Brute force password cracker for a specific username on a computer

Would it be feasible to make a brute force password cracker with an Arduino where I plugged it into the USB and it could cycle through all the passwords to the computer under a specific username?
What microcontroller would I use, and where could I find the code, and if not, what is the most similar project I could do to familiarize myself with such an area?
Thanks for your time,
goacego

It's feasible to make the device (don't expect to get much help with it), but you have to ask yourself how it knows when to stop.

Ok. Why would people be reluctant to help me? This isn't a malicious device; a friend and I are having a "hacking" competition, so we are both ok with this.

If the security on the target computer has been done to even the oldest BSI/ISO standards, then not in your lifetime.

Mark

You should probably also try to calculate how many possibilities & permutations there are and estimate how long it's going to take... I assume there is a limit to how fast you can "type" into Windows. The average cracking time is the amount of time it takes to run-through half of the password possibilities. The actual cracking time will have a random "luck" factor.

Many years ago (when computers were slower) I wrote a program to find the "best fit" for a particular situation where there were typically 2,000 to 32,000 "binary" possibilities, with some simple calculations for each possibility. It took several hours and I usually ran it overnight.

With case-sensitive alphanumeric passwords (and I think you can have passwords up to 127 characters) there are lots more possibilities. Computers are much faster now, but I think you'll be limited by "keyboard" speed (or possibly by Arduino speed).

Would it be feasible to make a brute force password cracker with an Arduino where I plugged it into the USB and it could cycle through all the passwords to the computer under a specific username?

No, an Arduino cannot hold all the passwords...
hint: there are more passwords possible than there are atoms in the universe

If you want a really good hacking contest:
write an Arduino sketch that outputs its own source code.
(so when you compile it you can do it again and again etc)

hint: there are more passwords possible than there are atoms in the universe

This is actually a fact. He's not exaggerating.

Now, if you and your friend are trying to crack each others passwords for kicks and giggles, you could agree to only use 4 letter passwords, and only standard lowercase letters with no symbols. That might be feasible.

Post the results of the competition and let us know how long it took, and what the password was if you would, if you go through with it.

As already said, unless you have very poor, easy passwords, it will take a long time. Personally, my method of password generation is one that is cryptic in general, but extremely easy to remember! Sounds like an oxymoron, but I use the first letter of each word of a phrase or sentence. For example, "Mary had a little lamb" will yield "mhall". Even though it's only 5 letters long, it still would take a while, as most password crackers use dictionaries, although the above would be bad in that it does contain a real word, "hall".

Take a phrase from your favorite book - easy to remember.

And whatever you do, do not use the same password for everything, this way if someone does crack a password, they only have access to that one area.

And as also stated, how would you know when to stop (when it's successful)? You would also have to put a delay in between each try to allow time for it to decide it's wrong and come back to the login again.

There was a very similar post made about a year ago on brute force password cracking.

See here: http://forum.arduino.cc/index.php?topic=209030.0

goacego:
Ok. Why would people be reluctant to help me? This isn't a malicious device; a friend and I are having a "hacking" competition, so we are both ok with this.

If you're a hacker, wouldn't you be able to do this by yourself? By seeking help here, aren't you cheating on this "competition"?

Anyhow, even if you could connect an NVidia Tesla K80 to a USB port and it started to break the password immediately, it would still take a few centuries to break a moderately difficult NTLM password.

If you can create a 4-way SLI machine, with 4 x NVidia Titan Z (which totals 23,040 cores), you might reduce that time to a few decades or a century, but you still might run out of luck with slightly more complex passwords.

Where I want to get to is: even with heavily parallelized processing, it will take ages (if not eras) to break some complex passwords. With a tiny, weak microcontroller, you can forget about that.

Now, if you're a real hacker - and not to say nobody here gave you any help - you might want to try and port John The Ripper to Arduino. Good luck with that, though.

If you and your friend are both using Windows XP, which still uses NTLM v1, you can just use the challenge-response approach (which is a vulnerability in Windows XP and previous versions of NT). The algorithm for it can be easily found on Google. Don't expect it to run on Arduino, however.

Mixed-case-alpha-numeric, exactly eight characters, one password tested each processor clock cycle (which is impossible)...
(((26+26+10)^8)/16000000)/60/60/24 = ~158 days

You and your friend are going to be waiting a long time (years) to finish even this simplified version.

What microcontroller would I use...

Teensy (any AVR processor with a USB pad) is an excellent choice for keyboard / mouse emulation.
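The keyspace arithmetic from the replies above (half the keyspace on average, the 4-lowercase-letter case, and the 62^8 / 16,000,000 estimate), generalized as an added example that is not code from any poster in this thread. Function names are hypothetical, and the 0.5 guesses per second "keyboard-paced" rate is an assumed figure, not a measurement.

```python
# Added example: keyspace and time-to-exhaust estimator (not from the thread).
SECONDS_PER_DAY = 60 * 60 * 24


def keyspace(alphabet_size, min_len, max_len):
    """Count candidate passwords whose length is in [min_len, max_len]."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def exhaust_days(candidates, guesses_per_second):
    """Worst case: days to try every candidate once at a constant rate."""
    return candidates / guesses_per_second / SECONDS_PER_DAY


def average_days(candidates, guesses_per_second):
    """Expected case for a uniformly random password: half the keyspace."""
    return exhaust_days(candidates, guesses_per_second) / 2


def min_length_to_resist(alphabet_size, guesses_per_second, target_days):
    """Smallest fixed length whose average search time reaches target_days."""
    length = 1
    while average_days(alphabet_size ** length, guesses_per_second) < target_days:
        length += 1
    return length


# Scenarios: (label, alphabet size, length, guesses per second).
# 16_000_000/s is the thread's one-guess-per-clock-cycle figure; 0.5/s is an
# assumed keyboard-paced rate (one attempt every two seconds), not measured.
SCENARIOS = [
    ("4 lowercase letters, keyboard-paced", 26, 4, 0.5),
    ("8 mixed-case alphanumeric, 16 MHz ideal", 62, 8, 16_000_000),
    ("8 mixed-case alphanumeric, keyboard-paced", 62, 8, 0.5),
]


def report():
    rows = []
    for label, alphabet, length, rate in SCENARIOS:
        n = keyspace(alphabet, length, length)
        rows.append((label, n, exhaust_days(n, rate), average_days(n, rate)))
    return rows


if __name__ == "__main__":
    for label, n, worst, avg in report():
        print(f"{label}: {n:,} candidates, worst {worst:,.1f} d, avg {avg:,.1f} d")
    print("min length, 62 symbols @ 16 MHz, 100 years:",
          min_length_to_resist(62, 16_000_000, 36_500))
```

`min_length_to_resist` turns the same arithmetic into a password-policy check: given an alphabet and an assumed guess rate, it returns the shortest length whose average search time meets a chosen target.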

Really?

Just boot from the Mint live disk or flash drive.

You can either examine the whole disk, or remove the password to the given account.

{Ooh! Am I telling secrets here? Good use for old 1GB flash drives.}

Or you can take an approach similar to the one that Feynman (yes, that Feynman) used when he was working on the Manhattan Project at Los Alamos.

Safe Cracking with Feynman - Numberphile - YouTube (Another NumberPhile Video!, thank you HeliBob for my latest addiction!)

TLDR: If there's a chance that your friend used a password that has personal reference to himself, you can create a list of possible base passwords, and then cycle through various permutations of each one. You can reduce an infinite list down to a "manageable" one with some intuition.