Coding a brute forcer

G'day all

I'm working on a challenge given to me. The Javascript I have been
given parses the user input in two ways.

Firstly it generates two numbers. One is the sum of the CharCodes and
the other is the product of multiply each of the charcodes together
and usisng the Modulus function.

If the text string is correct, the string is then used to decode (via
a relatively simple crypt) another string, which then gives you the
correct target url.

I hope that makes sense - if it doesn't, its pretty unimportant as the
question I have is as follows :

In javascript, how do I code something that allows me to cycle through
all the possible text strings. Ideally, I would like to read from a
dictionary file and then start a brute force.

Throughout each cycle, I imagine you just set input_user (in this
case) to the value of the next line in the file. For a dictionary
attack I imagine. That bit isn't too tricky I don't think but I can't
get my head around it. Maybe more coffee would help?

And I'm sure struggling to put together a brute forcer so I turn to
you guys and gals to ask if you could help me and point me in the
right direction on how to code this.

I'm assuming also that the code we end up with, would be generically
useful too as in we could vary the output (going to input_user) in
this instance to another variable and use it with another script?

Well thanks anyway in advance - I'm off to get my head down!

Thanks

re: Coding a brute forcer

Curious wrote:
[color=blue]
> In javascript, how do I code something that allows me to cycle through
> all the possible text strings.[/color]

You cannot, since AFAIK there is no (general) restriction of length other
than the available memory (and you do not want to allocate that.) What
you can do is to cycle through all strings up to a finite fixed length that
contain a known subset of characters/glyphs. Here is it for up to two ASCII
characters:

for (var i = 0; i < 128; i++)
... String.fromCharCode(i) ...

for (var i = 0; i < 128; i++)
for (var j = 0; j < 128; j++)
{
... String.fromCharCode(i) + String.fromCharCode(j) ...
}

As you see, the general algorithm is a recursive one (take a basic string
and test all concatenations of it with a string of length 1 of the same
subset.) Note that the level of recursion with functions is restricted to
the available stack memory which restricts the length of strings you can
test with it, so it would be best if you find an iterative approach.
[color=blue]
> Ideally, I would like to read from a dictionary file and then start a brute force.[/color]

The dictionary file could be a (generated) JavaScript file that contains a
declaration of a string array `a':

var a = new Array(
"a",
"an",
"abroad",
...
);

After including the file, you could iterate the array as follows:

for (var i = 0; i < a.length; i++)
{
... a[i] ...
}
[color=blue]
> Throughout each cycle, I imagine you just set input_user (in this
> case) to the value of the next line in the file.[/color]

What is input_user?
[color=blue]
> Maybe more coffee would help?[/color]

Maybe. I would take Java beans ;-)


HTH

PointedEars

re: Coding a brute forcer

dispacct@hotmail.com (Curious) writes:
[color=blue]
> I'm working on a challenge given to me. The Javascript I have been
> given parses the user input in two ways.
>
> Firstly it generates two numbers. One is the sum of the CharCodes and
> the other is the product of multiply each of the charcodes together
> and usisng the Modulus function.[/color]

The char codes are 8 bits or 16 bits? What is the modulus? 256?
[color=blue]
> If the text string is correct, the string is then used to decode (via
> a relatively simple crypt) another string, which then gives you the
> correct target url.[/color]

How do you recognize a correct URL?
[color=blue]
> I hope that makes sense - if it doesn't, its pretty unimportant as the
> question I have is as follows :[/color]

You got me curious :) I love a good challenge :=
[color=blue]
> In javascript, how do I code something that allows me to cycle through
> all the possible text strings. Ideally, I would like to read from a
> dictionary file and then start a brute force.[/color]

The dictionary file is harder than just brute forcing, mainly due to
Javscript in browsers having restricted access to file functions.
Ofcourse, you could include the dictionary in the directly.

