Javascript online massive social password cracking ?


In these days I was using John the Ripper ( the most famous password cracking software tool ) to test robustness of a set of passwords … of mine ;-)

While my new wonderful Sony Vaio TZ was overheating and fans seemed to get my laptop flying I had this unhealthy thought: what about a javascript online massive social password cracking ? ( first definition was only javascript password cracking but I needed to add some cooler keyword to gain more audience :-D )

Yes, I know there’s a very useful tool called djohn , but I haven’t a cluster ( only two laptops ) nor a botnet. So… how could I setup a network of computers to distribute cracking task ?

Social networks seem to be very popular today and people have a lot of computer idle to waste !! :-) However this article will not focus on the philosophical or social facet but only on the technical feasibility study of a Javascript DES cypher implementation and its performance running on modern browsers ( Mozilla Firefox, Opera and Konqueror )

A simple first implementation came in my mind:

  • DES and Triple DES encrypted password cracking
  • Brute force/incremental method : all possible character combinations as passwords
  • Password’s space divided in work packets by a web server that coordinates the effort among the clients ( browsers )

Other cracking methods, such as wordlist, are very much faster than brute force, but more complex, than password’s space subdivision, to coordinate via AJAX.
I had a quick look to JTR source to understand its cracking procedure, so I decided to port its Triple DES cipher implementation to javascript. Writing this article I found this one that seems to be a bit faster than mine.

Had you ever benchmarked John The Ripper on your machine? Here are results of the 3DES on my Sony Vaio TZ ( Intel Core 2 – ULV U7600 1.20ghz ) :

~# john –test

Benchmarking: Traditional DES [128/128 BS SSE2]… DONE
Many salts: 1019K c/s real, 1019K c/s virtual
Only one salt: 815539 c/s real, 839032 c/s virtual

Wow! 1019K cracks per second!!

How many days do we need, at most, to crack a weak 8 bytes ASCII password with a brute force attack? ( Note: read about password strength )

  • assuming to know that it is 8 byte ASCII password
  • 64^8 : are the permutations with repetitions
  • 64^8 / ( 1019 * 10^3 ) = 276226669 secs = 3197 days needed to cover all the key space

Having a wide set of computers, a lan with some good machine, the cracking time will fly down quickly.

Ok, these are the results of a C compiled Triple DES. An xyssl library based solution gave me a proof of the validity of JTR results.

Clearly we all know that interpreted languages are slower than compiled ones… so I was expecting that an interpreted implementation of the algorithm could be 30, 50, 100 times slower …

No! it’s from 2000 to 4000 times slower !!!

Here are my browsers’ tests ( on Gentoo with an Intel Core 2 – ULV U7600 1.20ghz ) :

  • Mozilla Firefox 2.0.12 : ~250 cracks per second
  • Mozilla Firefox 3.0 beta3 : ~250 cracks per second ( … I was expecting better results than 2.0 version … )
  • Konqueror 4.0 : ~500 cracks per second ( I love it !! )
  • Opera 9.25 : ~370 cracks per second
  • Safar 3 : results should be similar to Konqueror, because both use Webkit
  • Internet Explorer : data unavailable

Test Javascript 3DES performances on your browser and please comment this post to report them (including your hardware, CPU at least)

Then I tested mcrypt PHP implementation ( with the code below ) and results weren’t better : ~1000 cracks per second.

$ts_start = gettimeofday();while(1) {
  $ts_end = gettimeofday();
  if(($ts_end["sec"] - $ts_start["sec"] == 1) && $ts_end["usec"] > $ts_start["usec"]) break;
  @mcrypt_encrypt(MCRYPT_3DES, "cialfklweflkwnelfkw", "Prova", MCRYPT_MODE_ECB);
  $cnt++;
}
echo "Cracks per second: ".$cnt++;

Another test to compare web browser is a simple addition. The C compiled version performs up to 100000000 additions per second and here are results of the Javascript implementation on browsers :

  • Firefox 2.0.12 : ~33000 additions per second
  • Firefox 3.0 beta3 : ~96000 additions per second ( fortunately, here it’s faster than 2.0.x )
  • Konqueror 4.0 : ~130000 additions per second
  • Opera 9.25 : 153000 ( good! )

Conclusion…

Performances of Javascript engines are still not good enough and I think this could be a very hard limit to Web2.0 that should be overtaken as soon as possible.

