Medussa: A distributed password cracking system


QUICKSTART
----------
Well, you've obviously got the software since you're reading this. To compile, it ought to
be as easy as:
 o ./configure --with-ssl=/usr/local/ssl --with-gmp=/usr/local
 o make

Obviously you need to change the paths to the OpenSSL and gmp libraries to suit your
system. Assuming the compile went ok, you'll end up with 5 binaries:

 o medussa
 o tentacle
 o mecon
 o testcrypt
 o showspace

We have to start up the scheduler now. Let's set an admin password so that we can use
mecon to administer it (this is normally in a configuration file, .medussarc):
$ ./medussa 
Medussa 0.6 starting up, loglevel 2, pid 18684
medussa console> set adminpassword foo
medussa console> set motd JoinTheFun

Let's give it a client, localhost:
$ /tentacle -v0 &

So now we have a scheduler which has nothing to do, and a client attached to it. Next step
is to feed this thing something to crack! Suppose you have a unix password hash like
this: "aahCNDDoS3ijE". This is basically a unix crypt of the password "testzz", with a
salt of aa. Plug it in to medussa using mecon:

$ ./mecon
mecon> o
Implementation 0.6 [i686-pc-linux-gnu], ready and willing
mecon@localhost> admin foo
mecon@localhost> add hash victim0 unixcrypt aahCNDDoS3ijE
mecon@localhost> add schedule victim0 bruteforce poss=abcdefghijklmnopqrstuvwxyz,maxlen=6

So, we're adding a password hash named victim0, type unixcrypt. Next, we're defining how
this hash will be attacked. For starters, something that completes quickly: Password tests
consisting of all lowercase characters from length 1 to length 6. You should be able to
see the load on your machine going up by now :)

So, lets check on what the status is:
mecon@localhost> sh n
node                   cps       start time       total time   current slice
juan                 R 17500    2000/11/16 21:33  0:00:00:22   70000:420000

One node named juan, doing 17500 cracks per second, and their current keyspace slice. To
get an estimate of how much time this will take:

mecon@localhost> stat
eta: 0:05:05:34
percent: 0.131
totalcps: 17500

So this experiment will take 5 hours, 5 minuts and 34 seconds more. We're 0.131% done
through the keyspace and our total cracks per sec is 17500. Not very exciting. Of course
this is the worse case scenario corresponding to the correct key being at the very end of
the keyspace we're working with. Have some more boxes lying around? Lets make them work.

gonzo:~$ ./tentacle -v0 -s juan &
[1] 2013

Checking the nodes again:
mecon@localhost> sh n
node                   cps       start time       total time   current slice
juan                 R 16666    2000/11/16 21:33  0:00:00:45   1332591:1665924
gonzo                R 12962    2000/11/16 21:33  0:00:00:44   1665924:1925182

If we check the statistics, we can see a much better situation:
mecon@localhost> stat
eta: 0:02:57:51
percent: 1.339
totalcps: 29703

To check the status of keys found, use the key command:
mecon@localhost> key
hash victim0: None




EXTENDED TUTORIAL
-----------------

For the more patient reader, I'll try to explain some of the capabilities of this code,
and hopefully enable you to use it more fully. The basic idea is that, in brute force
cracking we have:
 o a function generating possible keys
 o a function converting them to password hashes

So the major parameters of this process are those two functions. I've tried to make things
easy for expansion and coverage of new ways of both testing for weak passwords and of more
password hashing functions, and this is the reason for the two abstractions. 

GENERATORS
----------
You can always get a list of possible key generating functions using showspace:

$ showspace -l
Available generators: bruteforce dictionary binary random obfuscate 

bruteforce: This is your run-of-the-mill bruteforce generator, given a list of ASCII
characters and the maximum and minimum key length, it will give you all possible keys that
use that criteria. It's very handy for testing whether a password fits certain weakness
factor, and that was the primary driver for writing this thing :) It accepts a bunch of
parameters, "poss" for the list of possible characters, "minlen", "maxlen" are self
explanatory.

dictionary: Another popular generator, given a list of words and a list of rules on how to
permutate those words, it will create all possible combinations. The rule logic is taken
from john the ripper 1.6, and is an extended version of Crack 1.5 rulelist format. If in
doubt, there are some very well thought out lists of rules on how to combine dictionary
words as part of the john or Crack tarball. Takes a bunch of parameters:

 o words: Path to the file containing the dictionary
 o rules: Path to the file containing the rules 
 o fileserver: Hostname of the box serving those files. Normally medussa serves them.
 o tempdir: The local path that nodes will cache the two files

This generator is smart enough to not download files unless it has to, so that nodes
trying to get dictionary files won't swamp your network. In general, I've tried to make
network communication minimal..

binary: This is a last resort type of generator, it will try all possible binary
combinations up to a certain length. It was meant to be used with SSL session cracking,
but I never got round to implementing the cracking part. Yet. Takes one parameter, "len".

random: This is not very useful for password cracking since it will *not* cover all the
keyspace necessarily. It usually does eventually, so if you're feeling lucky you might try
it. The reason for its existence is my wanting to use the parallel computing framework
that medussa gives for purposes other than cracking passwords. Har, har.

obfuscate: Basically the same thing as a binary generator, only this will conceal that
there is something linear happening behind the scenes. It will cover all of the keyspace
you ask it to cover. Takes "seed", the initial seed for obfuscation and "len" as
parameters.


METHODS
-------
Password hashing functions can be listed using testcrypt:
$ ./testcrypt -l
Available methods: unixcrypt md5raw md2raw md5 sharaw

unixcrypt: Your basic DES based unix crypt() function. I use the OpenSSL internal crypt
which in my tests is roughly the same or better than any other portable crypt
implementation. This is a full crypt, not bitsliced. Volunteers welcome.

md5: This is the FreeBSD/Linux/cisco md5 based password hash. I use the reference
implementation (or something very close to it), so this is dreadfully slow.

sharaw: This works on SHA1 based hashes that use no salting. It achieves ridiculous speeds
and demonstrates exactly how bad an idea it was to use it for Netscape's directory
server. I've had to clamp down the block size of this guy so that nodes wouldn't have to
take up oodles of memory buffering up possible keys, feel free to tweak this.

md5raw, md2raw are just for testing for now.


SCHEDULER
---------
In general, medussa tries to be an adaptive system. The scheduler tries to meet its goal
of having the clients communicate back every 20 seconds or so (configurable), and adjusts
the key slice it hands out dynamically until they comply. It keeps extensive timing and
performance information so that this is done as accurately as possible. To keep things
from spiralling, there's an upper and lower clamp on how much keyspace we'll hand out to
each node, parameters "max_keyslice" and "min_keyslice" respectively. Use the parameter
command on mecon to toy with these things.

In the interest of error recovery, medussa will flag nodes as dead and resend the keyspace
to another willing node. It will also checkpoint its status periodically and can be made
to recover from a stop by using the -r option.


$Id: README,v 1.2 2000/11/17 03:15:23 kos Exp $