The art of password brute forcing

[Fatal1ty]

NOTICE: This article' s intention is not to influence

illegal activity but to educate the user of the theory

behind brute forcing.

This is a very important topic. Many software tools today

utilise brute force techniques to acccomplish their task.

Whether it be a portscanner, ip scanner, phreaking scanner

or finally what interests us most(password cracker). It

has many legitimate uses in society, particularly tools

involved in security analysis. Now before we start, this

paper is not a paper covering a huge topic so it will be

fairly short.

Brute force is simply taken to mean to try every possible

combination of characters or nos in use in what we are

dealing with until theres no more to try. For example say

we have a secret number that has to be 2 nos. To know it

we will need to try every no from 00-99(assuming base 10)

until we encounter the correct one or one of those in the

case of password cracking will be the correct password.

Each digit could have anything from 0-9.

An ip scanner will scan every node in a specific subnet/s.

Each subnet has 255 nodes. That would be brute forcing

the subnet.

Three factors influence how long it will take

to try every combination and they are:

1. The number base (or char range in our ascii passwd)

2. The length of the character string we are cracking

3. What the minimum pass length we start at and end with.

This rule applies to either remote cracking or local.

Obviously cpu speed and bandwidth would account but

the above are more important and should be abided for

any box fast or slow or speed of your communication.

Now lets get to the point.

Password cracking(brute force) is very similar to ip

scanning. Except we increment the ASCII character code

for each character at some point instead of the node no.

In ip scanning, you know the way when the last octet of

ip has reached 255 ? That the octet next to it is

incremented by 1 and last octet set to 0 again and this

continues on until 255 has been reached again and the

whole cycle repeats itself. Checking for 255 is the

condition used to determine when we have to reset the

node back to 1 again. Well thats similar with

password cracking also but because its not directly nos

we are dealing with it will be slightly different.

As a practical example lets try and crack a 3 char pass.

To start off we must set each char to an ASCII code of

32(anything below this is control characters) and then

stop at 127 because this is all our byte allows

us(non extended ASCII), which is all of the possible

chars allowed on our keyboard including

meta-symbols(special chars).

for(x=0; x<=passlen-1; x++)

pass[x]=32;

Now that thats done. Heres an example of what the brute

force cycle must look like. INside the brackets represent

our ASCII code.

char 2(32) char 1(32) char 0(32) <----- first try

char 2(32) char 1(32) char 0(33) <----- second try

*we will skip and assume 127 of char 0 has been reached*

char 2(32) char 1(32) char 0(127) <----- 95th try

^

|________ Max allowed code

char 2(32) char 1(33) char 0(32) <----- 96th try

^ ^

| |

| ------- set back to 32

----------- incremented by 1

char 2(32) char 1(33) char 0(33) <------ 97th try

^

|

------ incremented by 1

*we will now skip and assume char 1 has reached 127*

char 2(32) char 1(127) char 0(127)

char 2(33) char 1(32) char 0(32)

^

|

------------------- Notice the change

Not only have we changed position 2 but we also have

reverted char 0 and 1 to code 32 again. This is how

password cracking must be done in order to try all

possible combinations.

This will keep going in these steps. Once one of the

chars has reached 127 then the char next to the left

will get incremented by one and the char before one

to left and all previous chars set back to 32 again.

Now it should be plain to see that to brute force the

above with a bitta maths in order it would take

approximatelly (127-32)^3= 884736 trys.

As the string length is increased, so is how long it

will take to brute force. Can you imagine cracking

a 12 char pass which would take around..

(127-32)^12= 540360087662636962890625 possible

combinations

And this is assuming you know the password is exactly

12 chars. If you start at a minimum of 8 and try every

possible combination for each string length until 12

has been reached that is:

(127-32)^8

+

(127-32)^9

+

(127-32)^10

+

(127-32)^11

+

(127-32)^12

Now this process is not very considerable if you

intend to make a remote password cracker(but it

is a realistic approach over a period of time), but

if you have a local encryption string you can brute

force it(with the speed of your own cpu cycles) if

you know the encryption scheme being used and

assuming its one way.

You also have to rememeber if the password is stored

in encrypted form then each combination generated in

our iteration must be encrypted, tryed and checked

against the ciphertext to see if it matches correct

pass. This is the only methodology we can make use

since all passwords used in authentication are one

way. Although i do not do this in ma example. I do

however show how to try every possible combination

and the rules involved to achieve this.

You could also reduce the time to brute it by reducing

the char range from 32 - 127 to something like a range

that only has uppercase and lowercase letters of the

alphabet but we will not go into that here. Its just

a possibility.

Heres the final brute force engine i wrote for the

purpose of this example.

---- cut ------

/*

No of trys was 15264728..

Time elapsed = 0.751000 seconds

CPU: intel celeron 1.2ghz

ALso, a 5 char pass took amazingly 75 seconds

No of trys was 1355121658..

Time elapsed = 75.208000 seconds

Trys per second was 18018317.971492

When you add the encryption algorithm the time

required to crack should be drastically

increased.

*/

#include

#include

#include

#include

#include

char *bruteforce(int passmax, int passmin);

int count=0;

char *passwd;

#define MAXCHAR 127

#define MINCHAR 33

/* this code is copyrighted by Hi_tech_assassin, see pscode.com */

char *bruteforce(int passmax, int passmin)

{

char *pass=(char*)malloc(passmin);

int position,x,found;

/* since we can only do one increment per

iteration we need a way of controling this*/

memset(pass, MINCHAR, passmin);

pass[passmin]=' ';

for(x=passmin;x<=passmax;x++)

{

if(x>passmin)

{

realloc(pass, x);

memset(pass, MINCHAR, x);

pass[x]=' ';

}

while(pass[0]

", argv[0]);

return 0;

}

start = clock();

passwd=argv[1];

printf("

Attempting to brute force "%s"

",passwd);

printf("Should take approximatelly around %.0f trys

",pow(MAXCHAR-MINCHAR,strlen(passwd)));

if(pass=bruteforce(strlen(passwd),

strlen(passwd)))printf("The correct password is "%s"", pass);

elseprintf("Hard luck

");

printf("

No of trys was %d

", count);

end = clock();

elapsed = ((double) (end - start)) / CLOCKS_PER_SEC;

printf("Time elapsed = %f seconds

",elapsed);

if(elapsed >= 1)printf("Trys per second was %f

", count / elapsed);

else printf("

");

return 0;

}

---- cut -----

Should give you an idea of what we are talking about.

Do remember when selecting passwords make sure they

are as long as possible. The chars should be both

uppercase and lowercase along with a few meta

symbols.

There is a trick actually that would make it almost

impossible to crack ANY password. Most crackers do

not include chars below 32 in brute force mode. Since

its difficult to include these at any login prompt.

But by doing so you have a way of eluding most brute

force tools today if your password has one of these

but it is very inconvenient.