56 Comments Javascript online massive social password cracking ?

  1. Alantin

    Results:
    Firefox 2.0.0.12: 249
    Firefox 3.0 beta 3: 392
    Internet Explorer 6: 565
    Internet Explorer 7: 545
    Opera 9.24: 534
    Safari 3.0.4: 324

    Specs:
    Pentium D 3.0 Ghz
    2 GB RAM

  2. thajeztah

    Webkit nightly 26.02.2008 (WebKit-r30573):

    Javascript 3DES performances on your browser: 866 cracks per second

    Windows XP Sp2, Pentium 4, 3.00 GHz, 1 GB Ram

  3. thajeztah

    Same PC, Firefox 2.0.0.12:
    250 crack per second

    Almost seems like Firefox is ‘throttling’ performance?

  4. Paolo Ardoino

    Wow! Internet Explorer is faster than Firefox.
    But Opera and Webkit have the best performances on all platforms.

    Firefox should switch to webkit :D

  5. Claudio

    Firefox 3 beta 3: 467, 441, 458 cps
    Intel Core 2 Duo T7300, 2GB RAM, Ubuntu Hardy 8.04b5 ;P

  6. Ciccio

    Firefox 2.0.0.12: 378 per second
    Webkit 30966: 1293 per second (pretty good i think)

    on Mac OSX 10.4.11, Macbook 2.0Ghz and 1GB Ram

    bye

  7. chefdvd

    Internet Explorer 8 Beta1: 644 per second

    on Windows Vista SP1, Pentium4 mobile and 1,25GB RAM

  8. J.C. Bize

    1975, 1980, 1979, 1929, 1973 per second.

    Firefox 3 beta 5, Core 2 Duo 6300 (1.86ghz), 2 GB RAM. I could probably get better numbers if I closed down some of my currently open apps (~15 windows open) but I think this already gives you a good idea how fast FF3b5 is :)

    Cheers,
    JC

  9. Drake

    Firefox: 2300
    Chrome: 10300 (yep, not a typo, 8000 more)
    IE: 733

    Q9300 @ 2.5 Ghz (while running John the Ripper, eclipse, two browsers…)

  10. mulander

    Windows Vista SP1

    Google Chrome 1.0.154.48 (Oficjalna wersja 9043)
    WebKit 525.19
    V8 0.3.9.4
    User Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19

    Intel Core2 Duo T7250 @ 2.00GHz 2.00 GHz
    RAM 4,00 GB

    Cracks:
    5423
    5373
    5364
    5317
    5351
    5322
    5325
    5339
    5410
    5412
    5409
    5305
    5357

  11. mulander

    Iphone 3G firmware 02.30.03

    cracks: 41

    This could actually be interesting since if You take only the highest result of everyone who posted here and sum it up You would get 38924 cracks per second.

    Btw I believe that You misunderstood John the rippers c/s notation. Doesn’t it stand for combinations per second?

    http://www.openwall.com/john/doc/FAQ.shtml
    “Q: Why does John display meaningless c/s values while cracking, instead of real “crypts per second” rate?
    A: The values displayed by John mean combinations (of username and password) per second, not crypts per second. This is the effective cracking speed that you get on a particular set of password hashes, and it may be useful, for example, to tune the “–salts=…” threshold and other settings. If you want a benchmark of the low-level password hashing routines only, use “–test”. (Future versions of John the Ripper might report effective and raw c/s rates for different time intervals. These won’t fit on the current status line, though.)”

