Kasper: Speeds and Solutions

Brute forcing a password is tough work. You try candidates over and over and hope to hit the password or, with Stuffit 5 passwords, a hash collision.

Obviously, speed is the key factor in this process, along with which machines you can run the software on. Here are some interesting data points on speed.


The original versions of Kasper were Bash and Perl scripts written to call the StuffIt CLI tools over and over. They benched, being generous, about 40 lines/second. And this was on a mighty 2007 dual quad-core Mac Pro at 3GHz.


An attempt at a StuffIt SDK version of Kasper sped things up to around 500 lines/second.

By removing the CLI tools and going after the raw algorithm, the Perl script then sped up to a monumental 350,000 lines/second. With this move, Kasper started to use Maskprocessor to generate passwords.

Development then shifted over to my daily workhorse, a 2010 Core i7 Lenovo X201 laptop at 2.67GHz. This machine outperforms the Mac Pro’s Xeon X5365 at single-threaded benchmarks; the Mac Pro can edge it out with its 8 threads (4 per processor) versus the X201’s 4 threads (2 cores with 2 threads via hyperthreading). Here’s an interesting look at the two over at CPU Boss.


A Windows command line version of Kasper was compiled using Visual Studio Express 2012 and OpenSSL. This application was able to execute 550,000-650,000 lines/second.

Moving to Visual Studio Express 2013 and removing loops allowed for another jump to 750,000-830,000 lines/second.

Changing the back-end algorithm to the OpenSSL MD5_Init method gave a small boost to 880,000-900,000 lines/second.

Compiling Kasper as a 64-bit executable, linking to 64-bit OpenSSL libraries, pushed Kasper over the magic 1 million mark, running 1,000,000-1,100,000 lines/second.

Another change, replacing a function call with bitshifts that provide the same functionality, doubled performance to an astounding 2,100,000-2,200,000 lines/second.

The time to run through a 4-character alphabet defined as all lowercase, uppercase, digits, and symbols (95 characters total) is my standard benchmark. This benchmark has now dropped from multiple minutes to barely half a minute as the average lines/second has jumped over and over.
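
The arithmetic behind this benchmark, as an added example that is not part of Kasper or the original post: it computes the keyspace for the 95-character alphabet and the time to exhaust it at lines/second figures quoted above, and goes beyond the 4-character case to show how the cost grows with password length. The rate labels and function names are assumptions made for illustration; where the post gives a range, the low end is used.

```python
ALPHABET_SIZE = 95  # lowercase + uppercase + digits + symbols, as in the post

# Lines/second figures quoted in the post (labels are illustrative).
RATES = {
    "CLI scripts (Bash/Perl)": 40,
    "StuffIt SDK": 500,
    "raw-algorithm Perl": 350_000,
    "Windows, VS2012 + OpenSSL": 550_000,
    "64-bit build": 1_000_000,
    "bitshift build": 2_100_000,
}

def keyspace(length, alphabet=ALPHABET_SIZE, cumulative=False):
    """Candidates of exactly `length` chars, or of 1..length when cumulative."""
    if cumulative:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length

def seconds_to_exhaust(length, rate, alphabet=ALPHABET_SIZE, cumulative=False):
    """Worst-case time to try every candidate at `rate` lines/second."""
    return keyspace(length, alphabet, cumulative) / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def min_length_for(target_seconds, rate, alphabet=ALPHABET_SIZE):
    """Shortest length whose exact-length keyspace outlasts target_seconds."""
    length = 1
    while seconds_to_exhaust(length, rate, alphabet) < target_seconds:
        length += 1
    return length

def report(lengths=range(4, 9)):
    """One row per rate: exhaustion time for each password length."""
    return [(name, [humanize(seconds_to_exhaust(n, rate)) for n in lengths])
            for name, rate in RATES.items()]

if __name__ == "__main__":
    print(f"{'rate':28s} " + " | ".join(f"len {n}" for n in range(4, 9)))
    for name, cells in report():
        print(f"{name:28s} " + " | ".join(cells))
```

Each extra character multiplies the worst-case time by 95, which is why the 4-character benchmark finishes in seconds while longer passwords quickly move out of reach at the same rate.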


It’s funny to me that I spend so much time cracking StuffIt on a Windows PC for a primarily Mac format. So I cracked out my Titanium PowerBook G4 that was the last laptop capable of booting Mac OS 9, and can run up to Mac OS X 10.5.8 (slowly!). I’d like to think it’s well treated, with an SSD and maxed out 1GB of RAM.


Mac versions of Kasper are compiled by Apple Xcode 3.1.4 (the last Xcode for PowerPC Macs). John the Ripper 1.7.3.1 is used to generate passwords instead of Maskprocessor, which lacks a PowerPC version. Of course a laptop that is over a decade old isn’t going to compete well with a Core i7 laptop, but it does break six figures per second. This was based on the non-64-bit code (as that won’t work on a 32-bit G4/OS), but before the bitshift update. Perhaps it will bench at 300k in the future!


This poor PowerBook should live out its days in Mac OS 9 – and I’m going to try to see if I can’t get the code running there, even if it most likely will lack the password generation of John/MaskProcessor. I’m acquiring more Macs to serve as development platforms though!

On the .sitx front, which I know I have half a dozen people asking me about, the so-called KasperX has a much worse performance level. On Windows, the Stuffit Deluxe 2010 software (at version 14) has its console_unstuff.exe command line software spammed by a Perl script.

On Mac OS X, the Stuffit Deluxe 2011 software (at version 15) has its console unstuff software spammed by a Perl script.

On the 2007 Mac Pro, KasperX performs at about 5.5-6 lines per second.

I attempted another SDK version, focused on .sitx – and again am benching around 500 lines/second. Needless to say, KasperX (and .sitx files in general) are out of reach for brute force except in very small attacks.

I hope 2014 will bring progress to Stuffit 4 files – I feel the complexity of Stuffit X files is really pushing the limits, and there may be hope for older Stuffit files. And if you have a Stuffit 5 archive, well, there’s an almost positive chance we can get your data freed.

12 thoughts on “Kasper: Speeds and Solutions”

    1. I’ll email you. Usually I need some data from the files without needing the whole file. Hopefully we’ll get lucky!

  1. Hi Greg,

    I have an old stuffit 5 archive with the password hash 51 26 c8 bf f0. I’ve run the Mac version of Kasper with no luck. Could you help?

    Thanks,

    Matt

    1. Well, that’s a yes and a no.

      I have devised a successful method of finding Stuffit 4 matches. However, it causes lots of false positives that don’t work (this is unlike Stuffit 5, where false positives do work). I was able to recover a password for a user and it tested good.

      Also, the method only works on passwords 8 characters or less.
      Also, the method runs at only 200,000 a second versus 2,000,000 a second with Stuffit 5.

      This means that to exhaust all possibilities for 6 characters takes 41 days. 7 characters would take almost 11 years. This is using the full alphabet, numberset, and symbols. If your password is 5 characters or less it only takes a day though!

      Do you have a file you need recovered? I have a computing resource I can dedicate to running 24/7 to get through at least the first 6 character sets.

      Thank you for reminding me I need a mid-2014 update on Kasper!

      Greg

  2. I am also interested in the Windows compiled version of the Kasper program. I have a Stuffit 5 file that is encrypted and this is really my only hope of ever opening it.

    1. I’ve been beating my head against the wall that is the PERL script in the Google Code repository for Kasper. I haven’t made any progress. I have no idea what I am doing wrong. I must be either giving the PERL script the wrong information or I’m not running it with the Mask Processor correctly.

      1. The old Google Code scripts are both ancient and slow. Unfortunately, Google Code doesn’t allow new uploads. I’ll contact you, it’s pretty simple to get Stuffit 5 passwords recovered nowadays!
