Dictionary attack

Phrodom
10 years ago | edited 10 years ago

2

I finished that level yesterday when I found that I had looked way too deep. I was trying to bruteforce with a C# program but it was way too long for the password and I had too many possibilities in both the username and the password. One of my friends found an algo to reverse the hash (pretty brilliant btw!) and again, too many possibilities and too long (but shorter than brute force). That’s when I found the thing that made me look stupid ;)

Anyway, I came back to my leftover code to finish it and I had the idea to make a dictionary attack on it. I combined about all the dictionaries I could find on http://www.insidepro.com/dictionaries.php into one big file. My algo to crack it is pretty simple:

setting = 7 for username and 9 for password:
```
using System;
using System.IO;

class Cracker
{
    // Alphabet of the level's hash: IndexOf gives 0..61, so each character adds 1..62.
    static readonly string alpha = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    static int setting = 7;   // 7 for the username hash, 9 for the password hash
    static long hash;         // target hash, the value stored by the level

    static void Main(string[] args)
    {
        // usage: Cracker <7|9> <target hash>
        setting = int.Parse(args[0]);
        hash = long.Parse(args[1]);
        bool found = false;
        using (StreamReader r = File.OpenText("completeEnglish.txt"))
        {
            string password;
            // Hash every line of the wordlist; keep going after a hit, this hash collides a lot.
            while ((password = r.ReadLine()) != null)
            {
                if (makehash(password, setting) == hash)
                {
                    Console.WriteLine(password);
                    found = true;
                }
            }
        }
        if (!found)
            Console.WriteLine("Not found");
        Console.ReadLine();
    }

    // hash = hash * mult + (index of the character in alpha) + 1; a character not in alpha adds 0.
    public static long makehash(string str, int mult)
    {
        long hash = 0;
        for (int j = 0; j < str.Length; j++)
            hash = hash * mult + alpha.IndexOf(str.Substring(j, 1)) + 1;
        return hash;
    }
}
```

Anyway, I managed to get through all of them with that! Usernames and passwords! And it doesn’t even take 10 minutes! I am really proud!! :P

26 replies | 7 voices | 464 views
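The attack in the post above, written out as an added example (this is not Phrodom’s C# program and not code from the level): the same polynomial hash run over a wordlist, with a handful of mangling rules of the kind a wordlist-rules engine applies, reporting every match rather than stopping at the first one because a hash with only 62 symbol values and a multiplier of 7 or 9 collides easily. The 62-character alphabet is assumed from the reverseHash code posted later in this thread; the wordlist, the mangling rules and the two target hashes are constructed here so the script runs offline.

```python
import sys
from typing import Iterable, List

# Alphabet assumed from the reverseHash code posted in this thread (62 symbols).
ALPHA = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Multipliers stated in the thread: 7 for the username hash, 9 for the password hash.
USER_MULT, PASS_MULT = 7, 9


def makehash(s: str, mult: int) -> int:
    """Polynomial hash from the posted C# makehash: h = h * mult + index(ch) + 1.

    A character outside ALPHA behaves like C# IndexOf == -1 and contributes 0.
    """
    h = 0
    for ch in s:
        h = h * mult + ALPHA.find(ch) + 1
    return h


def mangle(word: str) -> Iterable[str]:
    """Yield the word plus rule-based variants (case changes, digit suffixes).

    The rules are a small constructed set, the kind of thing a wordlist-rules
    engine does; they are not the rules of any particular tool.
    """
    bases: List[str] = []
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        if base not in bases:
            bases.append(base)
    for base in bases:
        for suffix in ("", "1", "123", "666", "1234"):
            yield base + suffix


def dictionary_attack(target: int, mult: int, words: Iterable[str]) -> List[str]:
    """Return every candidate whose hash equals target.

    All matches are kept, not just the first: the hash is far from injective,
    so the real word may not be the first candidate that hits.
    """
    hits: List[str] = []
    for word in words:
        word = word.strip()
        if not word:
            continue
        for cand in mangle(word):
            if makehash(cand, mult) == target and cand not in hits:
                hits.append(cand)
    return hits


# Constructed sample wordlist (stand-in for the big combined dictionary file).
WORDS = ["password", "dragon", "letmein", "monkey", "qwerty", "secret"]

# Constructed targets: computed here from chosen answers so the run is reproducible.
USER_TARGET = makehash("monkey", USER_MULT)
PASS_TARGET = makehash("Dragon123", PASS_MULT)


def main(argv: List[str]) -> int:
    """usage: crack.py [wordlist]  (one candidate per line; defaults to WORDS)"""
    words = WORDS
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="ignore") as f:
            words = [line.rstrip("\n") for line in f]
    for label, target, mult in (("username", USER_TARGET, USER_MULT),
                                ("password", PASS_TARGET, PASS_MULT)):
        hits = dictionary_attack(target, mult, words)
        print(f"{label} {target}: {hits if hits else 'Not found'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a real wordlist path as the first argument to reproduce the attack from the post; the point of keeping every hit is visible as soon as the wordlist is large, because several unrelated candidates will land on the same value.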
[deleted user]
10 years ago

0

Well Phrodom, good for you. There is a much simpler way but that’s what this site is all about. All the different ways to pass a level. It’s the same in the real world too. More than one way to do a hack. :)

Phrodom
10 years ago

1

Ahahaha yeah I know, I passed it the simpler way, I did this just for practice :P
As I already knew the username and password, I was able to verify my answer while I was testing my code.

[paulau]
10 years ago

0

If your C# program works, can you share it in the tools section? eheh :p

Phrodom
10 years ago

0

Sure, but it actually only works for the hash encryption of the “real level 3”. Could be useful though.

[deleted user]
10 years ago

0

Is the above code only for Real Level 3? And thanks for sharing this @Phrodom

midnightclub2
10 years ago

0

just a hint :) (before i sleep).

work on the math of the hash encryption. BIG HINT: >> BASE 7!! MUHAHA XD

Reply has been removed
Phrodom
10 years ago

0

@tlotr, same answer as in the other post ;)
@midnightclub2, I made a reverse algo but it takes a long time because you can always have more than one solution for each hash. Trying all of them is hard in this case. Using a dictionary attack you only get the good words.

[deleted user]
10 years ago | edited 10 years ago

-1

All you have to do is read the source code on the level. If you copy the link address to the Login Page you get this:
https://www.hackthis.co.uk/levels/extras/real/3/login.htm
Okay so what to do next? Read the source code it tells you a lot.
Going to put this in a spoiler, so if you don’t want to read it then don’t.

Scroll down and you will see;

So they are using javascript eh?
So click it and see what happens? Because when you click the link you get:

```
m[m.length]=new Array("66913","78323683","Ksrg","/oiAguA/ykdp/8?rF=xhyvAttm");
m[m.length]=new Array("644543","859223813","Krteb","/ohCeux/rlho/6?ww=wjwzohhw");
m[m.length]=new Array("16130","78323683","Osqqrxz","kxyr://FED.mrslnn.kvs");
```

Well how does this help? “I hear you ask”. Well it tells me that they are using a link to a javascript file: login.js

So once again look at the source of the login.html file we see this:
if(f.length==0) { alert(“Member Not Found”); return; };

You also see this:

So they are looking for ‘mem’? So I tried: https://www.hackthis.co.uk/levels/extras/real/3/mem.js
No thats a 404 error.

Next I tried this, where it says Member Not Found. So let’s try member.
So I tried:
https://www.hackthis.co.uk/levels/extras/real/3/member.js
No thats a 404 error too..

Next I tried:
https://www.hackthis.co.uk/levels/extras/real/3/members.js
and guess what I get??

```
m[m.length]=new Array("","","","/levels/real/3?pw=");
m[m.length]=new Array("","","","/levels/real/3?pw=");
m[m.length]=new Array("","*","**","http://www.google.com");
```

So all I needed to do was try them one after the other until one worked.

That’s how I did the level. :)

P.S. If this is a bit too close to giving it away then moderator or flabby please remove it all. :)

Phrodom
10 years ago

0

Yop, that’s pretty much how I did it too! Then I came back and tried to make a dictionary attack algo :P and I managed to make one so I am proud :P
I finished all the levels except the last 2 crypt level so I am trying other way to do those kind of levels :P

[deleted user]
10 years ago

0

That’s cool Phrodom good for you and ‘yes’ be proud at least you are trying different things and most of all ‘Learning’ Not like some who only want the answers. More power to you mate! :)

Phrodom
10 years ago

0

Ahaha thanks, you too mate!

I have a server at home so the more I know how to hack, the less chance I have of getting hacked :P

midnightclub2
10 years ago | edited 10 years ago

0

Ah, nice guessing there :) Unfortunately I went to decrypting the hash instead :/

But that itself wasn’t too difficult actually, it’s more or less just math :) dictionary attack / brute force is probably OP imo

  1. write the recurrence relation for the var hash.
  2. since you know the mult, you can write out the eventual hash as f(n) + g(n, x1, x2, x3, … , xn)
    The functions f and g and x1, x2, … , xn are for you to work out, though feel free to pm me if you want some hints
  3. eventually, you will realise that function g has a trivial solution –> thats where my base 7 (for username) hint from my previous post comes from :)
  4. as a result, i was able to construct one of the solutions using from the letters a to g for username (since its base 7 remember?)
  5. from that solution, you can easily generate more solutions, but thats unnecessary for this level.

edit: all of this can be done using pen, paper, and a decent scientific calculator :)

Would like to know what other decryption methods you guys have :)

Phrodom
10 years ago

0

I am not sure that i understand your solution but it seems really brilliant. Can you PM me the solution more detailed?

This is my reverse for username Hash algo. I think it’s similar to your solution:

```
public static string reverseHash(long hash)
{
    // Alphabet of the level's hash; each character is worth its index + 1.
    string alpha = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    string line = "";
    if (hash <= 0)
        return line;

    // Peel off the last character: take the smallest i such that hash - (i + 1)
    // is a multiple of 7 (the username multiplier). Among 7 consecutive values
    // one always is, so i stays below 7 and alpha[i] never goes out of range.
    long tmp;
    int i = 0;
    do
    {
        tmp = hash - i - 1;   // alpha.IndexOf(alpha[i]) + 1 is just i + 1
        i++;
    } while (tmp % 7 != 0);

    line += alpha[i - 1];
    // The rest of the hash belongs to the prefix; decode it and append this character.
    return reverseHash(tmp / 7) + line;
}
```

I do not take all the credit for this code, it’s my friend who found the basic idea, I just corrected the errors in his algo.
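An added example (not code from midnightclub2, Phrodom or the level) that covers both the recurrence-based method in the numbered steps above and the reverseHash just posted: the hash is h = h_prev * mult + v with v = index + 1 in 1..62, so read backwards the last character must satisfy v ≡ h (mod mult) and the prefix hash is (h - v) / mult. reverse_greedy takes the smallest such v each step, which is what the posted reverseHash does for mult = 7; preimages enumerates every valid v at every step, which is where the “more than one solution per hash” comes from. It is written for any multiplier, not only 7. The 62-symbol alphabet is assumed from the posted reverseHash (without its duplicated tail); the targets are constructed.

```python
from typing import Iterator, List

# Alphabet assumed from the reverseHash posted above (62 symbols).
ALPHA = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def makehash(s: str, mult: int) -> int:
    """Forward hash from the thread: h = h * mult + index(ch) + 1 (raises on a char outside ALPHA)."""
    h = 0
    for ch in s:
        h = h * mult + ALPHA.index(ch) + 1
    return h


def reverse_greedy(target: int, mult: int) -> str:
    """One preimage, built right to left, the way the posted reverseHash works.

    If h = h_prev * mult + v with v in 1..62, then v ≡ h (mod mult) and
    h_prev = (h - v) / mult. Greedy takes the smallest such v at every step,
    so it always terminates but returns only one of possibly many strings.
    """
    out: List[str] = []
    h = target
    while h > 0:
        v = h % mult or mult          # smallest v in 1..mult with (h - v) % mult == 0
        if v > len(ALPHA):            # only possible for mult > 62; kept as a guard
            raise ValueError("no symbol value fits this residue")
        out.append(ALPHA[v - 1])
        h = (h - v) // mult
    return "".join(reversed(out))


def preimages(target: int, mult: int, max_len: int = 10) -> Iterator[str]:
    """Every string of length <= max_len over ALPHA with makehash(s, mult) == target.

    At each step any v in 1..62 with v ≡ target (mod mult) and v <= target is a
    valid last character, not just the smallest one, which is why there are far
    more solutions than the greedy walk shows.
    """
    if target == 0:
        yield ""
        return
    if max_len == 0:
        return
    for v in range(1, len(ALPHA) + 1):
        rest = target - v
        if rest < 0:
            break
        if rest % mult == 0:
            for prefix in preimages(rest // mult, mult, max_len - 1):
                yield prefix + ALPHA[v - 1]


def count_preimages(target: int, mult: int, max_len: int = 10) -> int:
    """Number of strings of length <= max_len that hash to target."""
    return sum(1 for _ in preimages(target, mult, max_len))


if __name__ == "__main__":
    t = makehash("abc", 7)                      # constructed username-style target (= 66)
    print("greedy:", reverse_greedy(t, 7))
    print("all   :", list(preimages(t, 7)))
    # A six-character target shows the blow-up the thread talks about.
    t6 = makehash("secret", 7)                  # constructed
    print("preimages of", t6, "up to 6 chars:", count_preimages(t6, 7, max_len=6))
```

The greedy walk is exactly the posted C# (the `tmp % 7 != 0` loop is the search for the smallest residue), so it is fast but it hands back whatever string the smallest residues spell, which is normally not a word; the full enumeration is what a brute force over this hash really has to consider, and restricting it to a wordlist is the dictionary attack from the first post.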

midnightclub2
10 years ago

0

hey Phrodom, from the looks of this line tmp % 7 != 0, yeah i think we are using the same concept :)
just that i start from a basic solution and build up, whereas you can generate all in one go with the program :)

Phrodom
10 years ago | edited 10 years ago

0

Yep exactly, but in my actual solution, I get the first result only, which looked something like “eefjg” from “66913” (may not be exact, it’s from memory) and my goal was to find exactly “Admin”, so I figured that using a dictionary attack instead would give me only the human-word possibilities (“Admin” included in all the possibilities). I also did an algo that calls this one until I get all possible results and I found waayyyyyyy too many possibilities just for “66913”, so imagine “644543” and “859223813” :P

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

@Phrodom: Please don’t be too specific about username / password. I mean, don’t write it down.

midnightclub2
10 years ago

0

I’m not sure, but in real life, people may not put dictionary words as passwords, and there comes the brute force (oh gawd, but from a refined set of possibilities :D ).

Phrodom
10 years ago

0

@freewind1012 true! Thanks! I wasn’t sure about the “spoiler” tag. I found it :P

@midnightclub2 In real life, 99% of people use passwords that are easy to find by knowing a little about them (like NameDDMM, or Name666, etc.) so with a good dictionary and a good algo (John the Ripper) you can find them almost every time. The 1% of people left are well protected because most of the time there is always an easier flaw than the password. For example, I went to a shop today, and I noticed that there is a key lock on the automatic door that seems pretty secure. But then I figured that if I really wanted to enter the shop, why bother picking the lock when I could just throw something through the big window of the automatic door! :P

[IAmDevil]
10 years ago

0

Ok guys shouldn’t one of these threads be closed!

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

I was wondering where I should post this: here or there. Because it relates to Real Level 3 so…

@Phrodom: Instead of brute-forcing from a dictionary, I found another programming method to solve this level a long time ago. I was too lazy to convert it to other versions (JavaScript / PHP…). Check it out.

midnightclub2
10 years ago | edited 10 years ago

0

freewind: just a question: what is the purpose of

[quote=author]
```
(let [link "kwAp://FBw.ohfnAhrx.cv.Bn/olvnqs/ya.skw?pF=xhllsuBln"
      hash (get-hash 9 link "http://www.hackthis")]
  (decrypt-link link hash))

(let [link "kxyr://FED.mrslnn.kvs"
      hash (get-hash 8 link "http://www.go")]
  (decrypt-link link hash))
```
[/quote]

at the end of the code?

Phrodom
10 years ago

0

In the real level 3, when you look at the javascript “check” method, after it hashes what you give as username and password and compares whether it’s the same as what they have, it goes through an algorithm that decrypts (based on what you give) the link saved in m[][]. I think that what this does is that it first bruteforces the usernames and passwords and then decrypts the link directly instead of bruteforcing the username and password and putting them into the site of real level 3. I did not test it but I am pretty sure that you can pass the level by just going directly to the link in m[][].

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

@Phrodom: Your guess is right. After submitting username and password, we are redirected to another page with a parameter in the URL. HackThis!! uses this convenience to decide if you can pass the level. Therefore, if you figure out the right URL, you can access it directly to complete Real Level 3.

midnightclub2
10 years ago

0

I like this discussion :) Isn’t this a great community?

Phrodom
10 years ago

0

Yep really! It’s really instructive!

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

@midnightclub2: The programmer was trying to decrypt some encrypted URLs with his assumptions. According to his code:

kxyr://FED.mrslnn.kvs is a URL which begins with http://www.go
kwAp://FBw.ohfnAhrx.cv.Bn/olvnqs/ya.skw?pF=xhllsuBln is a URL which begins with http://www.hackthis

If he decrypted the second URL right, he could type it in the URL bar, hit enter and complete the level.
