CodeProject: A small and elegant bruteforcing class. Free source code and programming help

Report Article

Discuss

Send to a friend

21 votes for this Article.

Popularity: 5.16 Rating: 3.91 out of 5

Download source - 18.6 Kb

Introduction

Many programs that do some kind of brute-forcing and that have to calculate all possible combinations of a given subset of characters or objects, resort to recursion or to some dirty kind of looping mechanism with inner-loops etc... A couple of years ago, I issued a contest on a hacking forum to write some code in whatever language to return all possible combinations of alphabetic characters up to the length of 6. Only two people submitted an entree, including myself. The other solution was - again - a method that used recursion. My method used something else, namely the idea that any combination of letters could be represented by a unique number so that a simple counter mechanism could be used. The program worked fine but was somewhat static. This article is the result of putting the initial idea into a reusable class that was small and easy to use. It might be not super-performing (otherwise it should be written in ASM or something), but it will allow you to write, e.g., a simple password brute-forcer with a few lines of code... I hope you enjoy it and that it's useful. Any improvements are more than welcome.

The code will also be part of a forthcoming project. This project will try to bundle useful classes for creating programs that can be used to test security, such as for pentests etc… Hopefully online soon.

Background

The whole idea is that any combination of a subset of chars - an array of chars, or symbols, or whatever - can be translated in a unique number representing that combination. Maybe an example will clarify this:

Let's say we have an array {"a","b","c","d"}, and we want to check all combinations possible with length 3. This would be aaa, aab, aac, aad etc..., in total 4 to the power of 3 combinations. Each combination can be translated in a number as follows:

aaa= 0, aab=1, aac =2 .... more specifically, what we do is: dac = 4*4^2+1*4^1+3*4^0 (the fourth element in the array (d=4) times the length of the array (4 chars=4) to the power of the length of the string minus one (3-1=2) (3 chars + the first element of the array times...etc...). Just like, e.g., 5420 can be written as 5*10^3 + 4*10^2 + 2*10^1 +0*10^0.

So now, we have a way to translate a combination in a number, and we can easily do it the other way around, which is in fact what we need because we will implement a counter and return the corresponding string. This is the corresponding code snippet from the class that handles this translation. I called the method factoradic, because I found out afterwards that a similar technique was used in an MSDN article, where they called it factoradic.

private string factoradic(ulong l, int power)
{ 
     StringBuilder sb = new StringBuilder(); 
     //set the maximum capacity of our stringbuilder object 

     sb.Capacity = power +1;
     while (power >=0)
     { 
         int len = this.charset.Length;// 

         ulong q = l / (ulong)Math.Pow((double)len,(double)power); 
         ulong m = l % (ulong)Math.Pow((double)len, (double)power); 
         sb = sb.Append(this.charset[(int)q]); 
         l = m;
         power--; 
     } 
     return sb.ToString(); 
}

We use a StringBuilder instead of a string because it's a bit more memory friendly. l is the number we want to translate, and power is the length of the string we want to return -1 (the -1 is done when the function is called). So basically, what we do is make a StringBuilder object and then enter a loop where we do the rundown of the routine where the number gets translated to the corresponding positions in the char array, by decreasing the powers and using the modulus as a re-entree point. I know it sounds complex, but just keep the example above in mind (the 5420 example). The charset that we use is declared earlier in the class. Unfortunately, we have to cast to double for the Math.Pow stuff.

Now that we can translate a number to a string, we have to think of a way on how we can return all the possible combinations in a nice and simple fashion. This is where enumerations come in very handy. First, we make our implement IEnumerable:

public class Bruteforce : IEnumerable

Then our enum routine looks like this:

 public System.Collections.IEnumerator GetEnumerator()
{ 
     for (int x = min; x <= max;x++ ) 
    { 
        ulong counter =0; 
        while (counter < (ulong)
               Math.Pow((double)charset.Length, (double)x)) 
        { 
            string a = factoradic(counter, x-1); 
            yield return a; 
            counter++; 
        } 
    } 
}

The trick here is to reset the counter to zero in the beginning of the loop, otherwise you will just continue with the value when switching bruteforce lengths. So this loop loops between the min length and the max length we want to bruteforce, and then spawns all possible strings, represented by their numeric counterpart which is just a counter that starts at zero and goes up to (ulong)Math.Pow((double)charset.Length, (double)x), which is the number of all possible combinations.

The rest of the code is just a bunch of declarations.

