




Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
A programming project for CSE231 students in Spring 2017, where they are required to develop a password file cracker using brute force and dictionary methods. The project involves creating functions to implement these methods, opening and closing files, and handling errors. The goal is to crack password-protected zip files by trying all possible combinations of passwords.
Typology: Study notes
1 / 8
This page cannot be seen from the preview
Don't miss anything!





CSE231 Spring 2017
(Edits: changed itertools permutations to productâeither works for these passwords, but product is the correct one. Removed lists and tuples from the forbidden list.) This project is worth 45 points (4.5% of the courses grade). It uses error checking, functions, and opening files and must be completed and turned in before 11:59 PM on Monday, February 27th.
Over the past several decades computer systems have relied on the concept of a password in order to authenticate users and grant access to secure systems. I hope you all are using several different passwords for different systems and websites as that is currently the best security practice. However even when requiring users to use âstrong passwordsâ and change them frequently, passwords inevitably get leaked and people unfortunately use the same password for their bank account as for Facebook. There are a vast array of methods for cracking passwords but this project will introduce you to 2 of them. Brute force and dictionary. A brute force attack is a computer program will generate every possible combination of input then try all possibilities. Take a smartphone as an example, most have a 4 digit pass code so a brute force attack would start by first trying 0000, 0001, 0002, 0003, 0004, so on and so forth, until the correct passcode is found. In the case of a 4 - digit password, there are 10, combinations. When using all the characters on your keyboard, the possible combinations quickly climb into the millions. Given enough time and computing power, a brute force attack will always work. However, keep in mind though that most modern encryption standards would take several thousand years and require a lot of computing power to generate all possible combinations. So, if you're encrypting your devices (as you should be) and using strong passwords youâre probably safe from a brute force attack. A dictionary attack relies on a source file (like the one we provide you) in order to carry out an attack. A source file is simply just a text file containing passwords. Sometimes, when malicious hackers manage to break into a âsecureâ system they release a password dump which is a file containing all the passwords found on that system. This is a good way of seeing the most common passwords. Note: there are several ways of cracking / stealing passwords that can range from tricking people into telling you (known as phishing) to breaking some vulnerability in a website (such as an SQL injection) and many more.
You will be developing a python program that implements the two password cracking methods and allows the user to crack .zip (archive) files. The first task is to implement a driver loop that prompts the user for which file cracking method theyâd like to use (brute force, dictionary, or both). After determining which method the user would like to use, call the respective function(s) and show the time each function took to run. The user should be able to quit by typing âqâ. If the attack is âbothâ, do a dictionary attack first and do a brute force attack only if the dictionary attack failed. Your second task is to develop a brute force function that generates a strings containing a-z (all lowercase) of length 8 or less as the password to attempt (Hint: start small trying small passwords first). For example ,your string should start out with âaâ, then âbâ, then âcâ, so on and so forth. When you get to âzâ change the first character back to âaâ and append another letter so your string becomes âaaâ then âabâ. Once the password is cracked you should display the password to the user. Hint : see notes below about itertools. The third task is to then develop the dictionary function. After you have prompted for the name of the dictionary file and the target .zip file your function should go through every line (one password per line) and try opening the .zip file. If it opens successfully, then again, display the password to the user. If you try all the passwords in the source file, display an appropriate error message. Hint : remember to strip() the word read from the file before trying it as a password! The fourth and final task for this project is a research question. With this project we are providing you with two password protected .zip files. On behalf of the Computer Science Department you have our full permission to attack these two specific files for demonstration and educational purposes only. Breaking into secure computer systems is illegal in the US. (most other countries have similar laws). Your research question is to find out what US federal law youâre breaking if you decide to do this without permission. Your program should warn the user what the name of the law is, and what the maximum penalty is before prompting for input.
You are also not allowed to use sets, or dictionaries. Divide-and-conquer is an important problem solving technique. In fact, inside of every challenging problem is a simpler problem trying to get out. Your challenge is to find those simpler problems and divide the problem into smaller pieces that you can conquer. Functions can assist in this approach. Hint: build the following functions one at a time and test each one before moving on to the next.
