CSCI 3500: Lab 3

crack - Brute Force Password Cracking

Modern computers overwhelmingly use multi-core architectures. Exploiting this hardware for parallel programming (creating a program that executes simultaneously on more than one processor core) requires the use of multiple threads. We will use one of the most basic threading interfaces, Pthreads, to create a multi-threaded password cracking program.

In this lab, you will:

1. Use crypt() and crypt_r() to guess password hashes
2. Iterate over aribtrary length strings with characters from 'a' to 'z'
3. Create and wait for threads with pthread_create() and pthread_join()
4. Divide work between multiple parallel threads

Parameters

This is a solo assignment. Please do not collaborate with other students on this assignment.

Usage

Description

crack should attempt to find the password associated to the target DES hash. It does this by trying all possible lowercase alphabetic (a-z) passwords of length up to keysize. The program should run with threads concurrent threads for speed.

Linux/Unix user passwords are never stored on the system. Instead, a function called a hash is applied to the password. Then, the hashed password is stored, traditionally in /etc/passwd or more recently in /etc/shadow. The classic hash function on Unix systems is crypt(3). To make things harder on crackers, crypt also uses a two character string called a salt which it combines with the password to create the hash. Schematically:

password + salt => crypt() => hash

The salt is visible in the hash as the first two characters. As an example, a password 'apple' and salt 'na' become the hash 'na3C5487Wz4zw'.

The crack program should extract the salt from the first two characters of target, then repeatedly call crypt() using all possible passwords built of up to keysize lowercase alphabetic characters.

When a match to target is found, the program should print the cracked password and exit immediately. If the entire space of passwords is searched with no match, the program should exit with no output.

Hints

Start by writing a short program that uses crypt() to encrypt a given password and salt. You can also encrypt using the one line perl command: perl -e 'print crypt("apple","na")'

Don't forget to compile with the -lpthread and -lcrypt options.

The maximum allowed keysize is 8 (since crypt only uses the first 8 characters of the password anyway).

You might want to write this first as a single threaded program. Just remember that crypt() won't work with multiple threads - you need to switch to crypt_r().

You need to check passwords of length keysize, but don't forget you also need to check the shorter ones. The simplest way is probably to write a function that checks all passwords which are exactly a given length, and then have main call it in a loop from 1 to keysize.

Useful man pages

pthread_create(3)
pthread_join(3)
pthread_exit(3)
pthread_self(3)
pthread_mutex_init(3)
pthread_mutex_lock(3)
pthread_mutex_unlock(3)
crypt_r(3)
strcmp(3)
strcpy(3)
strncpy(3)

Questions

1. As the answer to the first exercise, list your name.

2. What four-letter password corresponds to the following target: 'abccBcrPOxnLU'?

3. What five-letter password corresponds to the following target: 'xyxMB6gxuiBZg'?

4. The following hash does not correspond to any password, so your program will exhaust the entire search space without finding any match. Use the time command to measure how long your program takes to search the entire space of five-letter passwords. Hash 'nomatchingpass'

5. Re-run the previous experiment but with two threads, four threads, six threads, eight threads, ten threads, and twelve threads. Record how long each run takes.

6. Calculate the speedup your program gets as a result of using multiple threads. The speedup is defined to be the execution time with one thread divided by the execution time with multiple threads. Do this for each of the two, four, six, eight, ten, and twelve threads.

7. Plot your program's speedup versus number of threads on a graph. Save your graph as a graphics file such as png or jpg and submit it alongside these answers.

8. Interpret the results on your graph. Does your program run twice as fast with two threads? Does it run ten times faster with ten threads? How does this relate to the way you have written your program?

9. Use one thread and run your program against the hash 'nomatchingpass' for keysizes of one, two, three, four, and five. Time each execution. Estimate how long it takes to run your program for keysizes of six, seven, and eight.

10. Describe any known bugs or ways that your submission deviates from the above specification.

11. Indicate which, if any, extra credit exercises you have attempted.

Optional Enrichment Exercises

• 2% Extra Credit: Crack the following five-letter password hashes:

  abA.g8pU2Iffo
cdfnIXMyMCpPg
efgC/gw8PDKhs
ghLneTdBMxJP.
ijSsXTgIC7QRU
klr7dT7cAODsk
mn4iWfK0m76t6
opjPsgpXaahxM
qr6ncfvfqecME


• 2% Extra Credit: Explain why password salts are useful, even if they're not secret.

• 2% Extra Credit: Add a fourth paramter to your program which, if present, causes your program to search all uppercase and lowercase characters, plus numbers and symbols. Hint: look at an ASCII table.

Submission

Create a .tgz archive of your lab directory and email it to dferry_submit@slu.edu. Your submission must include a makefile that will compile your program by simply issuing the command make. You must also include a text file with your answers to the required exercises. Please include your name and the names of any partners in the body of your email.

The simple syntax for creating a .tgz archive is as follows:

tar -zvcf new_archive.tgz lab_directory

The syntax for unpacking a .tgz archive is:

tar -zvxf archive.tgz

Note that your archive must not include any binary executable files, meaning any compiled programs or intermediate build objects (.o files, for example). This will cause your email to be rejected by most services.