Jump to content
puskin

PhpBB3 hash bruteforce

By puskin, in Exploituri

Recommended Posts

puskin Newbie

puskin

Posted
Posted 


#!/usr/bin/php
<?php
set_time_limit(0);

echo "///////////////////////////////////////////////\r\n";
echo "//         PHPBB3 Bruteforce             //\r\n";
echo "//  Original bruteforce script by Tux      //\r\n";
echo "//     Moded for Phpbb3 by Jeforce     //\r\n";
echo "//     [url]http://www.jeforce.net[/url]            //\r\n";
echo "////////////////////////////////////////////\r\n";

if ($argc<2 || $argv[1]=='--help') {
    echo<<<END
USAGE: {$argv[0]} 'hash' chars
    - hash        : The hash to crack
    - chars        : Max length string to attempt to crack

HELP: {$argv[0]} --help


END;
    exit;
}
//Fonction PHPBB3

function _hash_crypt_private($password, $setting, &$itoa64)
{
$output = '*';
// Check for correct hash
if (substr($setting, 0, 3) != '$H$')
{return $output;}

$count_log2 = strpos($itoa64, $setting[3]);
if ($count_log2 < 7 || $count_log2 > 30)
{return $output;}
$count = 1 << $count_log2;
$salt = substr($setting, 4, 8);
if (strlen($salt) != 8)
{return $output;}

$hash = pack('H*', md5($salt . $password));
do
{
$hash = pack('H*', md5($hash . $password));
}
while (--$count);
$output = substr($setting, 0, 12);
$output .= _hash_encode64($hash, 16, $itoa64);
return $output;
}
function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
{
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
{$iteration_count_log2 = 8;}
$output = '$H$';
$output .= $itoa64[min($iteration_count_log2 + ((PHP_VERSION >= 5) ? 5 : 3), 30)];
$output .= _hash_encode64($input, 6, $itoa64);
return $output;
}

/**
* Encode hash
*/
function _hash_encode64($input, $count, &$itoa64)
{
$output = '';
$i = 0;
do
{
$value = ord($input[$i++]);
$output .= $itoa64[$value & 0x3f];
if ($i < $count)
{$value |= ord($input[$i]) << 8;}
$output .= $itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count)
{break;}
if ($i < $count)
{$value |= ord($input[$i]) << 16;}
$output .= $itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count)
{break;}
$output .= $itoa64[($value >> 18) & 0x3f];
}
while ($i < $count);
return $output;
}
function phpbb_check_hash($password, $hash)
{
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if (strlen($hash) == 34)
{
return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
}
return (md5($password) === $hash) ? true : false;
}

//if(isset($argv[4])) $charset=$argv[4];
//else $charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

$charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$charset_beginning = $charset{0};
$charset_end = $charset{strlen($charset)-1};

//$HASH = '$H$99i1.eNyzhGdi5/lAnKnSjU8iIABC80';
// $SIZE = (int) $_GET['chars'];
$HASH = $argv[1];
$SIZE = (int) $argv[2];

$start = time()-1;
$curtotal=0;
$total=0;
for($i=$SIZE; $i>0; $i--) $total+=pow(strlen($charset), $i);
$split=ceil(($total/strlen($charset))/5);


echo " *** MAX SIZE: $SIZE, cracking HASH: $HASH\r\n";
echo " *** TOTAL KEYS: $total\r\n";
echo " *** CHARSET: $charset\r\n";

for($i=1; $i<=$SIZE; $i++) {
    $keyspace = pow(strlen($charset), $i);
    echo "\r\nAttempting to crack with $i characters.\r\n";
    echo " *** Total combinations: $keyspace\r\n";

    $key = '';
    for ($y=0; $y<$i; $y++) $key .= $charset_beginning;

    for ($x=0; $x<$keyspace+1; $x++) {
        $curtotal++;

        if (phpbb_check_hash($key, $HASH)) {
            $time=(time()-$start);
            echo<<<END

Successfully key cracked after $time seconds. The cracker searched a total
of $curtotal keys out of a possible $total in $time seconds.

