Javascript online massive social password cracking?
These days I have been using John the Ripper (the most famous password cracking software tool) to test the robustness of a set of passwords … of mine ;-)
While my wonderful new Sony Vaio TZ was overheating and the fans seemed about to make my laptop fly, I had this unhealthy thought: what about JavaScript online massive social password cracking? (The first definition was only "JavaScript password cracking", but I needed to add some cooler keywords to gain more audience :-D)
Yes, I know there's a very useful tool called djohn, but I don't have a cluster (only two laptops) or a botnet. So… how could I set up a network of computers to distribute the cracking task?
Social networks seem to be very popular today and people have a lot of idle computer time to waste!! :-) However, this article will not focus on the philosophical or social facet, only on a technical feasibility study of a JavaScript DES cipher implementation and its performance on modern browsers (Mozilla Firefox, Opera and Konqueror).
A simple first implementation came to my mind:
- DES and Triple DES encrypted password cracking
- Brute force/incremental method: all possible character combinations as passwords
- Password space divided into work packets by a web server that coordinates the effort among the clients (browsers)
Other cracking methods, such as wordlists, are much faster than brute force, but they are more complex to coordinate via AJAX than a subdivision of the password space.
I had a quick look at the JTR source to understand its cracking procedure, then decided to port its Triple DES cipher implementation to JavaScript. While writing this article I found this one, which seems to be a bit faster than mine.
Have you ever benchmarked John the Ripper on your machine? Here are the 3DES results on my Sony Vaio TZ (Intel Core 2 – ULV U7600 1.20 GHz):
```
~# john --test
Benchmarking: Traditional DES [128/128 BS SSE2]... DONE
Many salts: 1019K c/s real, 1019K c/s virtual
Only one salt: 815539 c/s real, 839032 c/s virtual
```
Wow! 1019K cracks per second!!
How many days do we need, at most, to crack a weak 8-byte ASCII password with a brute-force attack? (Note: read about password strength)
- assuming we know that it is an 8-byte ASCII password
- 64^8: the number of permutations with repetition
- 64^8 / ( 1019 * 10^3 ) = 276226669 secs = 3197 days needed to cover all the key space
With a large set of computers, such as a LAN with some good machines, the cracking time drops quickly.
OK, these are the results of a compiled C Triple DES. An xyssl-library-based solution confirmed the validity of the JTR results.
Clearly we all know that interpreted languages are slower than compiled ones… so I was expecting that an interpreted implementation of the algorithm could be 30, 50, 100 times slower …
No! It's 2000 to 4000 times slower!!!
Here are my browsers’ tests ( on Gentoo with an Intel Core 2 – ULV U7600 1.20ghz ) :
- Mozilla Firefox 2.0.12 : ~250 cracks per second
- Mozilla Firefox 3.0 beta3 : ~250 cracks per second ( … I was expecting better results than 2.0 version … )
- Konqueror 4.0 : ~500 cracks per second ( I love it !! )
- Opera 9.25 : ~370 cracks per second
- Safari 3 : results should be similar to Konqueror, because both use Webkit
- Internet Explorer : data unavailable
Test JavaScript 3DES performance on your browser and please comment on this post to report it (including your hardware, CPU at least).
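The estimate above, extended to the browser rates measured in this post, as an added example (not the author's code): it computes the time to exhaust the 64^8 space at a given rate, how many browsers in parallel would equal the John the Ripper benchmark, and how many work packets a coordinating server would hand out. The packet size of 15000 candidates is an assumption, chosen so that one packet takes about a minute at 250 c/s.

```javascript
// Added example. Rates are the measurements quoted in the post;
// PACKET_SIZE is an assumption made for illustration.
const JOHN_RATE = 1019000;          // "Many salts: 1019K c/s"
const BROWSER_RATES = {             // cracks per second, from the post
  "Firefox 2.0.12": 250,
  "Opera 9.25": 370,
  "Konqueror 4.0": 500,
};
const PACKET_SIZE = 15000;          // assumed candidates per work packet

// Search-space size: alphabet^length. BigInt keeps longer passwords exact.
function keyspace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Whole seconds to try every candidate (truncated, like the post's figure).
function secondsToExhaust(space, rate) {
  return space / BigInt(rate);
}

function daysToExhaust(space, rate) {
  return secondsToExhaust(space, rate) / 86400n;
}

// Browsers needed, running in parallel, to equal a reference rate.
function clientsToMatch(referenceRate, clientRate) {
  return Math.ceil(referenceRate / clientRate);
}

// Packets the server must hand out, and seconds one packet costs a client.
function packetPlan(space, packetSize, clientRate) {
  const size = BigInt(packetSize);
  return {
    packets: (space + size - 1n) / size,   // ceiling division
    secondsPerPacket: packetSize / clientRate,
  };
}

function report() {
  const space = keyspace(64, 8);
  const lines = [`John the Ripper: ${daysToExhaust(space, JOHN_RATE)} days`];
  for (const [name, rate] of Object.entries(BROWSER_RATES)) {
    const plan = packetPlan(space, PACKET_SIZE, rate);
    lines.push(`${name}: ${daysToExhaust(space, rate)} days alone, ` +
      `${clientsToMatch(JOHN_RATE, rate)} clients to match John, ` +
      `${plan.secondsPerPacket.toFixed(1)} s per packet`);
  }
  return lines;
}

console.log(report().join("\n"));
```

The client counts it reports for 250 and 500 c/s correspond to the "2000 to 4000 times slower" figure above.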
Then I tested the mcrypt PHP implementation (with the code below) and the results weren't better: ~1000 cracks per second.
```php
<?php
// Count mcrypt 3DES encryptions completed in one second.
$cnt = 0;
$ts_start = gettimeofday();
while (1) {
    $ts_end = gettimeofday();
    // Elapsed microseconds since the start of the run.
    $elapsed = ($ts_end["sec"] - $ts_start["sec"]) * 1000000
             + ($ts_end["usec"] - $ts_start["usec"]);
    if ($elapsed >= 1000000)
        break;
    @mcrypt_encrypt(MCRYPT_3DES, "cialfklweflkwnelfkw", "Prova", MCRYPT_MODE_ECB);
    $cnt++;
}
echo "Cracks per second: " . $cnt;
```
Another test to compare web browsers is a simple addition. The compiled C version performs up to 100000000 additions per second, and here are the results of the JavaScript implementation on browsers:
- Firefox 2.0.12 : ~33000 additions per second
- Firefox 3.0 beta3 : ~96000 additions per second ( fortunately, here it’s faster than 2.0.x )
- Konqueror 4.0 : ~130000 additions per second
- Opera 9.25 : 153000 ( good! )
Conclusion…
The performance of JavaScript engines is still not good enough, and I think this could be a very hard limit for Web 2.0 that should be overcome as soon as possible.


Opera 9.5 build 9815
511 crack per second
Results:
Firefox 2.0.0.12: 249
Firefox 3.0 beta 3: 392
Internet Explorer 6: 565
Internet Explorer 7: 545
Opera 9.24: 534
Safari 3.0.4: 324
Specs:
Pentium D 3.0 Ghz
2 GB RAM
Webkit nightly 26.02.2008 (WebKit-r30573):
Javascript 3DES performances on your browser: 866 cracks per second
Windows XP Sp2, Pentium 4, 3.00 GHz, 1 GB Ram
Same PC, Firefox 2.0.0.12:
250 crack per second
Almost seems like Firefox is ‘throttling’ performance?
Wow! Internet Explorer is faster than Firefox.
But Opera and Webkit have the best performances on all platforms.
Firefox should switch to webkit :D
915, 914, 920, 915, 917.
Firefox 3.0b4pre (current trunk nightly)
MacBook Pro 2 GHz Core Duo / 2GB RAM.
Bunch of other crap running…
Firefox 3 beta 3: 467, 441, 458 cps
Intel Core 2 Duo T7300, 2GB RAM, Ubuntu Hardy 8.04b5 ;P
Firefox 2.0.0.12: 378 per second
Webkit 30966: 1293 per second (pretty good i think)
on Mac OSX 10.4.11, Macbook 2.0Ghz and 1GB Ram
bye
Wow! Webkit is growing very fast!
Internet Explorer 8 Beta1: 644 per second
on Windows Vista SP1, Pentium4 mobile and 1,25GB RAM
1975, 1980, 1979, 1929, 1973 per second.
Firefox 3 beta 5, Core 2 Duo 6300 (1.86ghz), 2 GB RAM. I could probably get better numbers if I closed down some of my currently open apps (~15 windows open) but I think this already gives you a good idea how fast FF3b5 is :)
Cheers,
JC
Latest Opera 9.5 beta2 does 725 on winxp
about 2400 on a Core 2 duo 2.2Ghz machine and FF3.0B5
I've got 1182 cracks per second with Mozilla Firefox 3 Beta 5 ;)
as you see opera rulez ^_^
Can anyone compile "john the ripper" for my Windows XP Service Pack 2? Because I am unable to do that. My email is zishanzin@yahoo.com
Firefox 3.0.1 – 2508
Opera 9.51 – 1734
IE 7.0.6 – 774
Core 2 Duo 2.4GHz
2GB RAM
Whether it's important or not…. Google Chrome just showed me 4128 cracks/sec.
:P
Firefox: 2300
Chrome: 10300 (yep, not a typo, 8000 more)
IE: 733
Q9300 @ 2.5 Ghz (while running John the Ripper, eclipse, two browsers…)
2608 cracks per second on a q8500 quad core 2.5ghz with 6 gigs of ram
firefox 3.0.5
Dell Latitude D530
Duo 2.0
2gb Ram
XP Pro SP3
FireFox 3.05
Cracks per second: 2159
2.6GHz Dual Core Athlon, 4GBs, XP Pro SP3
Chrome Latest Stable 1.0.something: 2877
FF 3.1B2: 1760
Windows Vista SP1
Google Chrome 1.0.154.48 (Oficjalna wersja 9043)
WebKit 525.19
V8 0.3.9.4
User Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19
Intel Core2 Duo T7250 @ 2.00GHz 2.00 GHz
RAM 4,00 GB
Cracks:
5423
5373
5364
5317
5351
5322
5325
5339
5410
5412
5409
5305
5357
Iphone 3G firmware 02.30.03
cracks: 41
This could actually be interesting, since if you take only the highest result of everyone who posted here and sum them up you would get 38924 cracks per second.
Btw I believe that you misunderstood John the Ripper's c/s notation. Doesn't it stand for combinations per second?
http://www.openwall.com/john/doc/FAQ.shtml
"Q: Why does John display meaningless c/s values while cracking, instead of real "crypts per second" rate?
A: The values displayed by John mean combinations (of username and password) per second, not crypts per second. This is the effective cracking speed that you get on a particular set of password hashes, and it may be useful, for example, to tune the "--salts=..." threshold and other settings. If you want a benchmark of the low-level password hashing routines only, use "--test". (Future versions of John the Ripper might report effective and raw c/s rates for different time intervals. These won't fit on the current status line, though.)"
Many salts: 1019K c/s real, 1019K c/s virtual
Only one salt: 815539 c/s real, 839032 c/s virtual
Q6600 2.4 GHz @ 3.04 GHz, 4 GB RAM, Windows 7 x64 beta (b. 7000)
Firefox 3.0.6: ~3100 c/s
Songbird 1.0.0 (b. 860): ~2900 c/s
IE 8 (32 bit): ~1600 c/s
IE 8 (64 bit): ~1750 c/s
Intel Core2 @1.86ghz 3GB RAM
Google Chrome 4961
Firefox Nightly Minefield 7428
5694 on firefox 3.1b3 QX9650 Quad Core Extreme, also 8gb ddr2 ram
also i have current top spot =D
Firefox 3.07 2550 cracks per second (my girlfriend with same hardware had 2850)
Firefox 3.1 Beta 2 8501 cracks per second
I'm running Windows 7 build 7000
Intel Core 2 Duo T9300(2.50GHz)
4GB DDR2
Google Chrome 2162 cracks p/sec
Firefox 3.0.8 : 858 cracks p/sec
2899 Cracks per Second with Firefox 3.0.8
833 Cracks per Second With IE7 32-bit
1016 With IE7 64-bit
Intel Core 2 Duo E7200
4GB DDR2
Windows XP X64 Edition
Sorry for the double post…forgot Chrome in my first one
Google Chrome: 7553 Cracks Per Second
Intel Core 2 Duo E7200 2.53ghz
4GB DDR2
Windows XP X64 Edition
~11000 cracks here FF 3.5b4, Phenom X4 9650
http://valid.canardpc.com/show_oc.php?id=480065
Windows XP X64
What about flash, which everyone seems to have?
amd athlon 3000 firefox 3.0.10
1281 crackz
1502 cracks per second in Firefox 3.0.10 on W7 RC1 Core 2 Duo 1.6 Ghz with 2GB of RAM.
1639 c/s
Firefox 3.0.10
Ubuntu 9.04
Intel Centrino Duo 1.16 GHz, 2GB RAM
ff v3.0 3347
vista 64 2×3.0 GHz Xeon 8gb ram