Skip to content
/ dictionary-attack Public
forked from npapernot/dictionary-attack

A simple example of a dictionary attack coded in Java

0 stars 19 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cmentor/dictionary-attack

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
DictionaryAttack.java
DictionaryAttack.java
 
 
README.md
README.md
 
 
english.0
english.0
 
 
password.txt
password.txt
 
 

Repository files navigation

Dictionary Attack

This repository contains a simple example of a dictionary attack coded in Java.

Description of Repository Content

Here are the files you can find in this repository:

  • password.txt contains a list of passwords that we recover using the attack
  • DictionaryAttack.java is the source code for the attack
  • english.0 is the dictionary used during the attack to recover passwords

Description of the password.txt file format

The list of passwords that we recover using the attack is a text file in which each line contains a user account name followed by a password. There are two possible line formats: the first one contains an unsalted password while the second contains a salted password along with the salt.

username 0 unsaltedpassword
username 1 salt saltedpassword

The passwords are hashed using SHA-1 (see attack source code for implementation in the Java Cryptography Extension). When a salt is used, it is simply concatenated together with the passwords as follows: salt || password.

Description of the attack

The attack simply reads the dictionary line by line and computes 6 different possible hashed passwords for the word contained in each line. These 6 possible hashes are compared to each of the passwords contained in the password.txt file for a match. If there is a match, we recovered a password. If not, we simply keep reading the dictionary line by line.

The 6 possible hashes computed for each word from the dictionary are:

  • SHA1(word)
  • SHA1(drow) (reversed word)
  • SHA1(wrd) (word without vowels)
  • SHA1(salt||word) (salted word)
  • SHA1(salt||drow) (salted reversed word)
  • SHA1(salt||wrd) (salted word without vowels)

Note that the salts used in salted hashes are the ones includes in the password.txt file.

How to run the attack

To run the attack, simply compile and run the DictionaryAttack.java file. All paths are hardcoded in the file so you will need to update them before you compile the source code.

The output should be the following:

Let's get things started.
joe's password is 'December'
alice's password is 'tfosorciM'
mary's password is 'Monday'
john's password is 'brosba'
bob's password is 'yllacitebahpla'
guy's password is 'ntrstwrthnss'
nick's password is 'uplifting'
adam's password is 'vsblts'
eve's password is 'wrrsm'
andrew's password is 'kcitsdray'
The program terminated.

Note on complexity

Note that this attack is a simple example and could be made far more efficient using various strategies. One of them would be to precompute the possible hashes before checking the password list for matches. Since our password list and dictionary are fairly small in this example, I did not implement this feature.

About

A simple example of a dictionary attack coded in Java

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Java 100.0%