binascii.unhexlify().decode() returned bytes without the trailing newline
that normal rows inherit from password[-1], so HEX-encoded cracked
passwords concatenated with the next entry in the .passwords file fed to
pipal. Pipal under-counted entries and ranked corrupted mashups as base
words. Re-append \n if missing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pushover notifications were silently dropped for Quick Crack, Loopback,
Combinator, PRINCE-LING and N-gram because the handlers prompted under
one name (e.g. "Quick Crack") while the underlying hashcat wrapper
fired with a different label ("Quick Dictionary"). _should_fire keyed
the per-run consent on the prompt name, so the consent check at fire
time always missed.
Threaded the prompt name down to _run_hcat_cmd by:
- Adding attack_name kwargs to hcatQuickDictionary and hcatPrince, the
two wrappers shared by multiple user-facing handlers.
- Relabelling hcatCombination/Combinator3/CombinatorX (all reach the
user via combinator_crack which prompts "Combinator") and hcatNgramX
(single caller: ngram_attack prompting "N-gram").
- Updating quick_crack, loopback_attack, and hcatPrinceLing to pass the
matching attack_name override.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Symptom: user on the `dev` branch upgrading from v2.10.0 to v2.10.2 saw
the "Upgrade now? [y/N]" prompt fire on every restart. Accepting it ran
the install pipeline successfully but the next launch re-prompted the
same way.
Root cause: release tags in this repo live on main-side merge commits
(e.g. v2.10.2 is on the `Merge branch 'dev' into main` commit). That
commit is *downstream* of `dev`, so walking back from dev's HEAD,
setuptools-scm finds only v2.10.0 and reports e.g. `2.10.0.post1.dev9`.
After hate_crack/__init__.py strips the post/dev suffix, `__version__`
is `"2.10.0"` again. check_for_updates() sees `2.10.2 > 2.10.0` and
re-prompts forever. `git pull` on dev is a no-op because dev is fully
synced — the tag just isn't on the branch.
Fix: _run_upgrade() now detects the current branch via `git symbolic-ref
--short HEAD`. If it's not `main`, refuse to clobber uncommitted work
(git status --porcelain), then `git checkout main` before running the
existing pull/install pipeline. The release-tagged commit is now on
HEAD, setuptools-scm regenerates a clean version, and the loop ends.
Safety guards:
- Uncommitted changes: bail with manual-steps message (exit 1) — no
git checkout attempted.
- main checked out in another worktree: surface git's stderr and bail
with manual instructions.
- Detached HEAD (symbolic-ref returncode != 0): skip the switch and
let the existing flow run — no regression for users on a tag.
- Already on main: skip the switch block; behavior unchanged.
Tests (tests/test_version_check.py):
- test_run_upgrade_switches_from_dev_to_main_then_upgrades
- test_run_upgrade_bails_when_non_main_branch_is_dirty
- test_run_upgrade_bails_when_checkout_main_fails
- test_run_upgrade_skips_switch_when_already_on_main
- test_run_upgrade_skips_switch_on_detached_head
Four pre-existing tests updated to thread an extra branch_proc mock
through the new symbolic-ref subprocess call.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Covers the two fingerprint-attack bugfixes shipping in this patch:
the empty-.expanded guard and the LC_ALL=C sort locale fix.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
macOS `sort` is locale-strict: under LC_COLLATE=en_US.UTF-8 (the default
on most macOS shells) it errors out with "sort: Illegal byte sequence"
when stdin contains bytes that are not valid UTF-8. Cracked-password
streams routinely contain such bytes - hex-encoded fields, mixed
encodings, binary garbage from poorly-encoded source hashes - so this
fires in real fingerprint runs whenever the pot already has any non-
ASCII output.
Symptom in the fingerprint attack: the expander -> sort pipeline emits
"sort: Illegal byte sequence" and produces an empty .expanded file. The
empty-.expanded guard added in the previous patch then triggers the
"no candidates to expand" skip message - which is misleading, because
the user does have cracks; they just got dropped on the sort step.
Pass env={**os.environ, "LC_ALL": "C"} to all three subprocess.Popen
calls that invoke `sort -u`:
- _write_field_sorted_unique (main.py:1163)
- hcatFingerprint expander (main.py:1544)
- hcatLMtoNT combinator dedupe (main.py:2995)
LC_ALL=C makes sort byte-collation only. Dedup correctness is
unaffected (byte equality is locale-independent), and hashcat doesn't
care about wordlist order.
