Weak admin password detection

[pocallaghan]

Create two new commands for attempting to brute force crack admin
passwords and api keys.

[gwillem]

Nice!! @frosit, would you have a clue about the (possibly unrelated) test error?

[vdloo]

perhaps related to this

[frosit]

nice, @gwillem i will take a look at it later today

[pocallaghan]

As you merged the bootstrap fix, I'll rebase this later today, fingers crossed everything should pass...

[gwillem]

Test with:

mkdir -p ~/.n98-magerun/modules
curl -Lks https://github.com/pocallaghan/hypernode-magerun/archive/feature/password-hacker.tar.gz | tar xz -C ~/.n98-magerun/modules
# for hypernode test only:
alias magerun='/usr/local/bin/magerun --skip-root-check --root-dir=/data/web/public'
magerun hypernode:crack:admin-passwords --help
magerun hypernode:crack:admin-passwords --active --force --rulesets=best64 1000 special vendors -v

Which would yield

+-------+-------------------------------------------------------------------+---------+----------+
| User  | Hash                                                              | Cracked | Password |
+-------+-------------------------------------------------------------------+---------+----------+
| admin | 709e94f1c8d64796a801afc06f714335:keQDOhV2YF3mUoaXxfRpR8mWcHt4CkZc | No      |          |
| user  | fd67b8bb20ceb349a77693f999a140f6:VGTq3WnsqCgYx8tRVY5KA7HCQB3UBmmr | Yes     | test123  |
+-------+-------------------------------------------------------------------+---------+----------+
Cracking Completed in 1 second.

[peterjaap]

Tested it, added some Dutch dictionary files, worked like a charm. Actually already found some easy hackable passwords and notified those customers.

http://www.theargon.com/achilles/wordlists/dutch.txt
http://ftp.cerias.purdue.edu/pub/dict/wordlists/dutch/words.dutch.gz
http://distro.ibiblio.org/pub/linux/distributions/openwall/wordlists/languages/Dutch/1-clean/mixed.gz
http://distro.ibiblio.org/pub/linux/distributions/openwall/wordlists/languages/Dutch/2-extra/mixed.gz
http://www.justpain.com/ut_maps/wordlists/words.dutch.txt
http://word-list.com/data/words.dutch.zip
http://www.insidepro.com/download/dictionary_dutch.zip

Great stuff @pocallaghan !

[peterjaap]

After adding the rockyou.txt word list, the cracking takes a lot longer, thereby hitting a process timeout within Symfony Console component (which throws Symfony\Component\Process\Exception\ProcessTimedOutException), so you need to update Engine/Hashcat.php on line 50 to;

$process->setTimeout(0)->setIdleTimeout(0)->run();

Or similar.

[peterjaap]

I guess that the 'special' list can never contain too much words. Maybe also parse cms_page and cms_block content to words and append those?
Maybe also;

• company address
• sales email addresses (for customer service, general, etc)
• look up Facebook page based on firstname+lastname and parse all their posts

[JeroenBoersma]

generation + show command would be nice...
this would make using docker a lot easier, removes dependency hell

[peterjaap]

@pocallaghan @gwillem so.... are we merging this or what? 😄

[gwillem]

You're right.. let's roll! Will distribute this on our platform shortly. After we fixed the Magereport outage.
Again, kudo's to @pocallaghan for producing this very nice module!

[gwillem]

Both php5 & 7:

Starting test 'Hypernode\PasswordCracker\Mutator\ToggleAtTest::testUMutate with data set #2 ('T6', 'abc', 'abc')'.
E
Time: 1.53 seconds, Memory: 30.00MB
There was 1 error:
1) Hypernode\PasswordCracker\Mutator\ToggleAtTest::testUMutate with data set #2 ('T6', 'abc', 'abc')
Uninitialized string offset: 6
/home/travis/build/Hypernode/hypernode-magerun/src/Hypernode/PasswordCracker/Mutator/ToggleAt.php:33
/home/travis/build/Hypernode/hypernode-magerun/tests/Hypernode/PasswordCracker/Mutator/AbstractMutatorTest.php:30
FAILURES!
Tests: 183, Assertions: 203, Errors: 1.
The command "vendor/bin/phpunit --debug --stop-on-error --stop-on-failure" exited with 2.

@pocallaghan what version did you test with?

Travis has:

$ php --version
PHP 7.0.17 (cli) (built: Mar 17 2017 12:37:36) ( ZTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.17, Copyright (c) 1999-2017, by Zend Technologies
    with Xdebug v2.5.0, Copyright (c) 2002-2016, by Derick Rethans
$ composer --version
Composer version 1.4.1 2017-03-10 09:29:45

[peterjaap]

Since #42 fixes this, we can now merge this?

[gwillem]

It was already merged! Yesterday deployed on all Hypernodes. We're preparing a release statement and instructions, stay tuned