Violent Ruby: Streaming REST API to Crack Unix Passwords
In my previous post, I went over how to write the core class for Violent Ruby’s Unix Password Cracker. It can be used to do all sorts of different unix password related tasks; and it’s flexible enough as an interface to be able to be implemented in many forms: like, from the command-line, or in a web interface — or how about a REST API?
Unix Password Cracking as a Service? UPCaaS?
In under 20 lines of code, we’ll write a streaming REST API using
To get started, let’s install the following gems:
$ gem install violent_ruby sinatra thin
Writing the API
Sinatra is a Ruby DSL for quickly developing web applications. It can also be used to develop REST APIs, like so:
Starting the API
$ ruby streaming_unix_password_cracking_api.rb
If the command runs successfully, you should see something like this to let you know the server has started — oh, and you want to have Thin installed, trust me:
== Sinatra (v1.4.8) has taken the stage on 4567
Thin web server (v1.7.0 codename Dunder Mifflin)
Maximum connections set to 1024
Listening on localhost:4567, CTRL+C to stop
Using the API
To start using our API, we need to have a
passwords.txt — basically just an
/etc/passwd — and
dictionary.txt file like normal when using Violent Ruby’s Unix Password Cracker.
We can use CURL to test it:
$ curl -X POST -F "firstname.lastname@example.org" -F \ "email@example.com" localhost:4567/crack_passwords
Breaking It Down
While pretty simple, there’s also a lot of magic going on behind the scenes, but nothing overly complicated here:
Require Some Gems
So, before we can have our magic: we need to require three specific gems. These will load the required logic within the context of our application and give us some key ingredients to get started with constructing our API. You will need to install
violent_ruby — and
json is apart of the Ruby standard library, so you should have that if you have Ruby installed.
thin ( a threaded web server ) will be automagically be loaded by Sinatra, though you could also require it here.
Handling a Post
To handle a user’s post request to our web server, we need to write some code to do that. In our case, we want our API to be able to accept two files uploaded from a user. These will be temporary files.
For a user to do this, they will need to make a POST request to the
/crack_password path to our server. To start describing that, we can write this:
A user should provide two files via two specific parameters when making a POST request to the API
dictionary. Note: probably should do some sort of error checking, but, for a simple example, let’s just be silly:
Unix Password Cracker
Using the Unix Password Cracker class, we can use this basic setup to use the files uploaded from the user by shoving them into a config — which is, again, optional, but pretty clean:
Since the Unix Password Class can crack passwords by yielding results in a block, we can stream those results from the
.crack method and use Sinatra’s
stream helper method to stream the results as they happen:
Newlines because Command-Line
While totally unnecessary, but fun for examples and screenshots, we can finish up our Streaming API with a few minor touchups to get our final product:
As I’ve said before — and I’ll say it again — Ruby is awesome!
Hopefully you’ve found some good stuff out of all of this information or learned a little bit more about how awesome Ruby can be for Hackers, Forensic Analysts, Penetration Testers and Security Engineers.
Until next time, that’s all folks!