Found the clear text of '$HASH' is '$key'.\n
END;
            exit;
        }

        if($x%$split == 0) {
            $rate=ceil($curtotal/(time()-$start));
            echo " ... $curtotal/$total ($key) [$rate Keys/second]\r\n";
        }

        for ($y=0; $y<$i; $y++) {
            if ($key[$y] != $charset_end) {
                $key[$y] = $charset{strpos($charset, $key[$y])+1};

                if ($y > 0)  for ($z = 0; $z < $y; $z++) $key[$z] = $charset_beginning;
                break;
            }
        }
    }
}
$time=time()-$start;
echo<<<END
*** SORRY NO MATCHS FOUND
    Time running : $time. Keys searched : $total.\n
END;
?>

Usage:


php script.php 'hash' chars

Example


jeforce@localhost:/var/www$ php5 phpbb3bruteforce.php '$H$9th2E96doaV4kIqYd8tH4kNdSdaXR4.' 4
///////////////////////////////////////////////
// PHPBB3 Bruteforcer //
// Original bruteforce script by Tux //
// Moded for Phpbb3 by Jeforce //
// [url]http://www.jeforce.net[/url] //
////////////////////////////////////////////
*** MAX SIZE: 4, cracking HASH: $H$9th2E96doaV4kIqYd8tH4kNdSdaXR4.
*** TOTAL KEYS: 15018570
*** CHARSET: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

Attempting to crack with 1 characters.
*** Total combinations: 62
... 1/15018570 (a) [1 Keys/second]

Attempting to crack with 2 characters.
*** Total combinations: 3844
... 64/15018570 (aa) [64 Keys/second]

Successfully key cracked after 12 seconds. The cracker searched a total
of 3434 keys out of a possible 15018570 in 12 seconds.

Found the clear text of '$H$9th2E96doaV4kIqYd8tH4kNdSdaXR4.' is 'w2'.

Credit:http://www.h4cky0u.org

sau:



<?
function phpbb_hash($password)
{
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

$random_state = unique_id();
$random = '';
$count = 6;

if (($fh = @fopen('/dev/urandom', 'rb')))
{
$random = fread($fh, $count);
fclose($fh);
}

if (strlen($random) < $count)
{
$random = '';

for ($i = 0; $i < $count; $i += 16)
{
$random_state = md5(unique_id() . $random_state);
$random .= pack('H*', md5($random_state));
}
$random = substr($random, 0, $count);
}

$hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

if (strlen($hash) == 34)
{
return $hash;
}

return md5($password);
}

function unique_id($extra = 'c')
{
static $dss_seeded = false;
global $config;

$val = $config['rand_seed'] . microtime();
$val = md5($val);
$config['rand_seed'] = md5($config['rand_seed'] . $val . $extra);

if ($dss_seeded !== true && ($config['rand_seed_last_update'] < time() - rand(1,10)))
{
$config['rand_seed_last_update']=time();
$dss_seeded = true;
}

return substr($val, 4, 16);
}
function _hash_crypt_private($password, $setting, &$itoa64)
{
$output = '*';

// Check for correct hash
if (substr($setting, 0, 3) != '$H$')
{
return $output;
}

$count_log2 = strpos($itoa64, $setting[3]);

if ($count_log2 < 7 || $count_log2 > 30)
{
return $output;
}

$count = 1 << $count_log2;
$salt = substr($setting, 4, 8);

if (strlen($salt) != 8)
{
return $output;
}

/**
* We're kind of forced to use MD5 here since it's the only
* cryptographic primitive available in all versions of PHP
* currently in use. To implement our own low-level crypto
* in PHP would result in much worse performance and
* consequently in lower iteration counts and hashes that are
* quicker to crack (by non-PHP code).
*/


$hash = pack('H*', md5($salt . $password));
do
{
$hash = pack('H*', md5($hash . $password));
}
while (--$count);


$output = substr($setting, 0, 12);
$output .= _hash_encode64($hash, 16, $itoa64);

return $output;
}
function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
{
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
{
$iteration_count_log2 = 8;
}

$output = '$H$';
$output .= $itoa64[min($iteration_count_log2 + ((PHP_VERSION >= 5) ? 5 : 3), 30)];
$output .= _hash_encode64($input, 6, $itoa64);

return $output;
}

/**
* Encode hash
*/
function _hash_encode64($input, $count, &$itoa64)
{
$output = '';
$i = 0;

do
{
$value = ord($input[$i++]);
$output .= $itoa64[$value & 0x3f];

if ($i < $count)
{
$value |= ord($input[$i]) << 8;
}

$output .= $itoa64[($value >> 6) & 0x3f];

if ($i++ >= $count)
{
break;
}

if ($i < $count)
{
$value |= ord($input[$i]) << 16;
}

$output .= $itoa64[($value >> 12) & 0x3f];

if ($i++ >= $count)
{
break;
}

$output .= $itoa64[($value >> 18) & 0x3f];
}
while ($i < $count);

return $output;
}

function phpbb_check_hash($password, $hash)
{
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if (strlen($hash) == 34)
{
return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
}

return (md5($password) === $hash) ? true : false;
}

$val=phpbb_hash('admin123');

if(phpbb_check_hash("admin123", $val))
{
echo "Value is true";
}
else
{
echo "val is false";
}
#."<br>".phpbb_hash('admin123');

?>
[quote][/quote]

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...