-
Cracking passwords using the power of your GPU
I read this article a few weeks ago and I just had to try it. The use of GPUs in high performance computing is becoming very popular nowadays because you get so much computing power at very little cost compared to CPUs. You can pretty much buy a workstation and put 8 NVIDIA Tesla GPU cards in it and you got yourself a nice little supercomputer that can compete with a big CPU cluster or grid.
You not only save money on the hardware, but also on storage cost (a rack of servers vs. a workstation under your desk), electricity cost (go green!), and manpower to maintain and manage the cluster or grid computing environment.
IGHashGPU, written by Ivan Golubev, is a great example of this. This application does a pure brute-force of a password hash to retrieve its original value. It supports multiple hashing algorithms, such as MD4, MD5, and SHA-1, and can run on multiple GPU cards in parallel.
The application also allows you to specify options that narrow the search and speed up the process, such as the minimum and maximum length of the original password and whether the password contains uppercase and lowercase characters, numbers, and special characters. For example, if you know that there’s a password policy of at least 6 characters, you can set the minimum length to 6 so the brute-force starts at 6 characters, which saves some processing time.
I tested this application on a box that has one Tesla C2050 GPU and cracking a 7-character MD5-hashed password containing numbers, uppercase, and lowercase characters took a mere 9 minutes and 38 seconds at a rate of roughly 1.17 billion comparisons per second!
I haven’t tested this on a CPU but according to the article it would take about 4 days on the CPU. Pretty cool!
-
How to set the proxy settings in Windows via command line
Posted on June 11th, 2011
Once in a while I need to download and install Python packages at work and having switched to Linux (Ubuntu) at home, I find it quite annoying now to have to go to a website, download the package I need, then manually install.
Fortunately, the pip installer works for Windows as well, allowing the installation of Python packages automatically with a simple command (pip install package_name). But at work, we’re behind a proxy server so I have to set the HTTP_PROXY environment variable first before pip can connect to download the packages.
You can set this environment variable permanently so you don’t have to keep re-typing it every time you open a cmd window, but since our proxy requires authentication I prefer not to hardcode it (plus I’ll have to remember to update when my password changes).
Simply type this in the cmd window to set it (note that the setting will get deleted once you close the window):
set HTTP_PROXY=http://user:password@proxy.domain.com:port
-
How to convert a Java keystore (JKS) to PEM format
Posted on May 8th, 2011
I’m currently working on a new project where I need to write a service to serve static files to users. Our web application currently runs on Tomcat alone as we don’t have many users (internal users only) and most of the content is dynamic. But with this new project it just seems to make sense to put an Apache web server in front of Tomcat and use the mod_xsendfile module to serve the files, which will also allow us to control which users can access which files.
So I started playing with Apache, mod_xsendfile, and mod_proxy and finally got things working. The last step is to add encryption. The Java keystore format won’t work with Apache, however, so I needed a way to export the certificate and private key from the Java keystore we used for Tomcat and import it to a new PEM file so I can use it with Apache.
If we controlled the Certification Authority (CA) I probably would’ve just generated a new certificate, but this is unfortunately not the case in our environment (big company thing). I would need to generate a certificate signing request, open a ticket with corporate IT, wait for approval, wait for someone to do it and send it to me, etc. The process could take a few days so I decided to just do some Googling on how to extract the keys/certificates from the keystore and convert them to PEM, which Apache web server will accept.
There doesn’t seem to be a quick way to directly convert from JKS to PEM so I had to convert from JKS to PKCS#12 first, then to PEM.
Here are the steps I took to do the conversion:
1. Export the certificate and private key from the Java keystore and import them into a new PKCS#12 keystore using the Java keytool (C:\Program Files\Java\jre6\bin\keytool.exe by default on Windows).
keytool -importkeystore -srckeystore myapp.jks -destkeystore myapp.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12
2. Convert the new PKCS#12 file (myapp.p12) to PEM using openssl (openssl.exe is in the bin directory of the Apache installation on Windows).
openssl pkcs12 -in myapp.p12 -out myapp.pem
If you’re running Apache on *nix, you’re all set! But if you’re running on Windows (I know, I know), you will need to remove the passphrase from the PEM file.
3. (Optional depending on environment) Create a version of the PEM file with the passphrase removed.
You may get this message when using the certificate in Apache running on Windows:
SSLPassPhraseDialog builtin is not supported on Win32.
The solution is to remove the password/passphrase from the PEM file, so let’s create a version of the PEM file without the passphrase.
openssl rsa -in myapp.pem -out myapp_nopassphrase.pem
openssl x509 -in myapp.pem >>myapp_nopassphrase.pem
Reference myapp_nopassphrase.pem in your httpd.conf, start the Apache service, and you’re good to go!
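Steps 2 and 3 above, run without prompts and then checked, as an added example that is not part of the original post. Step 1 is replaced by a throwaway PKCS#12 file built with openssl so no real keystore is needed; the CN, the "changeit" passphrase and the function names are assumptions. The checks confirm that myapp.pem still holds an encrypted key, that myapp_nopassphrase.pem does not, that the key and certificate belong together, and that the unprotected key file is readable by its owner only.

```sh
#!/bin/sh
# Added example, not from the original post. All values are constructed:
# the CN, the "changeit" passphrase (pass: is acceptable only for a throwaway key).
set -eu
umask 077   # every file created below is readable by its owner only

make_test_p12() {    # stand-in for step 1 (keytool): build a disposable myapp.p12
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=myapp-dev.invalid" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl pkcs12 -export -name myapp-dev -inkey "$1/key.pem" -in "$1/cert.pem" \
    -out "$1/myapp.p12" -passout pass:changeit
}

convert() {          # steps 2 and 3 from the post, without interactive prompts
  openssl pkcs12 -in "$1/myapp.p12" -out "$1/myapp.pem" \
    -passin pass:changeit -passout pass:changeit 2>/dev/null
  openssl rsa -in "$1/myapp.pem" -passin pass:changeit \
    -out "$1/myapp_nopassphrase.pem" 2>/dev/null
  openssl x509 -in "$1/myapp.pem" >> "$1/myapp_nopassphrase.pem"
}

key_is_encrypted() { # true if the PEM file holds a passphrase-protected key
  grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

key_matches_cert() { # public key derived from the key must equal the cert's
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

owner_only() {       # group and other permission bits must all be clear
  [ "x$(ls -l "$1" | cut -c5-10)" = "x------" ]
}

dir=$(mktemp -d)
make_test_p12 "$dir"
convert "$dir"
out="$dir/myapp_nopassphrase.pem"
key_is_encrypted "$dir/myapp.pem" && echo "myapp.pem: key is passphrase-protected"
key_is_encrypted "$out" || echo "myapp_nopassphrase.pem: key is stored in the clear"
key_matches_cert "$out" && echo "private key and certificate match"
owner_only "$out" && echo "myapp_nopassphrase.pem: owner-only permissions"
rm -rf "$dir"
```

On Windows, where umask has no effect, the equivalent of the last check is restricting the file's ACL to the account that runs the Apache service.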