Bruteforce Password

[TCO]

Hi,
I have a piece of software written by a colleague who no longer works at the company. The settings for this software are protected with a password (I'm not sure why). I found the following script on a website (viewtopic.php?f=76&t=63551&start=20). I have modified the script to go up to 6 characters instead of the original 4.

I need to add the following to the script:
WinActivate, Login ahk_class WindowsForms10.Window.8.app.0.34f5582_r7_ad1 ; Activates the password window
**** uses the script to enter the password ****
Send, {Tab}{Tab}{NumpadEnter} ; clicks the OK button
**** now one of two things can happen, either a window pop-up with the message "password invalid" or the password is accepted. ****
**** if the "Password Invalid" window pops up ****
Send, {NumpadEnter}
**** retry with new password ****

Code: Select all

;-------------------------------------------------------------------------------
; LuckyDay.ahk - Brute Force 4-digit Password using AHK
; https://www.autohotkey.com/boards/viewtopic.php?p=272076#p272076
;-------------------------------------------------------------------------------



#NoEnv
#SingleInstance Force

    OnExit("Logging")

    Numbers    = 0123456789
    UPPER_CASE = ABCDEFGHIJKLMNOPQRSTUVWXYZ
    lower_case = abcdefghijklmnopqrstuvwxyz
	special_characters = !\/

    global Characters := Numbers UPPER_CASE lower_case special_characters
    global SaveFile := A_ScriptDir "\Password.txt"
    global LastCombination := ""

    Combination := "000000" ; a 6-letter string
    if FileExist(SaveFile) {
        FileRead, Content, %SaveFile%
        if RegExMatch(Content, ".*Last: (.*)\r\n$", Match)
            Combination := Match1
    }
    
    global Combo := [] ; a simple array (built from 4-letter string)
    for each, Char in StrSplit(Combination)
        Combo.Push( InStr(Characters, Char) )

    loop
        Test(getNext())

return ; end of auto-execute section

F5::  Reload
Esc:: ExitApp



;-------------------------------------------------------------------------------
Logging() { ; logging the last combo (super-global variable)
;-------------------------------------------------------------------------------
    FileAppend, % "Last: " LastCombination "`n", %SaveFile%
}



;-------------------------------------------------------------------------------
Test(Combination) { ; test code
;-------------------------------------------------------------------------------

        ; test code for Combination
        MsgBox,,, %Combination%, .5
        sleep, 100

    ; after test code: store this Combination in super-global variable
    LastCombination := Combination
}



;-------------------------------------------------------------------------------
getNext() { ; return the next string to test
;-------------------------------------------------------------------------------

    if StrLen(Characters) > Combo[6]
        Combo[6]++
		
	else if StrLen(Characters) > Combo[5]
        Combo[5]++, Combo[6] := 1
		
	else if StrLen(Characters) > Combo[4]
        Combo[4]++, Combo[5] := 1

    else if StrLen(Characters) > Combo[3]
        Combo[3]++, Combo[4] := 1

    else if StrLen(Characters) > Combo[2]
        Combo[2]++, Combo[3] := Combo[4] := 1

    else if StrLen(Characters) > Combo[1]
        Combo[1]++, Combo[2] := Combo[3] := Combo[4] := Combo[5] := Combo[6] := 1

    else
        MsgBox, Done!

    return SubStr(Characters, Combo[1], 1)
        .  SubStr(Characters, Combo[2], 1)
        .  SubStr(Characters, Combo[3], 1)
        .  SubStr(Characters, Combo[4], 1)
		.  SubStr(Characters, Combo[5], 1)
		.  SubStr(Characters, Combo[6], 1)
}

[RussF]

I was just wondering if you have bothered to do the math here.
Assuming 26 upper case, 26 lower case, 10 digits and 10 special characters = 72 characters.
6-character password is 72^6 or 139,314,069,504 possible combinations.
Assuming 10 possible tries per second (not likely if you're waiting for confirmation windows to pop up, but we'll go with it), and ignoring fractional parts:

Worst case scenario to try all possible combinations:
13,931,406,950 seconds
232,190,115 minutes
3,869,835 hours
161,243 days
441 years

Granted, the password would appear somewhere in the middle of that range, but it could be in an hour or in 440 years.

If the former colleague is not deceased, perhaps a call to them would be better. If they are disgruntled, a ransom may need to be paid if the data is critical - everyone has their price.

