
Topic: password checker 'Brute Force'

mikel0829

Oct 23, 2013, 08:05 am Last Edit: Oct 23, 2013, 08:13 am by Coding Badly Reason: 1
So I have this code I have used before in C++, but I cannot figure out how to get it to work on the Arduino. I'm trying to "see how secure my passwords are" and I'm using the Arduino as a dedicated processor to see how fast it can crack my password:


Code: [Select]
#include <iostream>
#include <string>
using namespace std;
// Candidate alphabet: a-z, 0-9, A-Z (62 characters).
char chars[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'};
const int numChars = sizeof(chars) / sizeof(chars[0]);
string t="mysuperpassword417938";
int s=0;
void checkPassword(string password);
void recurse(int width, int position, string baseString);

int main() {
  // cout << "Enter a string: " << endl;
  // cin >> t;

  int maxChars = 13;
  for(int i=0;i<maxChars+1;i++) {
    cout << "checking passwords width [" << i << "]..." << endl;
    recurse(i,0,"");
  }
  return 0;
}
// Append each character of the alphabet in turn and recurse until the
// candidate is 'width' characters long, testing every string built on the way.
void recurse(int width, int position, string baseString) {
  // Loop over the whole alphabet (the original bound of 10 only tried 'a'..'j').
  for(int i=0;i<numChars;i++) {
    if (position < width-1) {
      recurse(width, position + 1, baseString+chars[i]);
    }
    checkPassword(baseString+chars[i]);
  }
}
// Compare one candidate against the target string t.
void checkPassword(string password) {
  if (password==t) {
    cout << "match [" << password << "]" << endl;
    // exit(1);
  }
}


Any suggestions? :~ :~ :~


Moderator edit: [code] [/code] tags added.

Nick Gammon

Standard template library:

http://www.gammon.com.au/forum/?id=11119
Please post technical questions on the forum, not by personal message. Thanks!

More info:
http://www.gammon.com.au/electronics

HazardsMind

#2
Oct 23, 2013, 09:01 am Last Edit: Oct 23, 2013, 10:11 am by HazardsMind Reason: 1
Do you mean something like this?

Slight edit.
Code: [Select]
char input[30];
char output[30];
unsigned long startTime = 0, endTime = 0;
uint8_t i = 0, Clear = 0;
void setup(){
  Serial.begin(9600);
  Serial.println("Enter password followed by a period ' . ' ");
}

void loop() {
  if(Serial.available() > 0)
  {
    input[i] = Serial.read();
    //Serial.println(input);
    if(input[i] != '.')
    {
      // Stop advancing at the last slot so a long entry cannot write past input[29].
      if(i < sizeof(input) - 1) i++;
    }
    else
    {
      input[i] = '\0'; // replace the terminating period with a string terminator
      for(int j = 0; j < i; j++)
      {
        startTime = micros();
        // Try every ASCII code from '0' (48) to 'z' (122) for this position.
        for(char k = 48; k < 123; k++)
        {
          if(input[j] == k)
          {
            output[j] = k;
            endTime += micros() - startTime;
            break;
          }
        }
      }
      Serial.print("You entered: ");
      Serial.println(input);

      Serial.print("Code breaker found: ");
      Serial.println(output);

      Serial.print("Microseconds: ");
      Serial.println(endTime);

      // Reset the counters and clear both buffers, including the last element.
      i = 0, startTime = 0, endTime = 0, Clear = 0;
      while(Clear != sizeof(input))
      {
        input[Clear] = '\0';
        output[Clear] = '\0';
        Clear++;
      }
    }
  }
}
My GitHub:
https://github.com/AndrewMascolo?tab=repositories

el_supremo

The stack space required for each level of recursion is going to rapidly use up the limited amount of static ram on an Arduino. Using the String library makes the problem even worse.

Pete

radman

Quote
I'm trying to "see how secure my passwords are"


You would be better to look at existing password crackers.
In most cases the hacker does not have to find the exact password; he only has to find a password that generates the same hash as your actual password.

As passwords are often words, perhaps with numbers substituting for some characters, cracking is often done by pre-generating hashes for words from dictionaries. Those hashes are then compared with the hash of the real password. You should also look up Rainbow Tables, which are not dictionary based.


cjdelphi

Also, any decent server should have some form of delay, for example Incorrect password.. Delay(2000); this ensures that if an attack took place you may as well use a gameboy to hack with.

radman

Quote
Also any decent server should have some form of delay

Delays certainly make sense to protect the front door. However a lot of password hacking would be done by getting hold of the password file which might be accessible from an account to which the hacker already has access. Once that file has been obtained the hacker can then use brute force to try and find a string that generates the hash of other accounts such as the Administrator. Armed with a string that generates the same hash as the Administrator password (note the string and the password need not be the same) the hacker can then use the string at the front door and the delay offers no protection.
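
Added example (not part of any post in this thread): radman's points about pre-generated hashes and a stolen password file, seen from the side of whoever stores the passwords. The word list, the two accounts and the iteration count are constructed for illustration; only Python standard-library calls are used.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune to your hardware


def fast_unsalted(password):
    """Weak storage: one fast, unsalted digest. Equal passwords share a hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password):
    """Stronger storage: per-account random salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def table_hits(precomputed, stored_hashes):
    """Words whose pre-generated hash appears among the stored hashes."""
    return [precomputed[h] for h in stored_hashes if h in precomputed]


if __name__ == "__main__":
    # Constructed data: a tiny word list and two accounts sharing one password.
    table = {fast_unsalted(w): w for w in ("password", "letmein", "autumn")}
    weak_file = [fast_unsalted("letmein"), fast_unsalted("letmein")]
    strong_file = [make_record("letmein"), make_record("letmein")]

    print("unsalted hits:", table_hits(table, weak_file))
    print("salted hits:  ", table_hits(table, [r["hash"].hex() for r in strong_file]))
    print("same stored value:", strong_file[0]["hash"] == strong_file[1]["hash"])
    print("login ok:", verify("letmein", strong_file[0]))
```

With a per-account salt, one pre-generated table no longer covers the whole file: the word list has to be re-hashed for each account, at the cost of the slow KDF every time.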

mikel0829


Also, any decent server should have some form of delay, for example Incorrect password.. Delay(2000); this ensures that if an attack took place you may as well use a gameboy to hack with.


So you're saying any account can be hacked with any password as long as the password provided creates the same hash as yours does?

Then wtf?!? Why is it so easy to break in? I am working on this because I have been identity thefted and am trying to make a better password.
So how do I check what hash is created by my password??

Nick Gammon

There are password checking sites:

http://www.passwordmeter.com/

Don't use your actual password, but something of a similar design.

Nixie Pixel has an interesting chat about passwords:

http://www.youtube.com/watch?v=cWPhebDXRHg

Quote

So you're saying any account can be hacked with any password as long as the password provided creates the same hash as yours does?


If you have a good password it is unlikely the hash will match another one, because hashes tend to be long.

cjdelphi

Md5, base64 etc

Generally create a hash, a long "unique" string.

However, it's not somewhere some you'll get duplicate hash values but don't worry even so it's going to be difficult to crack.


Best way is to exploit the server (as suggested)

SirNickity

No hash is guaranteed to be 100% unique.  After all, if you're using a 64-bit hash, how could it possibly produce unique hashes for all inputs longer than 64 bits?  The security is based on the fact that a collision in a 64-bit space is statistically very unlikely.  Basically, you can try every brute-force combination of characters looking for an input that happens to generate the same hash, but you're statistically just as likely to have generated the actual original content if and when your brute force attack actually succeeds.

Obviously, if your "hash" is a 7-bit CRC, the chance of collision is way higher.  This is why SHA-1 and its ilk are better than MD5.  SHA-1 produces a 160-bit hash.  Good luck finding a collision in your lifetime.

BTW, using an Arduino to brute-force passwords will be nothing more than an academic exercise.  I tried to recover a password on a router once, having the config file but not the original password.  I didn't want to erase the config because it was a production device.  I didn't want to reset the password because it was used for VPNs and I would have to change all the remote ends too.  So I tried to brute-force it using a well-optimized cracker on a dual-core 2.4GHz CPU.  It went for days and days and days when I finally gave up.  I don't remember exactly how many digits it had gotten up to, but it wasn't very many.  Not nearly enough for the length of passwords I was using.

Using a 10-digit long password for example makes it unlikely for an individual with limited patience to crack.  A server farm or botnet can increase the possibility of finding a match, but every digit beyond that makes it increasingly closer to impossible using current technology.  An Arduino is wholly unsuited for that kind of task.  (If it ever finds a match, you really need to reconsider your method of creating passwords.)
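
Added example (not part of any post in this thread): a worst-case estimate of how long exhaustive search takes as length and character classes grow, comparing a throttled login with an offline attack on a stolen hash. The online rate uses the Delay(2000) figure mentioned earlier in the thread; the offline rate is an assumed round number, and "x7#Q" is a constructed sample.

```python
import string

# Character classes used to size the search alphabet (space counted as a symbol).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

ONLINE_RATE = 1 / 2.0   # one guess per 2 s, the Delay(2000) figure from the thread
OFFLINE_RATE = 1e9      # assumed guesses per second against a stolen fast hash


def alphabet_size(password):
    """Combined size of every character class the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def keyspace(password):
    """Number of candidates of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst case for exhaustive search; word-based guessing can be far quicker."""
    return keyspace(password) / guesses_per_second


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.3g} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # "x7#Q" is constructed; the other two are the examples given in the thread.
    for pw in ("x7#Q", "emw122AE!!", "Autumn_5ea50n_0f_m15t#"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"online {human(seconds_to_exhaust(pw, ONLINE_RATE))}, "
              f"offline {human(seconds_to_exhaust(pw, OFFLINE_RATE))}")
```

The figures are an upper bound on strength: they assume the attacker has nothing better than trying every string, which is not true for passwords built from dictionary words.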

radman

Brute Force and Dictionary attacks attempt to create a password that generates the same hash as your actual password.

Rainbow Tables work in reverse. They look at the hash and then attempt to generate a password.

This link gives good background:
http://en.wikipedia.org/wiki/Rainbow_table

Quote
how do I check what hash is created by my password??

Don't worry about that, just make your password strong.
To make it strong don't use words or names.
Do make it long, mix upper and lower case and include digits and other special characters.

That of course makes it difficult to remember your password!

To get round that a good strategy is to use a phrase that you can remember easily then change and add characters. For example you might use a line of poetry, a book title, or a film title.
e.g. you might start with "Autumn season of mist" and create the password "Autumn_5ea50n_0f_m15t#"

Another strategy is to hide your password in plain view, for example "emw122AE!!" is my monitor model written backwards with a couple of exclamations on the end. It cannot be cracked by a Dictionary attack as it is not word based, and it would be difficult to Brute Force because it is a reasonably long alphanumeric with upper and lower case and special characters. At the same time I could easily remember it because it is more or less written right in front of me.

Do not use the same password on several sites. A site owner may well be able to see your password in plaintext. Once somebody knows your password for one site they will try it on others e.g. gmail, twitter, facebook.

Identity theft is a bit different from getting your password. Keep your personal information private. You can give made-up info to sites as long as you keep a record of what you gave  ]:)



SirNickity

It bears repeating to use long and obvious-to-you passwords.  They may be "simple", but they're much harder to crack than complicated, short passwords.

For the first few days of using a new password, I'll often write it down amidst some notes.  I know where to look for it, but everyone else would just see it as a random scrawl.  One example from long ago, on a printed sheet of a Windows Updates MSKB article:  "C:\Windows\System32".  That was my password.  No one would've thought twice.  It's long, and it uses uppercase, lowercase, numbers, and symbols.

Nick Gammon

Great idea! I have a good one, too:

Code: [Select]

avrdude: stk500_getsync(): not in sync: resp=0x00


Most people will have that lying around ... and who would guess, eh?

PeterH


So I have this code I have used before in C++, but I cannot figure out how to get it to work on the Arduino. I'm trying to "see how secure my passwords are" and I'm using the Arduino as a dedicated processor to see how fast it can crack my password:


Unless you're expecting somebody to use an Arduino to crack your password (which would be a weird thing for them to do), is there any reason to do this on an Arduino? The algorithm would be easier and quicker to develop on a PC and would run massively faster.
I only provide help via the forum - please do not contact me for private consultancy.
