Fi8sVrs

MorxCrack - CMS password cracking tool


Description:

MorxCrack is a cracking tool written in Perl to perform a dictionary-based attack on various hashing algorithms and CMS salted passwords.

As of version 1.1 MorxCrack supports the following algorithms:

  • MD5
  • MD5 (Twice)
  • MD5 (PasswordSalt)
  • MD5 (SaltPassword)
  • SHA1
  • SHA1 (Twice)
  • SHA1 (PasswordSalt)
  • SHA1 (SaltPassword)
  • SHA2 (256 Bits)
  • SHA2 (512 Bits)
  • MySQL (4.1+)
  • Crypt UNIX (Shadow)

And the following CMS:

  • Joomla
  • Wordpress (PHPass)
  • VBulletin
  • InvisionPowerBoard

Author:

Simo Ben youssef <Simo_at_morxploit_dot_com>

MorXploit Research

Version:

MorXCrack V1.1 Beta

MD5: 14d0295d3c9b7fd96f5ff2e8b9ca43a8

Release date:

April 08 2013

Download:

#!/usr/bin/perl -w
#
# Tool: MorxCrack v1.1
# Author: Simo Ben youssef
# Contact: simo_at_morxploit_dot_com
# Release date: 24 March 2013
# MorXploit Research
# http://www.morxploit.com
#
# Download:
# http://www.morxploit.com/morxcrack
#
# v1.1 Changes:
# Added crack stats.
#
# Description:
# Tool written in perl to perform a dictionary-based attack on various hashing algorithms and CMS salted-passwords.
#
# Currently supports the following algorithms:
# MD5
# MD5 (twice)
# SHA1
# SHA2 (256/512)
# MySQL (4.1+)
# Crypt UNIX (Shadow)
#
# Currently supports the following CMS:
# Joomla
# Wordpress (PHPass)
# VBulletin
# InvisionPowerBoard
#
# Usage:
# perl morxcrack.pl <algorithm> <hash> <wordlist> <salt>
# perl morxcrack.pl sha hash wordlist
# perl morxcrack.pl crypt 'hash' wordlist
# perl morxcrack.pl wordpress 'hash' wordlist
# perl morxcrack.pl mysql hash wordlist
# perl morxcrack.pl md5twice hash wordlist
#
# For CMS hashes, a salt is required.
#
# Usage:
# perl morxcrack.pl joomla hash wordlist salt
# perl morxcrack.pl vb hash wordlist salt
# perl morxcrack.pl ipb hash wordlist salt
#
# Except for wordpress
# perl morxcrack.pl wordpress 'hash' wordlist
#
# Important note:
# Shadow file and Wordpress hashes need to be put between single quotes to avoid shell interpretation of $ character
#
# Modules:
# Requires SHA, MD5 and PHPass modules.
#
# Install if missing:
# perl -MCPAN -e 'install Authen::Passphrase::PHPass'
# perl -MCPAN -e 'install Digest::SHA'
# perl -MCPAN -e 'install Digest::MD5'
#
# Test on a Pentium® Dual-Core CPU T4500 @ 2.30GHz * 2 processor using md5 and a 3917096 wordlist:
#
# perl morxcrack.pl md5 83583d2b5ea4078b9b83f82254e5d564 all.txt
#
# [*] Hashed password set to 83583d2b5ea4078b9b83f82254e5d564
# [*] Algorithm/CMS set to md5
# [*] Wordlist set to all.txt
#
# [+] Cracking ...
#
############################################################
# [+] Your password is morxploit
# [+] found at line 3917096
# [+] Job took 16 seconds
############################################################
#
#
# Author disclaimer:
# This code and all information contained in this entire document is for educational and demonstration purposes only.
# Modification, use and publishing this information is entirely at your own risk.
# I cannot be held responsible for any malicious use. Use at your own risk.

use strict;
use Digest::SHA;
use Digest::MD5;
use Authen::Passphrase::PHPass;

system ('clear');

# An algorithm, a hash and a wordlist are all required.
if (@ARGV < 3) {
    usage();
}

sub usage {
    print "\n--- MorxCrack Multi-Algorithm/CMS password cracking tool\n";
    print "--- By Simo Ben youssef\n";
    print "--- www.morxploit.com\n\n";
    print "[-] An algorithm, a hash and a wordlist are required\n\n";
    print "Usage: perl $0 <algorithm> <hash> <wordlist> <salt>\n\n";
    print "Example:\n";
    print "perl $0 sha hash wordlist\n";
    print "perl $0 sha256 hash wordlist\n";
    print "perl $0 sha512 hash wordlist\n";
    print "perl $0 md5 hash wordlist\n";
    print "perl $0 mysql hash wordlist\n";
    print "perl $0 crypt 'hash' wordlist\n";
    print "perl $0 wordpress 'hash' wordlist\n";
    print "perl $0 md5twice hash wordlist\n";
    print "\nFor CMS salt-hashed passwords:\n";
    print "perl $0 joomla hash wordlist salt\n";
    print "perl $0 vb hash wordlist salt\n";
    print "perl $0 wordpress 'hash' wordlist\n";
    print "perl $0 ipb hash wordlist salt\n\n";
    exit;
}

sub saltusage {
    print "\n--- MorxCrack Multi-Algorithm/CMS password cracking tool\n";
    print "--- By Simo Ben youssef\n";
    print "--- www.morxploit.com\n\n";
    print "[-] You need to specify a salt\n\n";
    print "Usage: perl $0 <algorithm> <hash> <wordlist> <salt>\n";
    print "perl $0 joomla hash wordlist salt\n";
    print "perl $0 vb hash wordlist salt\n";
    print "perl $0 ipb hash wordlist salt\n\n";
    exit;
}

my $algo = $ARGV[0];
my $hash = $ARGV[1];
my $wordlist = $ARGV[2];
my $salt = $ARGV[3];
# The usage text documents "ipb", but the handler sub is named ibp: accept both spellings.
my $algoname = $algo eq 'ipb' ? 'ibp' : $algo;
my $subalgo = \&$algoname;
my $password;
my $digest;
my $timestart;

$SIG{'INT'} = \&sigIntHandler;
$SIG{TSTP} = \&sigTSTPHandler;

# joomla, vb and ipb need the salt as a fourth argument.
if ((grep { $algoname eq $_ } qw{joomla vb ibp}) && (!defined $salt || $salt eq "")) {
    saltusage();
}
elsif (!grep { $algoname eq $_ } qw{md5 mysql crypt sha sha256 sha512 joomla md5twice wordpress vb ibp}) {
    usage();
}
else {
    &crack();
}

sub crack {
    system ('clear');
    # Three-argument open, so the wordlist name is never parsed as a mode or a pipe.
    open (LIST, '<', $wordlist) || die "\n[-] Can't find/open $wordlist\n";
    print "\n[*] Hashed password set to $hash\n";
    print "[*] Algorithm/CMS set to $algo\n";
    print "[*] Wordlist set to $wordlist\n";
    print "[*] Control+c to check stats\n";
    print "[*] Control+z to exit the program\n\n";
    sleep(2);
    print "[+] Cracking ...\n\n";
    $timestart = time();
    # Hash each candidate with the selected routine and compare it to the target.
    while ($password = <LIST>) {
        chomp ($password);
        &$subalgo();
        if ($digest eq $hash) {
            my $timeend = time();
            my $runtime = $timeend - $timestart;
            print "############################################################\n";
            print "[+] Your password is $password\n";
            print "[+] Found at line $. of $wordlist\n";
            print "[+] Cracked in $runtime seconds\n";
            print "############################################################\n\n";
            close(LIST);
            exit;
        }
    }
    my $timeend = time();
    my $runtime = $timeend - $timestart;
    print "############################################################\n";
    print "[-] Failed: Couldn't crack the password!\n";
    print "[+] Processed $. passwords in $runtime seconds\n";
    print "############################################################\n\n";
    exit;
}

# SHA1(password)
sub sha {
    my $sha = Digest::SHA->new;
    $sha->add($password);
    $digest = $sha->hexdigest;
}

# SHA-256(password)
sub sha256 {
    my $sha = Digest::SHA->new(256);
    $sha->add($password);
    $digest = $sha->hexdigest;
}

# SHA-512(password)
sub sha512 {
    my $sha = Digest::SHA->new(512);
    $sha->add($password);
    $digest = $sha->hexdigest;
}

# MySQL 4.1+: SHA1 over the raw SHA1 digest of the password.
# The result is lowercase hex without the leading '*' that MySQL stores.
sub mysql {
    # round 1 hashing (Digest::SHA with algorithm 1; Digest::SHA1 is never loaded)
    my $sha1 = Digest::SHA->new(1);
    $sha1->add($password);
    my $digest1 = $sha1->digest;
    # round 2 hashing
    my $sha1_2 = Digest::SHA->new(1);
    $sha1_2->add($digest1);
    $digest = $sha1_2->hexdigest;
}

# crypt(3): the full target hash is passed as the salt argument.
sub crypt {
    $digest = crypt($password, $hash);
}

# MD5(password)
sub md5 {
    my $md5 = Digest::MD5->new;
    $md5->add($password);
    $digest = $md5->hexdigest;
}

# Joomla: MD5(password . salt)
sub joomla {
    my $key = $password.$salt;
    my $md5 = Digest::MD5->new;
    $md5->add($key);
    $digest = $md5->hexdigest;
}

# MD5(MD5(password)), inner digest taken as hex
sub md5twice {
    # round 1
    my $md5 = Digest::MD5->new;
    $md5->add($password);
    my $digest1 = $md5->hexdigest;
    # round 2
    my $md52 = Digest::MD5->new;
    $md52->add($digest1);
    $digest = $md52->hexdigest;
}

# vBulletin: MD5(MD5(password) . salt)
sub vb {
    # round 1
    my $md5 = Digest::MD5->new;
    $md5->add($password);
    my $digest1 = $md5->hexdigest;
    # round 2
    my $key = $digest1.$salt;
    my $md52 = Digest::MD5->new;
    $md52->add($key);
    $digest = $md52->hexdigest;
}

# Invision Power Board: MD5(MD5(salt) . MD5(password))
sub ibp {
    # round 1
    my $md5 = Digest::MD5->new;
    $md5->add($password);
    my $digest1 = $md5->hexdigest;
    # round 2
    my $md52 = Digest::MD5->new;
    $md52->add($salt);
    my $digest2 = $md52->hexdigest;
    my $key = $digest2.$digest1;
    # round 3: read the digest from $final, not from the already-reset $md5
    my $final = Digest::MD5->new;
    $final->add($key);
    $digest = $final->hexdigest;
}

# Wordpress (PHPass): the 8 characters after the 4-character prefix are the salt.
sub wordpress {
    my ($h, $wpsalt, $hash2) = $hash =~ m/^(.{4})(.{8})(.+)/;
    # The cost is hard-coded; hashes generated with a different cost will not match.
    my $ppr = Authen::Passphrase::PHPass->new(
        cost => 11,
        salt => "$wpsalt",
        passphrase => "$password");
    my $userpassword = $ppr->as_rfc2307;
    # Strip the 7-character "{CRYPT}" scheme prefix.
    $digest = substr ($userpassword, 7);
}

# Control+c: print progress statistics and keep going.
sub sigIntHandler {
    my $sigtime = time();
    my $cctime = $sigtime - $timestart;
    # Avoid a division by zero when stats are requested within the first second.
    my $speed = $cctime > 0 ? $. / $cctime : $.;
    print "\n############################################################\n";
    print "[*] Current pwd: $password\n";
    print "[*] Line number: $.\n";
    print "[*] Time elapsed: $cctime\n";
    print "[*] Speed: $speed pwd per second\n";
    print "############################################################\n";
    print "\n[+] Cracking ...\n";
}

# Control+z: report the current position and exit.
sub sigTSTPHandler {
    print "\n############################################################\n";
    print "[+] Exiting at line $.\n";
    print "[+] Aurevoir!\n";
    print "############################################################\n\n";
    sleep(2);
    close(LIST);
    exit;
}

Requirements:

Perl 5 or older

Additional modules:

Authen::Passphrase::PHPass

Usage:

Usage for non-salted passwords:

perl morxcrack.pl <algorithm> <'hash'> <wordlist>
perl morxploit md5 '83583d2b5ea4078b9b83f82254e5d564' wordlist.txt

Usage for salted passwords:

perl morxcrack.pl <algorithm> <'hash'> <wordlist> <salt>
perl morxploit.pl joomla 'a87248e5fc69972804f5bb93c873ee9d' wordlist.txt 9W11uZafPxbe9xpL

Demo:

Test on a Pentium® Dual-Core CPU T4500 @ 2.30GHz * 2 processor using md5 and a 3917096 wordlist (43.4 MB):

perl morxcrack.pl md5 '83583d2b5ea4078b9b83f82254e5d564' all.txt

[*] Hashed password set to 83583d2b5ea4078b9b83f82254e5d564
[*] Algorithm/CMS set to md5
[*] Wordlist set to all.txt

[+] Cracking …

############################################################
# [+] Your password is morxploit
# [+] found at line 3917096
# [+] Job took 16 seconds
############################################################

TODO:

Get rid of PHPass module

Support for more CMS

Contribute:

Your contribution is needed! Please submit your CMS password hashing methods to simo_at_morxploit_com

Make sure to include software details such as name and version number.

Also please feel free to submit all your suggestions and bugs.

Thanks.

Source: MorXCrack Multi-Algorithm/CMS password cracking tool | MorXploit Research
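
For anyone auditing a user table against the schemes listed above, the following is an added example (not part of the original post or of MorxCrack). It classifies stored password values by format and reports how many digest computations one guess costs, which is what makes the 16-second run in the demo possible for plain MD5. The function names, the `hash:salt` storage form assumed for Joomla, and the `min_calls` threshold are assumptions of this example.

```python
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HEX_DIGESTS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def classify(stored):
    """Return (scheme, digest_calls_per_guess); calls is None if not derivable."""
    s = stored.strip()
    m = re.fullmatch(r"\$[PH]\$([./0-9A-Za-z])[./0-9A-Za-z]{30}", s)
    if m:  # PHPass portable: cost char, 8-char salt, 22-char digest
        return ("phpass", 2 ** ITOA64.index(m.group(1)) + 1)
    m = re.fullmatch(r"\$(\w+)\$.+", s)
    if m:  # crypt(3) modular format as found in a shadow file
        return ("crypt-" + m.group(1), None)
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", s):
        return ("mysql41", 2)  # SHA1 applied twice, no salt
    if re.fullmatch(r"[0-9a-f]{32}:.+", s):
        return ("joomla-md5-salt", 1)  # MD5(password . salt), stored as hash:salt
    if re.fullmatch(r"[0-9A-Fa-f]+", s) and len(s) in HEX_DIGESTS:
        # Bare hex may also be a doubled or salted variant (vBulletin and IPB
        # keep the salt in a separate column), so 1 is a lower bound.
        return (HEX_DIGESTS[len(s)], 1)
    return ("unknown", None)

def needs_migration(rows, min_calls=1000):
    """List (user, scheme, calls) whose scheme costs < min_calls digests per guess."""
    flagged = []
    for user, stored in rows:
        scheme, calls = classify(stored)
        if calls is not None and calls < min_calls:
            flagged.append((user, scheme, calls))
    return flagged

# Constructed rows; the md5 and joomla values are the ones quoted on this page,
# the others are made-up strings with the right shape, not real hashes.
SAMPLE = [
    ("alice", "83583d2b5ea4078b9b83f82254e5d564"),
    ("bob", "a87248e5fc69972804f5bb93c873ee9d:9W11uZafPxbe9xpL"),
    ("carol", "*0123456789ABCDEF0123456789ABCDEF01234567"),
    ("dave", "$P$BabcdefghABCDEFGHIJKLMNOPQRSTUV"),
    ("erin", "$6$saltsalt$notarealdigest"),
]

if __name__ == "__main__":
    for row in needs_migration(SAMPLE):
        print(row)
```

Rows that come back with `None` for the call count (the crypt(3) formats) are neither flagged nor cleared; their cost depends on the scheme id and any rounds parameter and has to be assessed separately.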