Also adds an AST-level test that fails if any future `sort` Popen lacks
an env kwarg, so the locale fix can't silently regress.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three unrelated test issues were masking the fingerprint regression
above and need to be green for the suite to be trustworthy:
1. tests/test_cli_flags.py: 7 tests monkeypatched input() to return "5",
but in the no-hashfile main menu "5" enters the Wordlist Tools
submenu and then loops forever on "Split by Length" / "File not
found". Changed to "7" (Exit), the documented exit option.
2. tests/test_fingerprint_expander_and_hybrid.py: the iter-based
lineCount mock (iter([1,1,1])) raised StopIteration because
_run_hcat_cmd now also calls lineCount once per invocation when
notifications fire. Replaced with a constant `lambda _p: 1` so the
test no longer couples to internal call counts.
3. tests/test_submodule_hashcat_utils.py: `git submodule update --init`
exits 0 in git worktrees but does not populate submodule
directories. The test failed environmentally for anyone running it
from a worktree. After the init attempt, if the dir is still empty,
pytest.skip with a clear message rather than fail - preserves the
original intent for normal checkouts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When no hashes have been cracked yet, the fingerprint attack's expander
pipeline produces an empty {hash}.expanded file. Previously the function
would still launch a hashcat combinator session against two empty
wordlists (and, when invoked via the menu, six more hashcat sessions
from the secondary hybrid pass) - wasting cycles and creating confusing
empty intermediate files.
Add an early-exit guard after the expander pipeline: if .expanded is
empty, print an informative skip message and break out of the loop
before invoking hashcat or hcatHybrid.
Mirrors the existing "if hcatNewPasswords > 0" guard pattern in
hcatRecycle.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolves Dependabot alert #1 — vulnerable pytest tmpdir handling
(< 9.0.3) in HashcatRosetta/requirements.txt. Upstream v0.2.0
drops pytest from runtime requirements and now depends on click
for its CLI/formatting module, so add click>=8.0.0 to hate_crack
runtime deps to keep display_rule_opcodes_summary functional.
wordlist_optimize worker called wordlist_subtract_single (rli2.bin), which
requires both files to be lexicographically sorted. splitlen.bin preserves
insertion order, so rli2.bin silently missed duplicates. Switch to
wordlist_subtract (rli.bin), which loads the remove-list into a hash set and
is order-independent. Also add "(comma-separated)" to the input paths prompt.
Update worker tests to patch wordlist_subtract instead of wordlist_subtract_single.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove `allow_multiple=True` from wordlist_optimize handler to avoid
AttributeError when the return value is a list rather than a str
- Remove redundant `import tempfile` inside wordlist_optimize worker body
(tempfile is already imported at module level on line 29)
- Add TestWordlistOptimizeWorker with 6 tests covering: fast-path
(empty outdir), merge-path (subtract+append), new-length copy,
splitlen failure, subtract failure, and missing-input skip
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds wordlist_optimize worker to main.py that consolidates multiple
wordlists into per-length deduplicated files using splitlen.bin and
rli2.bin. Wires handler in attacks.py and registers it as option 8 in
the Wordlist Tools submenu. Adds 16 tests covering happy path, empty
input, missing files, empty outdir, failure path, and submenu dispatch.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Switch default from simple-term-menu (arrow-key) to plain numbered
input so all keys including 10+ can be selected by typing a number;
arrow-key mode is now opt-in via HATE_CRACK_ARROW_MENU=1
- Right-align key numbers within brackets so single- and multi-digit
items line up: [ 1] through [99]
- Use [key] format consistently in both plain and arrow-key modes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Menu options jumped from 9 to 13 because items 10-12 were removed
historically but remaining items kept their old numbers. Renumbers
the contiguous attack block to 10-21, closing the gap.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Rule numbers entered as N-M now expand to all integers in that range
before lookup, matching user expectation that 138-141 selects rules
138 through 141 sequentially. Also catches ValueError alongside
IndexError when a token cannot be converted to int.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move simple-term-menu from the [tui] optional extra into the main
dependencies list so arrow-key menu navigation works out of the box.
Users can still opt into the plain numbered menu with
HATE_CRACK_PLAIN_MENU=1.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add transmission-cli package (provides transmission-remote binary)
- Fix SETUPTOOLS_SCM_PRETEND_VERSION placement before RUN make install
- Fix PATH to use /root/.local/bin and include venv bin
- Switch TransmissionSession.add() from watch-dir polling to transmission-remote -a
- Remove --no-auth flag (unrecognized in transmission-remote 4.1.0)
- Add test_docker_torrent_downloads_wordlists E2E test
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Justin Bollinger