Bruteforcing: There will always be a need.
Bruteforcing is something we've learned to take for granted lately. Maybe it's because we have so many tools available to brute force passwords for us. Or maybe we say things like: "Yeah, bruteforcers are so easy. I'll get around to writing one whenever I feel like it." But then we never seem to get around to it, and we quickly lose sight of why this type of attack is useful for a hacker to learn.
In the real world, I've never been so up to my eyes in MD5 hashes that I've had to use a rainbow table. I'm sure there are scenarios where one would be beneficial. But for every purpose I've seen, gaining access to real-world systems involved implementing something custom, on the fly and off the cuff. Predefined lists of hashed passwords were no help at all, and I found myself coding up simple bruteforcers built around a target-specific implementation. Let me give you an example:
Corporate meatpuppet Jim is the head peon for the local branch of Big Business Corp LTD (store number 1123), the company that delivers your never-ending supply of useful gadgets. But Jim is just the figurehead, not the person you see handing you gadgets every week. In fact, you've never even met Jim. Instead, you've become friends with Bill, the guy who drives the truck for Big Business Corp. Bill is a friendly, down-to-earth nine-to-fiver who's always willing to tell you the kind of crap he's going through at work. It seems there's always some sort of drama going on in the corporate world, and he always has a fresh load of gossip to give. But they don't treat Bill well at all, and he knows something doesn't look too bright in his future. The ties are tied too tight at BBCLTD, though, and they won't even give Bill a clue whether or not he should be looking for another job. His family could really use that information.
One day, curiosity bites you, and you decide to take the information Bill has given you and see what's happening at Big Business Corp for yourself. It dawns on you: "Hey! They let school children take tours of the facility on field trips, why wouldn't they allow one of their best customers to come down and take a look as well?" Long story short, you find yourself in Jim's office, listening to lame and contrived corporate BS that goes in one ear and out the other, when you stumble across some interesting information. It turns out that Jim is a forgetful guy who likes to write things down on sticky notes he posts haphazardly around the walls of his office. So, as he's filling your deaf ears with useless corporate garbage, you're looking around ... "trying to get a feel for the place" ... when you see, in big bold print:
Big Business Corp LTD - Primary Teleconferencing Hub
1-800-555-1234
user id = 1123
password = 123456#
alternate user id = 11231123
password = 654321#
Your hacker senses start tingling, and you draw some really good conclusions about this information:
1) - Whatever is being said on that hub is so important they needed to password protect the information.
2) - The user id is based on the store number.
3) - The password is extremely easy to replicate.
Now you start examining the problems.
1) - Jim's password may be old, and may have changed.
2) - Even if it's not, using the local branch to gain access may not be the wisest move you could make.
3) - There's no way Cain & Abel, or your good friend John (the Ripper), are going to help you with this.
There's only one solution now, and that's to whip up a quick and dirty bruteforcer that gives us the password for any branch. In this example, we need a system that tries different passwords for a given store number, converts each candidate into DTMF tones, and then either continues or breaks depending on the response we get from the hub's login prompt. Since this article isn't about turning strings into DTMF tones, I'm simply going to walk you through the things you need to know in order to write the bruteforcer.
First thing we need is a way to plug in every possible six-digit string. (Strictly speaking these are neither combinations nor permutations: order matters and digits may repeat, so what we enumerate is every six-character string over the keyspace.) We have a range of valid characters, in this case 0-9, arranged in an array six characters long. Since the keyspace is ten digits wide, that gives 10^6 possible passwords. That's only one million, which is a hell of a lot better than the astronomical keyspaces of some computer passwords. Still, every attempt here is a phone call that takes seconds to dial and answer, so a million candidates is days of dialling: order the keyspace so the likely ones (the store number, the two passwords from the sticky note, other keypad patterns) go first, and check whether the hub locks the account after repeated failures before you let the loop run free. Anyway, there are two ways we can enumerate the keyspace: an iterative approach or a recursive approach.
Nested loops only work when the password length is fixed at the time you write the code. When the length is unknown you need either recursion, or an iterative counter that carries from one position to the next like an odometer. In this case the length is known, so either will do. There's a lot to be said about iterative versus recursive approaches when it comes to speed and memory usage, but for a keyspace this size those concerns are theoretical. In any event, I'll show you both methods so that you're familiar with them.
For an iterative approach, we simply nest a set of for loops, like so:
Code
char password[8];                    /* six digits, the '#' the hub expects, and a NUL terminator */
void CheckPassword(char* password);  /* target-specific: dial the candidate and watch the response */

int lowChar = (int)'0';
int highChar = (int)'9';

void bruteforce6(void)
{
    for(int i = lowChar; i <= highChar; i++)
    {
        password[0] = (char)i;
        for(int j = lowChar; j <= highChar; j++)
        {
            password[1] = (char)j;
            for(int k = lowChar; k <= highChar; k++)
            {
                password[2] = (char)k;
                for(int l = lowChar; l <= highChar; l++)
                {
                    password[3] = (char)l;
                    for(int m = lowChar; m <= highChar; m++)
                    {
                        password[4] = (char)m;
                        for(int n = lowChar; n <= highChar; n++)
                        {
                            password[5] = (char)n;
                            password[6] = '#';   /* the hub's "enter" key */
                            password[7] = '\0';  /* NUL terminator */
                            CheckPassword( password );
                        }
                    }
                }
            }
        }
    }
}
That's a LOT of looping, but it can't really be avoided even with a recursive approach: the work is the size of the keyspace either way. Iterative approaches are generally faster, but the recursive approach is much cleaner, and its stack usage (one frame per character) only becomes a problem for passwords that are thousands of characters long. So a more universal solution might look something like this:
Code
int lowChar = (int)'0';
int highChar = (int)'9';
void CheckPassword(char* password);  /* target-specific check, as above */

/* Fill position pos with every keyspace character; recurse on the next
   position until the last one is filled, then hand the candidate over. */
void recurse(int pos, char* password, int length)
{
    int i = 0;
    for(i = lowChar; i <= highChar; ++i)
    {
        password[pos] = (char)i;
        if(pos < (length - 1))
        {
            recurse(pos + 1, password, length);
        }
        else
        {
            CheckPassword( password );
        }
    }
}

/* length characters plus the NUL terminator: a buffer of exactly
   length bytes would be written one past its end. */
void bruteforce(int length)
{
    char password[length + 1];
    password[length] = '\0';
    recurse(0, password, length);
}
In both of the above code examples, CheckPassword() is where we would write the code to convert the password into DTMF tones and monitor the hub's response. But it could be anything, including comparing two MD5 hashes. Keeping the check in one function makes the code more universal and much easier to read. Hopefully this all makes sense. ;)
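Both listings above hard-wire the digit keyspace and, in the iterative case, the password length. As an added example (not code from the original article), here is a C enumerator that handles an unknown length iteratively: the candidate is treated as a base-k counter and incremented with carry, so any charset and any length up to a fixed maximum work without nesting loops or recursing. The check is a callback in the role of the article's CheckPassword(); the match_target stand-in, the MAX_LEN limit and the target "654321" are constructed for this example, not taken from any real system.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum candidate length this enumerator supports (an assumption of the example). */
#define MAX_LEN 64

/* Callback in the role of the article's CheckPassword(): return non-zero on success.
   ctx carries whatever the check needs: a target string here, a modem handle or a
   hash in real use. */
typedef int (*check_fn)(const char *candidate, void *ctx);

/* Constructed stand-in check: plain string compare against a known target. */
static int match_target(const char *candidate, void *ctx) {
    return strcmp(candidate, (const char *)ctx) == 0;
}

/* Number of strings of length len over a k-symbol keyspace: k^len. */
uint64_t keyspace_size(uint64_t k, int len) {
    uint64_t n = 1;
    for (int i = 0; i < len; i++) n *= k;
    return n;
}

/* Enumerate every string of exactly len characters over charset, in lexicographic
   order, with no nested loops and no recursion. The index array is a base-k
   odometer: bump the last position, carry leftwards when it wraps.
   Returns the number of candidates tried; on success copies the match into out
   (which must hold len+1 bytes) and sets *found = 1. */
uint64_t brute_fixed_length(const char *charset, int len, check_fn check, void *ctx,
                            char *out, int *found) {
    int k = (int)strlen(charset);
    int idx[MAX_LEN] = {0};
    char cand[MAX_LEN + 1];
    uint64_t tries = 0;

    *found = 0;
    if (len <= 0 || len > MAX_LEN || k == 0) return 0;

    for (;;) {
        for (int i = 0; i < len; i++) cand[i] = charset[idx[i]];
        cand[len] = '\0';
        tries++;
        if (check(cand, ctx)) {
            memcpy(out, cand, (size_t)len + 1);
            *found = 1;
            return tries;
        }
        /* increment with carry; when the carry falls off the left end the keyspace is exhausted */
        int pos = len - 1;
        while (pos >= 0 && ++idx[pos] == k) {
            idx[pos] = 0;
            pos--;
        }
        if (pos < 0) return tries;
    }
}

/* Unknown length: sweep min_len..max_len, shortest (cheapest) keyspace first.
   Returns the total number of candidates tried across all lengths. */
uint64_t brute_all_lengths(const char *charset, int min_len, int max_len,
                           check_fn check, void *ctx, char *out, int *found) {
    uint64_t total = 0;
    *found = 0;
    for (int len = min_len; len <= max_len; len++) {
        int f = 0;
        total += brute_fixed_length(charset, len, check, ctx, out, &f);
        if (f) { *found = 1; break; }
    }
    return total;
}

int main(void) {
    char out[MAX_LEN + 1];
    int found;
    /* Constructed target: the alternate password from the sticky note, minus the '#'. */
    char target[] = "654321";
    uint64_t tries = brute_all_lengths("0123456789", 1, 6, match_target, target, out, &found);
    printf("keyspace 10^6 = %llu\n", (unsigned long long)keyspace_size(10, 6));
    printf("found=%d password=%s after %llu tries\n", found, found ? out : "-",
           (unsigned long long)tries);
    return 0;
}
```

Because candidates come out in lexicographic order, the try count doubles as a position in the keyspace: "654321" is the 654,322nd six-digit string, and sweeping lengths 1 through 6 first spends 111,110 attempts on the shorter keyspaces before it gets there. Against the hub you would replace match_target with the dial-and-listen routine, append the '#' before sending, and put the likely candidates ahead of the exhaustive sweep.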
As it turns out, Big Business Corp LTD did intend to fire Bill, those sorry bastards. But thanks to our help, Bill and his family don't have to worry, since we gave him that bit of information just in time for him to look for a new job. He still comes by every once in a while, but we've since found a better company for our own personal gadget needs.