Iterating through *all* strings will take a while. After all, there
are infinitly many (but in practice restricted to the size of
available memory or browser specific limits). With luck, the string
you are looking for is of limited length, so you won't have to
search *too* long.
[color=blue]
> Throughout each cycle, I imagine you just set input_user (in this
> case) to the value of the next line in the file. For a dictionary
> attack I imagine. That bit isn't too tricky I don't think but I can't
> get my head around it. Maybe more coffee would help?[/color]

Getting the dictionary into the Javascript is the hard part. When you
have it, iterating through it is trivial.
[color=blue]
> And I'm sure struggling to put together a brute forcer so I turn to
> you guys and gals to ask if you could help me and point me in the
> right direction on how to code this.[/color]

First you need to limit the different characters you can use in the
password. If you allow all of the thousands of Unicode characters,
then you will never get anywhere. The smaller the set of characters,
the sooner you will hit the correct string.
---
function StringEnumerator(chars) {
this.characters = chars;
this.stringNumber = 0;
this.stringLength = 0;
this.stringNumberLimit = 1;
}
StringEnumerator.prototype.next = function() {
var res = "";
var idx = this.stringNumber;
var len = this.characters.length;
for (var i=0;i<this.stringLength;i++) {
res += this.characters.charAt(idx%len);
idx = Math.floor(idx/len)
}
this.stringNumber++;
if (this.stringNumber == this.stringNumberLimit) {
this.stringNumber = 0;
this.stringNumberLimit *= len;
this.stringLength ++;
}
return res;
}
---
Example use:
---
var characters = "abcdefghiklmnopqrstuvwxyzABCDEFGHIKLMNOPQRSTUVWXY Z"+
"1234567890 ,.-+/*:;<>!?@#$&"; // or something
var strEnum = new StringEnumerator(characters);

var str1 = strEnum.next();
var str2 = strEnum.next();
var str3 = strEnum.next();
var str4 = strEnum.next();
---

/L
--
Lasse Reichstein Nielsen - lrn@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

re: Coding a brute forcer

JRS: In article <bodtq8$1co5qf$1@ID-107532.news.uni-berlin.de>, seen in
news:comp.lang.javascript, Thomas 'PointedEars' Lahn
<PointedEars@web.de> posted at Thu, 6 Nov 2003 17:46:33 :-
[color=blue]
> Note that the level of recursion with functions is restricted to
>the available stack memory which restricts the length of strings you can
>test with it, so it would be best if you find an iterative approach.[/color]

Since one can calculate Factorial 170 recursively (well, MSIE 4 can) it
seems likely that, with recursion of one level per character in the
string, stack space would be no problem.

function FF(j) { var S = "some string" ; return j>1 ? FF(j-1)*j : 1 }
FF(170)

gives 7.257415615307994e+306, recursing 170 deep.



Considering only strings of lower-case English letters, generating all
strings of length N for test takes 26^N operations.

Going up to a mere 37 characters takes well over 10^52 of those
operations.

There is no prospect of going faster than one operation per Planck time
(around 10^-34 s) in a non-parallel-processing computer, and the age of
the universe is about 15Ga or 1.5e10 * 3e7 seconds, or 5e51 Planck
times.

It is, therefore, not likely that the depth of recursion would be an
immediate limitation - at present, I can recurse 358 deep, but not 359.


This should generate all strings of A..D and length <=3, including the
empty one ; change 68 to 91 and increase 3 for a fuller test :

var Q = 0 ;
function FF(S, K) { Q++
document.writeln('- ', S, '<br>')
if (K<1) { return }
for (var J=65; J<68; J++) FF(S+String.fromCharCode(J), K-1)
}

FF('', 3)
document.write(Q)

It will, with the writeln commented out, do FF('', 10) in about 3
seconds on a PII/300, which is 88573 strings of A..D; the local
equivalent of the Planck time above is then actually of the order of
50us.

Note that any much larger test may well defeat the system, possibly in
an adverse manner.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://jibbering.com/faq/> Jim Ley's FAQ for news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> JS maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/JS/&c., FAQ topics, links.

re: Coding a brute forcer

Lasse Reichstein Nielsen <lrn@hotpop.com> wrote in message

Firstly - thanks to all for the great replies. I'll spend the weekend
studying them to try and figure out how they all work!!
[color=blue]
>
> The char codes are 8 bits or 16 bits? What is the modulus? 256?[/color]

The actual lines are:

input_user=document.fx.user.value;
v=0;
v1=1;
for(var i=0;i<input_user.length;i++){
v2=input_user.substring(i,i+1);
v=v+input_user.charCodeAt(i);
v1=(ax2*input_user.charCodeAt(i))%65537;

PointedEars asked what input_user was. Its the variable that the text
we enter on the web page that is processed to generate the two numbers
and then used to decrypt the other string.

