Posts tagged ‘hacking’

Review of day 1 of droidcon uk 2010 (barcamp sessions)

Oct 29 10
by mat

Below is a short overview of some of the stuff that I saw at droidcon today (Day 1: Barcamp). I was hoping to write more but it’s late and I can always update this post. Apologies to those whose names I did not manage to get; I can update this post when I find out who you are :P

As this is quite a long post here is a mini table of contents to speed it up:


Barcamp schedule (sorry for crap pic)

Git on android

This was a really surprising talk; just from the name it’s a little confusing as to why this would be useful, but it was a really good talk. A guy who works at the Guardian (need to find name) walked through all the problems he came across when trying to use git on Android and how, using open source goodness, he could simplify a lot of trouble by simply extending pre-written code and even create workarounds for troublesome bugs.

It was a very interesting talk just to see how everything had fitted together and to see a demo of some sexy git-based syncing, including using some ssh agents securely.

Swing me

Draft still…too tired to write.
A single UI widget toolset that can easily be ported to other operating systems. Uses gestures, pinch zoom and all the things you would be used to. Non-Android-specific code, and protocols can be specified nicely to cooperate with different devices. Removes hassle on behalf of the developer: debug using XML, then switch to binary mode for performance.
Difference between keys on certain phones… assign buttons, like “back”, as a button on phones with dedicated back buttons, i.e. a Nokia soft key hidden and at the bottom; Android will hide it and use the Android hardware back button, i.e. an unhidden back button is not hidden (good solving of the problem).

Problems with accessing core bits of Android that are private/protected. Radio easy but problem with tick box.
Missing clipboard (almost finished; works on Android, Symbian, desktop… lol @ Apple)
Still use native Android-based stuff

Google Bootcamp 1

So there were four google guys present to answer the questions and complaints of the developers and one to pass the microphone around.

Google Barcamp 1

Someone asked when Gingerbread was going to be released and Reto Meier answered by not confirming anything regarding the release date, be it this year or next. He even went as far as to say that he couldn’t confirm Gingerbread’s existence, despite the rather large statue outside building 44.

Roman was asked a question about the Action bar and if it was going to become a standard widget in the android apk, he said that it wasn’t currently part of the widget set and couldn’t confirm when it would be added.

Reto mentioned in-app purchasing and said Google was looking into other methods to monetise but couldn’t comment on specifics. However, in-app purchasing is currently against the Google TOS, so you might want to be careful if your app has this and is distributed via the Google Market. Of course this is fine to do if released on another app store such as AndAppStore; it’s doubtful that the Orange and Vodafone app stores would be so generous.

Google TV was mentioned and how to write Android apps for it. Currently only HTML5 / web stuff, but as it is based on Android the plan is to be compatible, so we are waiting for compatibility hopefully sometime next year. The Google TVs should receive Market via OTA updates so there will probably be no need for OEM manufacturers to get in the way. Media server such as a UPnP server: status is currently unknown.

In-app Google Analytics was mentioned and another barcamp talk was referred to which unfortunately I missed; if anyone went to this and has written it up I am happy to add the link in here.

In-app logic – making services/content providers global = bad; shared prefs and instance state are mainly for UI shiz; use setters/getters backed by a saved pref/database for logic, and check whether it has been set etc. (Roman/Reto)

Someone briefly asked about adverts without using the internet permission, instead using an addon/plugin which did access the internet. Currently it seems this is not possible, but it is something they may look into in the future.

Have I missed off any of the other topics discussed during this bootcamp? If so let me know!

Alternative Markets

Draft still…too tired to write.
Vodafone – incentive – random draw to win an HTC Legend. 30/70 split
Orange – 30/70 again (yawn); want good apps, as many as possible; pay via phone bill, no registration; France/UK last year. Need several countries/languages, Arabic/African etc.
Nokia – no alternative operators, content aggregator, localization/adaptation/uploads etc… Sensing, in-app billing

Individual / OS devs fetching market data/pushing to different app stores as we don’t have the time to move to different places

App stores share with other stores, very nice
Orange apps tied to the network, you lose them if you move :(

Meta-Market Model

This talk tied in very nicely with the problems regarding alternative markets discussed in the previous talk. Mark Murphy (CommonsWare) discussed an alternative to writing an open letter to Google (as was discussed via email) about the Android Market. He ran a brainstorming session on the market’s problems and what we can do as a community to help improve this for ourselves (devs) and for users.

Mark Murphy Meta Markets

Some of the good problems highlighted by people were:

  • Comment spam, and no way of “reacting to punters” or dealing with users who are “dissing” all apps
  • Not enough screenshots / descriptions / add videos etc…
  • Searching the market is terrible (My contribution)
  • Analytics
  • Email messages about cancelled users every time
  • Refund policy too lenient
  • Option to explain the reason behind each permission as users don’t know what’s going on when you can’t fit an explanation in the description
  • Better rating levels, UI/UX etc.
  • Downloads don’t work

The market on android is improving at a “Glacial pace” and even though there was some sexy stuff demonstrated at Google IO 5 months ago we are still waiting to see the improvements, such as a web based market that can push applications to devices.

There was also a good discussion about the websites that scrape data from the Android Market (AppBrain, Cyrket, AndroidZoom), which is kinda sketchy territory as it is probably against the TOS of the Android Market, kinda counting as pirated data. There is even a Google Code project to fetch the data from the Android Market.

Data goes in, data doesn’t come out.
Pirated data not supported; can’t scrape data from the Market.

So what makes this presentation more than just a complaint about the Android Market?
The Market is a closed club: OEMs who don’t agree to the rule book don’t have access. And simply creating an app store for each carrier/OEM etc. isn’t a viable solution, which Mark summarised with a brilliant quote: “those who complain about fragmentation, you ain’t seen nothing yet”.

So Mark has come up with an idea about having a single open feed of android applications that all the market applications can hook into. So this would work as some sort of extended atom/rss feed (just add namespace) with open access which could benefit from the standards introduced and the maturity of the software already written. This sounds like a great idea but will obviously need a large amount of momentum to succeed, Mark is obviously a major player in the android field and this proposal was backed up by the developer of AndAppStore.

Mark also mentioned that even market owners who were unwilling could be worked-around using a firefox plugin to remove most of the leg work. So this would mean that developers can have a single place where they have the app description, screen shots, all the minimums required for android market but more for those who support more.

To wrap up, Mark said that instead of us complaining at Google to fix the Market we should fix the Market problems ourselves. At the end of the session Mark was collecting email addresses to create a mailing list to start this process.

How I do it

Kevin McDonagh of Novoda gave some brilliant tips and tricks for writing android applications. I’ve written some of them up, but hopefully he will publish his whole list online (hint hint…)

public void onLowMemory() {
	super.onLowMemory();
	// Code to execute on low memory
	// Free up unused drawables etc.
}

  • Use weak references
  • Avoid Generics, use primitives where possible
  • Clean up drawables in onPause()
  • Use the hierarchy viewer

Kevin also mentioned some stuff which I’m sure I should have come across before but for some reason I was still oblivious to.

Extending styles to avoid having to retype android:layout_height="wrap_content" etc. on every item.

There was some good discussion on the conventions for android:versionCode and android:versionName and someone mentioned very helpfully that versionName appears in the market description and is limited only to 255 chars, which means you can add additional versioning changes into this (shown below a screen shot of nexus revamped in the market with the versionName highlighted).

android:versionName displayed in android market

Apps for good
Apps for good is a charity that takes a group of people between the ages of 18 and 25 and gives them the resources and skills required to create an application that can benefit society. Once students have finished the course they often go on to mentor the next batch of students.

The apps they have already produced on this scheme are Stop and Search, StudentVoice and StudioPhly, and they discussed an upcoming app they are currently working on so that the balance of an Oyster card can be checked via an Android device, so that you are never caught out.

They are looking for help so if you are feeling charitable I am sure they would appreciate your input or if you know of anyone 18-25 who would like to go on the course, please inform them of the opportunity.

Google Barcamp 2

Ok, so this barcamp was delayed and I think a lot of the better questions were already asked; that, in combination with my laptop battery dying, means I have fewer notes and a worse memory of this one.

Google Barcamp day 2

Bundling several apps into one installer apk: currently not possible. Could be achieved by having a program that sends intents to install other apps, or by having one large app with several launcher items in the app menu.

Tips from tech hub:

  • Devs aren’t always design focused; assume users are complete idiots and don’t understand anything.
  • Ported apps don’t act in an Android style (back button doesn’t close etc.) as devs don’t understand the application lifecycle

App Circus
So App Circus had a bit of a disappointing number of contestants, about 6 I think it was in total; hopefully next time there will be more. The winners were:

  • 1st: Swiftkey
  • 2nd: — Blind something? Sorry forgot the proper name
  • 3rd: ProductPay


Coding in a hammock and drinking beer

I also met a lot of very interesting people and plan on meeting a whole load more tomorrow!

Cracking real world salted MD5 passwords in python with several dictionaries

Jun 28 10
by mat

Recently a friend (who will remain unnamed for obvious reasons) asked me to penetration test a website he created. I found a very simple exploit where I could upload an avatar but the file was not checked to ensure it was an image, so I uploaded a PHP script I wrote and began exploring the server. I printed out all of the usernames, passwords and salts from the database to see how many of the 1,109 passwords could be easily cracked.

The passwords were stored as MD5 hashes with a random 6-character alphanumeric salt. To create the hash, the salt was prefixed to the password and the combination was MD5’d. Because MD5 is fast and the salt is stored next to each hash, we can employ a simple brute-force/dictionary attack on the passwords. I will start with the wordlist creation, then the results I obtained to keep your interest, and finally show my Python code.
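Here is the scheme just described written out, as an added example that is not part of the original post: the legacy check, hex(md5(salt + password)), next to the replacement a site owner should migrate to, plus a login-time upgrade path, since the plaintext needed to rehash is only available when the user logs in. My choice of PBKDF2-HMAC-SHA256 from the standard library, the function names and the user/hash/salt record layout are assumptions for this example (bcrypt, scrypt or Argon2 would serve equally well); the sample user is constructed and not from the post’s data.

```python
import hashlib
import hmac
import os

# Scheme the post describes: hex(md5(salt + password)) with a short
# alphanumeric salt stored beside the hash. Each guess costs one MD5.
def legacy_md5_hash(salt, password):
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def legacy_verify(salt, stored_hex, candidate):
    # Constant-time comparison so a near-miss does not leak via timing.
    return hmac.compare_digest(legacy_md5_hash(salt, candidate), stored_hex.lower())


# Replacement (my choice for this example: PBKDF2-HMAC-SHA256 from the
# standard library; bcrypt, scrypt or Argon2 are equally valid). A 16-byte
# random salt plus an iteration count make each guess cost ITERATIONS hashes.
ITERATIONS = 200_000
PREFIX = "pbkdf2_sha256"


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm$iterations$salt$derived-key (hex)
    return "%s$%d$%s$%s" % (PREFIX, iterations, salt.hex(), dk.hex())


def pbkdf2_verify(stored, candidate):
    prefix, iterations, salt_hex, dk_hex = stored.split("$")
    if prefix != PREFIX:
        raise ValueError("unexpected hash format: %s" % prefix)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Migration for a table full of legacy hashes: the plaintext is only seen at
# login, so check the old record there and, on success, replace it with a
# PBKDF2 record. `record` is a dict with keys user/hash/salt (constructed
# layout for this example, not the post's schema).
def login_and_upgrade(record, candidate, iterations=ITERATIONS):
    if record["hash"].startswith(PREFIX + "$"):
        return pbkdf2_verify(record["hash"], candidate), record
    if not legacy_verify(record["salt"], record["hash"], candidate):
        return False, record
    upgraded = dict(record, hash=pbkdf2_hash(candidate, iterations=iterations), salt="")
    return True, upgraded


if __name__ == "__main__":
    # Constructed sample user in the post's format (salt prefixed, MD5 hex).
    rec = {"user": "alice", "salt": "q7Gh2K",
           "hash": legacy_md5_hash("q7Gh2K", "cinnamon")}
    ok, rec = login_and_upgrade(rec, "cinnamon")
    print(ok, rec["hash"].split("$")[0])
```

The point is the cost ratio: the attack in this post spends one MD5 per (user, candidate) pair, whereas each PBKDF2 guess costs 200,000 HMAC computations, so the same ~5 hours of wordlist work would cover only a handful of candidates per user. The `$`-separated record also carries its own iteration count, so the work factor can be raised later without another migration.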

Creating wordlists
I already had two reasonably sized dictionaries that I use for different things like wordcube. I used John the Ripper on my double-sized dictionary to create lots of common permutations of words, such as a capital first letter and a number affixed to the end. To do this you run john with the following parameters, where dic.txt is the input dictionary and dic_plus_rules.txt is the output from john with all of the additions it has made.

john --wordlist=dic.txt --rules --stdout > dic_plus_rules.txt

I also downloaded two wordlists from Openwall: one which is a list of ~3100 common passwords, and one labelled ALL that has a large number of words (~4 million) in various languages. Because of the highly compressible nature of text the files are available as small gzip files: ALL is 11.5Mb which unzips to 41.4Mb, and password is 12kb which unzips to 21.8kb. There are also more wordlists available for different languages, but the ALL file includes these.
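The mangling rules are just as useful from the other side: a signup form can reject any password that john’s rules would reach from a dictionary word, without expanding the wordlist fifty-fold. The added example below (not from the post) normalizes a candidate password back to the base words a rule set could have started from and looks those up. The rule set (case folding, stripped leading/trailing digits and symbols, a small leet map, reversal) is my approximation of john’s defaults rather than the real rule file, and the wordlist is a constructed stand-in for the files described above.

```python
import re

# Constructed stand-in for the wordlists described above (English words plus
# Openwall's common-password list); a real check loads those files into a set.
WORDLIST = {"password", "dragon", "nintendo", "cinnamon", "superman",
            "qwerty", "monkey", "123456", "letmein"}

# Common character substitutions that mangling rules apply, mapped back.
LEET = str.maketrans("@$!013457", "asioleast")


def normalized_forms(password):
    """Base strings a john-style rule set could have produced `password` from.

    Covers case changes, digits/symbols appended or prepended, leet
    substitutions and reversal: an approximation of john's default rules,
    chosen for this example.
    """
    low = password.lower()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", low)   # strip affixed digits/symbols
    forms = {low, core, low.translate(LEET), core.translate(LEET), core[::-1]}
    return {f for f in forms if f}


def is_mangled_dictionary_word(password, wordlist=WORDLIST):
    return any(form in wordlist for form in normalized_forms(password))


def audit(passwords, wordlist=WORDLIST):
    """Return the passwords a policy check should reject, in input order."""
    return [p for p in passwords if is_mangled_dictionary_word(p, wordlist)]


if __name__ == "__main__":
    # Constructed candidates, modelled on the shapes in the post's results.
    sample = ["P@ssw0rd1", "Dragon123", "nogarD", "DRAGON", "dribble1",
              "123456", "correct horse battery staple"]
    print(audit(sample))
```

Normalizing the candidate is cheap (a handful of string operations and set lookups) no matter how large the base wordlist grows, which is why checkers built this way can load the full Openwall ALL list where generating every mangled variant up front would not be practical in a web request.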

The size of all of the wordlists I used is shown below:

Dictionary                 Combinations
English                          42,987
Double-English                   80,368
Double+john-rules             3,986,706
Openwall Common Passwords         3,158
Openwall ALL                  3,917,116

Dictionary                 Cracked  Percentage  Time
English                         60       5.41%  80s
Double-English                  65       5.86%  170s
Double+john-rules              116      10.46%  2.5hrs (8393s)
Openwall Common Passwords      112      10.10%  7s
Openwall ALL                   210      18.94%  2.45hrs (8829s)
Total Passwords Obtained       254      22.90%  ~5hrs

Comical passwords

Here are some of the more amusingly bad passwords, the number in brackets shows the frequency of the password.

Crap passwords: 123456 (18), password (4), 1234567 (4), 123456789 (3), 12345678 (2), 12345 (2), abc123 (2), asdfgh (2), nintendo (2), 123123, abcd1234, abcdefg, qwerty
Self-describing passwords: catholic, cowboy, creator, doger, ginger, killer, maggot, player, princess, skater, smallcock, smooth, super, superman, superstar, tester, veggie, winner, wolverine
Some other passwords: bananas, cheese, cinnamon, hampster, DRAGON, dribble1, poopie, poopoo

Python Program

# -*- coding: utf-8 -*-
# Python 2 script: dictionary attack against hex(md5(salt + password)) records.
import hashlib, sys
from time import time

# Change to commandline switches when you have the time!
hash_file = "hash2.csv"      # one record per line: username:md5hash:salt (assumed column order)
wordlist = "mass_rules.txt"  # one candidate password per line

# Read the hash file entered
try:
	hashdocument = open(hash_file, "r")
except IOError:
	print "Invalid file."
	sys.exit(1)

# Read the csv values separated by colons into a list of
# [username, hash, salt, cracked_password] entries
hashes = []
for line in hashdocument:
	line = line.rstrip("\n")
	if line.count(":") < 2:
		continue  # skip malformed lines
	inp = line.split(":")
	hashes.append([inp[0], inp[1].lower(), inp[2], ""])
hashdocument.close()

# Read wordlist in
try:
	wordlistfile = open(wordlist, "r")
except IOError:
	print "Invalid file."
	sys.exit(1)

tic = time()
tested = 0   # words tried so far
cracked = 0  # hashes matched so far
for line in wordlistfile:
	line = line.replace("\n", "")
	tested += 1
	for i in range(0, len(hashes)):
		m = hashlib.md5()
		m.update(hashes[i][2] + line)  # salt is prefixed to the password
		word_hash = m.hexdigest()
		if word_hash == hashes[i][1] and hashes[i][3] == "":
			hashes[i][3] = line
			cracked += 1
			print hashes[i][0], " : ", line, "\t(", time() - tic, "s)"

	# Show progress every 1000 passwords tested
	if tested % 1000 == 0:
		print "Cracked: ", cracked, " (", tested, ") ", line
wordlistfile.close()

# Save the output of this program so we can use it again
# with another program/dictionary, adding the password
# to each line we have solved.
crackout = open("pycrackout.txt", "w")
for i in hashes:
	crackout.write(":".join([s for s in i if s != ""]) + "\n")
crackout.close()

print "Passwords found: ", cracked, "/", len(hashes)
print "Wordlist Words :", tested
print "Hashes computed: ", len(hashes) * tested
print "Total time taken: ", time() - tic, 's'


  • Play with more dictionaries
  • Speed up code:
    • Add multi-threading: my experience with multi-threading in Python is that it doesn't work well for CPU-intensive tasks; if you know otherwise please let me know.
    • Have a look at PyCUDA to see if I can use my graphics card to speed up the code significantly (another type of multi-threading really...) without having to change language like in my previous post on CUDA MD5 cracking
  • Remove hash once found to stop pointless checking
  • Add command line switches to allow it to be used like a real program

Cracking MD5 hashes (or passwords) ultra-fast with GPU acceleration

Jun 24 10
by mat

Do you want to crack MD5 hashes at a rate of ~300MHash/s without a massive rainbow table? Do you have a CUDA-enabled GFX card? If you said yes or maybe to these questions then read on for a brief introduction on how to compile and run a CUDA-accelerated MD5 cracker (coded by Benjamin “Titan” Vernoux).

Pre-Requisites and Downloading

Building in Ubuntu 10.04

Extract the archive and do a make on the source code. When doing this I came across two problems that can be fixed by modifying the file.

Problem 1: (cannot be declared weak)

$ make
/usr/include/string.h:43: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/usr/include/string.h:64: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/usr/include/bits/string3.h:49: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/usr/include/bits/string3.h:78: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/common_functions.h:59: error: inline function ‘void* memset(void*, int, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/common_functions.h:62: error: inline function ‘void* memcpy(void*, const void*, size_t)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:422: error: inline function ‘int __signbit(double)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:427: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/opt/cuda/bin/../include/math_functions.h:440: error: inline function ‘int __signbitl(long double)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbit(double)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/usr/include/bits/mathcalls.h:350: error: inline function ‘int __signbitl(long double)’ cannot be declared weak
/usr/include/bits/mathinline.h:36: error: inline function ‘int __signbitf(float)’ cannot be declared weak
/usr/include/bits/mathinline.h:42: error: inline function ‘int __signbit(double)’ cannot be declared weak
/usr/include/bits/mathinline.h:48: error: inline function ‘int __signbitl(long double)’ cannot be declared weak

Solution 1

# Debug/release configuration
ifeq ($(dbg),1)
	BINSUBDIR   := debug
else
	############## Change the following line to have -O0 instead of -O2
	COMMONFLAGS += -O0
	BINSUBDIR   := release
	NVCCFLAGS   += --compiler-options -fno-strict-aliasing
	CXXFLAGS    += -fno-strict-aliasing
	CFLAGS      += -fno-strict-aliasing
endif

Problem 2: (lcudart)

$ make
/usr/bin/ld: skipping incompatible /opt/cuda/lib/ when searching for -lcudart
/usr/bin/ld: skipping incompatible /opt/cuda/lib/ when searching for -lcudart
/usr/bin/ld: cannot find -lcudart
collect2: ld returned 1 exit status
make: *** [bin/linux/release/gpu_md5_crack_0.2.3] Error 1

Solution 2

############## Change lib to lib64 if using a 64 bit operating system

Remember that you should “make clean” in-between each attempt to compile.


Once it has compiled nicely you can give it a test drive with its built-in benchmark (here with an NVIDIA GTX 260 GFX card). Just run it with the -b option:

./gpu_md5_crack_0.2.3 -b
GPU_MD5_Crack v0.2.3 09 July 2009 LGPL for BackTrack 4.
Copyright (C) 2009 TitanMKD (

Benchmark Start
Using default CUDA GPU device:0
Cuda device ID:0, Device name:GeForce GTX 260, supporting CUDA:1.3,
multiProcessorCount:27, clockRate:1466.00 MHz, TotalMem:895.31 MB
******* Test 0 Start *******
Expected Password: 1234567890
MD5 Hash:e807f1fcf82d132f9bb018ca6738a19f, Start Password:1200000000, Total pwd to check:1000000000
Charset used 0:0123456789
MD5 brute force started

MD5 Cracked pwd=1234567890 hash=e807f1fcf82d132f9bb018ca6738a19f
Instant 200.02 Mhash/s(40.00 ms)
Average 190.49 Mhash/s, Total Time:0.21s(210.00 ms)
MD5 brute force finished
******* Test 0 End *******

******* Test 1 Start *******
Expected Password: azerty
MD5 Hash:ab4f63f9ac65152575886860dde480a1, Start Password:, Total pwd to check:1000000000
Charset used 1:abcdefghijklmnopqrstuvwxyz
MD5 brute force started

MD5 Cracked pwd=azerty hash=ab4f63f9ac65152575886860dde480a1
Instant 200.02 Mhash/s(40.00 ms)
Average 240.02 Mhash/s, Total Time:0.10s(100.00 ms)
MD5 brute force finished
******* Test 1 End *******

******* Test 2 Start *******
Expected Password: azer09
MD5 Hash:41b9cabe6033932eb3037fc933060adc, Start Password:, Total pwd to check:1000000000
Charset used 2:abcdefghijklmnopqrstuvwxyz0123456789
MD5 brute force started
Progress 5%, Pwd:6lmea, Instant 280.02 Mhash/s(28.57 ms)
MD5 Cracked pwd=azer09 hash=41b9cabe6033932eb3037fc933060adc
Instant 266.69 Mhash/s(30.00 ms)
Average 287.20 Mhash/s, Total Time:0.39s(390.00 ms)
MD5 brute force finished
******* Test 2 End *******

******* Test 3 Start *******
Expected Password: AZBVSD
MD5 Hash:fd049008572788d60140aaead79336cc, Start Password:, Total pwd to check:1000000000
MD5 brute force started

MD5 Cracked pwd=AZBVSD hash=fd049008572788d60140aaead79336cc
Instant 266.69 Mhash/s(30.00 ms)
Average 240.02 Mhash/s, Total Time:0.10s(100.00 ms)
MD5 brute force finished
******* Test 3 End *******

******* Test 4 Start *******
Expected Password: AZ09AA
MD5 Hash:7a552dd9cdd49acc5320bad9c29c9722, Start Password:, Total pwd to check:1000000000
MD5 brute force started
Progress 5%, Pwd:6LMEA, Instant 266.69 Mhash/s(30.00 ms)
MD5 Cracked pwd=AZ09AA hash=7a552dd9cdd49acc5320bad9c29c9722
Instant 266.69 Mhash/s(30.00 ms)
Average 280.02 Mhash/s, Total Time:0.40s(400.00 ms)
MD5 brute force finished
******* Test 4 End *******

******* Test 5 Start *******
Expected Password: zaZAab
MD5 Hash:aef49f70bb7b923b8bc0a018f916ef64, Start Password:zCAAAA, Total pwd to check:1000000000
Charset used 5:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
MD5 brute force started
Progress 17%, Pwd:zaDpoA, Instant 280.02 Mhash/s(28.57 ms)
MD5 Cracked pwd=zaZAab hash=aef49f70bb7b923b8bc0a018f916ef64
Instant 266.69 Mhash/s(30.00 ms)
Average 283.10 Mhash/s, Total Time:0.65s(650.00 ms)
MD5 brute force finished
******* Test 5 End *******

******* Test 6 Start *******
Expected Password: za0ZA9
MD5 Hash:062cc3b1302759722f48ac0b95b75803, Start Password:zaAAAA, Total pwd to check:1000000000
Charset used 6:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
MD5 brute force started

MD5 Cracked pwd=za0ZA9 hash=062cc3b1302759722f48ac0b95b75803
Instant 266.69 Mhash/s(30.00 ms)
Average 266.69 Mhash/s, Total Time:0.06s(60.00 ms)
MD5 brute force finished
******* Test 6 End *******

******* Test 7 Start *******
Expected Password: a^-*|
MD5 Hash:cf7dcf4c3eeb6255668393242fcce273, Start Password:a0000, Total pwd to check:1000000000
Charset used 7: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
MD5 brute force started

MD5 Cracked pwd=a^-*| hash=cf7dcf4c3eeb6255668393242fcce273
Instant 266.69 Mhash/s(30.00 ms)
Average 266.69 Mhash/s, Total Time:0.15s(150.00 ms)
MD5 brute force finished
******* Test 7 End *******

Benchmark End

So from the benchmark you can see that we are getting between 200 and 300 Mhash/s, that is about 250,000,000 hash attempts per second! AMAZING!!!

Number of combinations for different alphabets

Length             0-9                  a-z                 a-z0-9                   a-zA-Z                a-zA-Z0-9
1                   10                   26                     36                       52                       62
2                  100                  676                  1,296                    2,704                    3,844
3                1,000               17,576                 46,656                  140,608                  238,328
4               10,000              456,976              1,679,616                7,311,616               14,776,336
5              100,000           11,881,376             60,466,176              380,204,032              916,132,832
6            1,000,000          308,915,776          2,176,782,336           19,770,609,664           56,800,235,584
7           10,000,000        8,031,810,176         78,364,164,096        1,028,071,702,528        3,521,614,606,208
8          100,000,000      208,827,064,576      2,821,109,907,456       53,459,728,531,456      218,340,105,584,896
9        1,000,000,000    5,429,503,678,976    101,559,956,668,416    2,779,905,883,635,710   13,537,086,546,263,600
10      10,000,000,000  141,167,095,653,376  3,656,158,440,062,980  144,555,105,949,057,000  839,299,365,868,340,000

Estimated time (in seconds) to crack (at 250MHash/s)

Length    0-9         a-z        a-z0-9          a-zA-Z         a-zA-Z0-9
1        0.00        0.00          0.00            0.00              0.00
2        0.00        0.00          0.00            0.00              0.00
3        0.00        0.00          0.00            0.00              0.00
4        0.00        0.00          0.00            0.01              0.03
5        0.00        0.02          0.12            0.76              1.83
6        0.00        0.62          4.35           39.54            113.60
7        0.02       16.06        156.73        2,056.14          7,043.23
8        0.20      417.65      5,642.22      106,919.46        436,680.21
9        2.00   10,859.01    203,119.91    5,559,811.77     27,074,173.09
10      20.00  282,334.19  7,312,316.88  289,110,211.90  1,678,598,731.74

Full calculations available here: MD5 hash cracking time using GPU accelerated brute forcing
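Both tables come from one formula: combinations = |alphabet|^length, and time = combinations / rate. Note that the times above equal combinations / (2 × 250 MHash/s), i.e. the expected time when the password turns up on average halfway through an exhaustive search; the worst case is double. The added example below (not from the post) reproduces both tables from that formula and then turns the question around for a defender: at the post’s rate, how long must a password from each alphabet be to outlast a given attacker budget, and how much does a deliberately slow hash change that. The ten-year budget and the 200,000-iteration PBKDF2 slowdown are assumed figures for the example.

```python
# Charset sizes used in the post's tables.
CHARSETS = {"0-9": 10, "a-z": 26, "a-z0-9": 36, "a-zA-Z": 52, "a-zA-Z0-9": 62}
RATE = 250_000_000          # hashes/s, the post's round figure for the GTX 260
TEN_YEARS = 10 * 365.25 * 86400   # assumed attacker budget, in seconds


def keyspace(alphabet_size, length):
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, rate=RATE):
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def expected_seconds(alphabet_size, length, rate=RATE):
    """Average time: the target sits halfway through an exhaustive search.
    This is the quantity the post's time table reports."""
    return worst_case_seconds(alphabet_size, length, rate) / 2


def min_length_for(alphabet_size, seconds, rate=RATE):
    """Smallest length whose exhaustive search takes longer than `seconds`."""
    n = 1
    while worst_case_seconds(alphabet_size, n, rate) <= seconds:
        n += 1
    return n


def table(fn, lengths=range(1, 11)):
    """Rows of (length, value per charset), reproducing the post's tables."""
    return [(n,) + tuple(fn(size, n) for size in CHARSETS.values()) for n in lengths]


if __name__ == "__main__":
    print("Length", *CHARSETS)
    for row in table(expected_seconds):
        print("%-6d" % row[0], *("%.2f" % v for v in row[1:]))
    # Defender's view: how long must a password over a-zA-Z0-9 be to survive
    # ten years of this GPU, and how does a slow hash change the answer?
    print(min_length_for(62, TEN_YEARS))
    # Assumed: PBKDF2 with 200,000 iterations divides the guess rate by 200,000.
    print(min_length_for(62, TEN_YEARS, rate=RATE / 200_000))
```

Plugging in the post’s numbers, ten years of a 250 MHash/s attacker forces a 10-character password over a-zA-Z0-9; dividing the guess rate by 200,000 with an iterated hash brings the same margin down to 7 characters, which is the practical reason the hashing scheme matters more than the password policy in the salted-MD5 post above.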

What now?
Well you can crack MD5s at an extremely accelerated rate, so enjoy doing so responsibly (let your morals guide you :P). You could also explore the source code and make additions as you see fit; I am planning on modifying it to allow an extra parameter so that prefixes can be added if you already know how the password starts. This can be the case when someone has prefixed the password with a known salt.