OSDev.org

Posted: **Sun Jun 24, 2007 5:12 pm**

I'm working on a brute forcer and I have something that can md5 a string, but I need some code that can generate every possible string combination to a specified length given a charset, does anyone know how this can be done?

thx!

Posted: **Sun Jun 24, 2007 5:35 pm**

GLneo wrote:I'm working on a brute forcer and I have something that can md5 a string, but I need some code that can generate every possible string combination to a specified length given a charset, does anyone know how this can be done?

thx!

Go to google and type in "permutations and combinations".

Posted: **Sun Jun 24, 2007 5:45 pm**

On second thoughts, if you have a string six characters long, and the 127 ascii characters, there will be something like:

668665319100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

possible strings. So, even with a modern processor, your program would probably be running for a few milenia before it completed.

Posted: **Sun Jun 24, 2007 5:56 pm**

theres 26 lower letters and ill only goto about 5 or so before i find the pass ( at least in my case ), so thats ... carry the one ... : ~ 1.5 million trillion, thanks for the point in the right direction

, but still doesnt help me do it in c

p.s. how do other crackers do it in like a few days?

Posted: **Sun Jun 24, 2007 6:17 pm**

EDIT: Try Cain & Abel -- Best password cracker ever

This would completely freeze your system on a slower machine because of all of the for loops, but you could try:

Code: Select all

#include <stdio.h>
void calc( int length )
{
	int a, b, c, d, e;
	a = b = c = d = e = 0;
	int x = -1;
	char md5[5];
	
	int i;
	for ( i = 0; i < 5; i++ ) /* Clear the hash string */
		md5[i] = '/0';
	
	for ( x = 0; x < length; x++ )	/* Main loop how long is our string? */
	for ( a = 0; a < 127; a++ )	/* All possible values for first char */
	{
		md5[0] = a;
		//hash();   // Psuedo Code
		//check_against_string;   // Psuedo Code
		printf( "%s\n", md5 );
		for ( b = 0; b < 127; b++ )
		{
			md5[1] = b;
			//hash();   // Psuedo Code
			//check_against_string;   // Psuedo Code
			for ( c = 0; c < 127; c++ )
			{
			md5[2] = c;
			//hash();   // Psuedo Code
			//check_against_string;   // Psuedo Code
				for ( d = 0; d < 127; d++ )
				{
				md5[3] = d;
				//hash();   // Psuedo Code
				//check_against_string;   // Psuedo Code
					for ( e = 0; e < 127; e++ )
					{
						md5[4] = e;
						//hash();   // Psuedo Code
						//check_against_string;   // Psuedo Code
								
						
					}
				}
			}
		}
	}
	
}

Hope that gives you a lead...

--t0xic

Posted: **Sun Jun 24, 2007 6:50 pm**

this just confuses me more

, i would like to enable a infinite crack where i could find all collisions for a giving hash, so unless i didn't understand your code, i don't think that code can do that, i fugue there has to be some way of doing it in like 3 for() loops. hmmm..........

p.s. i like cain + able, but wont help my current situation

Posted: **Sun Jun 24, 2007 7:04 pm**

Code: Select all

bool do_next_sequence(uint8_t *sequence, uint8_t *charset, uint32_t length)
{
	uint32_t x;
	for(x = 0; sequence[x] == chatset_length; ++x)
	{
		if(x == length)
		{
			return false;
		}
		sequence[x] = 0;
	}
	++sequence[x];
	return true;
}

#define SEQUENCE_LENGTH 10
uint8_t *sequence = (uint8_t*)malloc(SEQUENCE_LENGTH);
uint8_t charset = {'a', 'b', 'c'};
memset(sequence, 0, SEQUENCE_LENGTH);
do_next_sequence(sequence, &charset[0], SEQUENCE_LENGTH);
for(uint32_t x = 0; x < SEQUENCE_LENGTH; ++x)
{
printf("%c", charset[sequence[x]]);
}

Posted: **Sun Jun 24, 2007 7:30 pm**

this code doesn't make sense ( or work )

Posted: **Sun Jun 24, 2007 7:31 pm**

My code was just Proof of Concept code, I wouldn't expect it to work =)

Posted: **Sun Jun 24, 2007 7:56 pm**

oops, sorry, wrote it in a rush.

