(~Uptime affected by updates)
Please do not abuse or misuse this tool as this is a free tool intended for the large number of RSPS players who have compromised passwords (~60%).
This tool will allow you to check if a user's password/hash is compromised from a known-list of leaked RSPS databases.
The password will be hashed using SHA-1 by default and sent to an API that will compare the hash. JSON data will be returned, mentioning if the password is in a breach.
All passwords are hashed on the back-end and include around ~800K unique passwords from various RSPS database leaks (from 2009 - present) — Thank you @Co Pure Gs for sharing & compiling these breaches.
You can implement this to your LoginDecoder (on account creation) or a ChangePassword command for example. [THROTTLE THESE REQUESTS]
Calls to the API are not logged and I would HIGHLY recommend sending hashed passwords and NOT plain-text.
API is Cloudflare Rate Limited and is set to 1000 requests a minute (PER IP). If you require more requests per minute, message me. If you are receiving error "429", please adjust your usage.
— Can use HTTP or HTTPS protocol
Supported algorithms:
- MD5
- SHA-1
- SHA-256
- SHA-512
- PLAIN-TEXT
BCrypt is not available. Further hashing algorithms added upon request.
— Data is sorted by most commonly used passwords, then hashed
— Returns hashPos (the line number of the password/hash)
— Returns severity (top X most common passwords)
Java:
- Source: View on GitHub
- Download: Download from GitHub
Python:
- Source: View on GitHub
- Download: Download from GitHub
PowerShell Module:
- Source: View on GitHub
- Download: Download from GitHub
Request Example 1. Query if Hash/Password is on Breach List:
Spoiler for Checking if X hash password is listed:
Request Example 2. View/Download X amount of hashes as a JSON, sorted by most commonly used: [New Feature]
Spoiler for Returning top X amount of hashes as JSON (Download Option):
Implement this into a Server Source (Example):
Spoiler for - Ruse -:
TODO:
- Add more hashes from more databases
You can also use other services like haveibeenpwned, if you would rather search for usernames/email addresses.... OR...... @Omar, @Jay Gatsby & @Kris may have a more promising tool in the works!
I have also popped in a good-old .bat in there for anyone who is still not rocking with an IDE. You'll need to edit the .bat file and change "password123" to the password/hash you want to check.
PS - Made this font extra extra small for you Corey + thanks for mentioning about CF Rate Limiting!
Last edited by jet kai; 08-01-2021 at 11:44 PM. Reason: new feature - view/download top x amount of hashes as json
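As an added example (not the thread's own Java/Python/PowerShell clients), the snippet below shows the client side of the flow the post describes: hash the password locally with one of the listed algorithms, send only the digest, and turn the returned JSON into a yes/no plus the hashPos and severity fields. The real endpoint URL and request parameters are not given in the thread, so the HTTP call is modelled by a `transport` callable (an assumption); `fake_transport` and `throttled_transport` are constructed stand-ins whose field values mirror the post's sample return data so the code runs offline, and a 429 is reported as rate-limited rather than as "safe".

```python
"""Client-side hashing and response handling for a breach-check API of the
shape described in the thread. Added example; the transport callable, the
sample transports and their values are assumptions/constructed data."""
import hashlib
import json
from typing import Callable, Dict, Tuple

# Algorithms the post lists as supported; BCrypt is explicitly not offered.
SUPPORTED = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def hash_password(password: str, algorithm: str = "SHA-1") -> str:
    """Hash the password locally so only a digest leaves the server."""
    if algorithm == "PLAIN-TEXT":
        return password  # offered by the API, but the post advises against it
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(SUPPORTED[algorithm], password.encode("utf-8")).hexdigest()


# A transport takes (hash, hashType) and returns (HTTP status, response body).
# Hypothetical: it stands in for the HTTP request whose URL and parameters the
# thread does not spell out.
Transport = Callable[[str, str], Tuple[int, str]]


def parse_breach_response(status: int, body: str) -> Dict[str, object]:
    """Map the API's JSON into a small result dict; 429 is 'unknown', not 'safe'."""
    if status == 429:
        return {"breached": False, "error": "rate-limited"}
    if status != 200:
        return {"breached": False, "error": f"http-{status}"}
    data = json.loads(body)
    return {
        "breached": bool(data.get("breached", False)),
        "hashPos": data.get("hashPos"),
        "severity": data.get("severity"),
        "databaseBreach": data.get("databaseBreach"),
        "hashType": data.get("hashType"),
        "error": None,
    }


def is_breached(password: str, algorithm: str, transport: Transport) -> Dict[str, object]:
    """Hash, query, and parse in one call; the digest is echoed back for logging."""
    digest = hash_password(password, algorithm)
    status, body = transport(digest, algorithm)
    result = parse_breach_response(status, body)
    result["hash"] = digest
    return result


# --- constructed stand-in for the live API so the example runs offline ---
# Field values mirror the post's sample return data; the key is computed at
# runtime so it matches whatever digest hash_password() produces.
_KNOWN_BREACHED = {
    hash_password("password123", "SHA-256"): {
        "token": "39439e74fa27c09a4",
        "hashPos": 2,
        "severity": "Top 100 Common Passwords",
        "databaseBreach": "Stoned 2021 ~800K Unique Passwords (15+ RSPS Databases)",
        "hashType": "SHA-256",
        "breached": True,
    }
}


def fake_transport(digest: str, hash_type: str) -> Tuple[int, str]:
    """Constructed: answers like the API would for the one seeded digest."""
    if digest in _KNOWN_BREACHED:
        return 200, json.dumps(dict(_KNOWN_BREACHED[digest], hash=digest))
    return 200, json.dumps({"hash": digest, "hashType": hash_type, "breached": False})


def throttled_transport(digest: str, hash_type: str) -> Tuple[int, str]:
    """Constructed: models the Cloudflare 429 so the fail-open path is visible."""
    return 429, ""


if __name__ == "__main__":
    print(is_breached("password123", "SHA-256", fake_transport))
    print(is_breached("correct horse battery staple", "SHA-256", fake_transport))
    print(is_breached("password123", "SHA-256", throttled_transport))
```

The `error` field is the part worth keeping when wiring this into a login path: a 429 or a transport failure means "not checked", which a server may choose to treat as a pass, but it should not be logged or displayed as "password not breached".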
Shouldn't be able to be used maliciously really, the databases are out there - this is just a tool to check if a password/hash has been used & leaked within an RSPS DB.
Hopefully, CF Rate Limiting would help in some way
PS - Added an example of how to add this to an existing Server Source.
Update to API:
— Added HTTPS support server-side & within GitHub source code (you can pick either HTTP or HTTPS)
— Added SHA-512 to list of supported hashing algorithms
-- Edit 6:12AM BST
— Data is sorted by most commonly used passwords, then hashed
— Returns hashPos (the line number of the password/hash)
— Returns severity (top X most common passwords)
Return Data Updated:
Code:
{
  "token": "39439e74fa27c09a4",
  "hash": "ed8779a2222dc578f2cffbf308411b41381a94ef25801f9dfbe04746ea0944cd",
  "hashPos": 2,
  "severity": "Top 100 Common Passwords",
  "databaseBreach": "Stoned 2021 ~800K Unique Passwords (15+ RSPS Databases)",
  "hashType": "SHA-256",
  "breached": true
}
Last edited by jet kai; 04-29-2021 at 07:12 AM.
Great idea, seems like a really useful tool. With that said, the code snippet provided seems as though it leaves servers susceptible to denial of service attacks by allowing users to trigger thread blocking code arbitrarily... Some form of (server sided) rate-limiting and asynchrony (co-routines or fork-joining) would also be advisable.
Yea, it's up to the servers to throttle this from their side - this is just some example code. If they send too many requests, they'll just receive error 429 from Cloudflare and will just return false to "isBreached()".
The server shouldn't go off with 500+ requests a second unless the networking is extremely bad. Also, this example code only occurs when a new account is created. But you're right about potential attacks on accounts that haven't been created yet, it's down to the server owner to throttle account creations & requests to the API.
Last edited by jet kai; 04-29-2021 at 08:03 AM. Reason: edit
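The two posts above agree that throttling and not blocking the login thread are the server's job. As an added example (not the Ruse snippet from the thread, and not anything the API ships), here is one way to do both: a per-client token bucket so one source cannot burn the shared quota, a second bucket sized under the API's 1000-requests-per-minute limit, and a bounded wait on a worker pool so a slow or failing upstream degrades to "skipped" instead of stalling account creation. The `lookup` callable, the bucket sizes and the three result labels are assumptions; `demo_lookup` and `slow_lookup` are constructed stand-ins so the code runs offline.

```python
"""Server-side guard around a breach lookup on account creation.
Added example; quotas, the lookup callable and result labels are assumptions."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, Tuple


class TokenBucket:
    """Per-key token bucket: refills `rate` tokens/second up to `capacity`."""

    def __init__(self, rate: float, capacity: float,
                 clock: Callable[[], float] = time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_refill)
        self._lock = threading.Lock()

    def allow(self, key: str) -> bool:
        now = self.clock()
        with self._lock:
            tokens, last = self._buckets.get(key, (self.capacity, now))
            tokens = min(self.capacity, tokens + (now - last) * self.rate)
            if tokens < 1.0:
                self._buckets[key] = (tokens, now)
                return False
            self._buckets[key] = (tokens - 1.0, now)
            return True


class BreachChecker:
    """Runs `lookup(digest) -> bool` off the login thread, behind quotas and a timeout.

    check() returns "breached", "clean" or "skipped". "skipped" covers quota
    exhaustion, a slow upstream and upstream errors, so the caller fails open the
    same way the thread's isBreached() does on a 429, but can tell the two apart.
    """

    def __init__(self, lookup: Callable[[str], bool], per_client: TokenBucket,
                 upstream: TokenBucket, timeout: float = 1.0, workers: int = 4):
        self.lookup = lookup
        self.per_client = per_client
        self.upstream = upstream
        self.timeout = timeout
        self.pool = ThreadPoolExecutor(max_workers=workers)

    def check(self, client_ip: str, digest: str) -> str:
        # Per-client quota first so a single source cannot drain the shared one;
        # the shared bucket is what keeps the server under the API's own limit.
        if not self.per_client.allow(client_ip) or not self.upstream.allow("api"):
            return "skipped"
        future = self.pool.submit(self.lookup, digest)
        try:
            return "breached" if future.result(timeout=self.timeout) else "clean"
        except FutureTimeout:
            return "skipped"  # bounded wait: a stalled upstream cannot pin the login thread
        except Exception:
            return "skipped"  # upstream error (e.g. 429 surfaced as an exception)


# --- constructed stand-ins so the example runs without the live API ---
def demo_lookup(digest: str) -> bool:
    """Constructed: pretends exactly one digest is on the breach list."""
    return digest == "deadbeef"


def slow_lookup(digest: str) -> bool:
    """Constructed: models an upstream that answers far too slowly."""
    time.sleep(0.4)
    return False


def build_checker(lookup: Callable[[str], bool], timeout: float = 1.0,
                  clock: Callable[[], float] = time.monotonic) -> BreachChecker:
    """Assumed sizing: 3 checks per client per minute, 900/min shared (under the API's 1000)."""
    per_client = TokenBucket(rate=3 / 60, capacity=3, clock=clock)
    upstream = TokenBucket(rate=900 / 60, capacity=900, clock=clock)
    return BreachChecker(lookup, per_client, upstream, timeout=timeout)


if __name__ == "__main__":
    checker = build_checker(demo_lookup)
    for digest in ("deadbeef", "cafe", "cafe", "cafe"):
        print(digest, "->", checker.check("203.0.113.7", digest))  # 4th call is skipped
    print("slow ->", build_checker(slow_lookup, timeout=0.05).check("203.0.113.8", "x"))
```

In a real server the `lookup` would wrap the HTTP client from the first post and raise on a non-200 status; the bucket sizes are the knob to turn, and a "skipped" result is worth counting in metrics because a sustained run of them is exactly the abuse pattern the reviewer above describes.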
I thought it was already pretty standard though not to use the same passwords for everything, seems interesting nonetheless - nice contribution
- Added Python & PowerShell (Module) examples, I am still currently updating the comments on them & readme docs
- Tested response and HTTP is about ~2x faster than HTTPS on initial connection