Russ

[TCO]

It's a bit worse than that actually. I have no idea if the password is 1 character or 10. I am only guessing that it's 6.
In reality, I don't care or need that password, this is for 2 things: 1; I am curious to see what could possibly be hiding in the settings. 2; more importantly, I attempted to modify the code myself and I only got so far before it failed.
I really want to try to get this to work so that I can learn from people who know what they are doing.
I did realize that it would take about 500 years, if not more.

The entire program has been written in Python, and I have full access to the source code. To bad, I can't read that either. I would have either found out what the password was, or just deleted the line that asks for it.

[AHKStudent]

It's a bit worse than that actually. I have no idea if the password is 1 character or 10. I am only guessing that it's 6.
In reality, I don't care or need that password, this is for 2 things: 1; I am curious to see what could possibly be hiding in the settings. 2; more importantly, I attempted to modify the code myself and I only got so far before it failed.
I really want to try to get this to work so that I can learn from people who know what they are doing.
I did realize that it would take about 500 years, if not more.

The entire program has been written in Python, and I have full access to the source code. To bad, I can't read that either. I would have either found out what the password was, or just deleted the line that asks for it.

since you have access to the program can you look where this password is stored or where the settings file is? There is a chance the setting file can be viewed without a password or the way the password is stored is easy to reverse.

[Chunjee]

I had pretty good luck guessing the router password with ahk

If you know all the possible characters you should put them in a string or array.


It sounds like you have the source code; you could ask a python dev to take a quick look.

[TCO]

I wish I knew where to look for the password inside the python code. This is the only thing that I found, but I don't know what it is referring to:

Code: Select all

from typing import List, Tuple
from uuid import uuid1

from constance import config
from django.conf import settings

from aurora.models import *
from sheet.models import SheetQuote, SheetPart
from ._db_client import MakorDB
from ._web_client import MakorWeb


def makor_db_conn() -> MakorDB:
    return MakorDB(
        host=settings.MAKOR_DB_HOST,
        database=settings.MAKOR_DB,
        username=settings.MAKOR_DB_USERNAME,
        password=settings.MAKOR_DB_PASSWORD,

Would you please tell me how to create a string or array? I really want to try this out.

[Chunjee]

Code: Select all

        username=settings.MAKOR_DB_USERNAME,
        password=settings.MAKOR_DB_PASSWORD,

Makes me think there is a settings file. But I don't see the filepath in your code snippet.

from django.conf import settings perhaps

[FanaticGuru]

Here is an example that I think I posted at some point.

Code: Select all

SetBatchLines, -1 ; ask Windows for maximum processor time allocation

OnExit, SavePosition

; Init Constants
FileName_Save := "Password_SavePosition.txt"
String_Item_Max := 4 ; Max Items of String

; Any Set of Items, Do Not Have to Be Single Characters
Items := ["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]
;~ Items := ["a","b"] ; for Testing

; Restart
Matrix := {}
if FileExist(FileName_Save)
{
	FileRead, File, %FileName_Save%
	Loop, Parse, File, `n, `r
		Matrix.Push(A_LoopField)
}
else
{
	Loop % String_Item_Max
		Matrix[A_Index] := 0
}

; Loop through all combinations
Loop
{
	; Advance the Matrix by 1
	P := 1
	while ((X := Matrix[P] + 1) > Items.MaxIndex())
		Matrix[P++] := 1, X := 1
	Matrix[P] := X
	if (P > String_Item_Max)
		break
	
	; Create Actual String from Matrix and Items
	String := ""
	for key, val in Matrix
		if val
			String := Items[val] String

	; >>> Position to Use the String <<<
	MsgBox % String
	; <<<
} 

^Esc::ExitApp

SavePosition:
	FileDelete, %FileName_Save%
	list := ""
	for key, val in Matrix
		list .= val "`n"
	FileAppend, % Trim(list, "`n"), %FileName_Save%
	ExitApp
return

This goes through all combinations starting at 1 length and going to 4 length. The length and valid characters can be changed. It also autosaves and restarts where left off if exited properly.

It would be great on a computer that is dedicated to this but with proper Control could run somewhat in the background as you use the computer for some things.

But if you have the source code, a little investigation should turn up the password unless the coder was very clever.

FG

[TCO]

This is perfect. I was able to modify the code a bit to make it work for my application. I was wondering if it is possible to make this execute faster.
One more thing, what can I add to this code so that it stops running if "WinActivate, ahk_class #32770" is not found I would like a text box to come up and display the password.

Thank you for sharing and helping.

