Networks Course Password Cracking Challenge

During the March 18th, 2014, Networks lecture (CS3C03/SE4C03), I posed the challenge of cracking the password corresponding to the following command:

htpasswd -bnm netsec2014 <password>

which yielded:

netsec2014:$apr1$tWaYGBoQ$v1osblq2UdOs0rNURdUhW0

Note several things about this line:

  • apr1 means the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password; you can find more about it here: Apache Password Formats.
  • tWaYGBoQ (i.e., the string between the second and third $‘s) is the salt; a 32 bit binary value encoded in Base64. This salt is randomly generated each time the htpasswd command is invoked, and hence, each time htpasswd is invoked it yields a different output, even though it is invoked on the same login/password pair.
  • v1osblq2UdOs0rNURdUhW0, (i.e., the string following the last $) is the actual hash.

How can you check whether a particular password works? You can do so with the command:

openssl passwd -apr1 -salt tWaYGBoQ <password>

As of March 19, 9am, no one was able to break this password. I expect this to be very difficult. On the other hand, the first challenge was successfully cracked by Adam Brousseau: the crypt password corresponding to seed 3z and hash f2laisA/GQ6 is abracadabra, and since only the first 8 characters count, abracada. Adam used open source C code John The Ripper on his own Linux machine, with processor AMD 4 core 3.4GHz (Single core used; Phenom II X4 965 BE). The crack took 23 minutes 10 seconds.

One thought on “Networks Course Password Cracking Challenge”

  1. For cracking the second hash, when my machine got to attempting 7 bit mask, it said it would take 4 days to cover all of them (open charset).

    I aborted that and started at 8 bit mask with charset 0-9 and a-z. This was based on your past challenges where the password has been 8 bits and has only contained 0-9 and a-z. For this my machine said that it would take 124 days.

    So, I decided to use Amazon EC2. This wasn’t for the purposes of getting that additional 3%, but instead for seeing how long it would take to crack this hash on a powerful machine. It cost me only $4 to try it.

    The Amazon EC2 instance that I worked with was a cluster GPU instance running 2 Nvidia Tesla M2050’s.

    After setting up the environment and setting up CUDA on the instance, I ran oclHashcat on it for 8 bit mask with charset 0-9 and a-z to compare it to my machine. It said it would take 54 days to crack it.

    I didn’t go on with this as it would be very expensive to keep pursuing.

    Few notes from my end:
    1) My friend also tried running the hash against a dictionary that was almost 14 gigs. Didn’t help.
    2) The EC2 runs Nvidia GPUs. ATI is known to give much much better performance for cracking hashes. I believe the performance is 10 fold. I didn’t get to try this yet.
    3) It is clear that this type of Hash may not be hard to break with the available open source software, however it is EXPENSIVE to break (in this case, expensive enough for a student).
    4) Also, as the size of the password increases, the amount of time increases exponentially. For eg. on my machine: all attempts for 7 bit mask ~ 4 days, 8 bit mask ~ 124 days.

    Screen Shot 1
    Screen Shot 2

Leave a Reply

Your email address will not be published.