Brute Forcing Salted Password

Since my last post showed how to check a salted password, I figured this time we can look over some example code for brute forcing a salted password. Of course this is just a proof of concept and should not be used on any password you do not have access to.

The code I tossed together uses bits of some examples I found online, and is nowhere near optimized for speed, but as I will show, it will work.

First, let's check out the code:

#!/usr/bin/env python
import sys
# crypt is Unix-only; it is deprecated since Python 3.11 and removed in 3.13
from crypt import crypt

def nextChar():
    '''create a generator for spitting out our chars'''
    chars = range(97, 123) # Lower case range: 'a' (97) through 'z' (122)
    chars = map(chr, chars)
    for char in chars:
        yield char

def passRecurse(width, position, baseString):
    '''Try every password of length 1 through width, depth first'''
    for c in nextChar():
        thisPassword = baseString + c
        if (position < width - 1):
            # extend this prefix by one more character first
            passRecurse(width, position + 1, thisPassword)

        # link in to external function here
        newhash = SHA512Salt(thisPassword, salt)
        if newhash == hash:
            print('Password hash matached: %s' % thisPassword)
            sys.exit()

def SHA512Salt(password, salt):
    '''Return only the hash field of the $6$ (SHA-512) crypt string'''
    output = crypt(password, '$6$%s$' % salt)
    return output.split('$')[-1]

# Set up some variables and start the Brute
width = 3           # maximum password length to try
salt = sys.argv[1]  # salt field from the shadow entry
hash = sys.argv[2]  # hash field from the shadow entry
passRecurse(width, 0, '')

I was not able to find or think of a better way to create passwords using a character map other than calling the function within the function (eww….). If you have any examples or suggestions, please let me know.

This time I set the password for the dummy user to bat (to save some time and CPU cycles, I suppose):

# cat /etc/shadow| grep dummy
dummy:$6$cIYtIxDs$XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5.:15313:0:99999:7:::

Using the Python script above works like so (and ran in 3.690s):

$ ./brute.py cIYtIxDs "XzsdCG1TD3hO3qpEtUardUbVPQRsEOgq.1yqWl8iFp0DCF4ZSbppuj63sXHwzEj7Faz5MRoVf2LxtD9kUwpG5."
Password hash matached: bat
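
As an added example (not code from the original post): `itertools.product` walks the same a-z space without a function calling itself, and counting the candidates shows how fast that space grows with length and alphabet, which is the number a password policy is sized against. The function names and the 200 hashes/second rate are assumptions for illustration, and candidates come out shortest first, not in the script's depth-first order.

```python
import itertools
import string

LOWER = string.ascii_lowercase  # the a-z alphabet the script above iterates

def candidates(alphabet, max_len):
    """Yield every string of length 1..max_len, shortest first, no recursion."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)

def keyspace(alphabet_size, max_len):
    """Number of strings of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def guesses_until(target, alphabet, max_len):
    """1-based position of target in candidates() order, None if not covered."""
    for i, cand in enumerate(candidates(alphabet, max_len), 1):
        if cand == target:
            return i
    return None

def worst_case_seconds(alphabet_size, max_len, hashes_per_second):
    """Time to exhaust the whole space at a fixed hashing rate."""
    return keyspace(alphabet_size, max_len) / float(hashes_per_second)

def human(seconds):
    """Render a duration in the largest sensible unit."""
    units = (("years", 31536000), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f seconds" % seconds

if __name__ == "__main__":
    RATE = 200  # ASSUMED hashes/second, for illustration only; measure your own
    print("'bat' is guess #%d of %d"
          % (guesses_until("bat", LOWER, 3), keyspace(26, 3)))
    # 95 = printable ASCII characters 0x20 through 0x7E
    for label, size, length in (("a-z, up to 3", 26, 3),
                                ("a-z, up to 8", 26, 8),
                                ("printable ASCII, up to 12", 95, 12)):
        print("%-26s %s" % (label, human(worst_case_seconds(size, length, RATE))))
```
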