Brute Forcing Salted Password
Since my last post showed how to check a salted password, I figured this time we can look over some example code for brute forcing a salted password. Of course this is just a proof of concept and should not be used on any password you do not have access to.
The code I tossed together uses bits of some examples I found online and is nowhere near optimized for speed, but as I will show, it works.
First, let's check out the code:
#!/usr/bin/env python
import sys
# crypt is Unix-only and was removed from the standard library in Python 3.13
from crypt import crypt

def nextChar():
    '''create a generator for spitting out our chars'''
    chars = range(97, 123) # Lower case range: 'a' (97) through 'z' (122)
    chars = map(chr, chars)
    for char in chars:
        yield char

def passRecurse(width, position, baseString):
    '''Loop over all characters using width'''
    for c in nextChar():
        if (position < width - 1):
            # Recurse first so longer candidates with this prefix are tried
            passRecurse(width, position + 1, baseString + c)
        thisPassword = baseString + c
        # link in to external function here
        newhash = SHA512Salt(thisPassword, salt)
        if newhash == hash:
            print('Password hash matached: %s' % thisPassword)
            sys.exit()

def SHA512Salt(password, salt):
    '''Hash with SHA-512 crypt ($6$) and return only the digest field'''
    output = crypt(password, '$6$%s$' % salt)
    return output.split('$')[-1]

# Set up some variables and start the Brute
width = 3
salt = sys.argv[1] # salt field from the shadow entry
hash = sys.argv[2] # digest field from the shadow entry
passRecurse(width, 0, '')
I was not able to find or think of a better way to create passwords using a character map other than calling the function within the function (eww….). If you have any examples or suggestions, please let me know.
This time I set the password for the dummy user to bat (to save some time and CPU cycles, I suppose):
# cat /etc/shadow| grep dummy
dummy:$6$cIYtIxDs$XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5.:15313:0:99999:7:::
Using the Python script above works like so (it ran in 3.690s):
$ ./brute.py cIYtIxDs "XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5."
Password hash matached: bat
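Added example, not part of the original post: a defender-side look at the same data. It parses the shadow entry shown above and computes how many candidates an exhaustive search over lengths 1..width must try, with a worst-case time estimate. The names `parse_shadow`, `keyspace` and `worst_case_seconds` are chosen here, the hash rate is an assumed figure rather than a measurement from the post, and the linear scaling with `rounds=` is an approximation.

```python
from collections import namedtuple

ShadowHash = namedtuple("ShadowHash", "user scheme rounds salt digest")
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}  # crypt(3) ids
DEFAULT_ROUNDS = 5000  # SHA-crypt default when no rounds= parameter is set

# The dummy user's entry exactly as shown in the post.
PAGE_ENTRY = ("dummy:$6$cIYtIxDs$XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0"
              "DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5.:15313:0:99999:7:::")


def parse_shadow(line):
    """Split a shadow entry into user, scheme, rounds, salt and digest."""
    user, field = line.split(":")[:2]
    parts = field.split("$")  # ['', id, optional 'rounds=N', salt, digest]
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("no $id$salt$hash field (locked or legacy entry)")
    rounds = DEFAULT_ROUNDS if parts[1] in ("5", "6") else None
    rest = parts[2:]
    if rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) != 2:
        raise ValueError("unexpected number of $ fields")
    return ShadowHash(user, SCHEMES.get(parts[1], "unknown"), rounds, *rest)


def keyspace(charset_size, max_len):
    """Candidates an exhaustive search tries for lengths 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def worst_case_seconds(charset_size, max_len, rate, rounds=DEFAULT_ROUNDS):
    """Worst case in seconds; rate is hashes/s measured at DEFAULT_ROUNDS.
    Cost is assumed to scale linearly with rounds (an approximation)."""
    return keyspace(charset_size, max_len) * rounds / DEFAULT_ROUNDS / rate


if __name__ == "__main__":
    entry = parse_shadow(PAGE_ENTRY)
    print(entry.user, entry.scheme, entry.rounds, entry.salt)
    RATE = 200.0  # assumed hashes/s, not a figure from the post
    for charset, length in [(26, 3), (26, 8), (94, 8)]:
        secs = worst_case_seconds(charset, length, RATE, entry.rounds)
        print("%2d symbols, up to %d chars: %d candidates, %.1f hours"
              % (charset, length, keyspace(charset, length), secs / 3600))
```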