BForCoderz
IRCoderZ encryption
IRCoderZ encrypts hostnames with MD2 and MD5 hashes. For example:
Hostname: sunigav.vaginus.org
Encrypted: 72CE7A3B.vaginus.org
This is a stupid hostname hash: if the first char is divisible by 2, an MD2 hash is used, otherwise an MD5 hash. The four uint32 of the hash are added together to get another uint32. Finally, its hexadecimal value is put in the first part of the hostname (before the first '.').
Now we can easily imagine how to decrypt them with a bruteforce attack. We try all strings from 'a' to 'Z' (including digits and '-'), and we go on with 'aa' to 'ZZ', etc.
How it works
A bruteforce can take a really long time. Another problem is that several hostnames share the same hash.
BForCoderz can create a network to share the workload around with other computers...
The server accepts client connections (you) and receives their requests. It sends to each `bone' (a BForCoderz client) the range it has to bruteforce (for example, if this is `aaaaa/2', it will try from `aaaaa' to `aaZZZ').
For example:
    3 rom1@nivagus ~ $ telnet sunigav 1337
    Trying 192.168.0.2...
    Connected to sunigav.
    Escape character is '^]'.
    > RUN CACA.vaginus.org
    < STARTED bruteforce on CACA.vaginus.org, with currently 6 bones
    < FOUND! eo2t2b.vaginus.org (in 513s)
    < FOUND! bpHCvo.vaginus.org (in 962s)
    > STOP
Note that < and > are shown here only to indicate who sends to whom.
You just have to send a RUN command with the encrypted hostname you want to bruteforce. The server answers that it has started, and with how many bones.
If a bone connects during a job, it is integrated automatically and receives a range to bruteforce. When a bone is disconnected, its current job is lost and forwarded to another bone.
All results sent by a bone will be forwarded to you.
Finally, you can (and you must) use the `STOP' command to tell BForCoderz to stop bruteforcing. Anyway, when you disconnect, it'll stop automatically.
Currently, it isn't possible to launch two simultaneous jobs. It is a possible future feature.
Optimization with masks
As you can see above, it is really slow to bruteforce an encrypted host. If you want to bruteforce a real encrypted host, it will take a long time.
That's why there is the mask system.
When you want to run a bruteforce, you can tell it to try only hostnames that match a specific mask.
A mask is composed of these characters: '%' (a-z), '^' (A-Z), '!' (a-zA-Z), '*' (a-zA-Z0-9-), '$' (0-9), '?' (0-255).
You can also put a length indicator after a character with "{min,max}".
'%', '^', '!' and '*' are string matches. If you put a length indicator, it sets the length of the tested strings. For example, with "%{1,3}", it will test "a" to "z", then "aa" to "zz", and finally "aaa" to "zzz".
'$' and '?' are number matches. '?' is an alias for "${0,255}". The length indicator sets the range. For example, with "${2,50}" it will test from "2" to "50".
Read the "Mask" section of README for more information.
Here is an example of a bruteforce try:
    2 rom1@nivagus ~ $ telnet sunigav 1337
    Trying 192.168.0.2...
    Connected to sunigav.
    Escape character is '^]'.
    RUN 6A9DF01.cust.tele2.fr %?-?-?-?
    STARTED bruteforce on 6A9DF01.cust.tele2.fr (mask=%?-?-?-?), with currently 6 bones
    FOUND! b13-145-44-142.cust.tele2.fr (in 1237s)
    FOUND! c59-182-96-132.cust.tele2.fr (in 2653s)
    FOUND! c69-64-173-228.cust.tele2.fr (in 2690s)
    FOUND! c129-147-228-27.cust.tele2.fr (in 2987s)
    FOUND! c244-162-72-74.cust.tele2.fr (in 3537s)
    FOUND! d213-103-36-129.cust.tele2.fr (in 4707s)
    FOUND! f117-170-254-143.cust.tele2.fr (in 6963s)
As you can see, it finds results more quickly, but it is still slow. There are also many results, which is why a bruteforce on this encrypted host isn't really reliable.
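The many FOUND! lines follow from the size of the mask compared with the 32-bit hash. The sketch below is an added example, not BForCoderz code: it counts the candidates a mask enumerates using the mask rules described above, and estimates how many of them share one hash value. It assumes that characters outside the mask alphabet (such as '-') are literals, that a class without a length indicator stands for one character or one digit, and that the hash is uniformly distributed.

```python
import re

# Alphabet sizes for the string matches, as listed in the mask description.
STRING_CLASSES = {"%": 26, "^": 26, "!": 52, "*": 63}
HASH_SPACE = 2 ** 32  # the encrypted label is a single uint32 in hexadecimal

# A class with optional "{min,max}", the '?' alias, or any other character.
TOKEN = re.compile(r"([%^!*$])(?:\{(\d+),(\d+)\})?|(\?)|(.)", re.S)


def mask_candidates(mask):
    """Count the strings a mask enumerates (product of each token's choices)."""
    total = 1
    for cls, lo, hi, alias, literal in TOKEN.findall(mask):
        if literal:
            continue  # assumption: other characters (e.g. '-') are literals
        if alias:
            total *= 256  # '?' is an alias for "${0,255}"
        elif not lo:
            # assumption: with no indicator, one character or one digit 0-9
            total *= STRING_CLASSES.get(cls, 10)
        elif int(lo) > int(hi):
            raise ValueError("min exceeds max in mask: %r" % mask)
        elif cls == "$":
            total *= int(hi) - int(lo) + 1  # numeric range, both ends included
        else:
            n = STRING_CLASSES[cls]
            total *= sum(n ** k for k in range(int(lo), int(hi) + 1))
    return total


def expected_matches(mask):
    """Expected number of candidates sharing one 32-bit value.

    Assumption: the summed hash is uniformly distributed over 2**32 values.
    """
    return mask_candidates(mask) / HASH_SPACE


if __name__ == "__main__":
    for mask in ("%{1,3}", "${2,50}", "*{1,6}", "%?-?-?-?"):
        print(mask, mask_candidates(mask), round(expected_matches(mask), 2))
```

For the mask `%?-?-?-?` the candidate space is 26 times the size of the hash space, so any single result is only one of about 26 equally plausible hostnames.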
Download
Get the archive here:
You can also get the last revision from git:
$ git clone git://git.symlink.me/pub/romain/bforcoderz.git
Read the README file for more information.
Installation
Just type `make'.
Use it
Server:
$ ./bforcoderz -s
Now you can launch several bones with:
$ nice -n19 ./bforcoderz -c localhost
It is strongly recommended to run it with a high nice value, so that it only uses idle CPU.
Note that it is useless to run two bones on the same machine (unless you have more than one core or CPU).
Links
(en) IRCoderZ - The IRC Daemon which uses this encryption
(fr) IRCube - A network which uses IRCoderZ and where you can test BForCoderz
Files
| Name | Last modified | Size |
|---|---|---|
| README.txt | | 3.6 KiB |
| bforcoderz1.0.tar.gz | | 20.8 KiB |