A couple of weeks ago I saw someone mention a little script called BozoCrack on Twitter and I decided to check it out. What caught my attention is that BozoCrack simply “cracks” md5 hashes by doing a search on Google for that hash. Once it finds the hash and the text that goes with it, it spits it back out on the screen. Not really cracking of course, but its pretty dang effective.
Here is the description that Juuso Salonen, the author, gave it.
“BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.
It works way better than it ever should.”
Here’s a quick test run of the script. I did a small list with the following passwords in it.
foobar
password
letmein!
password1234
wtfbbqftw
Save that as md5-list.txt and ran BozoCrack against it. My results came back in a just couple of seconds.

> ruby bozocrack.rb md5-list.txt
Loaded 5 unique hashes
3858f62230ac3c915f300c664312c63f:foobar
5f4dcc3b5aa765d61d8327deb882cf99:password
2a5de0f53b1317f7e36afcdb6b5202a4:letmein!
bdc87b9c894da5168059e00ebffb9077:password1234

I didn’t get “wtfbbqftw” this time, but who knows it may show up in future Google searches. This is a dead simple script, a great idea and WAY more effective than it should be.
Here’s the link to download it. BozoCrack