Online Systems Password Hacking

CS 473

Network Security Final Project

Phase 1-A
By
Faisal Aslam
02030006

Key should also be retrieved

GUIz should be made whichn should show the current status of the each
process

Table of Contents
1) Project Title
2) Abstract
3) Explanation
4) Architecture
a. Conceptual Diagram
b. Interaction between Concepts
5) List of Deliverables and Milestones
6) Tools and Technologies
7) Team

02030006 Faisal Aslam

Online Systems Password Hacking

CS 473

1) Project Title:
Online Systems Password Hacking

2) Abstract:
An online system password hacking program, which will be using brute force
technique. The program will be able to run in a distributed way on many machines at the
same time (unique password tries in all machines collectively). Also the program will
save its state at regular intervals so that it can start running again from where it left last
time (killed by someone or intentionally stopped). Also make use of probability to first
make combinations that are most likely to be selected as a password.
Program should be independent of site to be hack. Like for example if I want to
hack the password of www.yahoo.com or www.hotmail.com there should be no change in
the logic of program but only few changes in a configuration file (XML file).
The program should accomplish it task in reasonable amount of time (like within
a week).
The program will demonstrate to actually hack the password of any well known
system for example hotmail, yahoo or LUMS registration system.

3) Explanation:
1) XML based Configuration
XML based text file with a define DTD so that user can configure the
password hacking program. Following is the rules that DTD will define in
structured way.
Will have URL of the site to hack password
Will have the FAILUREKEY that occur in an html page if password fails
Will suggest a set of predefined combinations which will have highest
priority (to try as a candidate password). For example one login name,
root, super user, password etc.
Will specify set of valid characters (alphabets, numbers, special characters
etc) which will combine in different permutation to make a candidate
password.
The XML file will able user to add probability against every valid
characters. For example A with probability 0.2 etc. The value of
probability will start from 0 and will mostly be LESS then 1 (as we can
not mostly say with 100% surety that some character will be part of
password. Unless we have observed one entering his password).
One can also be able to specify probability against many valid characters
instead of specifying it against every other character. This is named as a
group probability.

02030006 Faisal Aslam

Online Systems Password Hacking

CS 473

2) Sate Of program:
The program will have current state that will be an indication of the all the
combination it has tried so far (and what is left behind).
3) Save and retrieve State
The state of program is saved after regular intervals so that if someone stop
the program (or kill it) and run it later it will start from the last saved state.
4) Probability Calculation
The will use probability to first make combination (from valid character set)
which have higher probability.
5) Failure Key
The failure key (some words/sentence) is the key to identify the html page
(response after a password try) when password is wrong. If an html response
page does not have a failure key then it mean a success and password is
hacked.
6) Distributed and parallel running
The program will be able to run in distributed way on many machine so that
power of many machines can be used for computing password, in less time.
To distribute program one has to make changes in the configuration file so
that unique combination (of candidate password) can be try on different
machines.

02030006 Faisal Aslam

Online Systems Password Hacking

CS 473

4) Architecture:
a. Conceptual Diagram:
The following Conceptual diagram show different concepts and there
interaction with the XML configuration file as state storage. Usually we do not
show interaction of data storage in conceptual diagram but here this is added so
that one can get better understanding of the whole process.

PasswordGenerator

PasswordHacker
1
1

State

StatePersistent

Configuration

1
1

HTMLParser
1

FailureKey

ConfigurationLoader
1

State
Storage

1
1

ProbabilityCalculator

XMLReader

XML
Configuration
File

b. Concept Interactions:
The PasswordHacker Concept will be the main Concept (which will be
the starting concept). That Concept will first load the state of program by calling a
function in State Concept. If this hacking program is executed before then that
saved state is retrieve from storage system otherwise it will start from default null
state (starting state).
The PasswordHacker concept then called PasswordGenerator which
see if the Configuration is already in the memory. If Configuration is not in
the memory then ConfigurationLoader will load the configuration in the static
Configuration concept (memory). The PasswordGerator then (using
Configuration Concept and ProbablityCalculator Concept) finds next valid
Password to try. This candidate password is returned to the PasswordHacker.

02030006 Faisal Aslam

Online Systems Password Hacking

CS 473

After getting a candidate Password from PasswordGenerator the

PasswordHacker put this password in the html form and posts it.
The result of our post is given to HTMLParser concept.
HTMLParser find FAILUREKEY in the page. If page have a FAILUREKEY
then it return false (which mean continue tries) and if page do not have a
FAILUREKEY then password is hacked successfully and program is stopped. On
every retry (in case of failure) it will update it State concept and after every fix
number of tries it will save it State in the storage medium (DB/text file).

5) List of Deliverables and Milestones:

Num.
1.

Milestone
Define Document Type Definition
(DTD):
For the configuration of the program one
has to come up with a detailed DTD that
full fill all requirements specified above.

2.

Develop a small and simple prototype:

Make a prototype that work on a
yahoo/hotmail account whose password is
already known. So the prototype after
trying for 10 time, use the known right
password and save it. The prototype will
demonstrate the project is possible and its
final version correctly, and work to
retrieve unknown password. The
prototype will not use configuration file,
probability or distributed running
capabilities.

3.

Develop and complete design using

UML:

Deliverable
DTD document (with
a sample XML) by
email as well a hard
copy.

Expected
30/12/2002

Show the working of

prototype and code is
submitted.

12/01/2002

The UML design is

submitted by email
and hard copy.

15/01/2002

A working model is
shown.

25/01/2002

The design will include detail class

diagram and a sequential diagram.
4.

Develop a complete working version:

The version will full fill all the
requirements stated above.

02030006 Faisal Aslam

Online Systems Password Hacking

5.

CS 473

Final Submission after testing

Also submit the proof the program had
worked by actually hacking a
yahoo/hotmail (or any other) account.

The final code

submission and also
the password of
already decided
(unknown) user
yahoo/hotmail is told.

01/02/2002

6) Tools and Technologies:

Some technologies/tools might not be used and few addition technologies/tools might
be used during development of the project.
1)
2)
3)
4)
5)
6)
7)
8)
9)

Java
Network programming in Java
Threads (in Java)
HTML and Java Script
Rational Rose and UML
MS Access
JDBC
XML
DOM XML Parser

7) Team:
Faisal Aslam

02030006 Faisal Aslam

2002-03-0006