Optimizing the code (update)

Now this code works fine, but lacks some performance. First of all, we use a lot of casts which are expensive, and we also declare some stuff in loops that we could declare earlier (as was pointed out by some readers). Also, it is possible to change the logic in the factoradic method a bit so Math.Pow is no longer needed. So we move up all declarations as much as possible, and we change the factoradic method. I still use a StringbBuilder though. The side effect of changing the factoradic method is that the returned string is brute-forced in reverse order, but this is no problem, since it doesn't affect what we try to achieve. If we change our example and include a Systems.Diagnostics.StopWatch, we can measure the results, which are dramatic:

As you can see, the new code performs about five times better than the old one. It's even more elegant as well ;). Here's the full new code (the download includes comments):

using System; 
using System.Collections; 
using System.Text; 
namespace Hacking 
{ 
    public class Bruteforce : IEnumerable 
    { 
    #region constructors 
        private StringBuilder sb = new StringBuilder();
        //the string we want to permutate 

        public string charset = "abcdefghijklmnopqrstuvwxyz";
        private ulong len;
        private int _max; 
        public int max { get { return _max; } set { _max = value; } }
        private int _min; 
        public int min { get { return _min; } set { _min = value; } } 
        #endregion 
        #region Methods
        public System.Collections.IEnumerator GetEnumerator() 
        { 
            len = (ulong)this.charset.Length;
            for (double x = min; x <= max; x++) 
            { 
                ulong total = (ulong)Math.Pow((double)charset.Length, (double)x); 
                ulong counter = 0; 
                while (counter < total) 
                { 
                    string a = factoradic(counter, x - 1); 
                    yield return a; 
                    counter++; 
                } 
            } 
        }
        private string factoradic(ulong l, double power) 
        { 
            sb.Length = 0; 
            while (power >= 0) 
            { 
                sb = sb.Append(this.charset[(int)(l % len)]); 
                l /= len; 
                power--; 
            } 
            return sb.ToString(); 
        } 
    #endregion 
    } 
}

Thanks for the suggestions!

Using the code

The code is quite simple to use. Import the C# file or the DLL, and then you just set the min and max value, change the charset if you want (default = alphabet), and then start a foreach loop to loop through the enumeration, and do whatever you want in the loop:

using System;
using System.Collections.Generic; 
using System.Text; 
using Hacking; 
namespace example 
{ 
     class Program 
     { 
         static void Main(string[] args) 
         { 
             Bruteforce b = new Bruteforce(); 
             b.min = 2; 
             b.max = 4; 
             b.charset = "abcdefghijklmnopqrstuvwxyz0123456789"; 
             string target= "abc1"; 
             foreach (string result in b) 
             { 
                  Console.Write(result +"\r"); 
                  if (result == target) 
                  { 
                       Console.WriteLine("target found:" + result); 
                       return; 
                  } 
             } 
         } 
     } 
}

We first initialize a new Bruteforce object. Then we set the min and max values and the charset we wish to use. In this example, we are going to loop over our enum until we hit the "abc1" value. Imagine that the target string is a SHA1 hash and that you process each enum value into a SHA1, then you have a simple SHA1 bruteforcer.

Hope you can use the code... Enjoy.

References

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Filip Waeytens

Occupation:	Web Developer
Location:	Belgium

Other popular Cryptography & Security articles:

Understanding .NET Code Access Security
A full length article on .NET Code Access Security
Hiding a text file in a bmp file
How to hide a text file in a bmp file
.NET Encryption Simplified
A simple, string-oriented class for symmetric encryption, asymmetric encryption, and hashing.
Using XML Digital Signatures for Application Licensing
Use XML Digital Signatures for a request- and signing-based licensing mechanism for your applications.
Strong Names Explained
.NET Strong Name technology explained

Article Top

You must Sign In to use this message board.

Msgs 1 to 15 of 15 (Total in Forum: 15) (Refresh)

FirstPrevNext

Subject

Author

Date

is this right class? for best performance...

