HackMe4 – Timing
HackMe4:
This password check is meant to be cracked by timing analysis. A timing analysis uses the variation in the time a program needs to check the password.
Download File: HackMe4(Linux)
Download File: HackMe4(Windows)
Theory:
Some password comparison functions check every single letter in a loop and abort as soon as a letter does not match. For example, the C/C++ string compare function “strcmp” is implemented like this. This is shown in the following code examples.

    #include <stdio.h>
    #include <string.h>   /* strcmp() is declared here */

    int main(void) {
        const char *inputpw = "passtest";
        const char *rightpw = "password";
        int valid = 0;

        /* strcmp() returns 0 only when both strings are identical */
        valid = strcmp(inputpw, rightpw);
        if (0 == valid) {
            printf("Right password\n");
        } else
            printf("Wrong password\n");
        return 0;
    }
The string compare function can also be written as below, with a for loop that runs until the two strings no longer match. As a result, comparing two strings takes more time if they match at the beginning. Here the loop runs until the fifth letter is compared (“t” differs from “w”).

    #include <stdio.h>

    int main(void) {
        const char *inputpw = "passtest";
        const char *rightpw = "password";
        int valid = 0;
        int i = 0;

        /* compare letter by letter until both strings have ended */
        for (i = 0; rightpw[i] != '\0' || inputpw[i] != '\0'; i++) {
            if (inputpw[i] != rightpw[i]) {
                valid = 1;
                break; // every loop needs time
            }
        }
        if (0 == valid) {
            printf("Right password\n");
        } else
            printf("Wrong password\n");
        return 0;
    }

With the example shown above, the following figure illustrates the behavior of a string compare function.
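Counting comparisons makes the leak in the early-exit loop visible without a stopwatch. The block below is an added example, not code from the original post or from HackMe4: it puts that loop next to a constant-time comparison, the usual mitigation. The function names and the sample strings are made up for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit compare, as in the loop above. *steps counts the character
 * comparisons made: a deterministic stand-in for the measured run time. */
static int leaky_equal(const char *input, const char *secret, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0;; i++) {
        (*steps)++;
        if (input[i] != secret[i])
            return 0;                 /* leaves at the first mismatch */
        if (secret[i] == '\0')
            return 1;                 /* both strings ended together */
    }
}

/* Constant-time variant: always walks the whole secret and ORs the XOR of
 * each pair into diff. Only the lengths (not the content) affect the work. */
static int constant_time_equal(const char *input, const char *secret, size_t *steps)
{
    size_t in_len = strlen(input), sec_len = strlen(secret);
    unsigned char diff = (unsigned char)(in_len != sec_len);
    *steps = 0;
    for (size_t i = 0; i < sec_len; i++) {
        /* Positions past the end of the input read as 0: no overrun. */
        unsigned char c = (i < in_len) ? (unsigned char)input[i] : 0;
        diff |= (unsigned char)(c ^ (unsigned char)secret[i]);
        (*steps)++;
    }
    return diff == 0;
}

int main(void)
{
    const char *secret = "password";  /* constructed sample values */
    const char *tries[] = { "xassword", "passtest", "password" };
    for (size_t t = 0; t < 3; t++) {
        size_t a, b;
        int r1 = leaky_equal(tries[t], secret, &a);
        int r2 = constant_time_equal(tries[t], secret, &b);
        printf("%-9s early-exit: %d (%zu steps)  constant-time: %d (%zu steps)\n",
               tries[t], r1, a, r2, b);
    }
    return 0;
}
```

In production code prefer a vetted primitive such as OpenSSL's CRYPTO_memcmp or the BSD timingsafe_bcmp, since an optimizing compiler may reintroduce an early exit into a hand-written loop.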
Linux:
With Linux it is possible to measure the execution time.
    $ time ./hackme4_linux passwordtest
    Copyright by NM-Projects.de
    Input: "passwordtest"
    Wrong password

    real 0m0.001s
    user 0m0.000s
    sys 0m0.000s
Here we see that the execution time is about 1 ms. The execution time varies when different inputs are tested.
    $ time ./hackme4_linux testpassword
    Copyright by NM-Projects.de
    Input: "testpassword"
    Wrong password

    real 0m0.101s
    user 0m0.000s
    sys 0m0.000s
With the letter “t” at the beginning, the program takes 100 ms longer to determine the answer, so with a script it is easy to find the right password.
A small Python script can measure the timing. To test other passwords, change the password in the script.

    import os
    import timeit

    # Time one run of the target with a single candidate password.
    start = timeit.default_timer()
    os.system("./hackme4_linux password")
    stop = timeit.default_timer()
    print(stop - start)  # elapsed wall-clock time in seconds
Windows:
C:\hackme4.exe passwordtest