Investigation into DES cracking with John the Ripper and Ztex FPGA

DES has not been considered safe for a long time. For some time now, the cracking tool John the Ripper has even made it possible to accelerate cracking with FPGAs. Since I find this topic exciting, I tried it with an FPGA board.

System

  • Lenovo Thinkpad X230
  • Ubuntu 18.04 LTS
  • Ztex 1.15y FPGA Board

Install necessary requirements:

sudo apt install libbz2-1.0 libbz2-dev libgmp-dev libkrb5-dev libnss3-dev libpcap0.8-dev libpcap-dev libssl-dev libusb-dev pkg-config python-usb yasm zlib1g-dev libusb-1.0 git

Clone John the Ripper and build it with ZTEX support:

mkdir ~/gits
cd ~/gits
git clone https://github.com/magnumripper/JohnTheRipper.git
cd ~/gits/JohnTheRipper/src
./configure --enable-ztex
make -s clean && make -sj4

We generate a new example shadow file to test the DES cracking:

root:roEhj0vy.MdZw:16560:0:99999:7:::
daemon:*:16560:0:99999:7:::
bin:*:16560:0:99999:7:::
sys:*:16560:0:99999:7:::
sync:*:16560:0:99999:7:::
games:*:16560:0:99999:7:::
man:*:16560:0:99999:7:::
lp:*:16560:0:99999:7:::
mail:*:16560:0:99999:7:::
news:*:16560:0:99999:7:::
uucp:*:16560:0:99999:7:::
proxy:*:16560:0:99999:7:::
www-data:*:16560:0:99999:7:::
backup:*:16560:0:99999:7:::
list:*:16560:0:99999:7:::
irc:*:16560:0:99999:7:::
gnats:*:16560:0:99999:7:::
nobody:*:16560:0:99999:7:::
messagebus:!:16560:0:99999:7:::

And test the cracking with the following parameters:

sudo ~/gits/JohnTheRipper/run/john -form=descrypt-ztex --progress-every=60 -inc=lower -min-len=8 -max-len=8 -mask='?w?l?l?l?l' shadow

The output should look like this:

SN: XXXXXXXXXX productId: 10.15.0.0 "inouttraffic 1.0.0 JtR" busnum:1 devnum:6 
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt-ztex, traditional crypt(3) [DES ZTEX])
SN XXXXXXXXXX FPGA #2 error: pkt_comm_status=0x01, debug=0x0000
SN XXXXXXXXXX error -1 doing r/w of FPGAs (LIBUSB_ERROR_IO)
SN XXXXXXXXXX FPGA #2 error: pkt_comm_status=0x09, debug=0x0000
SN XXXXXXXXXX error -1 doing r/w of FPGAs (LIBUSB_ERROR_IO)
Press 'q' or Ctrl-C to abort, almost any other key for status
testtest         (root)
1g 0:00:00:02 DONE (2020-02-10 14:10) 0.3875g/s 952210Kp/s 952210Kc/s 952210KC/s testtest..tonyaikz
Use the "--show" option to display all of the cracked passwords reliably
Session completed
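
A defender-side counterpart to the run above, as an added example that is not part of the original post: it scans a shadow file for accounts still hashed with traditional DES crypt(3) and estimates how long the full 8-letter lowercase space lasts at the rate John reported. The function names and the alice and bob entries are constructed, and the K in Kc/s is assumed to mean 1000.

```python
import re

# Constructed sample (shadow(5) format); only the root hash is from this page.
SAMPLE_SHADOW = """\
root:roEhj0vy.MdZw:16560:0:99999:7:::
daemon:*:16560:0:99999:7:::
messagebus:!:16560:0:99999:7:::
alice:$6$examplesalt$constructedplaceholder:16560:0:99999:7:::
bob:!roEhj0vy.MdZw:16560:0:99999:7:::
"""
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")  # 2 salt chars + 11 hash chars
MCF_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

def classify(field):
    """Return (scheme, locked) for the password field of a shadow entry."""
    locked = field.startswith("!")
    body = field.lstrip("!")          # a leading "!" only locks the account
    if body == "":
        return ("locked" if locked else "empty", locked)
    if body == "*":
        return ("no-login", True)
    if body.startswith("$"):          # modular crypt format: $id$salt$hash
        return (MCF_IDS.get(body.split("$")[1], "unknown"), locked)
    if DESCRYPT_RE.fullmatch(body):
        return ("descrypt", locked)
    return ("unknown", locked)

def find_descrypt(shadow_text):
    """Return [(user, locked)] for entries still hashed with DES crypt(3)."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme, locked = classify(fields[1])
        if scheme == "descrypt":
            findings.append((fields[0], locked))
    return findings

def worst_case_seconds(charset_size, length, rate):
    """Time to try every candidate of one length at `rate` candidates/s."""
    return charset_size ** length / rate

if __name__ == "__main__":
    for user, locked in find_descrypt(SAMPLE_SHADOW):
        print(f"{user}: descrypt, locked={locked} -> rehash with a modern scheme")
    # 952210 Kc/s is the rate in the output above (assuming K = 1000).
    print(f"{worst_case_seconds(26, 8, 952210e3):.0f} s for all 8-letter lowercase")
```

A locked entry such as bob is still reported, because the hash becomes usable again as soon as the account is unlocked.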

6 Comments on “Investigation into DES cracking with John the Ripper and Ztex FPGA”

  1. Where did you get the board? I wanna make some experiments like yours but finding a compatible board has proven to be a very difficult task. I would really appreciate if you could give directions on how to get one.

  2. I bought it on eBay… When I bought it there were quite a lot of these available… But currently I do not find any boards.

  3. Would you consider selling or analyze a bcrypt hash?

  4. No sorry, because I am not sure if this is legal in Germany.

  5. I used one of eight boards to test, but the following error occurred.

    sudo ./john -form=descrypt-ztex --progress-every=60 -inc=lower -min-len=8 -max-len=8 -mask='?w?l?l?l?l' shadow
    SN: 04A39E2D6F productId: 10.15.0.0 "inouttraffic 1.0.0 JtR" busnum:1 devnum:9
    Using default input encoding: UTF-8
    Loaded 1 password hash (descrypt-ztex, traditional crypt(3) [DES ZTEX])
    Press Ctrl-C to abort, or send SIGUSR1 to john process for status
    SN 04A39E2D6F FPGA #2 error: app_status=0x10, debug=0x0000
    SN 04A39E2D6F error -1 doing r/w of FPGAs (LIBUSB_ERROR_IO)
    SN 04A39E2D6F FPGA #2 error: app_status=0x10, debug=0x0000
    SN 04A39E2D6F error -1 doing r/w of FPGAs (LIBUSB_ERROR_IO)
    SN 04A39E2D6F FPGA #3 error: app_status=0x10, debug=0x0000
    SN 04A39E2D6F error -1 doing r/w of FPGAs (LIBUSB_ERROR_IO)

  6. I also get the error message sometimes. I figured out that it is important to connect the USB first and, if the upload failed, power cycle the board.

    sudo ~/gits/JohnTheRipper/run/john -form=descrypt-ztex --progress-every=60 -inc=lower -min-len=8 -max-len=8 -mask='?w?l?l?l?l' shadow
    SN 04A36E36DC: firmware uploaded
    SN: 04A36E36DC productId: 10.15.0.0 "inouttraffic 1.0.0 JtR" busnum:1 devnum:9
    Using default input encoding: UTF-8
    Loaded 1 password hash (descrypt-ztex, traditional crypt(3) [DES ZTEX])
    SN 04A36E36DC: uploading bitstreams.. ok
    SN 04A36E36DC: Timeout.
    Press Ctrl-C to abort, or send SIGUSR1 to john process for status
    SN 04A36E36DC FPGA #1 error: pkt_comm_status=0x01, debug=0x0000
    SN 04A36E36DC error -1 doing r/w of FPGAs (LIBUSB_ERROR_IO)
    testtest (root)
    1g 0:00:00:16 DONE (2021-01-28 13:39) 0.06002g/s 147461Kp/s 147461Kc/s 147461KC/s testtest..tonyaikz
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed.