Pietro_SVK

7:36 13 Jul '07


using System;
using System.Collections;
using System.Text;

namespace CryptoTool
{
    /*Copyright (C) 2006  Filip Waeytens - www.hackingcomponent.net

    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
     * 
     * http://www.gnu.org/copyleft/gpl.html
     * 
     * 
    */



    public class Bruteforce : IEnumerable
    {

        #region constructors
        private StringBuilder sb = new StringBuilder();
        public string charset = "abcdefghijklmnopqrstuvwxyz";//the string we want to permutate
        private ulong len;
        /// 
        /// the maximum length of chars of what we want to bruteforce
        /// should be more than min
        /// 

        private int _max;
        public int max
        {
            get { return _max; }
            set { _max = value; }
        }
        /// 
        /// the minumum length of chars of what we want to bruteforce
        /// should be less than max
        /// 

        private int _min;
        public int min
        {
            get { return _min; }
            set { _min = value; }
        }
        #endregion
        #region Methods
        /// 
        /// The GetEnumerator function to make our class Ienumerable
        /// 

        /// string x which is the factoradic permutation that corresponds with the enumerator i      
        public System.Collections.IEnumerator GetEnumerator()
        {
            len = (ulong)this.charset.Length;//           
            for (int x = min; x <= max; x++)
            {
                ulong total = (ulong)Math.Pow((double)charset.Length, (double)x);
                ulong counter = 0;
                while (counter < total)
                {
                    string a = factoradic(counter, x - 1);
                    yield return a;
                    counter++;
                }
            }
        }
        /// 
        /// first arg is a number ; second is the length of the string
        /// 
        /// 

        /// 
        /// 
        /// result is the index of the factoradic of length n-1
        /// 
        private char[] chars = new char[10];	// some reasonnable initial size

        private string factoradic(ulong hash, int power)
        {
            ulong len = (ulong)this.charset.Length;
            if (chars.Length <= power) chars = new char[power + 1];
            for (int i = power; i >= 0; i--)
            {
                chars[i] = this.charset[(int)(hash % len)];
                hash /= len;
            }
            return new string(chars, 0, power + 1); // only uses valid characters
        }
        #endregion
    }


}

Doesn't work for very long strings

Martin Hinks

2:24 12 Mar '07

Don't get me wrong, this is a nice way of doing things, but the problem comes when you are creating a very large set (say 16 charset, max=33, min=32) as ulong cannot store the value. The next version of .NET should include a class System.Numeric.BigInteger which hopefully will help solve this. Martin
Sign In·View Thread·PermaLink

Confused

Hokei

8:28 4 Jan '07

The idea of a "factoradic" to index or regenerate a specific sequence of symbols is really interesting. I wonder if it would also make it easier to split up the brute force effort into multiple threads (for multi-core systems).

But, if doing a brute force check with recursion is bad because we can't satisfactorily predict/manage its memory requirements -- isn't the depth of recursion equal only to the length of the string being brute forced? I.e. to brute force check all possible strings of length N, isn't the recursion just N deep? If we set a reasonable limit in our code for N can't we avoid any troubles?

As for nested loops -- it would be the highest performing way to code a brute force check, wouldn't it? However I can't think of how it would be coded -- you'd need to nest the "for" loops N deep, but pick a fixed value for N, or else use recursion.

P.S. Spotted a typo: "Only two people submitted an entree"

Mmmm, entrees.

Looking forward to seeing what you publish at hackingcomponent.net.

Re: Confused

Filip Waeytens

3:08 6 Jan '07

Hi,

Yeah, I also like entrees Wink

.
The problem with nested loops is -like you say - that you generally don't know beforehand how many you need. It might be effective but isn't very scaleable.
I have seen recursive methods but I will have to code one myself to compare the performance. I think the performance cost of calling functions within themselves will be higher than the method that I'm using here. Feel free to code one Wink

Thnks for the feedback

A small detail

Andreas Botsikas

14:55 12 Dec '06

Hi, nice way to solve the brute force enumeration. It reminds me of the chromosomes in genetic algorithms. If I remember well, the power sign is ^ rather than ! (which stands for the Factorial function[^]. The symbol confused me a little bit so I though I could contribute. Other than that, great job.
Sign In·View Thread·PermaLink

Enumeration of items [modified]

Ilíon

13:50 12 Dec '06

Yes, the individual items of any set/class which may be enumerated may be each represented by a unique number -- and therefore it is (theoretically) a very simple matter to calculate all possible combinations of items of the set/class. I have to say 'theoretically,' since one can always conceive such a very large class of items and such a great magnitude of combinations that there would not be enough time in the history of the universe to actually complete the computations.

But, the salient fact is that in such a case the limitation is not mathematical, and thus it's not logically impossible even if it is practically impossible.

This is an interesting and very useful fact which is frequently employed in the modern world.

