Monday, June 8, 2009

Psebr-md5, the PlayStation 3 (MD5) password brute forcer

So I finally got around to cleaning up my mess and releasing the code! I don't feel like writing much text right now, so I hope to produce some explanations about PS3 coding in the future (could be in one day, could be in a few weeks ;)).

For now, at least, here are some links I came across while developing:

* Black Hat presentation slides by Nick Breese
* MD5 code by Nick Breese
* Someone improving part of Nick Breese's code
* G924789's improvements for MD5 ROUND1 and ROUND2
* Some examples of communication between the PPU and SPUs
* Someone who implemented AES on PS3
* IBM documentation on Cell
* C/C++ Language Extensions for Cell/B.E. Architecture (somehow IBM killed the link at the moment)

You can get the source code, including binaries, here!

Feel free to comment, improve, share!

31 comments:

  1. Hi,
    first, sorry for my bad English.
    I want to ask you if I only have to change the PPU_md5.h and the SPU_md5.h when I want to bruteforce NTLM hashes. I'm not so good at Cell programming ^^ so it would be nice if you could give me some tips or tricks.

  2. Hi MasDie,

    if you want to brute force NTLM hashes with Psebr, you'd best compare EmDebr and EnTibr. The most important changes are the actual MD4 algorithm instead of MD5 and the generation of Unicode plaintexts.

  3. thx. I try my best ^^

  4. Hello!

    First of all, I want to say that this is really a great job you did here.
    I was wondering if your script can be adjusted to output all the generated passwords to stdout, instead of comparing them with the MD5 hash. I would be grateful if you could show me what to change in your program.
    I'm asking this because I want to pipe all the generated passwords into another program, so I need to output them to the terminal.

    Thx a lot,
    Dan

  5. hi xdanx, i'm really curious what you want to do in the 'other program' :)

    it will seriously slow down a lot if you want to output every hash... and it's gonna be messy, 6 SPU threads, mixed with 2 PPU threads... each thread doing like 12 hashes simultaneously.

    also, as reversing is used, no full md5 hashes are generated... if you still want to print out every hash, you will want to print out the contents of a, a2, a3, b, b2, b3, c, c2, c3, d, d2, d3. Each of these contains 4 parts, so the first hash is something like: a[0] b[0] c[0] d[0]
    i guess you'll have to swap some endianness as well (functions are in the code)

  6. The other program is aircrack-ng and I want to bruteforce a WPA key.
    The normal way is to generate the keys with John the Ripper, then pipe all the keys to aircrack-ng.
    The problem is that John the Ripper [ in its free version ] is not written for PS3 platforms. So.. I can't unleash the full power of the PS3.
    This is why I'm asking you about the program. But.. do you know a better way to make such a bruteforcer using the full power of the PS3?
    Also.. when I try to crack the WPA key with my computer.. it only generates 1300 keys / s. This is just silly...

    Thx

  7. Psebr generates MD5 hashes, you don't want that for WPA cracking... you'll need SHA-1... and not just 1 time, but like 4096x4 SHA-1 calculations. That explains why you are cracking at such a slow rate.

    It might be interesting to see how fast PS3 will be on WPA, as it's so lengthy, much less branching and such.

    In short, you'd need a full rewrite of Psebr. You might just as well skip using aircrack-ng on that... or the other way around, implement CELL code in aircrack-ng :)

  8. Aha.. i get your point.
    But actually, this is not what I need.
    Following this howto: http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_4_-_run_aircrack-ng_to_crack_the_pre-shared_key I need 2 programs:
    1 bruteforce password generator [ simple ] and 1 aircrack-ng running on Cell [ http://trac.aircrack-ng.org/svn/branch/aircrack-ng-cell/ ].
    Aircrack is doing all the hard jobs [ creating the SHA-1, etc etc.. ]. It only needs the dictionary list of words to try. This is where JTR comes in. It just creates the list of possible passwords. And because JTR is not meant to run on Cell processors... I'm stuck here atm. This is why I was considering using your program... Or maybe do you know an easier way to modify your program in this scenario?

  9. ok, then i partially misunderstood your question :)

    can't you just pipe a wordlist to aircrack-ng? you don't want to start real brute forces with WPA for now anyway... speed is far too low for that... i don't think my code will be anywhere useful here.

  10. Indeed, aircrack-ng has the option to use a wordlist. But the problems are :
    1) where can i get the list with all the generated words having length 8 [major issue ]
    2) How can i store it ? This problem is partially solved, because i can mount an NFS partition into the ps3, so i can use the storage space of my actual HDDs.

    Estimating the power of the PS3 cores, and as far as I've seen in some presentations, it can achieve a speed of 11 million passwords / s.

    I'll search for some dictionary words, but because the target language is Romanian, it's tricky. This is why I opt for "live" brute forcing. I'll let you know if I find smth useful

  11. sorry to disappoint you, but no way you'll get 11M passwords/s with WPA... I don't think ps3 will be much faster than a fairly fast Intel core2quad or core i7.

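Added example (not part of the original post or comments, and not code from Psebr or aircrack-ng): the "4096x4 SHA-1" figure from the thread above, worked out in Python. It assumes the standard WPA-PSK derivation, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations and a 32-byte key; the passphrase and SSID are constructed sample values, and the 1300 keys/s rate and the 8-character lowercase keyspace are the figures quoted in the comments.

```python
import hashlib
import hmac

SHA1_OUT = 20  # bytes produced by one SHA-1, i.e. by one PBKDF2 output block


def wpa_pmk_counted(passphrase: bytes, ssid: bytes, iterations: int = 4096, dklen: int = 32):
    """PBKDF2-HMAC-SHA1 spelled out; returns (pmk, number of HMAC-SHA1 calls)."""
    hmac_calls = 0
    pmk = b""
    blocks = -(-dklen // SHA1_OUT)  # ceil(32 / 20) = 2 output blocks
    for index in range(1, blocks + 1):
        # U_1 = HMAC(passphrase, ssid || block index)
        u = hmac.new(passphrase, ssid + index.to_bytes(4, "big"), hashlib.sha1).digest()
        hmac_calls += 1
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_n = HMAC(passphrase, U_{n-1}); the block is the XOR of all U_n
            u = hmac.new(passphrase, u, hashlib.sha1).digest()
            hmac_calls += 1
            acc ^= int.from_bytes(u, "big")
        pmk += acc.to_bytes(SHA1_OUT, "big")
    return pmk[:dklen], hmac_calls


def sha1_compressions(hmac_calls: int) -> int:
    """SHA-1 compression calls per candidate when the two HMAC pad states
    (ipad, opad) are computed once per passphrase and reused. Every message
    hashed here fits in one block, so each HMAC then costs one inner and one
    outer compression."""
    return 2 + 2 * hmac_calls


def years_to_exhaust(charset_size: int, length: int, candidates_per_second: float) -> float:
    """Time to try every candidate of one fixed length at a given rate."""
    return charset_size ** length / candidates_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs, checked against the standard library's PBKDF2.
    pmk, calls = wpa_pmk_counted(b"constructed-passphrase", b"constructed-ssid")
    assert pmk == hashlib.pbkdf2_hmac("sha1", b"constructed-passphrase", b"constructed-ssid", 4096, 32)
    print(calls, sha1_compressions(calls))           # HMAC calls, SHA-1 compressions
    print(round(years_to_exhaust(26, 8, 1300), 1))   # loweralpha, length 8, 1300 keys/s
```

An unsalted MD5 of a short password is a single compression call, so each WPA candidate costs roughly four orders of magnitude more hash work, which is the protection an iterated, salted KDF gives a passphrase.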
  12. hello. after i changed something in psebr because i want to make psetibr ^^ the terminal gave me an error: no authorization. so first i thought that i must have root privileges. but it wasn't so. so i can't test my new program. but psebr also said the same: no authorization. please help ^^

  13. hi MasDie, i'm not sure what you mean or what you did. Can you tell me the exact steps that you took after downloading Ps3br-md5.zip and the exact output of the error message?

  14. hi niggebrugge. my first problem is that yesterday i cracked some md5-hashes with psebr-md5; everything was fine. today i cracked one hash; during the second hash the program told me that it found a virus in the spu threads. after this error message it always gives me the same error message when i type in "./Psebr-md5 (md5-hash) -c loweralpha". the error message is "no authorization". okay, i entered su and then the root-password so i had root-privileges but it is still the same problem, "no authorization". I don't know what i have to do ^^. the second problem is that i changed psebr-md5 to crack ntlm hashes. today i finished and wanted to test it. but it also said "no authorization". maybe you can help me. ^^

  15. i have no idea what is going on, how can psebr tell you it has a virus in the spu threads? are you running some sort of virus scanner in your linux? and please give exact console output. Is the problem solved after rebooting the system? can you never crack 2 hashes in a row? Are there still spu threads running from the first attempt?

  16. first thx for your help. "..."=console in-output
    1. i run psebr-md5 in a terminal "./Psebr-md5 (md5 hash) -c loweralpha"
    2. after some time it (the terminal or whatever - i have yellowdog 6.1 with all updates. i don't know if there is a virus scanner on it) told me that viruses were found in the spu threads. "virus found on spu threads", nothing else, and then it stopped working.
    3. after trying it again, "./Psebr-md5 (md5-hash) -c loweralpha", it told me "no authorization"
    4. first i rebooted the system but nothing changed after it. then i started the program with root-privileges "su"-"root password"-"./Psebr-md5 (md5-hash) -c loweralpha"
    5. then the terminal wrote it again, "no authorization", so i thought that the program was damaged, so i copied it from my computer to my ps3.
    6. then i tried it again. but also the error message "no authorization", this is the only thing it writes.

    i don't crack 2 hashes in a row. at first hash 1, after cracking, hash 2 - and with hash 2 i get this problem. i don't know if yellowdog has a barrier or something like that. i deactivated the firewall but i don't know if there is a virus scanner still running ^^.

  17. sounds like yellowdog is in your way somehow... i have never used yellowdog, so i'm not sure i can help you. Did you compile psebr yourself? or are you running the binary? I built them on ubuntu... i don't think that should be much of a problem, but you never know :)

  18. sry, i wrote psebr-md5, but it's Ps3br-md5. sry my fault ^^

  19. i tried it. "./Makefile". but also the same error message "no authorization". so i think it is a problem with the system-configuration or the user-authorization. but also thx for your help. i'll try my best and i'll send you my Ps3Tibr when i finished it (and tested it) ^^.

  20. if you try to make, you should just type 'make' in that directory...

  21. hi niggebrugge. where can i send you my version of ntlm-Ps3br? maybe you can test it and tell me what i could change ^^

  22. you can mail me at:
    neinbrucke
    >at<
    xs4all.nl

    can't promise to look at it soon, but it's great that you managed to make something :)
    do you have any preliminary results? like speed?

  23. thank you for your article.
    i wanna ask. what linux distro do you use on ps3? YDL, or something else.

  24. i'm using ubuntu on it, been a while since i used it, so don't remember the exact version :)

  25. on my ps3 (os=yellowdog 6.2) it gets up to 400-430 mhashes/s (ntlm-hashes)

  26. well that sounds about right.
    i'd like to see your code and maybe even test it some day :)

  27. A shame this code is almost useless now, since Sony dropped Linux support. Can't wait for someone to get around to hacking the PS3 so we can use this again.

  28. mad mother fucker. give us a calculator, without fuck around.

  29. can you upload the source for Psebr-md5? the link is dead.
    thanks.
