######################################################### ######## The art of password brute forcing ############ ######################################################### NOTICE: This article' s intention is not to influence illegal activity but to educate the user of the theory behind brute forcing. This is a very important topic. Many software tools today utilise brute force techniques to acccomplish their task. Whether it be a portscanner, ip scanner, phreaking scanner or finally what interests us most(password cracker). It has many legitimate uses in society, particularly tools involved in security analysis. Now before we start, this paper is not a paper covering a huge topic so it will be fairly short. Brute force is simply taken to mean to try every possible combination of characters or nos in use in what we are dealing with until theres no more to try. For example say we have a secret number that has to be 2 nos. To know it we will need to try every no from 00-99(assuming base 10) until we encounter the correct one or one of those in the case of password cracking will be the correct password. Each digit could have anything from 0-9. An ip scanner will scan every node in a specific subnet/s. Each subnet has 255 nodes. That would be brute forcing the subnet. Three factors influence how long it will take to try every combination and they are: 1. The number base (or char range in our ascii passwd) 2. The length of the character string we are cracking 3. What the minimum pass length we start at and end with. This rule applies to either remote cracking or local. Obviously cpu speed and bandwidth would account but the above are more important and should be abided for any box fast or slow or speed of your communication. Now lets get to the point. Password cracking(brute force) is very similar to ip scanning. Except we increment the ASCII character code for each character at some point instead of the node no. In ip scanning, you know the way when the last octet of ip has reached 255 ? That the octet next to it is incremented by 1 and last octet set to 0 again and this continues on until 255 has been reached again and the whole cycle repeats itself. Checking for 255 is the condition used to determine when we have to reset the node back to 1 again. Well thats similar with password cracking also but because its not directly nos we are dealing with it will be slightly different. As a practical example lets try and crack a 3 char pass. To start off we must set each char to an ASCII code of 32(anything below this is control characters) and then stop at 127 because this is all our byte allows us(non extended ASCII), which is all of the possible chars allowed on our keyboard including meta-symbols(special chars). for(x=0; x<=passlen-1; x++) pass[x]=32; Now that thats done. Heres an example of what the brute force cycle must look like. INside the brackets represent our ASCII code. char 2(32) char 1(32) char 0(32) <----- first try char 2(32) char 1(32) char 0(33) <----- second try *we will skip and assume 127 of char 0 has been reached* char 2(32) char 1(32) char 0(127) <----- 95th try ^ |________ Max allowed code char 2(32) char 1(33) char 0(32) <----- 96th try ^ ^ | | | ------- set back to 32 ----------- incremented by 1 char 2(32) char 1(33) char 0(33) <------ 97th try ^ | ------ incremented by 1 *we will now skip and assume char 1 has reached 127* char 2(32) char 1(127) char 0(127) char 2(33) char 1(32) char 0(32) ^ | ------------------- Notice the change Not only have we changed position 2 but we also have reverted char 0 and 1 to code 32 again. This is how password cracking must be done in order to try all possible combinations. This will keep going in these steps. Once one of the chars has reached 127 then the char next to the left will get incremented by one and the char before one to left and all previous chars set back to 32 again. Now it should be plain to see that to brute force the above with a bitta maths in order it would take approximatelly (127-32)^3= 884736 trys. As the string length is increased, so is how long it will take to brute force. Can you imagine cracking a 12 char pass which would take around.. (127-32)^12= 540360087662636962890625 possible combinations And this is assuming you know the password is exactly 12 chars. If you start at a minimum of 8 and try every possible combination for each string length until 12 has been reached that is: (127-32)^8 + (127-32)^9 + (127-32)^10 + (127-32)^11 + (127-32)^12 Now this process is not very considerable if you intend to make a remote password cracker(but it is a realistic approach over a period of time), but if you have a local encryption string you can brute force it(with the speed of your own cpu cycles) if you know the encryption scheme being used and assuming its one way. You also have to rememeber if the password is stored in encrypted form then each combination generated in our iteration must be encrypted, tryed and checked against the ciphertext to see if it matches correct pass. This is the only methodology we can make use since all passwords used in authentication are one way. Although i do not do this in ma example. I do however show how to try every possible combination and the rules involved to achieve this. You could also reduce the time to brute it by reducing the char range from 32 - 127 to something like a range that only has uppercase and lowercase letters of the alphabet but we will not go into that here. Its just a possibility. Heres the final brute force engine i wrote for the purpose of this example. ---- cut ------ /* No of trys was 15264728.. Time elapsed = 0.751000 seconds CPU: intel celeron 1.2ghz ALso, a 5 char pass took amazingly 75 seconds No of trys was 1355121658.. Time elapsed = 75.208000 seconds Trys per second was 18018317.971492 When you add the encryption algorithm the time required to crack should be drastically increased. */ #include #include #include #include #include char *bruteforce(int passmax, int passmin); int count=0; char *passwd; #define MAXCHAR 127 #define MINCHAR 33 /* this code is copyrighted by Hi_tech_assassin, see pscode.com */ char *bruteforce(int passmax, int passmin) { char *pass=(char*)malloc(passmin); int position,x,found; /* since we can only do one increment per iteration we need a way of controling this*/ memset(pass, MINCHAR, passmin); pass[passmin]='\0'; for(x=passmin;x<=passmax;x++) { if(x>passmin) { realloc(pass, x); memset(pass, MINCHAR, x); pass[x]='\0'; } while(pass[0]\n\n", argv[0]); return 0; } start = clock(); passwd=argv[1]; printf("\nAttempting to brute force \"%s\"\n",passwd); printf("Should take approximatelly around %.0f trys\n\n",pow(MAXCHAR-MINCHAR,strlen(passwd))); if(pass=bruteforce(strlen(passwd), strlen(passwd)))printf("The correct password is \"%s\"", pass); elseprintf("Hard luck\n"); printf("\nNo of trys was %d\n", count); end = clock(); elapsed = ((double) (end - start)) / CLOCKS_PER_SEC; printf("Time elapsed = %f seconds\n",elapsed); if(elapsed >= 1)printf("Trys per second was %f\n\n", count / elapsed); else printf("\n"); return 0; } ---- cut ----- Should give you an idea of what we are talking about. Do remember when selecting passwords make sure they are as long as possible. The chars should be both uppercase and lowercase along with a few meta symbols. There is a trick actually that would make it almost impossible to crack ANY password. Most crackers do not include chars below 32 in brute force mode. Since its difficult to include these at any login prompt. But by doing so you have a way of eluding most brute force tools today if your password has one of these but it is very inconvenient. Still worth a mention though ? For a more comprehensive application and advanced example. Check out the remote multi threaded password cracker i wrote named dirtybrute which can be obtained from packetstorm. If you should notice any errors of mistakes in this text. Contact me below. Peace out ~ Author: Hi_Tech_Assassin Constact: hi_tech_assassin@hackermail.com EOF