This leads to the next interesting fact: any set/class which is fully calculable is thereby fully knowable. Even if the calculations are never actually performed in practice, that fact that they can be performed means that all the elements of the set/class are theoretically already known (let's call this "known"). The point is, the limitation(s) on one's particular knowledge about the specific elements of the set/class are not inherent in the individual elements themselves or in the set/class itself as a whole.

[off-topic editorial comment]
Now, another interesting related fact is that some people ... people who not only should know better, but who do know better (since their work makes use of the fact) ... consciously "trick" themselves into not knowing it.

At the moment, I'm thinking specifically of the developers and proponents of the Avida[^] program (which, of course, means nothing to most readers of this post, which merely adds to the off-topicness of this comment).
[/off-topic editorial comment]

-- modified at 19:03 Tuesday 12th December, 2006

Recursion

Robert Rohde

9:38 12 Dec '06

Hi, whats so good about not using recursion? I always find recursive solutions to be rather elegant (which shouldn't mean that yours is not ). Robert
Sign In·View Thread·PermaLink

Re: Recursion

cadi

10:14 12 Dec '06

In some cases recursion simply drill down to deep and the stack will overflow. /cadi 24 hours is not enough
Sign In·View Thread·PermaLink

Re: Recursion

barbsie

11:29 12 Dec '06

http://msdn2.microsoft.com/en-us/library/81tad23s.aspx[^]
Sign In·View Thread·PermaLink

Re: Recursion

peterchen

9:06 19 Apr '07

If you need to break up a lengthy process into an iteration where you can do a single step, "keep" the state, and then continue from there, recursion is not for you. We are a big screwed up dysfunctional psychotic happy family - some more screwed up, others more happy, but everybody's psychotic joint venture definition of CP My first real C# project \| Linkify!\|FoldWithUs! \| sighist
Sign In·View Thread·PermaLink

without Math.Pow

Luc Pattyn

6:11 12 Dec '06

Hi Filip,

I liked the basic idea in your article. I would suggest some changes though to the code of
the factoradic method.

There is no real need for the Math.Pow function, and so the (double)
castings can be avoided too. Also the StringBuilder is not really needed, a char array
can offer the same, and even supports backward filling (to treat the leftmost character as the most significant, or slowest changing, one).

Here is how I would code it:


	private string factoradic(ulong hash, int power) { 
		ulong len=(ulong)this.charset.Length;
		char[] chars=new char[power+1];
		for (int i=power; i>=0; i--) {
			chars[i]=this.charset[(int)(hash % len)];
			hash/=len;
		}
		return new string(chars);
	}

Luc Pattyn

4.77/5 (4 votes)

Re: without Math.Pow

Filip Waeytens

8:53 13 Dec '06

you're right...it's the same method they use in the MSDN article. I will soon update the code for better performance. Thanks for the suggestion. I will have to test what performs better: the stringbuilder or the char array.
Sign In·View Thread·PermaLink

Re: without Math.Pow

Luc Pattyn

11:15 13 Dec '06

For maximum performance you can reuse the char array as long as it is large enough
(be careful not to use any Bruteforce object by more than one thread).
BTW: this reuse remark also applies to the StringBuilder object you had in the
original code.


	private char[] chars=new char[10];	// some reasonnable initial size

	private string factoradic(ulong hash, int power) { 
		ulong len=(ulong)this.charset.Length;
		if (chars.Length<=power) chars=new char[power+1];
		for (int i=power; i>=0; i--) {
			chars[i]=this.charset[(int)(hash % len)];
			hash/=len;
		}
		return new string(chars, 0, power+1); // only uses valid characters
	}

Luc Pattyn

More performance [modified]

dr4cul4

6:08 12 Dec '06

To get more performance out of it move string builder out of the function and put capacity into constructor (yes i know this require some major code changes). Each time you create StringBuilder you kill the performance, to reset string builder use sb.Length = 0;. Second thing is to use double instead of int in len and power. Also you should move (double)charset.Length and (double)x out of counter < (ulong)Math.Pow((double)charset.Length, (double)x). You can do loops using double and I think that is cheaper than casting into double, and also why not use double counter ;?

------
There are 10 kind of people those who understand binary and those who not. - Some binary freak.

Re: More performance

Filip Waeytens

8:54 13 Dec '06

I will adapt the code to be more performant and will post the results soon. thnks
Sign In·View Thread·PermaLink

Last Visit: Thursday, August 28, 2008 4:09 AM Last Update:Thursday, August 28, 2008 4:09 AM

General News Question Answer Joke Rant Admin