base64-encoded PBKDF2 output.\n\n**Note**:\n\n\u003e As of 2011, 10,000 iterations was the recommended default which\n\u003e took 100ms on a 2.2Ghz Core 2 Duo. This is probably the bare\n\u003e minimum for security given 1000 iterations was recommended in 2001.\n\nThis is also a standalone module derived from Django. Pure Python. Any other web framework can use this module.\n\n**When coding**:\n\n```python\n\u003e\u003e\u003e import hashlib\n\u003e\u003e\u003e from jake import give_back_hashed\n\u003e\u003e\u003e from jake import get_base64_hashed\n\u003e\u003e\u003e # arguments: password, salt, iteration count, and the hashlib digest (the algorithm)\n\u003e\u003e\u003e # the first three below are placeholders; use your own values\n\u003e\u003e\u003e a = get_base64_hashed('the_password', 'the_salt', 12000, hashlib.sha256)\n\u003e\u003e\u003e # this is the value stored in the database table 'auth_user', column 'password'\n\u003e\u003e\u003e print(a)\nN/DzMkLc/CX4oKHrU2bSPul3svNOmz8CYthM1JrR4Mo=\n\u003e\u003e\u003e # To get the raw sha256 hash bytes, base64-decode the stored value\n\u003e\u003e\u003e c = give_back_hashed(a)\n\u003e\u003e\u003e c\nb'7\\xf0\\xf32B\\xdc\\xfc%\\xf8\\xa0\\xa1\\xebSf\\xd2\u003e\\xe9w\\xb2\\xf3N\\x9b?\\x02b\\xd8L\\xd4\\x9a\\xd1\\xe0\\xca'\n\u003e\u003e\u003e # you need other tools such as 'hashcat' or 'crack' to generate hashes from\n\u003e\u003e\u003e # a dictionary and compare them with this.\n```\n\nTools\n-----\n* `hashcat`: cracks passwords from hashes using word dictionaries. There are tons of algorithms built in; a good dictionary is important. \u003ca href=\"http://www.hashcat.net/\" target=\"_blank\"\u003ehashcat official link\u003c/a\u003e\n* `rainbowcrack`: rainbow table generator/cracker (rcrack, rt2rtc, rtc2rt, rsort, rtgen). \u003ca href=\"http://project-rainbowcrack.com\" target=\"_blank\"\u003eproject-rainbowcrack link\u003c/a\u003e\n\nExplanation\n------------\n* The rainbow table might be very large, normally hundreds of gigabytes or more, so you could download one or make your own. But sometimes it takes too long to generate the rainbow table. In this case Django uses PBKDF2 with SHA-256, applying the hash iteration after iteration, which means it takes a long time to generate a single candidate hash. So brute-force cracking is somewhat lousy. If you have a supercomputer, things would be better; sometimes you don't.\n* So the summary is: to crack Django passwords there are two ways. 1) Brute-force cracking, which takes very long and is computationally expensive. 2) An attack in the middle, meaning the user's password is captured live. This has something to do with the art of deception: practical and social engineering.\n\n\nHow did I implement this in some Python apps?\n-------------------------------------------\n\n* Use this module\n```python\nimport hashlib\nimport hmac\nfrom jake import get_base64_hashed\nfrom jake import give_back_hashed\n\n# for setting a new password in the database\niterations = 2000\nsalt = \"random_salt\"\na = get_base64_hashed('user_passw0rd', salt, iterations, hashlib.sha256)\nprint(a)\n# prints: skqnMhYxGgIsxgz8vnFUMfq780bJo+Z88d+7L2YxGaE=\n# so the full password stored in the database actually should be\npw = \"pbkdf2_sha256\" + \"$\" + str(iterations) + \"$\" + salt + \"$\" + a\n# save it in the database\n\n# to compare\n# 1) get the stored password from the db and split it, e.g.\nrealpw = \"pbkdf2_sha256$12000$Lz8oA7gW43mJ$N/DzMkLc/CX4oKHrU2bSPul3svNOmz8CYthM1JrR4Mo=\"\nalgo, iterations, salt, secret = realpw.split(\"$\")\niterations = int(iterations)\n\n# 2) derive the same secret from the password the user typed in\nb = get_base64_hashed('user_tried_password', salt, iterations, hashlib.sha256)\n\n# 3) compare the raw hashes in constant time so the check leaks no timing information\nif hmac.compare_digest(give_back_hashed(b), give_back_hashed(secret)):\n    print(\"Password correct\")\nelse:\n    print(\"Password incorrect\")\n```\n\nFor example, you can try this known password hash for testing.\n\nactual password: abc\n\nalgorithm: pbkdf2_sha256\n\niterations: 2000\n\nsalt: good_salt\n\nsecret: xDb4PWMWoQengkNyzh1IU3jGkZWK+BKManvkeJPunVQ=\n\nThe full stored value should be: pbkdf2_sha256$2000$good_salt$xDb4PWMWoQengkNyzh1IU3jGkZWK+BKManvkeJPunVQ=\n\nUse the password abc or xyz to test it.\n#### Happy hacking\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxros%2Fpy_django_crack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxros%2Fpy_django_crack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxros%2Fpy_django_crack/lists"}