A couple of weeks ago I saw someone mention a little script called BozoCrack on Twitter and I decided to check it out. What caught my attention is that BozoCrack simply “cracks” md5 hashes by doing a search on Google for that hash. Once it finds the hash and the text that goes with it, it spits it back out on the screen. Not really cracking of course, but its pretty dang effective.
Here is the description that Juuso Salonen, the author, gave it.
“BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.
It works way better than it ever should.”
Here’s a quick test run of the script. I did a small list with the following passwords in it.
Save that as md5-list.txt and ran BozoCrack against it. My results came back in a just couple of seconds.

> ruby bozocrack.rb md5-list.txt
Loaded 5 unique hashes

I didn’t get “wtfbbqftw” this time, but who knows it may show up in future Google searches. This is a dead simple script, a great idea and WAY more effective than it should be.
Here’s the link to download it. BozoCrack