nxvl · nxvl · Aug 9, 2019 · Aug 9, 2019 · Aug 21, 2019 · Sep 11, 2019
diff --git a/README.md b/README.md
@@ -1,13 +1,52 @@
 # Secure Coding with Python.
 
 ## Chapter 3: Weak Password Storage
-### Fix
-In order to keep password secure and secret we need to encrypt them before saving. Since we know MD5 has been long broken, we are going to use SHA256.
+### Test
+Every encryption algorithm can be theoretically cracked using brute-force attacks, this attack consist in trying multiple possible strings until one provides de desired hash. Said attacks are fairly expensive to perform as they take some time.
 
-### Vulnerability
-Even though we are storing passwords encrypted, our choice of algorithm allows an attacker to perform rainbow table attacks, given access to the password hashes.
+Given that we know the algorithm used for a hash we can create a very simple dictionary brute-force attack against the hash. We will be using the [RockYou](https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt) wordlist.
 
-**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/3.2-weak-password-storage/test)**
+```text
+> $ time python crackpass.py f75778f7425be4db0369d09af37a6c2b9a83dea0e53e7bd57412e4b060e607f7 rockyou.txt
+Password is: supersecret
+python crackpass.py  rockyou.txt  0.32s user 0.01s system 99% cpu 0.325 total
+
+```
+
+Now that's just 1 password, if we had to crack thousands of passwords, the effort starts getting significant. That's where rainbow tables kick in.
+The [wikipedia definition](https://en.wikipedia.org/wiki/Rainbow_table) describes rainbow tables as: "A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes."
+
+Let's try to mass crack:
+#### 50 hashes
+```text
+> $ time python rainbow-crack.py rockyou-rainbow.txt hashes-50.txt
+[...]
+password for b'73d07a303cc50a5423ae72081cafe4e50a2fb1a0ef161d55e332e8533c5e25a0' is b"b'vane944218'"
+password for b'2c2d908b313fb71b5592ae4a44dfad2dbedd1832915a97a547d58e4c09a8ee49' is b"b'Robert7681'"
+python rainbow-crack.py rockyou-rainbow.txt   10.98s user 1.50s system 99% cpu 12.484 total
+```
+
+#### 100 hashes
+```text
+> $ time python rainbow-crack.py rockyou-rainbow.txt hashes-100.txt
+[...]
+password for b'37325783f2e3763b14f25d3a28edc90fbd08283fffa9b446d827ad60c0d19272' is b"b'raaces'"
+password for b'6df380dbe975a3bb65a880360e84584fdacea1455c27aa7ffef9a4b639592259' is b"b'mattlvu'"
+python crackers/rainbow-crack.py ~/Downloads/rockyou-rainbow.txt   10.83s user 1.52s system 99% cpu 12.367 total
+```
+
+#### 200 hashes
+```text
+> $ time python rainbow-crack.py rockyou-rainbow.txt hashes-200.txt
+[...]
+password for b'53ad0738f0356042ae89f837767078f39492fc9b29e60fe056be5cefa9e9b510' is b"b'shaiyshaiy'"
+password for b'9459c1e60e359f9f646bfe92a3a1ff1167a3b6d816290d09a33cdf8a565b15c6' is b"b'kuizenga'"
+python crackers/rainbow-crack.py ~/Downloads/rockyou-rainbow.txt   10.99s user 1.53s system 99% cpu 12.541 total
+```
+
+As can be seen with Rainbow tables the cracking time is fairly linear, it takes around 11s for almost any case, most of the time is probably spend on loading up the DB, which can be optimized, but for the sake of this example we have done on a non-ideal way.