Code: Select all

SetBatchLines, -1 ; ask Windows for maximum processor time allocation

OnExit, SavePosition

; Init Constants
FileName_Save := "Password_SavePosition.txt"
String_Item_Max := 4 ; Max Items of String

; Any Set of Items, Do Not Have to Be Single Characters
Items := ["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]
;~ Items := ["a","b"] ; for Testing

; Restart
Matrix := {}
if FileExist(FileName_Save)
{
	FileRead, File, %FileName_Save%
	Loop, Parse, File, `n, `r
		Matrix.Push(A_LoopField)
}
else
{
	Loop % String_Item_Max
		Matrix[A_Index] := 0
}

; Loop through all combinations
Loop
{
WinActivate, Login ahk_class WindowsForms10.Window.8.app.0.34f5582_r7_ad1 ; Activates the password window
	; Advance the Matrix by 1
	P := 1
	while ((X := Matrix[P] + 1) > Items.MaxIndex())
		Matrix[P++] := 1, X := 1
	Matrix[P] := X
	if (P > String_Item_Max)
		break
	
	; Create Actual String from Matrix and Items
	String := ""
	for key, val in Matrix
		if val
			String := Items[val] String
WinActivate, Login ahk_class WindowsForms10.Window.8.app.0.34f5582_r7_ad1 ; Activates the password window
	Send, {Tab}
	Send, {LControl Down}{a}{LControl Up}
	Sleep, 10
Send %String%
	Sleep, 5
	Send, {Tab}
	Sleep, 1
	Send, {Tab}
	Sleep, 1
	Send, {NumpadEnter}
	Sleep, 5
WinActivate,  ahk_class #32770
	Send, {NumpadEnter}
} 

^Esc::ExitApp

SavePosition:
	FileDelete, %FileName_Save%
	list := ""
	for key, val in Matrix
		list .= val "`n"
	FileAppend, % Trim(list, "`n"), %FileName_Save%
	ExitApp
return

[RussF]

You'd better hope that the password is 4 characters or less.

Assuming 10 tries per second (generous):

Code: Select all

PW Len    Possible Combinations       Max Time to solve
 1                           72                 7 Seconds
 2                        5,184                 9 Minutes
 3                      373,248                10 Hours
 4                   26,873,856                31 Days
 5                1,934,917,632                 6 Years
 6              139,314,069,504               442 Years
 7           10,030,613,004,288            31,807 Years
 8          722,204,136,308,736         2,290,094 Years  
 9       51,998,697,814,229,000       164,886,789 Years  (Est. age of earth 4.5 Bil Yrs.)
10    3,743,906,242,624,490,000    11,871,848,816 Years  (Est. age of universe 13.7 Bil Yrs.)

Russ

[adrianh]

You'd be better off looking for the settings file.

[HiSoKa]

Hello @RussF .
Does this mean that if we have password from 6 characters, it takes about 446 years to crack it...
Is it possible that to make this period be less or, as you said, it is impossible because It will be difficult to make more than 10 tries per second..

[RussF]

I am basing the estimate on the parameters set by the original poster:

I need to add the following to the script:
WinActivate, Login ahk_class WindowsForms10.Window.8.app.0.34f5582_r7_ad1 ; Activates the password window
**** uses the script to enter the password ****
Send, {Tab}{Tab}{NumpadEnter} ; clicks the OK button
**** now one of two things can happen, either a window pop-up with the message "password invalid" or the password is accepted. ****
**** if the "Password Invalid" window pops up ****
Send, {NumpadEnter}
**** retry with new password ****

If you are using AHK to activate a password window, wait for that window, enter the password, wait for the target program to process/encrypt the password to compare against the stored password, and then wait for a window to pop up that either accepts or rejects said attempt, then yes, I think 10 tries per second is pretty generous.

I don't know anything about the target application, but if it were written properly, it would lock out the user for a given amount of time after a certain number of failed attempts. Was it written this way? I don't know, but probably not. Nevertheless, there is a lot of processing going on in the background between each attempt.

Even so, lets say you had a self-contained program that tried to guess a random 10 character password. All it had to do was loop through the characters and compare the result against the known reference. Let's also say that this program could make 1 million guesses per second. It would still take 11,872 years (worst case) to guess that password. Most likely less than that, but how much less?

The number of possible guesses per second is based solely on the responsiveness of the target application. If you were trying to guess a password on a web based application, forget it. With internet latencies, you'd be lucky to get 1 guess per second.

