Password cracking has become a common activity among developers, either for pen testing or malicious reasons. Linux distros such as Kali Linux come with lots of pre-installed penetration tools that would allow any good programmer worth their salt to virtually break into any system.
But today, let’s go a little easy and talk about a much easier way to crack website passwords using user email addresses. This guide is ideal for cracking weak passwords, but unlike using wordlists, this is going to be much faster.
As usual, this tutorial is for learning purposes only. You can test it on your own system to verify if it works. We are not responsible for any damages from the misuse of this guide. Seriously, be cool.
Check if the Email has been Pwned
The first thing you’ll want to do is go to the Have I Been Pwned website or Dehashed to find data breaches. These are special websites that check if your victim’s personal data has been breached and leaked.
Simply enter your victim’s email address on both websites and do a quick free scan. Most people use the same email address to sign up for accounts online, and if they use weak passwords, 9 out of 10 times they will be in at least one data breach. Bingo!
Find Databases they are in
Now you are gonna want to go to https://rf.ws/databases, find the databases they are in, and unlock them. You only need 8 credits to unlock the databases, and you get 1-2 credits from posting in the forums. So this shouldn’t be a problem.
In the databases, prioritize the accounts with weak hashing algorithms or plaintext passwords.
Once you have your databases, download glogg and use it to search for your victim’s email address in your databases.
7 out of 10 times, your victim will be in a breach that stores plaintext passwords, or in Collection #1-5/Antipublic data. If you are not lucky enough to find plaintext passwords, you can use hashcat to extract the passwords for the hashes.
And that’s it! Enjoy