
INITIAL COMMIT

with checkPasswordList.sh
This commit is contained in:
Joerg Elfring 2019-01-17 21:29:01 +01:00
commit b2907f3bb1
3 changed files with 86 additions and 0 deletions

23
README.md Normal file

@ -0,0 +1,23 @@
# My Have I been pwned scripts
These are my scripts to the haveibeenpwned.com api.
... To be extended ...
## checkPasswordList.sh
This script checks a list of passwords against the api and reports whether they hae been compromised.
The passwords themselfs will NOT be send to the web-api.
haveibeenpwned.com's k-anonymity model is used.
More info can be found here https://haveibeenpwned.com/API/v2#PwnedPasswords
Example:
```
$ ./checkPasswordList.sh passwordlist.txt
Checking passwords from list passwordlist.txt
XX: Password P@ssw0rd has been pwned 51259 times.
__: Password c60e6754-8abf-4c0f-a7a7-2225da28637f has not been pwned.
__: Password c60e6754-8a f-4c0f-a7a -2225da28637f has not been pwned.
==: 1 of 3 passwords have been pwned.
```

60
checkPasswordList.sh Executable file

@ -0,0 +1,60 @@
#!/bin/bash
pfile=$1
cPwned=0
cPswds=0
## Check if the argument is a file we can read
if [ ! -f "$pfile" ]
then
echo "$pfile can not be read."
echo
exit 2
fi
## Check if the list in the argument is an actual ascii file
## and not something crazy like a zip, etc.
filetype=$(file "$pfile")
if [ "$filetype" != "$pfile: ASCII text" ]
then
echo "$pfile is not an ascii password list."
echo
exit 2
fi
## loop through the file and verify against the api
echo "Checking passwords from list $1"
IFS=$'\n'
for p in $(cat < "$pfile"); do
((cPswds++))
## Hash the password, filter non-hashy things (" -" at the end),
## translate to upper for the beauty
pHashed=$(echo -n "$p" | sha1sum | cut --delimiter=' ' --fields=1 | tr '[:lower:]' '[:upper:]')
## Devide into prefix and suffix used by k-anonymity model
## https://haveibeenpwned.com/API/v2#PwnedPasswords
pPrefix=$(echo -n "$pHashed" | cut --characters='-5')
pSuffix=$(echo -n "$pHashed" | cut --characters='6-')
## get a list of pwnedsuffix:pwncount from the webservice
wsResult=$(curl --silent https://api.pwnedpasswords.com/range/$pPrefix)
## Check if our suffix is included and strip characters we can not understand
wsCheck=$(echo -n "$wsResult" | grep $pSuffix | tr -cd [:alnum:][:])
if [ -n "$wsCheck" ]
then
## CheckedResult contains a value --> EVIL
pwnCount=$(echo -n "$wsCheck" | cut --delimiter=':' --fields=2)
echo "XX: Password $p has been pwned $pwnCount times."
((cPwned++))
else
## CheckedResult does not contain a value --> good
echo "__: Password $p has not been pwned."
fi
done
echo "==: $cPwned of $cPswds passwords have been pwned."
echo
if [ $cPwned -gt 0 ]
then
exit 1
fi
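Review bot: A failed or empty HTTP response at the `curl --silent` call is indistinguishable from a clean range result, so a network error, a non-2xx status or a rate-limit reply makes every password print `has not been pwned` and the script exit 0 — a silent false negative in a security check. `curl` should run with `--fail --show-error` and its exit status checked, with unreachable lookups counted separately and shown in the `==:` summary so the exit code never vouches for passwords that were never verified. Two smaller issues in the same loop: `for p in $(cat < "$pfile")` still applies pathname expansion to each line, so a password containing `*` or `?` is replaced by matching filenames before it is hashed (a `while IFS= read -r p` loop avoids this, and `printf '%s'` avoids `echo -n` treating a password such as `-e` as an option), and `grep $pSuffix` / `tr -cd [:alnum:][:]` are unquoted — anchoring as `grep -- "^${pSuffix}:"` is both safer and an exact match rather than a substring match.
```shell
cErrors=0
while IFS= read -r p || [ -n "$p" ]; do
  ((cPswds++))
  pHashed=$(printf '%s' "$p" | sha1sum | cut --delimiter=' ' --fields=1 | tr '[:lower:]' '[:upper:]')
  pPrefix=${pHashed:0:5}
  pSuffix=${pHashed:5}
  ## A lookup failure must not be reported as "not pwned".
  if ! wsResult=$(curl --fail --silent --show-error "https://api.pwnedpasswords.com/range/$pPrefix"); then
    echo "??: Password $p could not be checked (lookup failed)."
    ((cErrors++))
    continue
  fi
  wsCheck=$(printf '%s' "$wsResult" | grep -- "^${pSuffix}:" | tr -cd '[:alnum:][:]')
  # … unchanged: pwned / not-pwned reporting …
done < "$pfile"
echo "==: $cPwned of $cPswds passwords have been pwned, $cErrors could not be checked."
# … unchanged: exit-status handling (also exit non-zero when cErrors > 0) …
```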

3
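--- a/passwordlist.txt
+++ b/passwordlist.txt
@@ -0,0 +1,3 @@
+P@ssw0rd
+c60e6754-8abf-4c0f-a7a7-2225da28637f
+c60e6754-8a f-4c0f-a7a -2225da28637f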