Tuesday, February 23, 2010

AppSec Challenge 9's solution

Ok, the first one is easy and pwd1=OWASP. Next, it is turn to brute force md2, md4 and md5. Unfortunately, C# does not support md2 and md4 due to its security issue. However, a quick Google search find bouncycastle,
http://www.bouncycastle.org/csharp/.

After downloding their library, now it is time to brute force all the hashes one by one.

1) md2, this one is fast:
16189F5462BF906E9D88CF6F152DE86F
Found a Match
password is:GnuOWASP
hash is: 16189F5462BF906E9D88CF6F152DE86F

so, pwd2=Gnu

2) md4, this one is fast too:
FA8F46A6D347087D6980C3FA77DD4DE9
Found a Match
password is:lOOpGnu
hash is: FA8F46A6D347087D6980C3FA77DD4DE9

so, pwd3 = lOOp

3) md5, this one is fast too:
Found a Match
password is:SthlmlOOp
hash is: 425B33D6F60394C897B8413B5C185845

so, pwd4 = Sthlm

4) RIPEMD160, I use System.Security.Cryptography.RIPEMD160. It is fast
35F34671D30472D403937820DCABC1C78C837071
Found a Match
password is:klueSthlm
hash is: 35F34671D30472D403937820DCABC1C78C837071
so pwd5 =klue

5)SHA1, I use System.Security.Cryptography.SHA1 and it is fast:
AE81A30510B2931921934218636B26A803330EB1
Found a Match
password is:ZaQxklue
hash is: AE81A30510B2931921934218636B26A803330EB1

so pwd6 = ZaQx

6) sha256, SHA256 within System.Security.Cryptography is ready to use. This one does take some more than 10 minutes.
B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
Found a Match
password is:pryLZaQx
hash is: B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644

pwd7 = pryL
7) GOST3411, bouncycastle already implemented it. And it only took about 10 minutes.
0 0 1 2 3 4 5 6 7 8 9 10 11 12 13
Found a Match
password is:winnapryL
hash is: 16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971

pwd8 = winna


In summary, it is pretty easy to brute force these hashes due to limit length (maximum lenght is five) and not so large character set (52 alpha characters). That's another reason why we should enforce password complexity rules.

The following is the code used to crack these hashes. They are not neat.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto.Digests;

namespace hashCrack
{
class Program
{
static String md2Hash(String clearText)
{
MD2Digest md2 = new MD2Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md2.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md2.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}

static String md4Hash(String clearText)
{
MD4Digest md4 = new MD4Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md4.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md4.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}

static String md5Hash(String clearText)
{
MD5Digest md5 = new MD5Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md5.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md5.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String gost3411Hash(String clearText)
{
Gost3411Digest gost = new Gost3411Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
gost.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[32];
gost.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}


static String ripemd160Hash(String clearText)
{
RIPEMD160 myRIPE = RIPEMD160Managed.Create();
byte[] strBytes = Encoding.Default.GetBytes(clearText);

byte[] hash = myRIPE.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}


static String sha1Hash(String clearText)
{
byte[] strBytes = Encoding.Default.GetBytes(clearText);
SHA1 sha = new SHA1CryptoServiceProvider();
byte[] hash = sha.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();


}

static String sha256Hash(String clearText)
{
byte[] strBytes = Encoding.Default.GetBytes(clearText);
SHA256 shaM = new SHA256Managed();

byte[] hash = shaM.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();


}


static void crackRipe()
{
String pwd4 = "Sthlm";
String targetHash = "35F34671D30472D403937820DCABC1C78C837071";

Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();

//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);

for (int m = 0; m < elements.Length; m++)
{


for (int k = 0; k < elements.Length; k++)
{

for (int j = 0; j < elements.Length; j++)
{

for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd4;

String hash = ripemd160Hash(strTest);

//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);

if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}


}
}
}
}
//}




//pwd5 = "klue";
//AE81A30510B2931921934218636B26A803330EB1



}

static void crackSha1()
{
String pwd5 = "klue";
String targetHash = "AE81A30510B2931921934218636B26A803330EB1";

Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();

//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);

for (int m = 0; m < elements.Length; m++)
{


for (int k = 0; k < elements.Length; k++)
{

for (int j = 0; j < elements.Length; j++)
{

for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd5;

String hash = sha1Hash(strTest);

//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);

if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}


}
}
}
}
//}




//pwd5 = "klue";
//



}

static void crackSha256()
{
String pwd6 = "ZaQx";
String targetHash = "B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644";

Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();

//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);

for (int m = 0; m < elements.Length; m++)
{
Console.WriteLine(" " + m);

for (int k = 0; k < elements.Length; k++)
{

for (int j = 0; j < elements.Length; j++)
{

for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd6;

String hash = sha256Hash(strTest);

//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);

if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}


}
}
}
}
//}








}



static void crackGOST3411()
{
String pwd7 = "pryL";
String targetHash = "16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971";

Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();

for (int n = 0; n < elements.Length; n++)
{
Console.WriteLine(" " + n);

for (int m = 0; m < elements.Length; m++)
{
Console.Write(" " + m);

for (int k = 0; k < elements.Length; k++)
{

for (int j = 0; j < elements.Length; j++)
{

for (int i = 0; i < elements.Length; i++)
{
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd7;
//String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd7;

String hash = gost3411Hash(strTest);

//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);

if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}


}
}
}
}
}








}


//

static void Main(string[] args)
{
//String pwd1 = "OWASP";
//String pwd2 = "Gnu";
String pwd3 = "lOOp";
//String targetHash = "FA8F46A6D347087D6980C3FA77DD4DE9";
//crackRipe();
//crackSha1();
//crackSha256();
crackGOST3411();

}


}
}
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)