We provided two password protected zip files. One that can be cracked with the brute force method and one that can be cracked with the dictionary method. Optional: If you would like to test your program with more than just our two zip files, here are instructions for creating a password protected zip file on Mac and Windows: Mac: http://osxdaily.com/2012/01/07/set-zip-password-mac-os-x/ Windows: (we recommend using the WinRar part of the tutorial) http://www.intowindows.com/how-to-create-zip-file-with-password-in-windows-78/ Note: when password protecting your own zip file, make sure your password is a-z, lowercase, and less than 8 characters long. Youâre welcome to try longer passwords but the time required to break them will increase exponentially.
Python has many, many useful modules and itertools is one that is useful in general and a major effort-savor for this project. To brute force passwords you want to try all permutations of characters. The itertools has a function named product that provides exactly that functionality. However, that function generates tuples of characters, e.g. ('a','b','c'), whereas we need a string, e.g. 'abc'. There is a string method named join that allows you to join characters together with a specified character between each one. For example, '-'.join(('a','b','c'))yields the string 'a-b-c', but we donât want any characters in between so we use an empty string as ''.join(('a','b','c'))to yield 'abc'. Experiment with these in the shell. For example, if we want to generate strings (passwords in this project) of length 3 from a string of characters 'abcdef' we use the following: from itertools import product for items in product('abcdef',repeat=3): print(''.join(items))
To determine time we use yet another module: time. To calculate the time it takes a function to run get the time before calling the function, call time again right after calling the function, and then take the difference and print. Use the time.process_time() function, e.g. to time the dictionary_attack function: start = time.process_time() dictionary_attack(zip_file, dict_file) end = time.process_time()
Then take the difference, round to 4 decimal places and print. The time is in seconds and the individual values have no meaning other than that when you take the difference you get the time that the function took.
Computer Project #06 Scoring Summary General Requirements 0 (5 pts) Coding Standard 1 - 9 (descriptive comments, function header, etc...) Implementation: 0 (10 pts) Pass test1: able to crack a zip file with a dictionary attack and no error in input 0 (10 pts) Pass test2: able to crack a zip file with a brute force attack and no error in input 0 (5 pts) Pass test3 and test4: Control and input: loops as specified and handles errors in input 0 (5 pts) Pass test5: 'both' selection with failed and successful dictionary attacks 0 (5 pts) Script contains warning explaining the US federal law on hacking 0 (5 pts) Cracking times are calculated and posted in seconds TA Comments:
Test Case 1 Cracking zip files. Warning cracking passwords is illegal due to law XXXXX and has a prison term of XXXXX What type of cracking ('brute force','dictionary','both','q'): dictionary Dictionary Cracking Enter dictionary file name: rockyou.txt Enter zip file name: dictionary_attack.zip Dictionary password is XXXXXX Elapsed time (sec): 0.
(In Test Case 5 use the short dictionary and the brute_force.zip file so the dictionary attack fails and doesnât take forever to do soâforcing the brute force attack to be needed.) Cracking zip files. Warning cracking passwords is illegal due to law XXXXX and has a prison term of XXXXX What type of cracking ('brute force','dictionary','both','q'): both Both Brute Force and Dictionary attack. Enter dictionary file name: short_dict.txt Enter zip file name: brute_force.zip No password found. Dictionary Elapsed time (sec): 0. Brute force password is XXXXXX Brute Force Elapsed time (sec): 2. What type of cracking ('brute force','dictionary', 'both', 'q'): both Both Brute Force and Dictionary attack. Enter dictionary file name: rockyou.txt Enter zip file name: dictionary_attack.zip Dictionary password is XXXXXX Dictionary Elapsed time (sec): 0. What type of cracking ('brute force','dictionary', 'both', 'q'): q Optional Testing This test suite five tests for the entire program.
For each of the following statements, please respond with how much they apply to your experience completing the programming project, on the following scale: 1 = Strongly disagree / Not true of me at all 2 3 4 = Neither agree nor disagree / Somewhat true of me 5 6 7 = Strongly agree / Extremely true of me *** Please note that your responses to these questions will not affect your project grade, so please answer as honestly as possible .*** Q1: Upon completing the project, I felt proud/accomplished Q2: While working on the project, I often felt frustrated/annoyed Q3: While working on the project, I felt inadequate/stupid Q4: Considering the difficulty of this course, the teacher, and my skills, I think I will do well in this course. Q5: I ran the optional test cases (choose 7=Yes, 1=No) Please insert your answers into the bottom of your project program as a comment, formatted exactly as follows (so we can write a program to extract them).