1. Online System’s Password Hacking CS 473
Network Security Final Project
Phase 1-A
By
Faisal Aslam
02030006
• Key should also be retrieved
• GUIz should be made whichn should show the current status of the each
process
Table of Contents
1) Project Title
2) Abstract
3) Explanation
4) Architecture
a. Conceptual Diagram
b. Interaction between Concepts
5) List of Deliverables and Milestones
6) Tools and Technologies
7) Team
02030006 Faisal Aslam 1
2. Online System’s Password Hacking CS 473
1) Project Title:
Online System’s Password Hacking
2) Abstract:
An online system password hacking program, which will be using brute force
technique. The program will be able to run in a distributed way on many machines at the
same time (unique password tries in all machines collectively). Also the program will
save its state at regular intervals so that it can start running again from where it left last
time (killed by someone or intentionally stopped). Also make use of probability to first
make combinations that are most likely to be selected as a password.
Program should be independent of site to be hack. Like for example if I want to
hack the password of www.yahoo.com or www.hotmail.com there should be no change in
the logic of program but only few changes in a configuration file (XML file).
The program should accomplish it task in reasonable amount of time (like within
a week).
The program will demonstrate to actually hack the password of any well known
system for example hotmail, yahoo or LUMS registration system.
3) Explanation:
1) XML based Configuration
XML based text file with a define DTD so that user can configure the
password hacking program. Following is the rules that DTD will define in
structured way.
• Will have URL of the site to hack password
• Will have the FAILUREKEY that occur in an html page if password fails
• Will suggest a set of predefined combinations which will have highest
priority (to try as a candidate password). For example one login name,
“root”, “super user”, “password” etc.
• Will specify set of valid characters (alphabets, numbers, special
characters etc) which will combine in different permutation to make a
candidate password.
• The XML file will able user to add probability against every valid
characters. For example “A” with probability “0.2” etc. The value of
probability will start from 0 and will mostly be LESS then 1 (as we can
not mostly say with 100% surety that some character will be part of
password. Unless we have observed one entering his password).
• One can also be able to specify probability against many valid characters
instead of specifying it against every other character. This is named as a
group probability.
02030006 Faisal Aslam 2
3. Online System’s Password Hacking CS 473
2) Sate Of program:
The program will have current state that will be an indication of the all the
combination it has tried so far (and what is left behind).
3) Save and retrieve State
The state of program is saved after regular intervals so that if someone stop
the program (or kill it) and run it later it will start from the last saved state.
4) Probability Calculation
The will use probability to first make combination (from valid character set)
which have higher probability.
5) Failure Key
The failure key (some words/sentence) is the key to identify the html page
(response after a password try) when password is wrong. If an html response
page does not have a failure key then it mean a success and password is
hacked.
6) Distributed and parallel running
The program will be able to run in distributed way on many machine so that
power of many machines can be used for computing password, in less time.
To distribute program one has to make changes in the configuration file so
that unique combination (of candidate password) can be try on different
machines.
02030006 Faisal Aslam 3
4. Online System’s Password Hacking CS 473
4) Architecture:
a. Conceptual Diagram:
The following Conceptual diagram show different concepts and there
interaction with the XML configuration file as state storage. Usually we do not
show interaction of data storage in conceptual diagram but here this is added so
that one can get better understanding of the whole process.
PasswordHacker PasswordGenerator ProbabilityCalculator
1 1 1 1
1 1
1
1
1
1 1 1
Configuration HTMLParser
State
1 FailureKey
1
1 1
ConfigurationLoader
StatePersistent
1 XML
1 Configuration
XMLReader File
State
Storage
b. Concept Interactions:
The “PasswordHacker” Concept will be the main Concept (which will be
the starting concept). That Concept will first load the state of program by calling a
function in State Concept. If this hacking program is executed before then that
saved state is retrieve from storage system otherwise it will start from default null
state (starting state).
The “PasswordHacker” concept then called “PasswordGenerator” which
see if the “Configuration” is already in the memory. If “Configuration” is not in
the memory then “ConfigurationLoader” will load the configuration in the static
“Configuration” concept (memory). The “PasswordGerator” then (using
“Configuration” Concept and “ProbablityCalculator” Concept) finds next valid
Password to try. This candidate password is returned to the “PasswordHacker”.
02030006 Faisal Aslam 4
5. Online System’s Password Hacking CS 473
After getting a candidate Password from “PasswordGenerator” the
“PasswordHacker” put this password in the html form and posts it.
The result of our post is given to “HTMLParser” concept.
“HTMLParser” find FAILUREKEY in the page. If page have a FAILUREKEY
then it return false (which mean continue tries) and if page do not have a
FAILUREKEY then password is hacked successfully and program is stopped. On
every retry (in case of failure) it will update it “State” concept and after every fix
number of tries it will save it “State” in the storage medium (DB/text file).
5) List of Deliverables and Milestones:
Num. Milestone Deliverable Expected
1. Define Document Type Definition DTD document (with 30/12/2002
(DTD): a sample XML) by
email as well a hard
For the configuration of the program one copy.
has to come up with a detailed DTD that
full fill all requirements specified above.
2. Develop a small and simple prototype: Show the working of 12/01/2002
prototype and code is
Make a prototype that work on a submitted.
yahoo/hotmail account whose password is
already known. So the prototype after
trying for 10 time, use the known right
password and save it. The prototype will
demonstrate the project is possible and its
final version correctly, and work to
retrieve unknown password. The
prototype will not use configuration file,
probability or distributed running
capabilities.
3. Develop and complete design using The UML design is 15/01/2002
UML: submitted by email
and hard copy.
The design will include detail class
diagram and a sequential diagram.
4. Develop a complete working version: A working model is 25/01/2002
shown.
The version will full fill all the
requirements stated above.
02030006 Faisal Aslam 5
6. Online System’s Password Hacking CS 473
5. Final Submission after testing The final code 01/02/2002
submission and also
Also submit the proof the program had the password of
worked by actually hacking a already decided
yahoo/hotmail (or any other) account. (unknown) user
yahoo/hotmail is told.
6) Tools and Technologies:
Some technologies/tools might not be used and few addition technologies/tools might
be used during development of the project.
1) Java
2) Network programming in Java
3) Threads (in Java)
4) HTML and Java Script
5) Rational Rose and UML
6) MS Access
7) JDBC
8) XML
9) DOM XML Parser
7) Team:
Faisal Aslam - 2002-03-0006
02030006 Faisal Aslam 6
7. Online System’s Password Hacking CS 473
5. Final Submission after testing The final code 01/02/2002
submission and also
Also submit the proof the program had the password of
worked by actually hacking a already decided
yahoo/hotmail (or any other) account. (unknown) user
yahoo/hotmail is told.
6) Tools and Technologies:
Some technologies/tools might not be used and few addition technologies/tools might
be used during development of the project.
1) Java
2) Network programming in Java
3) Threads (in Java)
4) HTML and Java Script
5) Rational Rose and UML
6) MS Access
7) JDBC
8) XML
9) DOM XML Parser
7) Team:
Faisal Aslam - 2002-03-0006
02030006 Faisal Aslam 6