Code: Select all

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>

int32_t do_next_sequence(uint8_t *sequence, uint32_t charset_length, uint32_t length)
{
	uint32_t x;
	for(x = 0; sequence[x] == (charset_length-1); ++x)
	{
		if(x == (length-1))
		{
			return 0;
		}
		sequence[x] = 0;
	}
	++sequence[x];
	return 1;
}

#define SEQUENCE_LENGTH 10

int main(int argc, char *argv[])
{
	uint32_t x;
	uint8_t *sequence = (uint8_t*)malloc(SEQUENCE_LENGTH);
	uint8_t charset[] = {'a', 'b', 'c'};
	memset(sequence, 0, SEQUENCE_LENGTH);

	while(1)
	{
		if(!do_next_sequence(sequence, sizeof(charset), SEQUENCE_LENGTH))
		{
			break;
		}
		for(x = 0; x < SEQUENCE_LENGTH; ++x)
		{
			printf("%c", charset[sequence[x]]);
		}
		printf("\n");
		//sleep(1);
	}
	return 1;
}

Posted: **Mon Jun 25, 2007 11:05 am**

thx!, thats exactly what i want! i took me about 10 minutes to get it

Posted: **Mon Jun 25, 2007 1:32 pm**

well, now i need more help, during the md5 hash calculations it takes the output ( unsigned char digest[16]; ) then converts each unsigned char in to 2 hex digits like this: [243] = [F][3], in the following fashion:

Code: Select all

for (x = 0; x < 16; ++x)
    sprintf(hex_output + x * 2, "%02x", digest[x]);

now what i need is a way to convert the 32 hex output back into the original 16 unsigned char's

is there a simple way of doing this???

thx!

Posted: **Mon Jun 25, 2007 1:54 pm**

not sure if this works, but here it goes.

Code: Select all

char digest[16];
for(int i = 0; i < 16; i++) {
    sscanf(&hex_output[i*2], "%2x", &digest[i])
}

Posted: **Mon Jun 25, 2007 2:52 pm**

thx!, that works great!, now my cracker is 3.26 times faster! back to more optimizing...

Posted: **Mon Jun 25, 2007 4:20 pm**

well for anyone who wants it this is what i've been working on:

Code: Select all

#include "md5.h"
#include <math.h>
#include <time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int do_next_sequence(char *sequence, int charset_length, int length);

int main(int argc, char *argv[])
{
    int x, len, t;
    clock_t start,end;
    float dif;
    int loops = 0;
    char *sequence;
    char *message;
    char temp[2];
    char charset[] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', \
                        'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',\
                         'w', 'x', 'y', 'z'};  // lower_alpha
    
    md5_state_t state;
	md5_byte_t digest[16];
	unsigned char raw_inhash[16];
	
	if( argc < 3 )
        return 1;
    
    len = atoi( argv[2] );
    sequence = (char *)malloc( len );
    message = (char *)malloc( len );
    memset(sequence, 0, len);
    
    for(t = 0; t < 16; t++)
    {
        sscanf(&argv[1][t*2], "%2x", &raw_inhash[t]);
    }
    
    start = clock();
    while( do_next_sequence(sequence, sizeof(charset), len) )
    {
        sprintf(message, "%c", charset[sequence[0]]);
        for(x = 1; x < len; ++x)
        {
            sprintf(temp, "%c", charset[sequence[x]]);
            strcat(message, temp);
        }
        
        //   START md5 string: input message
        md5_init(&state);
        md5_append(&state, (const md5_byte_t *)message, len);
        md5_finish(&state, digest);
        //   END md5 string: output digest
        
        loops++;
        if( memcmp( raw_inhash, digest, 16 ) == 0 )
        {
            end = clock();
            dif = (end - start);
            dif /= CLOCKS_PER_SEC;
            printf("Collision Found!: %s is : %s\n  Cracking took: %.2lfs\n  Average h/s: %.2f h/s\n", argv[1], message, dif, (loops / dif));
            system("pause");
            return 0;
        }    
        
    }
    puts("No collision Found\n");
    system("pause");
    return 1;
}

int do_next_sequence(char *sequence, int charset_length, int length)
{
   int x;
   for(x = 0; sequence[x] == (charset_length-1); ++x)
   {
      if(x == (length-1))
      {
         return 0;
      }
      sequence[x] = 0;
   }
   ++sequence[x];
   return 1;
}

that "while" loops 433k times a second, so if you see even the slightest way to make it faster ( or convert it to ASM

) it will help me alot!

thx!

OSDev.org

brute forcer

brute forcer

Re: brute forcer