In these days I was using John the Ripper ( the most famous password cracking software tool ) to test robustness of a set of passwords … of mine ;-)
While my new wonderful Sony Vaio TZ was overheating and fans seemed to get my laptop flying I had this unhealthy thought: what about a javascript online massive social password cracking ? ( first definition was only javascript password cracking but I needed to add some cooler keyword to gain more audience :-D )
Yes, I know there’s a very useful tool called djohn , but I haven’t a cluster ( only two laptops ) nor a botnet. So… how could I setup a network of computers to distribute cracking task ?
Social networks seem to be very popular today and people have a lot of computer idle to waste !! :-) However this article will not focus on the philosophical or social facet but only on the technical feasibility study of a Javascript DES cypher implementation and its performance running on modern browsers ( Mozilla Firefox, Opera and Konqueror )
A simple first implementation came in my mind:
- DES and Triple DES encrypted password cracking
- Brute force/incremental method : all possible character combinations as passwords
- Password’s space divided in work packets by a web server that coordinates the effort among the clients ( browsers )
Other cracking methods, such as wordlist, are very much faster than brute force, but more complex, than password’s space subdivision, to coordinate via AJAX.
I had a quick look to JTR source to understand its cracking procedure, so I decided to port its Triple DES cipher implementation to javascript. Writing this article I found this one that seems to be a bit faster than mine.
Had you ever benchmarked John The Ripper on your machine? Here are results of the 3DES on my Sony Vaio TZ ( Intel Core 2 - ULV U7600 1.20ghz ) :
~# john –test
Benchmarking: Traditional DES [128/128 BS SSE2]… DONE
Many salts: 1019K c/s real, 1019K c/s virtual
Only one salt: 815539 c/s real, 839032 c/s virtual
Wow! 1019K cracks per second!!
How many days do we need, at most, to crack a weak 8 bytes ASCII password with a brute force attack? ( Note: read about password strength )
- assuming to know that it is 8 byte ASCII password
- 64^8 : are the permutations with repetitions
- 64^8 / ( 1019 * 10^3 ) = 276226669 secs = 3197 days needed to cover all the key space
Having a wide set of computers, a lan with some good machine, the cracking time will fly down quickly.
Ok, these are the results of a C compiled Triple DES. An xyssl library based solution gave me a proof of the validity of JTR results.
Clearly we all know that interpreted languages are slower than compiled ones… so I was expecting that an interpreted implementation of the algorithm could be 30, 50, 100 times slower …
No! it’s from 2000 to 4000 times slower !!!
Here are my browsers’ tests ( on Gentoo with an Intel Core 2 - ULV U7600 1.20ghz ) :
- Mozilla Firefox 2.0.12 : ~250 cracks per second
- Mozilla Firefox 3.0 beta3 : ~250 cracks per second ( … I was expecting better results than 2.0 version … )
- Konqueror 4.0 : ~500 cracks per second ( I love it !! )
- Opera 9.25 : ~370 cracks per second
- Safar 3 : results should be similar to Konqueror, because both use Webkit
- Internet Explorer : data unavailable
Test Javascript 3DES performances on your browser and please comment this post to report them (including your hardware, CPU at least)
Then I tested mcrypt PHP implementation ( with the code below ) and results weren’t better : ~1000 cracks per second.
$ts_start = gettimeofday();while(1) {
$ts_end = gettimeofday();
if(($ts_end["sec"] - $ts_start["sec"] == 1) && $ts_end["usec"] > $ts_start["usec"]) break;
@mcrypt_encrypt(MCRYPT_3DES, "cialfklweflkwnelfkw", "Prova", MCRYPT_MODE_ECB);
$cnt++;
}
echo "Cracks per second: ".$cnt++;Another test to compare web browser is a simple addition. The C compiled version performs up to 100000000 additions per second and here are results of the Javascript implementation on browsers :
- Firefox 2.0.12 : ~33000 additions per second
- Firefox 3.0 beta3 : ~96000 additions per second ( fortunately, here it’s faster than 2.0.x )
- Konqueror 4.0 : ~130000 additions per second
- Opera 9.25 : 153000 ( good! )
Conclusion…
Performances of Javascript engines are still not good enough and I think this could be a very hard limit to Web2.0 that should be overtaken as soon as possible.