+
+**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/3.2-weak-password-storage/fix)**
 
 ## Index
 ### 1. Vulnerable Components

diff --git a/crackers/crackpass.py b/crackers/crackpass.py
@@ -0,0 +1,16 @@
+from hashlib import sha256
+from sys import argv
+
+
+def crack_hash(pass_hash, wordlist):
+    with open(wordlist, 'rb') as f:
+        for line in f:
+            password = line.strip()
+            calc_hash = sha256(password).hexdigest()
+            if calc_hash == pass_hash:
+                print("Password is: %s" % password.decode())
+                break
+
+
+if __name__ == '__main__':
+    crack_hash(argv[1], argv[2])
diff --git a/crackers/genrt.py b/crackers/genrt.py
@@ -0,0 +1,15 @@
+from hashlib import sha256
+from sys import argv
+
+
+def generate_rainbow_table(wordlist, outfile):
+    with open(outfile, 'w+') as o:
+        with open(wordlist, 'rb') as f:
+            for line in f:
+                password = line.strip()
+                calc_hash = sha256(password).hexdigest()
+                o.write("%s %s\n" % (calc_hash, password))
+
+
+if __name__ == '__main__':
+    generate_rainbow_table(argv[1], argv[2])
diff --git a/crackers/hashes-100.txt b/crackers/hashes-100.txt
@@ -0,0 +1,100 @@
+e81cd702f45e2e7669f4ee46cfd41f55040694d64c84122668199eb46899e1e0
+13c4e3ef8e919e354f4eae07f6c79f152f0dca7f40f090382fcce39d732291d9
+5e8343d3cdcf626fc3e6e5fb959016f1305431fc51f616db2167bb824a54d950
+638fb755dac52011c1a099ffae2bab379f53e2c806db087cbae005aa28fc7ffd
+6506599c146c282c0e9c67610788061d639a10f50661819aa12b69193e962569
+1c80c78a10add2dbce880fa2f3299b223bc1847ed648d1d865b77e7729f55d68
+e26b9469acfbcb572f25bf6776b8b07c37f3c1e1e51941ec5935fe3d8fb9f7a1
+d28fc3e325b9b8ce74cd324f37e8214229b31b4582fdee7136f8fc18ec5789fe
+ee11ac3da67fc9cab0d0ab7d800f604fa4de65b94674702c60d9c9919e0b7dba
+9d1f8c5a611143ebdc17c183483e26b5c6eb15ba97e7bf353352ec75de1233ca
+9cbdfa266904cca7ed403fafbe482837685bf9d089a90b4717d773fc40d4a874
+510b2ccd3053fbf9cbceef311402514f064e94c171481e0c8a4a4e133dc5ebf8
+654c8ea726af816a0124d591663c2691a092ccfa58a1f42849fcdcc3122c2ce6
+e5f864ea0d7269a27468d373be1f9acde13d2304d48a8f8725f780ebbc57f8c0
+219f192e4bd21df39882cc6eafeb8b63c78c50ae0396373b05634f8989be71d5
+8044852b44df7b65e74ee9c9c444ca12070cdf887b4bda37d8f62dcbd7cb8be6
+4ea9a818afe89eb32dba679be4311234227008efe1c3ddf98e09b16a6e6b5816
+398b8dc0bdd30d48c5b8b51573467ca6d530d43ee2c4d7352ec95576ea825998
+51825e4fdc820e546440effc9d273973425538e3b923ebab1e6b0f9d9c586844
+8a3c2a091d2392da9710a39098726191cbf2df191f0fc71f1077c7eb8e326288
+b0015e04819487053e83640ed33b8285672ac59a57e20ebfafd5391fe878ebc0
