Violent Ruby: Streaming REST API to Crack Unix Passwords

In my previous post, I went over how to write the core class for Violent Ruby’s Unix Password Cracker. It can be used to do all sorts of different unix password related tasks; and it’s flexible enough as an interface to be able to be implemented in many forms: like, from the command-line, or in a web interface — or how about a REST API?

Unix Password Cracking as a Service? UPCaaS?

In under 20 lines of code, we’ll write a streaming REST API using violent_ruby , sinatra, and json :

In action!

Required Gems

To get started, let’s install the following gems:

$ gem install violent_ruby sinatra thin

Writing the API

Sinatra is a Ruby DSL for quickly developing web applications. It can also be used to develop REST APIs, like so:

That isn’t too bad at all.

Starting the API

$ ruby streaming_unix_password_cracking_api.rb

If the command runs successfully, you should see something like this to let you know the server has started — oh, and you want to have Thin installed, trust me:

== Sinatra (v1.4.8) has taken the stage on 4567
Thin web server (v1.7.0 codename Dunder Mifflin)
Maximum connections set to 1024
Listening on localhost:4567, CTRL+C to stop

Using the API

To start using our API, we need to have a passwords.txt — basically just an /etc/passwd — and dictionary.txt file like normal when using Violent Ruby’s Unix Password Cracker.

We can use CURL to test it:

$ curl -X POST -F "file=@passwords.txt" -F \ "dictionary=@dictionary.txt" localhost:4567/crack_passwords

Screen Shot

Yup, same screenshot from earlier!

Breaking It Down

While pretty simple, there’s also a lot of magic going on behind the scenes, but nothing overly complicated here:

Require Some Gems

So, before we can have our magic: we need to require three specific gems. These will load the required logic within the context of our application and give us some key ingredients to get started with constructing our API. You will need to install sinatra and violent_ruby — and json is apart of the Ruby standard library, so you should have that if you have Ruby installed. thin ( a threaded web server ) will be automagically be loaded by Sinatra, though you could also require it here.

Your typical stuff.

Handling a Post

To handle a user’s post request to our web server, we need to write some code to do that. In our case, we want our API to be able to accept two files uploaded from a user. These will be temporary files.

For a user to do this, they will need to make a POST request to the /crack_password path to our server. To start describing that, we can write this:

User Parameters

A user should provide two files via two specific parameters when making a POST request to the API file and dictionary. Note: probably should do some sort of error checking, but, for a simple example, let’s just be silly:

Unix Password Cracker

Using the Unix Password Cracker class, we can use this basic setup to use the files uploaded from the user by shoving them into a config — which is, again, optional, but pretty clean:

Streaming Results

Since the Unix Password Class can crack passwords by yielding results in a block, we can stream those results from the .crack method and use Sinatra’s stream helper method to stream the results as they happen:

Newlines because Command-Line

While totally unnecessary, but fun for examples and screenshots, we can finish up our Streaming API with a few minor touchups to get our final product:

And we’re back to where we started!

Conclusion

As I’ve said before — and I’ll say it again — Ruby is awesome!

Hopefully you’ve found some good stuff out of all of this information or learned a little bit more about how awesome Ruby can be for Hackers, Forensic Analysts, Penetration Testers and Security Engineers.

If you want to keep up to date with my research you can check out my GitHub or follow me on Twitter.

Until next time, that’s all folks!

Might as well end with this.