Creating QR Code with Google

So today I thought I would be neat to show how to quickly create QR codes using Google’s Chart Tools.

Google gives us a extremely easy way to create QR code by sending GET data request via URL:

https://chart.googleapis.com/chart?cht=qr&chs=300×300&chl=nessy

That is nice and easy, but I figured I would wrap this up in a small Python script just because:

#!/usr/bin/env python
from urllib2 import quote, urlopen, Request
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
import sys

def create(width, heigth, data):
    '''Builds a URL for Google to create us a QR code'''
    # build and make URL request
    google_chart = 'https://chart.googleapis.com'
    url = '%s/chart?cht=qr&chs=%sx%s&chl=%s' % (google_chart, width, heigth, quote(data))
    request = urlopen(url)
    response = request.read()

    # write QR code to file
    f = open('qr.png', 'w')
    f.write(response)
    f.close
    return 'Wrote qr.png..'

def read(qr_file):
    '''Reads a QR code by URL'''
    # post image to decode page
    register_openers()
    datagen, headers = multipart_encode({'f': open(qr_file)})
    request = Request('http://zxing.org/w/decode', datagen, headers)
    response = urlopen(request).read()
    return response

if sys.argv[1] == 'create':
    print create(300, 300, sys.argv[2])

if sys.argv[1] == 'read':
    print read(sys.argv[2])

Basic usage works like so:

$ ./qr.py create "My name is Nessy, Hello"
Wrote qr.png..

Running the create option will write a file named qr.png to your current directory:

$ file qr.png
qr.png: PNG image, 300 x 300, 8-bit/color RGB, non-interlaced

qr

And reading this QR code works just like this:

$ ./qr.py read qr.png
My name is Nessy, Hello

Brute Forcing Salted Password

Since my last post showed how to check a salted password, I figured this time we can look over some example code for brute forcing a salted password. Of course this is just proof of concept and should not be used on any password you do not have access to.

The code I tossed together is using a bit of some examples I found online, and is no where near optimized for speed, but as I will show it will work.

First lets check out the code:

#!/usr/bin/env python
import sys
from md5 import md5
from crypt import crypt

def nextChar():
    '''create a generator for spitting out our chars'''
    chars = range(97,124) # Lower case range
    chars = map(chr, chars)
    for char in chars:
        yield char

def passRecurse(width, position, baseString):
    '''Loop over all characters using width'''
    for c in nextChar():
        if (position < width - 1):
            thisPassword = baseString + c
            passRecurse(width, position + 1, baseString + c)
        thisPassword = baseString + c

        # link in to external function here
        newhash = SHA512Salt(thisPassword, salt)
        if newhash == hash:
            print 'Password hash matached: %s' % thisPassword
            sys.exit()

def SHA512Salt(password, salt):
    output = crypt(password, '$6$%s$' % salt)
    return output.split('$')[-1]

# Set up some variables and start the Brute
width = 3
salt = sys.argv[1]
hash = sys.argv[2]
passRecurse(width, 0, '')

I was not able to find or think of a better way to create passwords using a character map other than calling the function within the function (eww….), if you have any examples or suggestion please let me know.

This time I set the password for the dummy user to bat (save some time and CPU cycles I suppose):

# cat /etc/shadow| grep dummy
dummy:$6$cIYtIxDs$XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5.:15313:0:99999:7:::

Using the Python script above works as so (and ran in 3.690s):

$ ./brute.py cIYtIxDs "XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5."
Password hash matached: bat

UNIX SHA-512 Passwords & Python

Well today I spent a bit of time looking up how /etc/shadow created their shadow passwords.

I found a good source for the method at http://www.akkadia.org/drepper/SHA-crypt.txt , and if you take some time to review it you will notice the steps are a bit involved

Lucky for us Python has a Crypt module that works nicely.

First off I started by creating a dummy user with the password of test on one of my Linux computers:

# cat /etc/shadow | grep dummy
dummy:$6$JJ1sbaL/$2P4ZcZ10VjIa9f5.8N/GJukYCg.RJVBTP2h30v2mnh0Q5izqc2rtKZ6qtI0Ewiyji
      0hX9zIVfftOVuJTIsBSKQ/:15310:0:99999:7:::

And like that we have a password we can attempt to validate.

Next I will need to define our salt in Python. A good article explaining the format of /etc/shadow can be found on cyberciti.biz. Like the article says the salt is found between the $ after the username and before the password hash. For comparison I will also extract the hash:

>>> salt = 'JJ1sbaL/'
>>> hash = '2P4ZcZ10VjIa9f5.8N/GJukYCg.RJVBTP2h30v2mnh0Q5izqc2rtKZ6qtI0Ewiyj0hX9zIVfftOVuJTIsBSKQ/'

Now that we have our salt we can create a hash of our password using that salt and verify it matches the hash shown in /etc/shadow:

>>> import crypt
>>> output = crypt.crypt('test', '$6$%s$' % salt)
>>> print output
$6$JJ1sbaL/$2P4ZcZ10VjIa9f5.8N/GJukYCg.RJVBTP2h30v2mnh0Q5izqc2rtKZ6qtI0Ewiyj0hX9zIVfftOVuJTIsBSKQ/

And lastly lets compare the new hash with the one found in /etc/shadow:

>>> newhash = output.split('$')[-1]
>>> print newhash
'2P4ZcZ10VjIa9f5.8N/GJukYCg.RJVBTP2h30v2mnh0Q5izqc2rtKZ6qtI0Ewiyj0hX9zIVfftOVuJTIsBSKQ/'
>>>
>>> newhash == hash
True