+2aeb1ed85d64925377d71de0885ec2270d843ca5f89688f25c00f5f9f034bc4f
+8e0624fff2131d37a5a82be817f3c5d046f4e96452360846f03100a02daf03d3
+5c745ca6a66856873151aa989d69430e798c5e5f955ce8f77cb5ca3907912316
+70d1e28adab19e3f4c8b90eb73f00a98da93d9a8957bb0b592357530cc08f9ce
+a671154da7e564bd83734a45a6088d7f079cf8712579db06b3ce9753efd2ed3a
+27654f85b2e2dc3f7a80dd424038bb1b39bb3ba1e3dd6e503daa2c9587557b63
+de4aeb78238e19356785205d3e9c0de7381e38fe2c2f2a670c6bfb8266513445
+43f7b8b0d8d50eb978600b4b7239d7656b2c3f79224eb09fd6dde7e9fd683c6d
+073ead7bd62826e4cdd36d56f2f6aa72a1eb6f7b31aee8739835ef07b2b43326
+bd755bb16bfc19ea376e86fe175a966f3c51abda07214e1b05ec5579b5fd5755
+01fa3f06b9ea8823fbbc69373e7010cd8fa36b0d6c78489e4e72ea25747c1b3c
+e7370ddac4a1aa26e81f35f287b53fb6ca50f367a4406a9f8f6665fc5aeb7c62
+58f06ec2dcb63e7316ba74b7adaa64c770f1dcbd26edb0e7566c609c46c01473
+2906ebb069f2cde331aed104c78cf98c30aa635fb5dd190584a60d9313cd0a71
+d74fe4680680fe000fd59dcf21bbb7a8e86e79dcc0a69a1874ae20d78bb10bc0
+d0ae250011ee689413fbd3ce8787268caab565a21cf5e985dcb38741eab21afc
+8e1cfc3955ac14d87c9187a94e7532927f25641924912d07eb7efe9acb79b3bd
+8ec48e7bcc7cb1e13506dab437073a97370c6b85703e249746da82be01fa393a
+28062ab09fe5dec66c342bd2baa8cb601a0db57f4495634d870aa696dfc278f9
+9d42a5d10a2f330405d0bd5cd9175a9622b5e61e8dd92f2cb63d4f480ae1d755
+0c3c7bca6e9fe8cad77157d6e4baed61c212979fdb5353a43d6b4f815d03f999
+440ff620fc4719bf58ccb4931daa67aacadb383160389c4ee5318bc467bed02c
+ef0d7c11ee91e36beae8eef8e31a24d6f1782c32cfc448d5f344e5d65a9f692b
+f28652874e325644fde887a8d8807ac4ade57c1cf72ad1366fe8d18376ad684b
+8fc6f686750a315627e4b8168ea7d01665a8f4571654cd66b18e06e605de10b0
+1e48b2026fd2121311298200e354e7bdec1a14ccd13ef58c3a15af7d6a5f0421
+095bf0c6a5f3492e3dab986035ec245aafc9f9bfc669db92b05f129dcca2b914
+3177185e8749f54e126dae43e8ebfe28b68326c1bf19b99fd779f79156d61e28
+88fd3c52fb3022ab3c5bb10166a13fb036fe756d1a45ae8c690a3c9447e33085
+f706164ec3d77853813f2160cff075aebdfdd4cb51ac915c47108ff54734aea1
+bb54ac6aa7783208316abc8dbe00a322e122f76c146c0c7ea61bcd8e7adfcc89
+390f6e4a1992690615d59191d48c8a0be461b65013d4d8e7cba19f127dc10ce7
+062b9f8f5ce159a689a8021e0ac2d155b7ce4451508e8554171b75d86a972d69
+c7dc6b33fd3ec31a16f697703296c914aebee4835d8c0e53d80d74bf3c67da2a
+50ea841ae71be7cc1cbf69f078c8e1974ce10bd1ac592ef5c475d2f369a2725b
+9b1ff62aace141258ea096365784fd209f166622a1b129b206d21860f6db952a
+bb21b1599932eb5f54c998b23842f031ca5921470c0e4b9566772199eb2c50f3
+8dddfd7bf3d53481e19fb5f7316abe019231e0839d823ba5c1c4804f120f85ca
+8d57f3c4fef43f7dabeab37a9b88c962ecd8f3f7b96cbb5766e2f4050e86edaf