    Many salts: 1019K c/s real, 1019K c/s virtual
    Only one salt: 815539 c/s real, 839032 c/s virtual

  12. myak

    Q6600 2.4 GHz @ 3.04 GHz, 4 GB RAM, Windows 7 x64 beta (b. 7000)

    Firefox 3.0.6: ~3100 c/s
    Songbird 1.0.0 (b. 860): ~2900 c/s
    IE 8 (32 bit): ~1600 c/s
    IE 8 (64 bit): ~1750 c/s

  13. Noc

    5694 on firefox 3.1b3 QX9650 Quad Core Extreme, also 8gb ddr2 ram

    also i have current top spot =D

  14. Kinslayer

    Firefox 3.07 2550 cracks per second (my girlfriend with same hardware had 2850)
    Firefox 3.1 Beta 2 8501 cracks per second

    Im running Windows 7 build 7000
    Intel Core 2 Duo T9300(2.50GHz)
    4GB DDR2

  15. Jordan

    2899 Cracks per Second with Firefox 3.0.8
    833 Cracks per Second With IE7 32-bit
    1016 With IE7 64-bit
    Intel Core 2 Duo E7200
    4GB DDR2
    Windows XP X64 Edition

  16. Jordan

    Sorry for the double post…forgot Chrome in my first one
    Google Chrome: 7553 Cracks Per Second
    Intel Core 2 Duo E7200 2.53ghz
    4GB DDR2
    Windows XP X64 Edition

  17. Leroy

    Mozilla Firefox 3.5.1

    alert box showed:

    Cracks per second: 10101

    Windows XP Professional Version 2002, Service pack 3
    Intel Pentium M 2.00 GHz, 1.99 Ghz 1.00 GB of RAM

  18. Artur Martins

    Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Glue/4.5

    1885, 2063, 4179, 5098, 4485, 5190, 4552, 5126 seconds

    Model Name: MacBook
    Model Identifier: MacBook2,1
    Processor Name: Intel Core 2 Duo
    Processor Speed: 2 GHz
    L2 Cache: 4 MB
    Memory: 4 GB
    Bus Speed: 667 MHz

    Computer overloaded with other applications.

  19. Jaume

    Cracks per second: 12314

    Ubuntu ff 3.6.8

    model name : Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz
    cache size : 2048 KB

    2 GB ram

  20. matt kaufman

    well, …

    nvidia gpu video cards with CUDA can even crack md5′s etc in a few seconds….. a piece.

    And a lot more stuff.

    hydra and medusa are also interesting distributed (or threaded) http or other protocol brute forcing security tools.

  21. witek

    With Opera 11.60, I have 11,000 cracks/s.
    Firefox 8.0, I have 12,200 cracks/s.
    Cannot test Chromium, due some library problems, but it is probably even faster.

    And this is Linux versions. Windows versions are probably faster due better compilation options, and profiling.

    And this is very old 32-bit single core system (Athlon 64 1800MHz). Also there are already better (faster) crypto libraries for JS.

    So, we can easily have about 50,000 cracks/s on high end multi-core system (using WebWorkers).

  22. Archi

    Browsing your blog while generating some primes for my bachelor thesis (thanks for the neat GPL tool :)).

    Chromium 18.0.1025.168 (Developer-Build 134367 Linux) Ubuntu 12.04 on a Xeon E3-1235 (4×3.2GHz with Hyper-Threading enabled).

    161,635 cracks per second – and that though I was generating/testing primes on one of the four cores :P

  23. Archi

    P.S.: Seems to become feasible ;-)

    Oh, and as I need more primes for a set of test runs, here is my Galaxy S2 performance with an not-quite-up-to-date CM9:
    13894 with Chrome
    9102 with built-in browser (CM9)
    4200 with Firefox

  24. Pingback: Online social (and unaware) CAPTCHA cracking | Paolo Ardoino

  25. Pingback: Online social (and unaware) CAPTCHA cracking - Paolo Ardoino

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>