I am also basing my estimates on 72 possible characters per password character - 26 upper case letters, 26 lower case, 10 digits and 10 symbols. A 1 character password has 72 possibilities. a 2 char password has 72 X 72 possibilities. A 3 char - 72 X 72 X 72. And so on. You can see how quickly the numbers grow.

The original poster first asked for code to guess a 6 character password, then later said it could be up to 10. I wish them luck.

Russ

[RussF]

I have modified @FanaticGuru's code (above) to do nothing but loop through all possible passwords and display those passwords. It's not checking them against anything. Note, that this code only uses 62 possible characters, not 72 as I discussed above. Nevertheless, see how long it takes to get just to a length of 4 characters and I challenge you to watch it until it gets to 5.

Code: Select all

SetBatchLines, -1 ; ask Windows for maximum processor time allocation

String_Item_Max := 10 ; Max Items of String
String := ""
PLen := 0

Gui, Add, Text,, Ctrl-Esc to exit
Gui, Add, Edit, w180 vPLen ReadOnly, %PLen%
Gui, Add, Text,, Password:
Gui, Add, Edit, w180 vString ReadOnly, %String%
Gui, Show

Items := ["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]

Matrix := {}
{
	Loop % String_Item_Max
		Matrix[A_Index] := 0
}

Loop
{
	P := 1
	while ((X := Matrix[P] + 1) > Items.MaxIndex())
		Matrix[P++] := 1, X := 1
	Matrix[P] := X
	if (P > String_Item_Max)
		break
	
	String := ""
	for key, val in Matrix
		if val
			String := Items[val] String

  PLen := "Length: " . StrLen(String)
  GuiControl,, PLen, %PLen%
  GuiControl,, String, %string%
  Gui, Submit, NoHide

} 

^Esc::ExitApp

With no disrespect to @FanaticGuru, no doubt the code could be optimized to run faster. It could certainly run faster if written in C++ or Assembly. Remember, AHK is an interpreted scripting language. Nevertheless, you are still limited by the response time of the target application you are trying to crack.

Russ

[HiSoKa]

see how long it takes to get just to a length of 4 characters and I challenge you to watch it until it gets to 5.

This is really interesting,
I had previously heard that some passwords need many years (as you said before, some of the password need “164,886,789 Years (Est. age of earth 4.5 Bil Yrs.)" to crack and I did not understand the meaning of this and I thought that it was exaggerated..
But your explanation made everything clear to me.. Thank you very much..

I will try the code you wrote to see how long it takes to get all possible characters for to 5 letters...
Of course, it will be a disaster if there are special characters such as "!@#$%^&*)("

[AHKStudent]

You'd better hope that the password is 4 characters or less.

Assuming 10 tries per second (generous):

Code: Select all

PW Len    Possible Combinations       Max Time to solve
 1                           72                 7 Seconds
 2                        5,184                 9 Minutes
 3                      373,248                10 Hours
 4                   26,873,856                31 Days
 5                1,934,917,632                 6 Years
 6              139,314,069,504               442 Years
 7           10,030,613,004,288            31,807 Years
 8          722,204,136,308,736         2,290,094 Years  
 9       51,998,697,814,229,000       164,886,789 Years  (Est. age of earth 4.5 Bil Yrs.)
10    3,743,906,242,624,490,000    11,871,848,816 Years  (Est. age of universe 13.7 Bil Yrs.)

Russ

so interesting. What would happen if 2 billion people united to help and each used their computer. Every second 20 billion tries?

[RussF]

What would happen if 2 billion people united to help and each used their computer. Every second 20 billion tries?

It depends on the target system's ability to respond. If it were an online system, imagine 20 billion server hits per second. Web servers have crashed with far fewer DDOS hits than that.

Russ

[RussF]

For fun:

image.png (49.33 KiB) Viewed 1831 times

An 8 character password is MORE than adequate for most applications.

Russ

[AHKStudent]

What would happen if 2 billion people united to help and each used their computer. Every second 20 billion tries?

It depends on the target system's ability to respond. If it were an online system, imagine 20 billion server hits per second. Web servers have crashed with far fewer DDOS hits than that.

Russ

2 billion people download a program that has a local pw that needs cracking, with each download they get a batch of possible passwords or a range their systems will try

[Chunjee]

Check if you have a "django.conf" file in any of the folders or subfolders.


I littlebit get the feeling you may find a password to a database that may or may not exist. But someone familiar django would be better suited to diagnose this.