
Archive for June, 2010

Cracking real world salted MD5 passwords in python with several dictionaries

Jun 28 10
by mat

Recently a friend (who will remain unnamed for obvious reasons) asked me to penetration test a website he created. I found a very simple exploit where I could upload an avatar but the file was not checked to ensure it was an image, so I uploaded a PHP script I wrote and began exploring the server. I printed out all of the usernames, passwords and salts from the database to see how many of the 1,109 passwords could be easily cracked.

The passwords were stored as MD5 hashes with a random 6 character alphanumeric salt. To create the MD5 hash of the password the salt was prefixed to the password and then the combination was hashed. Thanks to this method we can employ a simple bruteforce/dictionary attack on the passwords. I will start with the wordlist creation, then show the results I obtained to keep your interest, and finally show my Python code.

Creating wordlists
I already had two reasonably sized dictionaries that I use for different things like wordcube. I used John the Ripper on my double sized dictionary to create lots of common permutations on words, such as a capital first letter, and a number affixed to the end. To do this you run john with the following parameters, where dic.txt is the input dictionary and dic_plus_rules.txt is the output from john with all of the additions it has made.

john --wordlist=dic.txt --rules --stdout > dic_plus_rules.txt

I also downloaded two wordlists from openwall, one which is a list of ~3100 common passwords, and one labelled ALL that has a large amount of words (~4 million) in various languages. Because of the highly compressible nature of text the files are available in small gzip files. ALL is 11.5Mb which unzips to 41.4Mb and password 12kb which unzips to 21.8kb. There are also more wordlists available for different languages, but the ALL file includes these.

The size of all of the wordlists I used is shown below:

Dictionary Combinations
English 42,987
Double-English 80,368
Double+john-rules 3,986,706
Openwall Common Passwords 3,158
Openwall ALL 3,917,116

Results

Dictionary Cracked Percentage Time
English 60 5.41% 80s
Double-English 65 5.86% 170s
Double+john-rules 116 10.46% 2.5hrs (8393s)
Openwall Common Passwords 112 10.10% 7s
Openwall All 210 18.94% 2.45hrs (8829s)
Total Passwords Obtained 254 22.90% ~5hrs

Comical passwords

Here are some of the more amusingly bad passwords, the number in brackets shows the frequency of the password.

Crap passwords: 123456 (18), password (4), 1234567 (4), 123456789 (3), 12345678 (2), 12345 (2), abc123 (2), asdfgh (2), nintendo (2), 123123, abcd1234, abcdefg, qwerty
Self-describing passwords: catholic, cowboy, creator, doger, ginger, killer, maggot, player, princess, skater, smallcock, smooth, super, superman, superstar, tester, veggie, winner, wolverine
Some other passwords: bananas, cheese, cinnamon, hampster, DRAGON, dribble1, poopie, poopoo

Python Program

# -*- coding: utf-8 -*-
# pymd5cracker.py (Python 3)
import hashlib, sys
from time import time

# Change to command-line switches when you have the time!
hash_file = "hash2.csv"
wordlist = "mass_rules.txt"


# Read the hash file entered
try:
	hashdocument = open(hash_file, "r", encoding="latin-1")
except IOError:
	print("Invalid file.")
	input()
	sys.exit()
else:
	# Read the colon-separated values (username:hash:salt) into a list
	hashes = []
	for line in hashdocument:
		line = line.rstrip("\r\n")
		if not line:
			continue
		inp = line.split(":")
		# Pad short lines so an entry without a salt gets an empty one
		while len(inp) < 3:
			inp.append("")
		hashes.append(inp)
	hashdocument.close()


# Read wordlist in. latin-1 maps every byte to one character, so words in
# any encoding are hashed byte-for-byte as they appear in the file.
try:
	wordlistfile = open(wordlist, "r", encoding="latin-1")
except IOError:
	print("Invalid file.")
	input()
	sys.exit()

tested = 0
cracked = 0
tic = time()
for line in wordlistfile:

	line = line.rstrip("\r\n")
	tested += 1
	for i in range(0, len(hashes)):

		m = hashlib.md5()
		# The salt is prefixed to the candidate word before hashing
		m.update((hashes[i][2] + line).encode("latin-1"))
		word_hash = m.hexdigest()
		if word_hash == hashes[i][1]:
			cracked += 1
			hashes[i].append(line)
			print(hashes[i][0], " : ", line, "\t(", time() - tic, "s)")

	# Show progress every 1000 passwords tested
	if tested % 1000 == 0:
		print("Cracked: ", cracked, " (", tested, ") ", line)
wordlistfile.close()


# Save the output of this program so we can use again
# with another program/dictionary adding the password
# to each line we have solved.
crackout = open("pycrackout.txt", "w", encoding="latin-1")
for i in hashes:
	crackout.write(":".join(i) + "\n")
crackout.close()

print("Passwords found: ", cracked, "/", len(hashes))
print("Wordlist Words :", tested)
print("Hashes computed: ", len(hashes) * tested)
print("Total time taken: ", time() - tic, 's')

Next

  • Play with more dictionaries
  • Speed up code:
    • Add multi-threading: My experience with multi-threading in Python is that it doesn't work well for CPU intensive tasks, if you know otherwise please let me know.
    • Have a look at PyCUDA to see if I can use my graphics card to speed up the code significantly (another type of multi-threading really...) without having to change language like in my previous post of CUDA MD5 cracking
  • Remove hash once found to stop pointless checking
  • Add command line switches to allow it to be used like a real program
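
The storage scheme attacked above, MD5(salt + password), beside a slow salted replacement with upgrade-on-login, as an added example that is not part of the original post. The record format, the function names and the PBKDF2-HMAC-SHA256 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumption: work factor chosen for illustration; tune it to your login latency budget.
PBKDF2_ITERATIONS = 600_000


def legacy_md5(salt: str, password: str) -> str:
    """The scheme described in the post: hex MD5 of the salt prefixed to the password."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_and_upgrade(record: str, password: str):
    """Check a password against a stored record.

    Returns (ok, record_to_store). After a successful login against a legacy
    or under-strength record, record_to_store is a fresh PBKDF2 record; the
    caller writes it back so the MD5 hash disappears from the database.
    """
    parts = record.split("$")
    if parts[0] == "md5" and len(parts) == 3:
        _, salt, stored = parts
        ok = hmac.compare_digest(legacy_md5(salt, password), stored.lower())
        return (ok, hash_password(password) if ok else record)
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        try:
            iterations = int(parts[1])
            salt, stored = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
        except ValueError:
            return (False, record)  # malformed record: fail closed
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        ok = hmac.compare_digest(dk, stored)
        if ok and iterations < PBKDF2_ITERATIONS:
            return (True, hash_password(password))  # raise the work factor
        return (ok, record)
    return (False, record)  # unknown scheme: fail closed


def demo():
    # Constructed sample row: 6-character alphanumeric salt, as in the post.
    legacy = "md5$aB3xQ9$" + legacy_md5("aB3xQ9", "nintendo")
    ok, upgraded = verify_and_upgrade(legacy, "nintendo")
    ok_again, unchanged = verify_and_upgrade(upgraded, "nintendo")
    bad, _ = verify_and_upgrade(upgraded, "password")
    return ok, upgraded.split("$")[0], ok_again and unchanged == upgraded, bad


if __name__ == "__main__":
    print(demo())
```

The slow hash raises the cost of every guess; it does not rescue passwords that sit at the top of every wordlist, so pair it with a common-password denylist at registration.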

Android Robot Keychain (for phones)

Jun 27 10
by mat

I just noticed that dealextreme are selling some android memorabilia, in the form of mobile phone strap android robots!

Green Android Robot Keyring (for phones)


They cost $2.70 each (£1.80), or for 5+ $2.39 (£1.59), or for 10+ (£2.12). When ordering more than 5 remember to enable bulk rates, this adds a delivery charge but the prices calculated above include this, and you still save more.
Green android product link

You can also get a pack of 4 (one of each colour) for $8.10 (£5.38) shown below:
4 Colour android pack product link

4 Colour pack of Android Robot Keyrings (for phones)


I have ordered lots of the Green android cell phone straps, and I will post an update with images when they arrive!

Cracking MD5 hashes (or passwords) ultra-fast with GPU acceleration

Jun 24 10
by mat

Do you want to crack MD5 hashes at a rate of ~300MHash/s without a massive rainbow table? Do you have a CUDA enabled GFX card? If you said yes or maybe to these questions then read on for a brief introduction on how to compile and run a CUDA accelerated MD5 cracker (coded by Benjamin “Titan” Vernoux).

Pre-Requisites and Downloading

Building in Ubuntu 10.04

Extract the archive and do a make on the source code. When doing this I came across two problems that can be fixed by modifying the common.mk file.

Problem 1: (cannot be declared weak)

$ make
/usr/include/string.h:43: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/usr/include/string.h:64: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/usr/include/bits/string3.h:49: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/usr/include/bits/string3.h:78: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/common_functions.h:59: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/common_functions.h:62: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:422: error: inline function ‘int __signbit(double)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:427: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:440: error: inline function ‘int __signbitl(long double)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbit(double)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbitl(long double)’ cannot be declared weak
/usr/include/bits/mathinline.h:36: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/usr/include/bits/mathinline.h:42: error: inline function ‘int __signbit(double)’ cannot be declared weak
/usr/include/bits/mathinline.h:48: error: inline function ‘int __signbitl(long double)’ cannot be declared weak

Solution 1

# Debug/release configuration
ifeq ($(dbg),1)
COMMONFLAGS += -g
NVCCFLAGS += -D_DEBUG
BINSUBDIR := debug
LIBSUFFIX := D
else
##############Change the following line to have -O0 instead of -O2
COMMONFLAGS += -O0
BINSUBDIR := release
LIBSUFFIX :=
NVCCFLAGS += --compiler-options -fno-strict-aliasing
CXXFLAGS += -fno-strict-aliasing
CFLAGS += -fno-strict-aliasing
endif

Problem 2: (lcudart)

$ make
/usr/bin/ld: skipping incompatible /opt/cuda/lib/libcudart.so when searching for -lcudart
/usr/bin/ld: skipping incompatible /opt/cuda/lib/libcudart.so when searching for -lcudart
/usr/bin/ld: cannot find -lcudart
collect2: ld returned 1 exit status
make: *** [bin/linux/release/gpu_md5_crack_0.2.3] Error 1

Solution 2

############## Change lib to lib64 if using a 64 bit operating system
LIB := -L$(CUDA_INSTALL_PATH)/lib64 -L$(LIBDIR) -L$(COMMONDIR)/lib64/$(OSLOWER) -L$(NVIDIA_SDK_PATH)/lib

Remember that you should “make clean” in-between each attempt to compile.

Benchmarking

Once it has compiled nicely you can give it a test drive with its built-in benchmark (with an NVIDIA 260 GFX card). Just run with the -b option:

./gpu_md5_crack_0.2.3 -b
GPU_MD5_Crack v0.2.3 09 July 2009 LGPL for BackTrack 4.
Copyright (C) 2009 TitanMKD (titanmkd@gmail.com).

Benchmark Start
Using default CUDA GPU device:0
Cuda device ID:0, Device name:GeForce GTX 260, supporting CUDA:1.3,
multiProcessorCount:27, clockRate:1466.00 MHz, TotalMem:895.31 MB
******* Test 0 Start *******
Expected Password: 1234567890
MD5 Hash:e807f1fcf82d132f9bb018ca6738a19f, Start Password:1200000000, Total pwd to check:1000000000
Charset used 0:0123456789
MD5 brute force started

MD5 Cracked pwd=1234567890 hash=e807f1fcf82d132f9bb018ca6738a19f
Instant 200.02 Mhash/s(40.00 ms)
Average 190.49 Mhash/s, Total Time:0.21s(210.00 ms)
MD5 brute force finished
******* Test 0 End *******

******* Test 1 Start *******
Expected Password: azerty
MD5 Hash:ab4f63f9ac65152575886860dde480a1, Start Password:, Total pwd to check:1000000000
Charset used 1:abcdefghijklmnopqrstuvwxyz
MD5 brute force started

MD5 Cracked pwd=azerty hash=ab4f63f9ac65152575886860dde480a1
Instant 200.02 Mhash/s(40.00 ms)
Average 240.02 Mhash/s, Total Time:0.10s(100.00 ms)
MD5 brute force finished
******* Test 1 End *******

******* Test 2 Start *******
Expected Password: azer09
MD5 Hash:41b9cabe6033932eb3037fc933060adc, Start Password:, Total pwd to check:1000000000
Charset used 2:abcdefghijklmnopqrstuvwxyz0123456789
MD5 brute force started
Progress 5%, Pwd:6lmea, Instant 280.02 Mhash/s(28.57 ms)
MD5 Cracked pwd=azer09 hash=41b9cabe6033932eb3037fc933060adc
Instant 266.69 Mhash/s(30.00 ms)
Average 287.20 Mhash/s, Total Time:0.39s(390.00 ms)
MD5 brute force finished
******* Test 2 End *******

******* Test 3 Start *******
Expected Password: AZBVSD
MD5 Hash:fd049008572788d60140aaead79336cc, Start Password:, Total pwd to check:1000000000
Charset used 3:ABCDEFGHIJKLMNOPQRSTUVWXYZ
MD5 brute force started

MD5 Cracked pwd=AZBVSD hash=fd049008572788d60140aaead79336cc
Instant 266.69 Mhash/s(30.00 ms)
Average 240.02 Mhash/s, Total Time:0.10s(100.00 ms)
MD5 brute force finished
******* Test 3 End *******

******* Test 4 Start *******
Expected Password: AZ09AA
MD5 Hash:7a552dd9cdd49acc5320bad9c29c9722, Start Password:, Total pwd to check:1000000000
Charset used 4:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
MD5 brute force started
Progress 5%, Pwd:6LMEA, Instant 266.69 Mhash/s(30.00 ms)
MD5 Cracked pwd=AZ09AA hash=7a552dd9cdd49acc5320bad9c29c9722
Instant 266.69 Mhash/s(30.00 ms)
Average 280.02 Mhash/s, Total Time:0.40s(400.00 ms)
MD5 brute force finished
******* Test 4 End *******

******* Test 5 Start *******
Expected Password: zaZAab
MD5 Hash:aef49f70bb7b923b8bc0a018f916ef64, Start Password:zCAAAA, Total pwd to check:1000000000
Charset used 5:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
MD5 brute force started
Progress 17%, Pwd:zaDpoA, Instant 280.02 Mhash/s(28.57 ms)
MD5 Cracked pwd=zaZAab hash=aef49f70bb7b923b8bc0a018f916ef64
Instant 266.69 Mhash/s(30.00 ms)
Average 283.10 Mhash/s, Total Time:0.65s(650.00 ms)
MD5 brute force finished
******* Test 5 End *******

******* Test 6 Start *******
Expected Password: za0ZA9
MD5 Hash:062cc3b1302759722f48ac0b95b75803, Start Password:zaAAAA, Total pwd to check:1000000000
Charset used 6:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
MD5 brute force started

MD5 Cracked pwd=za0ZA9 hash=062cc3b1302759722f48ac0b95b75803
Instant 266.69 Mhash/s(30.00 ms)
Average 266.69 Mhash/s, Total Time:0.06s(60.00 ms)
MD5 brute force finished
******* Test 6 End *******

******* Test 7 Start *******
Expected Password: a^-*|
MD5 Hash:cf7dcf4c3eeb6255668393242fcce273, Start Password:a0000, Total pwd to check:1000000000
Charset used 7: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
MD5 brute force started

MD5 Cracked pwd=a^-*| hash=cf7dcf4c3eeb6255668393242fcce273
Instant 266.69 Mhash/s(30.00 ms)
Average 266.69 Mhash/s, Total Time:0.15s(150.00 ms)
MD5 brute force finished
******* Test 7 End *******

Benchmark End

So from the benchmark you can see that we are getting between 200 and 300 Mhash/s, that is about 250,000,000 hash attempts per second! AMAZING!!!

Number of combinations for different alphabets

Length 0-9 a-z a-z0-9 a-zA-Z a-zA-Z0-9
1 10 26 36 52 62
2 100 676 1,296 2,704 3,844
3 1,000 17,576 46,656 140,608 238,328
4 10,000 456,976 1,679,616 7,311,616 14,776,336
5 100,000 11,881,376 60,466,176 380,204,032 916,132,832
6 1,000,000 308,915,776 2,176,782,336 19,770,609,664 56,800,235,584
7 10,000,000 8,031,810,176 78,364,164,096 1,028,071,702,528 3,521,614,606,208
8 100,000,000 208,827,064,576 2,821,109,907,456 53,459,728,531,456 218,340,105,584,896
9 1,000,000,000 5,429,503,678,976 101,559,956,668,416 2,779,905,883,635,710 13,537,086,546,263,600
10 10,000,000,000 141,167,095,653,376 3,656,158,440,062,980 144,555,105,949,057,000 839,299,365,868,340,000

Estimated time (in seconds) to crack (at 250MHash/s)

Length 0-9 a-z a-z0-9 a-zA-Z a-zA-Z0-9
1 0.00 0.00 0.00 0.00 0.00
2 0.00 0.00 0.00 0.00 0.00
3 0.00 0.00 0.00 0.00 0.00
4 0.00 0.00 0.00 0.01 0.03
5 0.00 0.02 0.12 0.76 1.83
6 0.00 0.62 4.35 39.54 113.60
7 0.02 16.06 156.73 2,056.14 7,043.23
8 0.20 417.65 5,642.22 106,919.46 436,680.21
9 2.00 10,859.01 203,119.91 5,559,811.77 27,074,173.09
10 20.00 282,334.19 7,312,316.88 289,110,211.90 1,678,598,731.74

Full calculations available here: MD5 hash cracking time using GPU accelerated brute forcing

What now?
Well you can crack MD5’s at an extremely accelerated rate, so enjoy doing so responsibly (let your morals guide you :P). You could also explore the source code and make additions as you see fit; I am planning on modifying it to allow an extra parameter so that prefixes can be added if you already know how the password starts. This can be the case when someone has prefixed the password with a known salt.

Nexus Revamped (free) updated (live wallpaper)

Jun 22 10
by mat

Following the update of nexus revamped pro, I have upgraded the free edition! This upgrade brings many improvements over the last version and should have a considerable performance increase, therefore less lagging and better battery life.

Nexus Revamped Live Wallpaper in action


Below details what options the Nexus Revamped Live Wallpaper now has to offer:

Theme options

Nexus Revamped Live Wallpaper Theme Settings


Background Themes

  • Image – Choose a background image
  • Single Color – Choose a background color

Background Options

  • Background Tint – Give the chosen background a colored tint

Particle Themes

  • Multi-color – Choose a multi-color theme for the particles
  • Single Color – Choose a single color theme for the particles

Physics Settings

Nexus Revamped Live Wallpaper Physics Settings


  • Touch interaction – Enables/disables finger pressing causing spawning of particles
  • Hide spawning – Enables/disables particles only spawning offscreen
  • Speed – Choose the speed of the particles
  • Spawn Density – Choose how often particles are created

Enjoy!

Nexus Revamped Live Wallpaper (com.stealthcopter.nexusrevamped)

Download link


Portal 2 teaser trailer and soundboard updated

Jun 16 10
by mat

Valve have released a teaser trailer for Portal 2 (which is now due for release in 2011) and I have updated the portal soundboard (for android) to feature two new sounds included in this trailer.

Video

Soundboard

Portal 2 soundboard updated to include two new sounds from GLaDOS:
“It’s been a loooooooong time”
“I think we can put our differences behind us… for science… you monster…”

Download
Portal SoundBoard can be downloaded from the market on your android phone either by searching or following the android link below. Alternatively you can download the apk file from this website using the download link

Android: Portal Soundboard market link
Download: Portal Soundboard download link


Portal Soundboard for Android released

Jun 15 10
by mat

Following the success of my other soundboards (Unreal Tournament SoundBoard and Counter-Strike Soundboard), I have released a Portal soundboard for Android:

Download
Portal SoundBoard can be downloaded from the market on your android phone either by searching or following the android link below. Alternatively you can download the apk file from this website using the download link

Android: Portal Soundboard market link
Download: Portal Soundboard download link


Features

  • GLaDOS sounds (Loads of)
  • Extra sounds from the overly friendly turret
  • Still alive song, and the cake recipe
  • Save sounds as ringtones and notifications
  • Optional Adverts (Menu > toggle ads to hide)

Screenshots

Portal Soundboard Screenshot 1



Portal Soundboard Screenshot 2


If you enjoyed this please leave feedback for me either here or on the market. Comments, suggestions and constructive criticism are also welcome.

TFT pixels in focus under high magnification microscope

Jun 11 10
by mat

Whilst working on this post I managed to get some sexy shots of pixels in focus from my TFT screen under the microscope.

Regular pixels from a TFT screen



Cool Focusing on pixels from a TFT High magnification



More Cool Focusing on pixels from a TFT High magnification


Nexus One’s AMOLED Screen under the microscope

Jun 10 10
by mat

After casually browsing this Wikipedia article on Google’s Nexus One (or HTC’s) I became interested in the AMOLED (Active-matrix OLED (Organic Light Emitting Device)) screen due to its interesting pixel structure. Quote from Wikipedia:

The Nexus One has a 3.7 inch AMOLED screen with PenTile matrix pixel arrangement. The raster resolution is 800×480 pixels, however each pixel in the PenTile RGBG display has only two subpixels (red and green, or blue and green alternately), rather than the three found in most displays. This gives it a total effective subpixel resolution of a 392×653 RBG display.[40]

So I decided to have a look under the microscope to see what I could find with my nexus one. Enjoy the following images:

Low Zoom

Nexus One's AMOLED screen under the microscope (Low magnification)


High zoom

Nexus One's AMOLED screen under the microscope (High magnification)



Nexus One's AMOLED screen under the microscope (High magnification)


Regular Pixel

Regular pixels from a TFT screen


**Update: New images from better microscope**

Nexus One Screen Under the Microscope


Nexus Revamped Pro updated (google android live wallpaper)

Jun 8 10
by mat

I thought it was about time for another post about Nexus Revamped Live Wallpaper Pro as a follow up to this post.

Nexus Revamped Pro Update Screenshot

Following the original release many updates have gone by and I have received numerous emails with feedback and suggestions which are very much appreciated. Several additional features have been added and there are many more on the way.

Changes

  • more themes for background and particles
  • White nexus theme due to popular demand (thanks for the emails)
  • improved performance (still optimising, future upgrades will be even better)
  • Option to change tail length
  • Separated single-color and multi-color backgrounds/particle colors (more to come soon!)
  • preliminary support for smaller screens

Nexus Revamped Pro Update Screenshot - Colors


Nexus Revamped Pro Update - Theme settings


Nexus Revamped Pro Update - Black and white theme


Nexus Revamped Pro Update - Tail length


Nexus Revamped Pro Update - No tails, long tails and short tails

I will also push updates down to the free version of this application soon, but some options will be left out to reward the paying customers :)

Android Market Links
Either click the following android market links (in android phone) or search the market for nexus revamped.
Pro Version
Nexus Revamped Pro Live Wallpaper (com.stealthcopter.nexusrevampedpro)


Free Version

Nexus Revamped Live Wallpaper (com.stealthcopter.nexusrevamped)

Download link


Future
I have plans and ideas for the future of this application, please complete the poll below to indicate what you’d like to see in this app or leave feedback (comment) if you have any.

What do you want to see next? (select all that apply)
