Since my last post showed how to check a salted password, I figured this time we can look over some example code for brute forcing a salted password. Of course this is just a proof of concept and should not be used on any password you do not have access to.

The code I tossed together is using a bit of some examples I found online, and is nowhere near optimized for speed, but as I will show it will work.

First, let's check out the code:

#!/usr/bin/env python
import sys
from crypt import crypt  # Unix-only; removed from the standard library in Python 3.13

def nextChar():
    '''create a generator for spitting out our chars'''
    chars = range(97, 123) # Lower case range: a-z
    chars = map(chr, chars)
    for char in chars:
        yield char

def passRecurse(width, position, baseString):
    '''Loop over all characters using width'''
    for c in nextChar():
        if (position < width - 1):
            passRecurse(width, position + 1, baseString + c)

        # link in to external function here
        newhash = hashPass(baseString + c, salt)
        if newhash == hash:
            print("Password found: %s" % (baseString + c))
            sys.exit()

def hashPass(password, salt):
    '''SHA-512 crypt the candidate and return only the hash portion'''
    output = crypt(password, '$6$%s$' % salt)
    return output.split('$')[-1]

# Set up some variables and start the Brute
width = 3
salt = sys.argv[1]
hash = sys.argv[2]
passRecurse(width, 0, '')


I was not able to find or think of a better way to create passwords using a character map other than calling the function within the function (eww….), if you have any examples or suggestions please let me know.

This time I set the password for the dummy user to bat (to save some time and CPU cycles, I suppose):

# cat /etc/shadow| grep dummy
dummy:$6$cIYtIxDs$XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5.:15313:0:99999:7:::

Using the Python script above works as so (and ran in 3.690s):

$ ./brute.py cIYtIxDs "XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5."
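To put the 3.690s run in context, this added example (not part of the original post) parses the shadow entry above and estimates how the same search scales with password length and alphabet size. It assumes a 26-letter lowercase alphabet, the search order of the script above, and that the whole 3.690s was spent hashing; all function names are made up for this example.

```python
import string

# Shadow entry and wall-clock time quoted in the post.
SHADOW = "dummy:$6$cIYtIxDs$XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5.:15313:0:99999:7:::"
RUN_SECONDS = 3.690

def parse_shadow(line):
    """Split a shadow(5) line and its crypt(3) field: $id$[rounds=N$]salt$hash."""
    fields = line.strip().split(":")
    parts = fields[1].split("$")[1:]
    rounds = 5000  # sha512-crypt default when no rounds= is stored
    if len(parts) == 4 and parts[1].startswith("rounds="):
        rounds = int(parts.pop(1).split("=", 1)[1])
    scheme, salt, digest = parts  # ValueError for locked/empty entries ("!", "*")
    return {"user": fields[0], "scheme": scheme, "salt": salt,
            "hash": digest, "rounds": rounds}

def search_order(width, alphabet, base=""):
    """Candidates in the order the post's recursion visits them."""
    for c in alphabet:
        if len(base) < width - 1:
            yield from search_order(width, alphabet, base + c)
        yield base + c

def tried_until(target, width, alphabet):
    """1-based position of target in that order (None if never generated)."""
    for n, candidate in enumerate(search_order(width, alphabet), 1):
        if candidate == target:
            return n
    return None

def keyspace(alphabet_size, width):
    """Number of candidates of length 1..width."""
    return sum(alphabet_size ** k for k in range(1, width + 1))

def worst_case_seconds(alphabet_size, width, rate):
    """Time to exhaust the keyspace at `rate` hashes per second."""
    return keyspace(alphabet_size, width) / rate

if __name__ == "__main__":
    entry = parse_shadow(SHADOW)
    print(entry["user"], "scheme", entry["scheme"], "rounds", entry["rounds"])
    # Assumption: the run was all hashing and stopped when "bat" was reached.
    rate = tried_until("bat", 3, string.ascii_lowercase) / RUN_SECONDS
    print("approx. %.0f hashes/s" % rate)
    for size, width in [(26, 3), (26, 8), (94, 8)]:
        secs = worst_case_seconds(size, width, rate)
        print("alphabet %2d, width %d: %.3g s (%.3g years)"
              % (size, width, secs, secs / 31557600))
```

The rate is only a rough figure for this one interpreted, single-threaded script; the useful part is the ratio between rows, which shows how quickly length and alphabet size push an exhaustive search out of reach.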