[color=blue]
> How do you recognize a correct URL?[/color]

If v & v1 are the correct values, another text string is decoded using
another routine to generate the correct url. Anything but the correct
url generates a 'I'm sorry that is not the solution' page.
[color=blue]
> You got me curious :) I love a good challenge :=[/color]

If you are interested, I could email you the whole code. The reason
I'm not posting it in its entirety is that its a challenge and I want
to do the research and find out how its done. And not wishing to be a
party pooper but I would feel unsatisfied if I did a Google search and
just found the answer straight away - hopefully others that attempt
this challenge will learn from what you are helping me with here.

The reason for brute forcing is that I can't think of a way to decode
the correct url!! Simply put, I know what its doing but I can't figure
out a way to do it backwards. I guess that's the point of the
challenge though!!

Thanks to all for their input on this. I'm off to grab some Java beans
and try and understand all the clever stuff you guys have done for me.

Many thanks again!

re: Coding a brute forcer

dispacct@hotmail.com (Curious) writes:
[color=blue]
> The actual lines are:
>
> input_user=document.fx.user.value;
> v=0;
> v1=1;
> for(var i=0;i<input_user.length;i++){
> v2=input_user.substring(i,i+1);
> v=v+input_user.charCodeAt(i);
> v1=(ax2*input_user.charCodeAt(i))%65537;[/color]

Ah.:)
If we assume that the password uses only 8-bit characters, and no
more than 16 of them, then v must lie in the range 0 - 4096.
Since v1 id modulus 65537, that is an upper bound on v1 as well.

That means that v and v1 can contain at most 4096*65537 different
valus, ~2^28. It is a lot, but probably faster to brute force than
goind through all the strings. E.g., "ab" and "ba" gives the same
values for both v and v1.
[color=blue][color=green]
> > How do you recognize a correct URL?[/color]
>
> If v & v1 are the correct values, another text string is decoded using
> another routine to generate the correct url. Anything but the correct
> url generates a 'I'm sorry that is not the solution' page.[/color]

So the server is the one that recognizes the correct URL.
[color=blue][color=green]
> > You got me curious :) I love a good challenge :=[/color]
>
> If you are interested, I could email you the whole code.[/color]

Please do! I promise I won't tell you the answer if I find it :)

/L
--
Lasse Reichstein Nielsen - lrn@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

re: Coding a brute forcer

JRS: In article <0lBhFGCHlsq$Ewwc@merlyn.demon.co.uk>, seen in
news:comp.lang.javascript, Dr John Stockton <spam@merlyn.demon.co.uk>
posted at Thu, 6 Nov 2003 22:20:55 :-[color=blue]
>
>There is no prospect of going faster than one operation per Planck time
>(around 10^-34 s) in a non-parallel-processing computer, and the age of
>the universe is about 15Ga or 1.5e10 * 3e7 seconds, or 5e51 Planck
>times.[/color]

Correction : for 10^-34 read 10^-43, and so 5e51 to 5e60. The
conclusion is not affected.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk / ??.Stockton@physics.org ©
Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.
Correct <= 4-line sig. separator as above, a line precisely "-- " (SoRFC1036)
Do not Mail News to me. Before a reply, quote with ">" or "> " (SoRFC1036)

re: Coding a brute forcer

Lasse Reichstein Nielsen <lrn@hotpop.com> wrote in message

If you are interested, I could email you the whole code.[color=blue]
>
> Please do! I promise I won't tell you the answer if I find it :)
>[/color]

Please check your hotpop account - I have emailed you the code there.
If you do find the answer, please give me some pointers in the right
direction. At least on how I put your code and the original together!!

Cheers and good luck ;)

re: Coding a brute forcer

Lasse / Curious

Was this code ever put together? Can someone post it if it was?

re: Coding a brute forcer

dispacct@hotmail.com (Curious) writes:
[color=blue]
> Please check your hotpop account - I have emailed you the code there.[/color]

It doesn't seem to have arrived, though. Hotpop can sometime eat
messages, especially when burdened by too much spam at the same time.
If I could bother you to send it again to lrn(at)infimum.dk, then I
would be grateful.

/L
--
Lasse Reichstein Nielsen - lrn@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

re: Coding a brute forcer

Lasse Reichstein Nielsen <lrn@hotpop.com> wrote in message
[color=blue]
> It doesn't seem to have arrived, though. Hotpop can sometime eat
> messages, especially when burdened by too much spam at the same time.
> If I could bother you to send it again to removedtostopspam, then I
> would be grateful.
>
> /L[/color]

Re-sent as requested. I hope it turns up this time