Brute-force attack

Install hashcat:

brew install hashcat

Write the MD5 hashes that we want hashcat to crack for us to a file:

echo '098f6bcd4621d373cade4e832627b4f6' >> hashes
echo '1a1dc91c907325c69271ddf0c944bc72' >> hashes

Attempt to crack MD5 password hash using brute force (“-a 3” switch):

$ hashcat -a 3 hashes

Show cracked hashes and passwords:

$ hashcat -a 3 hashes --show
098f6bcd4621d373cade4e832627b4f6:test
1a1dc91c907325c69271ddf0c944bc72:pass

Dictionary attack

Download a dictionary:

wget https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top196-probable.txt

Write the MD5 hashes that we want hashcat to crack for us to a file:

echo '5f4dcc3b5aa765d61d8327deb882cf99' >> hashes

Attempt to crack the password using the dictionary:

hashcat -a 0 hashes Top196-probable.txt

Show cracked hashes and passwords:

$ hashcat -a 3 hashes --show
5f4dcc3b5aa765d61d8327deb882cf99:password

How to decode base64 encoded MD5 password hash

To decode a base64 encoded MD5 password hash you can use these commands:

echo -n 'base64-encoded-md5-password' | base64 -D | xxd -g 0 -ps > hashes

Tested with hashcat v4.0.1.

When working with hashing functions and cryptography the pigeonhole principle is essential knowledge: https://en.wikipedia.org/wiki/Pigeonhole_principle

In mathematics, the pigeonhole principle states that if n items are put into m containers, with n > m, then at least one container must contain more than one item.

For example, given that the population of London is greater than the maximum number of hairs that can be present on a human’s head, then the pigeonhole principle requires that there must be at least two people in London who have the same number of hairs on their heads.

This means that in order to create a completely collision-free hashing function, every message would have to have a hashed output of the same length as the input.