|
Viper 1.4 - Cracking UNIX Passwords Brute Force |
|
When I was trying to understand the insecurity of UNIX passwords, I looked for simple password cracking software as an example. Sure, there was the famous Crack, but I found Hale's viper.pl more readable. I wanted to improve the code to measure and print performance and time estimates for brute force attacks, so I contacted Hale about my ideas including re-writing his program in 'C' for maximum speed. |
good reading material about them is <here>. After that, writing a password cracker is not that hard. The basic design of a brute-force password cracker is a loop in which we continuously compute password hashes from incremented password strings of a generic character set - and compare the result to the real password hash until they match. Lets assume the password just contains lowercase letters from 'a' through 'z', we would start hashing and comparing: |
 Console screenshot of viper |
|
I wanted to know how long it takes to check for every possible password combination on different computing platforms, for different character sets and for different password lengths. The results were highly interesting! But first, we need to look into more details how passwords work and how they are generated. Concentrating on UNiX passwords, |
'a', 'b', 'c', 'd'... 'w', 'x', 'y', 'z', then ... continuing to the maximum password length until we find the 'winning' combination. The faster it runs the better, because simple math tells us how many password string <page 2> |
   |