Coming soon.
The project has been upgraded to Python 3.4.x or later (the session below uses 3.6.2). You can install a suitable interpreter using pyenv.
- python3-dev (e.g., $ sudo apt-get install python3-dev on a Debian machine; the python-dev package is the Python 2 equivalent)
- Others are listed in requirement.txt.
Use a virtualenv to run the code. It has lots of dependencies, so a virtualenv will be useful.
$ virtualenv -p python3 ./venv # or
$ python3 -m venv ./venv
$ source ./venv/bin/activate
$ pip install -r requirement.txt
Now you should have all the required libraries to run nocrack.
The grammar (static/grammar.cfg.gzip) can be rebuilt from any password leak (passwords with frequency counts).
Password leak files can be found here.
$ python buildPCFG.py --buildG rockyou-withcount.txt.bz2 --parallel
This will take a while, depending on the size of the password leak file.
See python buildPCFG.py --help for more info. It will replace the grammar file in static/grammar.cfg.gzip.
Don't forget to activate your virtualenv and change to the nocrack/newcode/ directory.
All code is to be run from that directory.
$ source venv/bin/activate
(venv) $
The main command interface for nocrack is the honey_client.py file.
It takes several options, explained one by one below.
(venv) $ ./honey_client [OPTION] [parameters]
(venv) $ ./honey_client
-getpass - <function get_pass at 0x1aad0c8>
-import - <function import_vault at 0x1aad140>
-refresh - <function refresh at 0x1aa8ed8>
-genpass - <function gen_pass at 0x1aad230>
-read - <function read at 0x1aa8e60>
-getdomainhash - <function get_static_domains at 0x1aa8f50>
-register - <function register at 0x1aa8cf8>
-write - <function write at 0x1aa8de8>
-addpass - <function add_pass at 0x1aad050>
-export - <function export_vault at 0x1aad1b8>
-default - <function default at 0x1aad2a8>
-verify - <function verify at 0x1aa8d70>
The NoCrack server simulates the sync functionality of NoCrack, so that one can access their password vault from other machines. In this demo the server runs locally. However, you can run the server on a remote machine and update the URL in honeyvault_config.py (replacing http://localhost:5000).
TODO: Add HTTPS. Until then the bearer-token, which authenticates every request, travels over plain HTTP, so do not expose the server beyond localhost or a trusted network.
To run the nocrack server:
(venv) $ pwd
/tmp/nocrack/newcode
(venv) $ python -V
Python 3.6.2
(venv) $ python -m server.honey_server
(a) Add Password
(venv) $ ./honey_client -addpass
cmd: add password
(venv) $ server/honey_client.py -addpass <master-password> <domain> <password>
e.g. (venv) $ server/honey_client.py -addpass AwesomeS@la google.com 'FckingAwesome!'
(b) Get your stored password
(venv) $ ./honey_client -getpass <master-password> <domain>
(c) Generate a random password
Note that this also stores the generated password in the vault (careful: it may overwrite your old password for that domain).
(venv) $ ./honey_client -genpass <master-password> <domain>
(d) Upload the vault to the storage service
The vault file is static/vault.db; token is the bearer-token you obtained when verifying your identity with the server (see the -verify command below).
If you haven't registered an account with the server (or don't remember whether you have), follow the registration steps in (f).
(venv) $ ./honey_client -write <email> <token> <vault-file>
(e) Retrieve the vault from the server
Warning! This will overwrite static/vault.db.
(venv) $ ./honey_client -read <email> <token>
(f) Register and verify an account at the server
To upload the encrypted vault you have to use a bearer-token, which verifies that you are the genuine owner of the
account. The steps for obtaining the bearer-token are as follows. First, if you haven't registered your account or
have forgotten the verifier-token, obtain it by running the -register command with an email address. (If you forgot
your verifier-token and want to recover the account, use the same email address as before.) On registration
the server sends a random token, which we call the verifier-token, to the registered email address. This verifies that
you are the genuine owner of the email address. Using the verifier-token you then obtain what we call a bearer-token with the
-verify command. All subsequent communication with the server has to be authenticated using this bearer-token,
so keep it safe and secure, for example in a secure online store.
(venv) $ ./honey_client -register <email>
(venv) $ ./honey_client -verify <email> <token>
You can refresh the bearer-token if need be; see (g).
(g) Refresh bearer token
If you find that your token has leaked to an adversary, you can revoke it using the -refresh command.
You need the old token to perform the revocation. If the adversary has already refreshed your token,
you have to go through the registration process again to regain access to your stored vault.
Note that even if the adversary has obtained the nocrack vault, it is still honey-encrypted and not possible to break
without communicating with the server. So don't start changing passwords for the websites right away: take your time and change
all of them in one go, and change your master password as well.
(venv) $ ./honey_client -refresh <email> <token>
(h) Get statically-mapped domain hash
Using this command you can update your static/static_domain_hashes.txt file.
(venv) $ ./honey_client -getdomainhash <email> <token> > static/static_domain_hashes.txt
Note: the -import and -export commands are not implemented yet!
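The token lifecycle described in (f) and (g) is easy to get wrong, so here is an added, self-contained model of the server-side logic as this README describes it: a single-use verifier-token issued on -register, exchanged for a bearer-token on -verify, rotated by -refresh (which needs the current token), and the race where an adversary holding a leaked bearer-token refreshes first, forcing the owner back through registration. This is illustrative code written for this page, not the project's server.honey_server; the class and method names are assumptions, the e-mail step is replaced by returning the verifier, and the address is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _digest(token: str) -> bytes:
    # Store only digests of tokens: a dump of the server's table then does
    # not yield usable credentials.
    return hashlib.sha256(token.encode()).digest()


class ToyTokenServer:
    """Hypothetical server-side state for the -register / -verify / -refresh flow."""

    def __init__(self) -> None:
        self._verifier: Dict[str, bytes] = {}  # email -> digest(verifier-token)
        self._bearer: Dict[str, bytes] = {}    # email -> digest(bearer-token)

    def register(self, email: str) -> str:
        """Issue a fresh verifier-token. The real server e-mails it; here it is
        returned so the flow can be exercised offline."""
        verifier = secrets.token_urlsafe(32)
        self._verifier[email] = _digest(verifier)
        return verifier

    def verify(self, email: str, verifier: str) -> Optional[str]:
        """Exchange a verifier-token for a bearer-token. The verifier is
        single-use, and any existing bearer-token for the account is replaced,
        which is what lets re-registration evict an adversary."""
        stored = self._verifier.get(email)
        if stored is None or not hmac.compare_digest(stored, _digest(verifier)):
            return None
        del self._verifier[email]
        bearer = secrets.token_urlsafe(32)
        self._bearer[email] = _digest(bearer)
        return bearer

    def authenticate(self, email: str, bearer: Optional[str]) -> bool:
        """Constant-time check of a presented bearer-token."""
        stored = self._bearer.get(email)
        return (stored is not None and bearer is not None
                and hmac.compare_digest(stored, _digest(bearer)))

    def refresh(self, email: str, old_bearer: str) -> Optional[str]:
        """Rotate the bearer-token. Whoever presents the current token first
        (owner or adversary) gets the new one; the other is locked out."""
        if not self.authenticate(email, old_bearer):
            return None
        bearer = secrets.token_urlsafe(32)
        self._bearer[email] = _digest(bearer)
        return bearer


def demo_lifecycle() -> Dict[str, bool]:
    """Owner registers and verifies; the bearer-token then leaks and the
    adversary refreshes first; the owner recovers by re-registering."""
    srv = ToyTokenServer()
    email = "owner@example.com"                       # constructed address
    verifier = srv.register(email)
    bearer = srv.verify(email, verifier)
    result = {"bearer_works": srv.authenticate(email, bearer)}
    result["verifier_is_single_use"] = srv.verify(email, verifier) is None

    adversary_bearer = srv.refresh(email, bearer)      # leaked token, rotated first
    result["owner_locked_out"] = srv.refresh(email, bearer) is None
    result["adversary_works"] = srv.authenticate(email, adversary_bearer)

    new_bearer = srv.verify(email, srv.register(email))  # same e-mail, as (f) says
    result["adversary_revoked"] = not srv.authenticate(email, adversary_bearer)
    result["owner_recovered"] = srv.authenticate(email, new_bearer)
    return result
```

The point of the model is the last three lines of demo_lifecycle(): once the adversary has rotated the token, the owner's copy is dead, and only a fresh verifier-token sent to the registered address gets the account back. Whether the real server also replaces the bearer-token on re-verification is not stated on this page; the model assumes it, since otherwise re-registration could not revoke the adversary's access.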
You can use pcfg/pcfg.py to break passwords into chunks.
[nocrack/newcode] $ python -m pcfg.pcfg -ptree "Password@23"
Parse Tree for Password@23
[('G', 'W7,W1,D2'), ('W7', 'password'), ('L', 'Caps'), ('W1', 'a'), ('L', 'l33t'), ('L_a', '@'), ('D2', '23')]
Size: 7
You can also look at zxcvbn-python for a simpler parsing into chunks. It doesn't have a public API for this, so you have to dig into the code a little.
There are three different PCFGs floating around:
- A password-PCFG, to sample passwords from
  - Needs procedures to (a) train this grammar and (b) sample from this grammar and get the parse tree (with probabilities)
- A vault-PCFG, to sample the vault distribution
  - Same as the password-PCFG
- A sub-grammar (just like the password-PCFG but subsampled from the original one)
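The three procedures listed above (train a grammar from a leak with counts, parse a password into a tree with its probability, sample from the grammar) are shown below in a minimal Weir-style PCFG. This is an added illustration written for this README, not the project's pcfg.pcfg module: the real grammar also models l33t substitutions and uses a different word model (its parse of Password@23 is W7,W1,D2, whereas this toy segments it as W8,S1,D2). All names are assumptions, and the leak sample is constructed in the same "count password" layout as rockyou-withcount.txt.

```python
import random
import re
from collections import Counter, defaultdict

# Constructed sample in the rockyou-withcount layout ("<count> <password>").
SAMPLE_LEAK = """\
      5 password123
      3 Password@23
      2 letmein!
      4 iloveyou
      1 Dragon2019
"""

_SEGMENT = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def segment(password):
    """Split into (nonterminal, text) pairs; W = letters, D = digits,
    S = symbols, with the run length appended: 'Password@23' -> W8, S1, D2."""
    out = []
    for m in _SEGMENT.finditer(password):
        s = m.group()
        cls = "W" if s.isalpha() else "D" if s.isdigit() else "S"
        out.append((f"{cls}{len(s)}", s))
    return out


def caps_mask(word):
    """Capitalisation rule (L) for a word terminal, which is stored lower-cased."""
    if word.islower():
        return "lower"
    if word.isupper():
        return "upper"
    if word[0].isupper() and word[1:].islower():
        return "Caps"
    return "".join("U" if c.isupper() else "l" for c in word)  # per-character mask


class ToyPCFG:
    def __init__(self):
        self.rules = defaultdict(Counter)  # lhs -> Counter of rhs -> weight

    def train(self, leak_text):
        """Count structures (G -> 'W8,S1,D2'), terminals per nonterminal and
        capitalisation masks (L), weighted by the leak's frequency column."""
        for line in leak_text.splitlines():
            parts = line.split(None, 1)
            if len(parts) != 2 or not parts[0].isdigit():
                continue  # skip blank or malformed lines
            count, pw = int(parts[0]), parts[1]
            segs = segment(pw)
            self.rules["G"][",".join(nt for nt, _ in segs)] += count
            for nt, s in segs:
                if nt[0] == "W":
                    self.rules[nt][s.lower()] += count
                    self.rules["L"][caps_mask(s)] += count
                else:
                    self.rules[nt][s] += count
        return self

    def prob(self, lhs, rhs):
        """Relative frequency of one rule; 0.0 if it was never seen."""
        c = self.rules[lhs]
        return c[rhs] / sum(c.values()) if c[rhs] else 0.0

    def parse(self, password):
        """Return (parse tree, probability) in the same (lhs, rhs) list shape
        as the pcfg.pcfg output above; probability 0.0 means an unseen rule."""
        segs = segment(password)
        tree = [("G", ",".join(nt for nt, _ in segs))]
        p = self.prob(*tree[0])
        for nt, s in segs:
            if nt[0] == "W":
                tree += [(nt, s.lower()), ("L", caps_mask(s))]
                p *= self.prob(nt, s.lower()) * self.prob("L", caps_mask(s))
            else:
                tree.append((nt, s))
                p *= self.prob(nt, s)
        return tree, p

    def sample(self, rng=random):
        """Draw a password by expanding G, then every nonterminal, by rule weight."""
        def pick(lhs):
            c = self.rules[lhs]
            return rng.choices(list(c), weights=list(c.values()))[0]
        pw = ""
        for nt in pick("G").split(","):
            t = pick(nt)
            if nt[0] == "W":
                mask = pick("L")
                if mask == "upper":
                    t = t.upper()
                elif mask == "Caps":
                    t = t.capitalize()
                elif mask != "lower" and len(mask) == len(t):
                    t = "".join(ch.upper() if m == "U" else ch for ch, m in zip(t, mask))
            pw += t
        return pw
```

Training is just frequency counting, so the parse probability is the product of the relative frequencies of the rules used; a password containing any unseen structure or terminal gets probability 0.0, which is exactly the case a real password-PCFG has to smooth before it can be used as the honey-encryption decoy distribution. The sub-grammar in the list above corresponds to training on a subset of the rules in this model.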