
@thijzert
Last active February 26, 2018 15:33
Bad password generation
<?php
/**
* Note: from PHP 7.0 and up, rand() is identical to mt_rand().
* In order to test both functions, run this file on PHP 5.6 or below.
*/
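// Recovery harness for a crypt() hash whose password is suspected to come
// from time-seeded rand()/mt_rand() output. Every second in a window around
// the known creation time is tried as a seed, and a set of common
// "random password" recipes is replayed for each seed. The whole search is
// 180 seeds x 50 stream offsets per generator, which is why rand()/mt_rand()
// must never produce passwords or salts; random_int()/random_bytes() are the
// replacements on PHP 7 and later.

// NOTE(review): 21 Feb 2018 fell on a Wednesday, not a Tuesday. PHP's date
// parser treats a weekday name as a relative move, so strtotime() may resolve
// this string to a later day than written. Confirm the parsed timestamp
// before relying on the search window.
$date = 'Tue, 21 Feb 2018 11:21:40 +0100';
$hash = '$1$Wp8cWAg7$stCx1RGCLwwZmYJi9eKRI0';

// Alphabets the candidate generators draw from. The "stackoverflow-*" entries
// are named after the answers they were presumably copied from.
$keyspaces = [
    "8bit" => implode('', array_map('chr', range(0, 255))),
    "7bit" => implode('', array_map('chr', range(0, 127))),
    "printable" => implode('', array_map('chr', range(33, 126))),
    "base64" => "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "urlbase64" => "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
    "hex" => "0123456789abcdef",
    "stackoverflow-1182584" => "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "stackoverflow-8005330" => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
    "stackoverflow-9446067" => "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/+",
    "stackoverflow-4795385" => "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
    "stackoverflow-4952160" => "1234567890abcdefghijklmnopqrstuvwxyz",
];

$date = strtotime($date);

// "$1$" + 8 salt characters + "$": the prefix crypt() needs to reproduce the
// target hash. verify() reads this global, so nothing below may reassign it.
$salt = substr($hash, 0, 12);

// $i is deliberately a global: verify() reads it to report the matching time.
// The window runs from 60 s after the reference time down to 119 s before it.
for ( $i = $date + 60; $i > $date - 120; $i-- )
{
    // The timestamp itself, in a few encodings.
    verify( $i, "raw decimal time" );
    verify( dechex($i), "raw hex time" );
    // Zero-padded to 8 hex digits so hex2bin() always gets an even-length
    // string, matching how the rand() values are encoded below.
    verify( hex2bin(sprintf("%08x", $i)), "raw time" );
    verify( date("c", $i), "raw c time" );
    verify( date("r", $i), "raw r time" );

    // First 50 outputs of each generator seeded with the timestamp. Where
    // rand() is an alias of mt_rand() (see the file header), srand() reseeds
    // the same generator and both branches read one shared stream.
    srand( $i );
    mt_srand( $i );
    for ( $k = 0; $k < 50; $k++ )
    {
        $rand = rand();
        verify( $rand, "rand()" );
        verify( dechex($rand), "hex rand()" );
        verify( hex2bin(sprintf("%08x", $rand)), "time rand()" );
        verify( date("c", $rand), "c time rand()" );
        verify( date("r", $rand), "r time rand()" );

        $rand = mt_rand();
        verify( $rand, "mt_rand()" );
        verify( dechex($rand), "hex mt_rand()" );
        verify( hex2bin(sprintf("%08x", $rand)), "time mt_rand()" );
        verify( date("c", $rand), "c time mt_rand()" );
        verify( date("r", $rand), "r time mt_rand()" );
    }

    // This format pops up lots of times.
    // https://php.net/manual/en/function.crypt.php#102278
    for ( $k = 0; $k < 50; $k++ )
    {
        // Reseed, then discard $k outputs so every stream offset is covered.
        mt_srand( $i );
        for ( $j = 0; $j < $k; $j++ )
        {
            mt_rand();
        }

        // Kept in its own variable: the original stored this in $salt, which
        // replaced the target's salt for every later crypt() call and made
        // all subsequent candidates unmatchable.
        $packed = substr(str_replace('+', '.', base64_encode(pack('N4', mt_rand(), mt_rand(), mt_rand(), mt_rand()))), 0, 22);
        verify( $packed, "pack-salt" );
    }

    // Character-by-character passwords drawn from each alphabet.
    foreach ( $keyspaces as $spacename => $keyspace )
    {
        $last = strlen($keyspace) - 1;
        // Raw byte alphabets are also tried in base64 form.
        $isBinary = ( $spacename === "8bit" || $spacename === "7bit" );

        for ( $k = 0; $k < 50; $k++ )
        {
            srand( $i );
            for ( $j = 0; $j < $k; $j++ )
            {
                rand();
            }
            $c = "";
            for ( $j = 1; $j < 30; $j++ )
            {
                // Every prefix of the growing string is a candidate, so
                // lengths 1 through 29 are covered in one pass.
                $c .= $keyspace[ rand(0, $last) ];
                verify( $c, "raw rand() {$spacename} chars of length {$j}" );
                if ( $isBinary )
                {
                    verify( base64_encode($c), "base64 rand() {$spacename} chars of length {$j}" );
                }
            }

            mt_srand( $i );
            for ( $j = 0; $j < $k; $j++ )
            {
                mt_rand();
            }
            $c = "";
            for ( $j = 1; $j < 30; $j++ )
            {
                $c .= $keyspace[ mt_rand(0, $last) ];
                verify( $c, "raw mt_rand() {$spacename} chars of length {$j}" );
                if ( $isBinary )
                {
                    verify( base64_encode($c), "base64 mt_rand() {$spacename} chars of length {$j}" );
                }
            }
        }
    }
}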
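/**
 * Hash one candidate with the target's salt and report a match.
 *
 * Reads three globals: $hash (the target crypt() string), $salt (the salt
 * prefix handed to crypt(); it must stay the target's salt for the whole run)
 * and $i (the timestamp currently being tried, used only in the report line).
 *
 * @param mixed  $key   Candidate password; integers are hashed as their
 *                      decimal string form.
 * @param string $label Description of how the candidate was derived.
 * @return void
 */
function verify( $key, $label )
{
    global $hash, $salt, $i;

    // hex2bin() returns false on malformed input. That is a failed encoding,
    // not a candidate, and must not be hashed as the empty string.
    if ( $key === false )
    {
        return;
    }

    $crypt = crypt( (string) $key, $salt );

    // Strict comparison keeps PHP from ever treating the two strings as
    // numbers; only a byte-identical crypt() result counts as a hit.
    if ( $crypt === $hash )
    {
        $d = date("Y-m-d H:i:s", $i);
        print( "{$label} worked for date {$d}\n" );
    }
}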