Hash Function: possible to brute force?

**LoganK** · Mar 2, 2007 12:23

I've got a piece of JavaScript code that seems to be creating a primitive hash. My task is to find what password will compute to the hash shown (part of a hacking competition my friends and I are having amongst ourselves on our own web apps). Is there any way to reverse it through JS (probably not since hashes are one-way)? If not that, does anyone know of a way of constructing a brute forcer (in JS, Perl, PHP, etc.) to try combinations until finding it? I got a preliminary one running in PHP but I can't load my dictionary file into it (too much memory). Any ideas are great!

Code:

function submitentry()
{
     password = document.password1.password2.value.toLowerCase()
     username = document.password1.username2.value.toLowerCase()
     passcode = 1
     usercode = 1
     for (i = 0; i < password.length; i++)
     {
          passcode *= password.charCodeAt(i);
     }
     for (x = 0; x < username.length; x++)
     {
          usercode *= username.charCodeAt(x);
     }
     if (usercode==201147083280000 && passcode==2170888043757300)
     {
          window.location=password+"URL REMOVED"
     }
     else
     {
          alert("password/username combination wrong")
     }
}

edit: formatted the code a bit to make it look prettier and bit easier on your eyes :-)

**jimfraser** · Mar 2, 2007 14:42

Figuring out the characters shouldn't be too hard, but the order of the characters isn't easily findable.

If you start with a known character set, you can eliminate any character who's charcode is not an even divisor of (usercode) or (passcode). That should take out a lot of the guesswork. For example, I ran a test and, assuming the username and password are only using 0-9,A-Z,a-z and space, the username can only possibly be comprised of
[ 0247ABEHKNPWXZcdehnstux]
and the password [126EFKTZabdegils]

I think the password might be some combination of [1EaeegFZ] (when you multiply the codes for those together you get the passcode, there ARE other combinations though)

**LoganK** · Mar 2, 2007 14:56

I'm glad the list of possible password characters is less than the username, since I only need to know the password as indicated by the redirect URL. I'll focus on solving it for the time being. I really like your technique of finding out the possible characters: I would've never though of it; that's why I asked for some help from some smart guys like you! Just out of curiosity, what sorts of tests did you run to determine the information you did find? I may be able to take them and adapt them for my needs, or at least find some insight in them! Thanks!

**jimfraser** · Mar 2, 2007 15:06

Here's the (ugly) code I wrote to mess around. It's extremely incomplete though. Basically once the page loads you select a character set and click the narrow down button to display the possible combinations. Then you start entering allowed characters into the [hack attempt] boxes - the goal is to get the username/password code down to exactly 1.

have fun

Code:

<html>
<head>
<script type="text/javascript">
var charsets = [];
charsets[0] = [32,48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122];
var initusercode;
var initpasscode;
var tempusercode;
var temppasscode;

function getCharList() {
	var cs = charsets[document.getElementById("charset").value];
	if (!initusercode) {
		initusercode = Number(document.getElementById("usercode").value);
		tempusercode = initusercode;
	}
	
	var out = document.getElementById("possuser");

	out.value = "";	
	for (var i=0; i < cs.length; i++) {
		if (tempusercode &#37; cs[i] == 0) {
			out.value += String.fromCharCode(cs[i]);
		}
	}

	if (!initpasscode) {
		initpasscode = Number(document.getElementById("passcode").value);
		temppasscode = initpasscode;
	}
	var out = document.getElementById("posspass");

	out.value = "";	
	for (var i=0; i < cs.length; i++) {
		if (temppasscode % cs[i] == 0) {
			out.value += String.fromCharCode(cs[i]);
		}
	}


}
function keyed(thing) {
	var initCode;
	var code;
	var pchars;
	var chars;
	var hack;
	if (thing == "user") {
		initCode = initusercode;
		code = document.getElementById("usercode");
		pchars = document.getElementById("possuser"); 
		chars = pchars.value;
		hack = document.getElementById("hackuser");
	} else if (thing == "pass") {
		initCode = initpasscode;
		code = document.getElementById("passcode");
		pchars = document.getElementById("posspass"); 
		chars = pchars.value;
		hack = document.getElementById("hackpass");
	}
	
	var tempCode = initCode;
	
	for (var i=0; i < hack.value.length; i++) {
		tempCode /= hack.value.charCodeAt(i);
	}
	code.value = tempCode;

	if (parseInt(tempCode) != tempCode) {
		hack.style.backgroundColor = "red";
	} else {
		hack.style.backgroundColor = "";
	}


	if (thing == "user") {
		tempusercode = tempCode;
	} else if (thing == "pass") {
		temppasscode = tempCode;
	}	

	getCharList();
}

</script>
</head>
<body>
initial character set: 
<select id="charset">
<option value="0">0-9 A-Z a-z [space]</option>
</select><br>
username code:<input type="text" id="usercode" value="201147083280000"> possible characters:<input type="text" id="possuser"> hack attempt:<input type="text" id="hackuser" onkeyup="keyed('user');"><br>
password code:<input type="text" id="passcode" value="2170888043757300"> possible characters:<input type="text" id="posspass"> hack attempt:<input type="text" id="hackpass" onkeyup="keyed('pass');"><br>
<button onclick="getCharList();">narrow down</button>
</body>
</html>

**LoganK** · Mar 2, 2007 15:25

I definitely will have fun! ;-) It's a very nice program! Quick question: while perusing the code again I noticed that the JS converts the pass entered to lowercase - wouldn't that effectively negate any capital letter possibilities since, when lowercased, they'd no longer have the same charcode? So, wouldn't that mean that the only possible letters for the password are now: 126abdegils

Thanks again!

Edit: it may not have been only A-Za-z0-9 - the only recognizable word that I got out of the letters (ignoring capitals according to above) was "eagles"; typing that left me with only one possible character (1), but "eagles1" left the hash at 35 or so. By adding a pound sign # (eagles#1) it got down to exactly one. Now, does that mean that that's the right phrase, or just that combination of characters?

Edit 2: I got the username and password combo! User turned out to be "student" and pass "eagles#1". Thanks for all your help! I'll definitely be coming back to these forums, and probably participating more when I get some more time.

**jimfraser** · Mar 2, 2007 16:08

Looks like you sorted it all out yourself

Good job, glad I could help, was fun.

User Tag List

Thread: Hash Function: possible to brute force?

Thread Tools

Display

Hash Function: possible to brute force?

Bookmarks

Bookmarks

Posting Permissions