+a76ac3ade1fd87507c84c24e4d4c26d081bba44160a6012aa9d4c91d3dfff7d3
+6252d24cb9c3c42f4d67734ca1b9f3f74512807b28aa9d55ec02219f5ee57037
+2ee2c170bf1d54cc8af36d1d01c642cefe1a4d106a15311161d6cb6564d4c45c
+52b63ee84483ebd5cd67f9ea1fa06d6097ed2821d3681f77c050d8a4237478b4
+ff6d237c80cbf0367e96afe667d5f063781666b3ab3a816673dd8baa9134496f
+ca1607d07197ae052a4833ae3cdbf71e3c635d91536546067f09809539aae679
+1dde76939123bcedc3fb8dce4402a7537d584c75789e69c320956e11178131e0
+5cb0b990367b54815c419690b04ff9dfd83845ac8d8933fb5041398cc6c5be0e
+5423b768a32955edb9732167abd12168f9c1d7490140ce4d40acf95166f256cb
+a94e483f8ed4650c66a858b1e4ca3557cedfd0af75355b5d8388a9fcdb51d297
+4cdfed51d2656fc5308de4af0f0eb43674b381c4e684ffccae5b8b4dd5ffffa8
+fa9792b52d406ddc35971e7a0cb9d7f8360bbe90d40421a0e385510a2d85dc83
+72a8bae4286d9491f3c648343b94c2b946ea57c22459a144bc0b2d562b04d746
+6e651d72fbbce06c4f90018e31f036cbe2cd5bb8e901ef51ee630e8f70c7e3be
+1a5d3a640d8d74d82323111a8d5b36ccb6b76de703c58e94e0dcbedf610cd803
+758ccf2ec4bbc2b160c8a157085a848ecfa01652c1e2021b681a8087c2526d35
+0597a8321fa1ebee0585ad85b78617a04c6bc1bb3134028d58d36d193ae39730
+d1183eed718b0faf748f64f36f0bdfad81dcfae4f3e72644063598a1e782164b
+93e6a689074df01298b269b69a54ea78dac72e7d79233cf5d129908564a334a7
+a4b4fe0cfb6a0e0d8e33a1f50e6678b2acc0f3d575a5bded1c2f7d2a7e4cb303
+bdef1a799690937938ba84ff766e228d10dddbf26e4a13529313179971a3dbf4
+45240a43716df1397660a63b84c599cefa06dd7b3ce9486fe0e7c85c304727ae
+75a697aa7c2fdf811a29842d7fdc1d9e651c9183ca31640fccb041d5eb46178f
+58a8f045cf8d743637ca74e1c54277660e0a6bc8149d1bed4dc36a3c661a0d34
+548b32b81f83853fdd126f80708c9adcb9c671c5a144bb572a9f9f27e6a15179
+f28c70a7effab15f59edbaf8cc865a98cc7bed6611f62e57900d8975746b9685
+3a8c80cde9ede15d75faffd04ac495231b90a8a35122e43ce47edfc4e7b2796f
+15addf46ad8e277784abf4fef433f34cacf65b463cfc8c0b9259907c736dd0b8
+34bb185f13c5a569a9c4332b448a782d5071781776ccc9af595405e8a8874a26
+f4a405242c1920142f09aa257bd19baeb05148112512ea5eb851ca2490f2cc7b
+06063cb5823237e72e1440e4a73355df788ca2f124e32f7dc30147ecc0f1accc
+04d96988f96027d21d01d1978f3af3b44569079e556e9c3aa78e284827e479b2
+f3885f386f0a9405bad5f7f5116bcfeadb417edd4dac6626f538f9de89ee709a
+5c4d4c64e2e45042d6080640b87782625b38d71107720e3b1a5bf91ed89bbb9f
+5aa283623a291b6bf6b9c986ea2aed29bb921ecc99b77e3864c01d946de76ff6
+701bb3d56a7695c3f8f66fdc2d9a2d210d8eb3c87247455ca18d124a52d534f6
+a2682f5282b3d5867761cdff3e1016d75b268ef1e97a2e25c96d27c2b9cea57a
+68234eb8292e1a1b846e6835d3adff50eedb3c15a41f8f5026c40b768597ad1d
+37325783f2e3763b14f25d3a28edc90fbd08283fffa9b446d827ad60c0d19272
+6df380dbe975a3bb65a880360e84584fdacea1455c27aa7ffef9a4b639592259