So I finally got to cleaning up my mess and releasing the code! I don't feel like writing much text right now, so I hope to produce some explanations about PS3 coding in the future (could be in one day, could be in a few weeks ;)).
At least to share some links I came across while developing:
* Black Hat presentation slides by Nick Breese
* MD5 code by Nick Breese
* Someone improving part of Nick Breese's code
* G924789's improvements for MD5 ROUND1 and ROUND2
* Some examples of communication between PPU and SPUs
* Someone who implemented AES on PS3
* IBM documentation on Cell
* C/C++ Language Extensions for Cell/B.E. Architecture (somehow IBM killed the link at the moment)
You can get the source code, including binaries, here!
Feel free to comment, improve, share!
Monday, June 8, 2009
HI,
-first sorry for my bad English
I want to ask you if I only have to change the PPU_md5.h and the SPU_md5.h when I want to bruteforce NTLM-hashes. I'm not so good in cell-programming ^^ so it would be nice if you could give me some tips or tricks.
Hi MasDie,
if you want to brute force NTLM hashes with Psebr, you'd best compare EmDebr and EnTibr. Most important changes are the actual MD4 algorithm instead of MD5 and the generation of unicode plaintexts.
thx. I try my best ^^
Hello!
First of all, i want to say that this is really a great job you did here.
I was wondering if your script can be adjusted to output all the passwords generated to the stdout, instead of comparing them with the md5 hash. I would be grateful if you could show me what to change in your program.
I'm asking this because i want to pipe all the generated passwords into another program, so i need to output them to the terminal.
Thx a lot,
Dan
hi xdanx, i'm really curious what you want to do in the 'other program' :)
it will seriously slow down a lot if you want to output every hash... and it's gonna be messy, 6 SPU threads, mixed with 2 PPU threads... each thread doing like 12 hashes simultaneously.
also, as reversing is used, no full md5 hashes are generated... if you still want to print out every hash, you will want to print out the contents of a, a2, a3, b, b2, b3, c, c2, c3, d, d2, d3. Each of these contain 4 parts, so first hash is something like: a[0] b[0] c[0] d[0]
i guess you'll have to swap some endianness as well (functions are in the code)
The other program is aircrack-ng and i want to bruteforce a WPA key.
The normal way is to generate the keys with john the ripper, then pipe all the keys to aircrack-ng.
The problem is that john the ripper [ in its free version ] is not written for ps3 platforms. So.. i can't unleash full power of ps3.
This is why i'm asking you about the program. But.. do you know a better way to make such a bruteforcer using the full power of ps3?
Also.. When i try to crack the wpa key with my computer.. i only generate 1300 keys / s. This is just silly...
Thx
Psebr generates MD5 hashes, you don't want that for WPA cracking... you'll need SHA-1... and not just 1 time, but like 4096x4 SHA-1 calculations. That explains why you are cracking at such a slow rate.
It might be interesting to see how fast PS3 will be on WPA, as it's so lengthy, much less branching and such.
In short, you'd need a full rewrite of Psebr. You might just as well skip using aircrack-ng on that... or the other way around, implement CELL code in aircrack-ng :)
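Where the "4096x4" in the reply above comes from, as an added example that is not part of the original thread or of Psebr: WPA-PSK derives its 256-bit key with PBKDF2-HMAC-SHA1 at 4096 iterations, and the code below counts the hash work this costs per candidate passphrase and checks the result against hashlib. The passphrase, SSID and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; not taken from the original post.
PASSPHRASE = b"correct horse battery"
SSID = b"ExampleNet"
ITERATIONS = 4096   # iteration count fixed by WPA/WPA2-PSK
PMK_LEN = 32        # 256-bit pairwise master key
SHA1_LEN = 20       # SHA-1 digest size in bytes


def pbkdf2_sha1_counted(password, salt, iterations, dklen):
    """PBKDF2-HMAC-SHA1 (RFC 2898), also returning how many HMACs were run."""
    hmac_calls = 0
    blocks = -(-dklen // SHA1_LEN)  # ceiling division: 32 bytes needs 2 blocks
    out = b""
    for index in range(1, blocks + 1):
        u = hmac.new(password, salt + index.to_bytes(4, "big"), hashlib.sha1).digest()
        hmac_calls += 1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            hmac_calls += 1
            t ^= int.from_bytes(u, "big")  # XOR of all U_i gives the block
        out += t.to_bytes(SHA1_LEN, "big")
    return out[:dklen], hmac_calls


def sha1_compressions(hmac_calls):
    """One HMAC is an inner plus an outer hash. With the two key pads hashed
    once per passphrase, each costs one SHA-1 compression, so 2 per HMAC."""
    return hmac_calls * 2


def work_factor():
    """Return (matches hashlib, HMAC calls, SHA-1 compressions) per candidate."""
    pmk, calls = pbkdf2_sha1_counted(PASSPHRASE, SSID, ITERATIONS, PMK_LEN)
    reference = hashlib.pbkdf2_hmac("sha1", PASSPHRASE, SSID, ITERATIONS, PMK_LEN)
    return pmk == reference, calls, sha1_compressions(calls)


if __name__ == "__main__":
    ok, calls, compressions = work_factor()
    print("matches hashlib:", ok)
    print("HMAC calls per candidate:", calls)
    print("SHA-1 compressions per candidate:", compressions)
```

That per-guess cost, compared with a single MD5 computation, is why a long non-dictionary passphrase is the effective control for WPA-PSK.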
Aha.. i get your point.
But actually, this is not what i need.
Following this howto : http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_4_-_run_aircrack-ng_to_crack_the_pre-shared_key i need 2 programs :
1 bruteforce passwords generator [ simple ] and 1 aircrack-ng running on cell [ http://trac.aircrack-ng.org/svn/branch/aircrack-ng-cell/ ].
Aircrack is doing all the hard jobs [ creating the sha-1 , etc etc.. ] . It only needs the dictionary list of words to try. Here it comes JTR in place. It just creates the list of possible passwords. And because JTR is not meant to run on cell processors... i'm stuck here atm. This is why i was considering using your program ... Or maybe do you know an easier way to modify your program , in this scenario?
ok, then i partially misunderstood your question :)
can't you just pipe a wordlist to aircrack-ng? you don't want to start real brute forces with WPA for now anyway... speed is far too low for that... i don't think my code will be anywhere useful here.
Indeed, aircrack-ng has the option to use a wordlist. But the problems are :
1) where can i get the list with all the generated words having length 8 [major issue ]
2) How can i store it ? This problem is partially solved, because i can mount an NFS partition into the ps3, so i can use the storage space of my actual HDDs.
Estimating the power of the ps3 cores, and as far as i have seen in some presentations, it can achieve the speed of 11 million passwords / s.
I'll search for some dictionary words, but because the target language is romanian, it's tricky. This is why i opt for "live" brute forcing. I'll let you know if i find smth useful
sorry to disappoint you, but no way you'll get 11M passwords/s with WPA... I don't think ps3 will be much faster than a fairly fast Intel core2quad or core i7.
hello. after i change something on psebr because i want to make psetibr ^^ the terminal said me an error no authorization. so first i thought that i must have root privileges. but it wasn't so. so i can't test my new program. but also psebr said the same no authorization. please help ^^
hi MasDie, i'm not sure what you mean or what you did. Can you tell me the exact steps that you took after downloading Ps3br-md5.zip and the exact output of the error message?
hi niggebrugge. my first problem is that yesterday i cracked some md5-hashes with psebr-md5; everything was fine. today i cracked one hash, while the second hash the program told me that he found a virus in the spu threads. after this error message it always tells me the same error message when i type in "./Psebr-md5 (md5-hash) -c loweralpha". the error message is "no authorization". okay, i entered su and then the root-password so i had root-privileges but it is also the same problem "no authorization". I don't know what i have to do ^^. the second problem is, that i change the psebr-md5 to crack ntlm hashes. today i was finished and want to test it. but it also said "no authorization". maybe you can help me. ^^
i have no idea what is going on, how can psebr tell you it has a virus in the spu threads? are you running some sort of virusscanner in your linux? and please give exact console output. Is the problem solved after rebooting the system? can you never crack 2 hashes in a row? Are there still spu threads running from the first attempt?
ReplyDeletefirst thx for your help. "..."=console in-output
1. i run psebr-md5 in a terminal "./Psebr-md5 (md5 hash) -c loweralpha"
2. after some time it (the terminal or whatever-i have yellowdog 6.1 with all updates. i don't know if there is a virusscanner on it) told me that there were found viruses in the spu threads. "virus found on spu threads" nothing else and then it interrupt working.
3. after trying it again. "./Psebr-md5 (md5-hash) -c loweralpha" it told me "no authorization"
4. first i rebooted the system but nothing changed after it. then i start the program with root-privileges "su"-"root passwort"-"./Psebr-md5 (md5-hash) -c loweralpha"
5. then the terminal writes it again "no authorization" so i thought that the program was damaged, so i copied it from my computer to my ps3.
6. then i tried it again. but also the error message "no authorization" this is the only thing it writes.
i don't crack 2 hashes in row. at first hash 1 after cracking, hash 2-and with hash 2 i get this problem. i don't know if yellowdog has a barrier or something like that. i deactivate the firewall but i don't know if there is a virusscanner still running ^^.
sounds like yellowdog is in your way somehow... i have never used yellowdog, so i'm not sure i can help you. Did you compile psebr yourself? or are you running the binary? I built them on ubuntu... i don't think that should be much of a problem, but you never know :)
sry i write psebr-md5 . but it's Ps3br-md5. sry my fault ^^
i run the binary ^^
try compiling it (make)
i tried it. "./Makefile". but also the same error message "no authorization". so i think it is a problem with the system-configuration or the user-authorization. but also thx for your help. i'll try my best and i'll send you my Ps3Tibr when i finished it (and tested it) ^^.
if you try to make, you should just type 'make' in that directory...
hi niggebrugge. where can i send you my version of ntlm-Ps3br ? maybe you can test it and tell me what i could change ^^
you can mail me at:
neinbrucke
>at<
xs4all.nl
can't promise to look at it soon, but it's great that you managed to make something :)
do you have any preliminary results? like speed?
thank you for your article.
i wanna ask. what linux distro do you use on ps3? YDL, or something else.
i'm using ubuntu on it, been a while since i used it, so don't remember the exact version :)
on my ps3 os=yellowdog 6.2 it becomes up to 400-430 mhashes/s (ntlm-hashes)
well that sounds about right.
i'd like to see your code and maybe even test it some day :)
A shame this code is almost useless now, since Sony dropped Linux support. Can't wait for someone to get around to hacking the PS3 so we can use this again.
mad mother fucker. give us a calculator, without fuck around.
can you upload the source for Psebr-md5? the link is dead.
thanks.