  1. #1
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    9

    Hash Function: possible to brute force?

    I've got a piece of JavaScript code that seems to be creating a primitive hash. My task is to find what password will compute to the hash shown (part of a hacking competition my friends and I are having amongst ourselves on our own web apps). Is there any way to reverse it through JS (probably not since hashes are one-way)? If not that, does anyone know of a way of constructing a brute forcer (in JS, Perl, PHP, etc.) to try combinations until finding it? I got a preliminary one running in PHP but I can't load my dictionary file into it (too much memory). Any ideas are great!

    Code:
    function submitentry()
    {
         password = document.password1.password2.value.toLowerCase()
         username = document.password1.username2.value.toLowerCase()
         passcode = 1
         usercode = 1
         for (i = 0; i < password.length; i++)
         {
              passcode *= password.charCodeAt(i);
         }
         for (x = 0; x < username.length; x++)
         {
              usercode *= username.charCodeAt(x);
         }
         if (usercode==201147083280000 && passcode==2170888043757300)
         {
              window.location=password+"URL REMOVED"
         }
         else
         {
              alert("password/username combination wrong")
         }
    }
    edit: formatted the code a bit to make it look prettier and a bit easier on your eyes :-)
    Last edited by LoganK; Mar 2, 2007 at 13:59.

  2. #2
    SitePoint Wizard
    Join Date
    Nov 2004
    Location
    Nelson BC
    Posts
    2,310
    Figuring out the characters shouldn't be too hard, but the order of the characters isn't easily findable.

    If you start with a known character set, you can eliminate any character whose charcode is not an even divisor of (usercode) or (passcode). That should take out a lot of the guesswork. For example, I ran a test and, assuming the username and password are only using 0-9,A-Z,a-z and space, the username can only possibly be comprised of
    [ 0247ABEHKNPWXZcdehnstux]
    and the password [126EFKTZabdegils]

    I think the password might be some combination of [1EaeegFZ] (when you multiply the codes for those together you get the passcode, there ARE other combinations though)

  3. #3
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    9
    I'm glad the list of possible password characters is less than the username, since I only need to know the password as indicated by the redirect URL. I'll focus on solving it for the time being. I really like your technique of finding out the possible characters: I would've never thought of it; that's why I asked for some help from some smart guys like you! Just out of curiosity, what sorts of tests did you run to determine the information you did find? I may be able to take them and adapt them for my needs, or at least find some insight in them! Thanks!

  4. #4
    SitePoint Wizard
    Join Date
    Nov 2004
    Location
    Nelson BC
    Posts
    2,310
    Here's the (ugly) code I wrote to mess around. It's extremely incomplete though. Basically once the page loads you select a character set and click the narrow down button to display the possible combinations. Then you start entering allowed characters into the [hack attempt] boxes - the goal is to get the username/password code down to exactly 1.

    have fun
    Code:
    <html>
    <head>
    <script type="text/javascript">
    var charsets = [];
    charsets[0] = [32,48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122];
    var initusercode;
    var initpasscode;
    var tempusercode;
    var temppasscode;
    
    function getCharList() {
    	var cs = charsets[document.getElementById("charset").value];
    	if (!initusercode) {
    		initusercode = Number(document.getElementById("usercode").value);
    		tempusercode = initusercode;
    	}
    	
    	var out = document.getElementById("possuser");
    
    	out.value = "";	
    	for (var i=0; i < cs.length; i++) {
    		if (tempusercode % cs[i] == 0) {
    			out.value += String.fromCharCode(cs[i]);
    		}
    	}
    
    	if (!initpasscode) {
    		initpasscode = Number(document.getElementById("passcode").value);
    		temppasscode = initpasscode;
    	}
    	var out = document.getElementById("posspass");
    
    	out.value = "";	
    	for (var i=0; i < cs.length; i++) {
    		if (temppasscode % cs[i] == 0) {
    			out.value += String.fromCharCode(cs[i]);
    		}
    	}
    
    
    }
    function keyed(thing) {
    	var initCode;
    	var code;
    	var pchars;
    	var chars;
    	var hack;
    	if (thing == "user") {
    		initCode = initusercode;
    		code = document.getElementById("usercode");
    		pchars = document.getElementById("possuser"); 
    		chars = pchars.value;
    		hack = document.getElementById("hackuser");
    	} else if (thing == "pass") {
    		initCode = initpasscode;
    		code = document.getElementById("passcode");
    		pchars = document.getElementById("posspass"); 
    		chars = pchars.value;
    		hack = document.getElementById("hackpass");
    	}
    	
    	var tempCode = initCode;
    	
    	for (var i=0; i < hack.value.length; i++) {
    		tempCode /= hack.value.charCodeAt(i);
    	}
    	code.value = tempCode;
    
    	if (parseInt(tempCode) != tempCode) {
    		hack.style.backgroundColor = "red";
    	} else {
    		hack.style.backgroundColor = "";
    	}
    
    
    	if (thing == "user") {
    		tempusercode = tempCode;
    	} else if (thing == "pass") {
    		temppasscode = tempCode;
    	}	
    
    	getCharList();
    }
    
    </script>
    </head>
    <body>
    initial character set: 
    <select id="charset">
    <option value="0">0-9 A-Z a-z [space]</option>
    </select><br>
    username code:<input type="text" id="usercode" value="201147083280000"> possible characters:<input type="text" id="possuser"> hack attempt:<input type="text" id="hackuser" onkeyup="keyed('user');"><br>
    password code:<input type="text" id="passcode" value="2170888043757300"> possible characters:<input type="text" id="posspass"> hack attempt:<input type="text" id="hackpass" onkeyup="keyed('pass');"><br>
    <button onclick="getCharList();">narrow down</button>
    </body>
    </html>

  5. #5
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    9
    I definitely will have fun! ;-) It's a very nice program! Quick question: while perusing the code again I noticed that the JS converts the pass entered to lowercase - wouldn't that effectively negate any capital letter possibilities since, when lowercased, they'd no longer have the same charcode? So, wouldn't that mean that the only possible letters for the password are now: 126abdegils

    Thanks again!

    Edit: it may not have been only A-Za-z0-9 - the only recognizable word that I got out of the letters (ignoring capitals according to above) was "eagles"; typing that left me with only one possible character (1), but "eagles1" left the hash at 35 or so. By adding a pound sign # (eagles#1) it got down to exactly one. Now, does that mean that that's the right phrase, or just that combination of characters?

    Edit 2: I got the username and password combo! User turned out to be "student" and pass "eagles#1". Thanks for all your help! I'll definitely be coming back to these forums, and probably participating more when I get some more time.

  6. #6
    SitePoint Wizard
    Join Date
    Nov 2004
    Location
    Nelson BC
    Posts
    2,310
    Looks like you sorted it all out yourself

    Good job, glad I could help, was fun.
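
Added example, not part of any post in the thread: it re-runs the check from post #1 to show why a product of character codes is not a hash. It leaks the character set through divisibility, ignores character order, and accepts strings that are not even anagrams. The helper names and the colliding string `eagies$1` are constructed for illustration; the two targets and the character set come from the thread.

```javascript
// Targets copied from submitentry() in post #1.
const USER_TARGET = 201147083280000n;
const PASS_TARGET = 2170888043757300n;

// Character set assumed in post #2: space, 0-9, A-Z, a-z.
const ALNUM_SPACE =
  " 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

// Same computation as submitentry(): lowercase, then multiply the char codes.
// BigInt keeps the product exact even for inputs longer than those in the thread.
function productCode(text) {
  const lowered = text.toLowerCase();
  let code = 1n;
  for (let i = 0; i < lowered.length; i++) {
    code *= BigInt(lowered.charCodeAt(i));
  }
  return code;
}

// Post #2's filter: a character can occur only if its code divides the target.
function candidateChars(target, charset) {
  return [...charset]
    .filter((ch) => target % BigInt(ch.charCodeAt(0)) === 0n)
    .join("");
}

// Post #5's observation: toLowerCase() runs before the product is taken,
// so uppercase candidates can never contribute their own code.
function reachable(chars) {
  return [...chars].filter((ch) => ch === ch.toLowerCase()).join("");
}

function demo() {
  const all = candidateChars(PASS_TARGET, ALNUM_SPACE);
  return {
    all,                                   // candidates before the lowercase step
    lowerOnly: reachable(all),             // candidates that survive toLowerCase()
    user: productCode("student") === USER_TARGET,
    real: productCode("eagles#1") === PASS_TARGET,
    anagram: productCode("1#selgae") === PASS_TARGET,    // order is ignored
    nonAnagram: productCode("eagies$1") === PASS_TARGET, // 105*36 == 108*35
  };
}

console.log(demo());
```

Every string that multiplies out to the target passes the comparison, but the redirect in post #1 builds the URL from the typed password, so a colliding string is sent to a different address than `eagles#1`.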

