Monday, April 23, 2012

Brute forcing IP addresses with the Cryptohaze Multiforcer

A few weeks ago, phillips321 had a problem.  He wanted to brute force IP addresses.  There was no good tool out there to do this, and brute forcing 4B+ MD5s is a bit slow on a CPU.

So, he wrote a quick dictionary and used Hashcat to crack the IPs.  And, as a good security consultant should do, blogged about it: http://www.phillips321.co.uk/2012/04/04/cracking-an-md5-of-an-ip-address/

I replied that the per-position charsets with the Cryptohaze Multiforcer could do much the same, and then promptly forgot about it until now.

One significant flaw in his approach is that some systems will store IP addresses as "192.168.1.1", and some will store them as "192.168.001.001" - it depends on what type of odd hardware you're bothering.

If you don't care about brute forcing hashes of IP addresses, you can probably go somewhere else now.  Otherwise, onward!


phillips321 is right in his response to my comment.  You can't do it trivially with the per-position charsets.  But, you can build a bunch of per-position charsets (81, specifically) to cover all possible cases, and a script to run them.  This covers all sane IPv4 address formats - with and without zero padding, with any length for each octet.

I've zipped up a directory containing the charset files and the bash script here: http://cryptohaze.com/utilities/ip_addresses.tar.bz2

If anyone more comfortable with Windows would like to create a batch file to do the same, that would be awesome, and I'd happily include it with the releases.

The way it works is as follows:

There is a per-position charset for each possible combination of octet lengths (1, 2, or 3).  If the length is 1 or 2, the full range of digits (0-9) is used.  If the length of the octet is 3, the first digit will be either 0, 1, or 2.  This covers all cases, including octets like 000 and 001.  It does have the side effect of including invalid octets like 256 or 299, but the overhead for this is quite low.
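To make that description concrete, here is a small Python model (an added example, not part of this post or of the Cryptohaze release) that rebuilds the 81 per-position layouts described above, counts the candidates they produce, and checks which dotted-quad strings they cover.  The list-of-strings encoding for a layout is my own and is not the Multiforcer charset file format.

```python
"""Keyspace model for the 81 per-position IPv4 charsets described above.

Constructed example: it rebuilds the layouts the post describes (octet
lengths 1-3, digits 0-9, and a leading 0/1/2 for 3-digit octets), counts
candidates, and checks which dotted-quad strings are covered.
"""
from itertools import product

DIGITS = "0123456789"
LEADING = "012"          # first digit of a 3-digit octet, per the post

def octet_charsets(length):
    """Per-position charsets for one octet of the given length (1, 2 or 3)."""
    if length == 3:
        return [LEADING, DIGITS, DIGITS]
    return [DIGITS] * length

def layout(lengths):
    """Per-position charsets for a full address; dots are fixed positions."""
    positions = []
    for i, n in enumerate(lengths):
        if i:
            positions.append(".")
        positions.extend(octet_charsets(n))
    return positions

# One layout per combination of octet lengths: 3^4 = 81
ALL_LAYOUTS = [layout(l) for l in product((1, 2, 3), repeat=4)]

def keyspace(positions):
    """Number of candidate strings a single layout produces."""
    total = 1
    for cs in positions:
        total *= len(cs)
    return total

def total_keyspace():
    """Candidates across all 81 layouts (410 strings per octet, to the 4th)."""
    return sum(keyspace(p) for p in ALL_LAYOUTS)

def matches(candidate, positions):
    """True if every character of candidate is allowed at its position."""
    return len(candidate) == len(positions) and all(
        c in cs for c, cs in zip(candidate, positions))

def covered(ip):
    """True if some layout would generate exactly this string."""
    return any(matches(ip, p) for p in ALL_LAYOUTS)

if __name__ == "__main__":
    print(len(ALL_LAYOUTS), "layouts,", total_keyspace(), "candidates in total")
    for ip in ("192.168.1.1", "192.168.001.001", "010.0.0.1", "256.1.1.1", "300.1.1.1"):
        print(f"{ip:16} covered={covered(ip)}")
```

Note that "256.1.1.1" comes back as covered, which is the invalid-octet overhead the post mentions, while "300.1.1.1" does not, because 3 is never allowed as the first digit of a 3-digit octet.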

Using the script and a GTX580, the total time to crack all possible IP addresses when hashed with straight MD5 is right around 4.5 minutes.  Personally, I think this is quite acceptable.  I'm sure I could optimize much better for it if I cared to, but it would take me far more than the time saved to do so.  However, if anyone wants to optimize it further, I'd be glad to hear what you did.

The bash script (no batch file yet - please make one and I will include it!) is simple to use.

./run_ip_brute.sh [path to multiforcer] [path to IP charsets] [path to IP hash file] [options]


This is a flexible set of options that lets you run it as needed for your environment.


[path to multiforcer] is just a path to the Multiforcer binary you wish to run.  


[path to IP charsets] is the path to the ip_addresses directory containing all the charset files.


[path to IP hash file] is the path to your file containing the hashes.


[options] contains the rest of the options.  You may need to quote this parameter, and it contains things like the hash type (perhaps MD5?) and the output file (highly suggested, otherwise you'll have to scrape the output).  Example: "-h MD5 -o ips.out"


So, an example command line, if you put this in your Cryptohaze download directory:


./ip_addresses/run_ip_brute.sh ./Cryptohaze-Multiforcer ./ip_addresses ./ip_addresses/Random_IP_MD5s.txt "-h MD5 -o ips.out"


Enjoy!


Note: If it's not finding everything, I'm working on a point release built with CUDA 4.2 that fixes a few edge cases with the new drivers.
