Since my last post showed how to check a salted password, I figured this time we can look over some example code for brute forcing a salted password. Of course this is just a proof of concept and should not be used on any password you do not have access to.
The code I tossed together is using a bit of some examples I found online, and is nowhere near optimized for speed, but as I will show it will work.
First let's check out the code:
    #!/usr/bin/env python
    import sys
    from crypt import crypt


    def nextChar():
        '''create a generator for spitting out our chars'''
        chars = range(97, 123)  # Lower case range: 'a' (97) through 'z' (122)
        chars = map(chr, chars)
        for char in chars:
            yield char


    def passRecurse(width, position, baseString):
        '''Loop over all characters using width'''
        for c in nextChar():
            if (position < width - 1):
                # Try the longer candidates that share this prefix first
                passRecurse(width, position + 1, baseString + c)
            thisPassword = baseString + c
            # link in to external function here
            newhash = SHA512Salt(thisPassword, salt)
            if newhash == hash:
                print('Password hash matached: %s' % thisPassword)
                sys.exit()


    def SHA512Salt(password, salt):
        '''Return only the hash field of the SHA-512 crypt ($6$) string'''
        output = crypt(password, '$6$%s$' % salt)
        return output.split('$')[-1]


    # Set up some variables and start the Brute
    width = 3
    salt = sys.argv[1]  # salt field from the shadow entry
    hash = sys.argv[2]  # hash field from the shadow entry
    passRecurse(width, 0, '')
I was not able to find or think of a better way to create passwords using a character map other than calling the function within the function (eww….), if you have any examples or suggestions please let me know.
This time I set the password for the dummy user to bat (to save some time and CPU cycles I suppose):
    # cat /etc/shadow| grep dummy
    dummy:$6$cIYtIxDs$XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5.:15313:0:99999:7:::
Using the Python script above works like so (and ran in 3.690s):
    $ ./brute.py cIYtIxDs "XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5."
    Password hash matached: bat
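Seen from the defending side, the run above is fast because the search space for a three-letter lowercase password is tiny. The following added example (not code from the original post) parses a shadow password field like the one shown and estimates how long an exhaustive search takes as length, character set and the `rounds=` cost parameter grow. The function names and the guess rate are assumptions for illustration, and the linear scaling with rounds is an approximation.

```python
from collections import namedtuple

ShadowHash = namedtuple("ShadowHash", "scheme rounds salt digest")

# crypt(3) scheme ids; 5000 is the default round count of sha256/sha512-crypt.
SCHEMES = {"1": ("md5crypt", None), "5": ("sha256crypt", 5000),
           "6": ("sha512crypt", 5000)}


def parse_shadow_field(field):
    """Split '$id$[rounds=N$]salt$digest' into its parts."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in SCHEMES:
        raise ValueError("not a recognised modular crypt string")
    scheme, rounds = SCHEMES[parts[1]]
    rest = parts[2:]
    if rest[0].startswith("rounds=") and rounds is not None:
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2:
        raise ValueError("expected salt and digest fields")
    return ShadowHash(scheme, rounds, rest[0], rest[1])


def keyspace(charset_size, max_len):
    """Number of candidates of length 1..max_len over the character set."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def worst_case_seconds(charset_size, max_len, rounds, guesses_per_sec_at_5000):
    """Time to exhaust the keyspace; cost per guess grows with rounds."""
    rate = guesses_per_sec_at_5000 * 5000.0 / rounds
    return keyspace(charset_size, max_len) / rate


if __name__ == "__main__":
    # Password field of the dummy user shown in the post.
    field = ("$6$cIYtIxDs$XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4"
             "ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5.")
    h = parse_shadow_field(field)
    RATE = 5000.0  # ASSUMED guesses/sec at default rounds; measure your own
    for charset, length in [(26, 3), (26, 8), (94, 8), (94, 12)]:
        secs = worst_case_seconds(charset, length, h.rounds, RATE)
        print("%s rounds=%d charset=%d len<=%d: %.3g s" %
              (h.scheme, h.rounds, charset, length, secs))
```

Swap in a guess rate measured on your own hardware before reading anything into the absolute numbers; the ratios between the rows are the useful part.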