Brute Forcing And Word List Attack Vector

So in my last post I mentioned brute forcing. I was going to add a password brute force function to try and get into a access point. Well, android doesn’t support the iwconfig command even rooted, so that would be have to be done in java (C++ if using the NDK). Even though I do develop Android apps, my focus here on my blog is in python.

As promised, I am going to go over brute forcing. What is brute forcing? It is when you try every combination of letters and numbers as a password. By doing this, you can break %100 of all passwords. There is a catch though. It can take a very long time and use exponential amounts of computing power. Brute forcing technical term would be permutation of combinations. You can find the background and technical stuff here and here.

What’s the difference between permutations and combinations? Well, a combination will give you every possible way you can group letters and numbers, but it also needs to know how many different combos you want to try. You can group 4 letters into 2’s or 3’s or 4’s. Example 3’s: abcd-> abc, abd, acd, bcd.

What if we needed all the letters in every order they could be in? This is where permutations come in. We need permutations of the combinations in order to get every single last way we could order, combine, and use the letters ever. Example of permutations of abcd with out the combinations: abcd, abdc, adbc, dabc, etc….

You might be thinking, it looks like permutations already does all the possible letter combinations. Well, yes it does, but that is if we have a fixed length of letters, and only 4 different letters to work with. Permutations of abcd isn’t going to contain z or x in it, nor will it give you just 2 combinations of all the letters. This is why we need to do permutation of ever combination we can.

Below is a script that will generate a word list with the supplied characters you give it, and a max length of combinations to try. When I say max length, I mean it will start combining letters from a group of two and work its way up to the max value specified. I.E. abcd-> ab, ac, ad, …. cba, adc, adb, …. dcba, acbd, cbda, etc… Be warned though, the list will grow very quick with large values. On my system 4Gb RAM, Dual Core 2GH each, 64bit Windows 7 it took 30 minutes to generate a text file of  15Gb, and still was not finished generating the list. I was of course trying to do a list of all the letters of the alphabet(lower case) with a length of 7 characters long. I started out by putting all the words into a list instead of writing to a file, but that raped my memory and would crash every time around 3.7Gb of memory being used. The garbage collector would not keep up, even with the forcing of deleting objects on my part.

So before you get too bored reading this here is the script:

import itertools, sys
def combList(charString, maxLength):
    """Genorate inital word list. This is just diff combinations"""
    #var to keepmtrack of how many times we've been through the loop
    times = 0
    #list to hold combinations
    poss = []
    for iteration in range(maxLength):
        #Use try statment to make sure the max length isn't longer
        #than the characters we're going to use
        try:
            #Iter genorator for combos
            comb = itertools.combinations(charString,times+1)
        except ValueError:
            print "Character string larger than max lenght\nplease try again"
            sys.exit()

        #Genorator gives tuple with seporated values ex: ('w','o','r','d')
        for word in comb:
            #join tupe as string and add to list
            s = ''.join(word)
            poss.append(s)
        times += 1

    return poss

def permList(combinations):
    """Genorates permutations of the genorated combonation list"""
    #going to write ultimate list to a file
    #if not, you can run into virtual memory errors if the list gets above 4Gb
    f = open("wordlist.txt","w")
    #var to hold how many words we have
    x = 0
    for word in combinations:
        #loop through combonations and genorate a list of all
        #possable ways to combine letters
        permutation = itertools.permutations(word)
        for permWord in permutation:
            f.write(''.join(permWord)+"\n")
            x += 1
        #del used permutation to free up some memory
        #not so much needed, but this script will rape memory if
		#appending to a list insteady of writing to a file
        del permutation
    #always close file handles
    f.close()
    return x

def main():
    """Main program, gets user info and computes the lists"""
    ch = raw_input("characters to try: ")
    num = input("max length: ")
    combo = combList(ch,num)
    print "list genorated"
    print "doing wordlist now"
    permTotal = permList(combo)
    f = open("wordlist.txt","r")
    print "working..."
    for i in range(permTotal+1):
        word = f.readline().strip()
        #This is where you would be doing the actule brute forcing
        #you could try and log into a website or crack a password protected
        #zip file, genorate md5's and crack a password dump
        #if linux, brute force WPA wifi with iwconfig
        #and any thing else you might need for a password
        print word
    f.close()
    print "done\n"
    raw_input(".....")

main()

Some issues with this method are that it is VERY processor heavy. Yeah it can be done on the GPU like hashcat, but the straight brute force is unreasonable. Other faults include the more characters you try, such as 8-10 password lengths, the longer it will take. Not to mention if the password is cAMel CaSeD and uses $p3c@l characters. That increases processing load 50 fold or more and will gangbang your memory.

A better option would be to generate a “tailored” wordlist. Like one full of birthdays, and 1337 speak. Other methods could be to gather information first, like crawling face book for significant names, dates, cars, hobbies and the like. People are very bad about choosing something easy to remember, like their favorite sports team followed by their favorite players jersey number or something.

The best method I have seen was at Hack3rcon in my home town last year. PureHate gave the lecture and was using hashcat and custom rule-sets to break hundreds of md5’s in 20 minuets. The video is posted at irongeek.com, but I will embed the vide from vimeo here.

Well, I hope you guys learned something. It was a lot of fun writing the script and figuring out how brute forcing works myself. I might extend the program and give it rules and turn it into something other than a teaching tool, but meh we’ll see.

Any way, thanks for reading and enjoy the video.