Ravan โ€“ JavaScript Distributed Computing System

November 11, 2011, by | Start Discussion

How much computing power do you have?

If your answer is 'my personal laptop/dekstop', you don't yet realise your strength.

How many friends do you have on Facebook? friends of friends? Add up all of their laptops/desktops, that's how much computing power you have at your disposal.
If you think I am exagerrating then let me assure you that you have many times in the past already controlled how some of their computing power is used. And similarly they have controlled how some of your computing power is used. It could probably be happening right now, as you are reading this article. Chances are you never realized this.

Don't worry, I am going to break this down so it is obvious. The Internet has become our new home and we spend increasingly more time online. In the online world, the process of clicking links is as common as breathing. Infact studies have found that an average person clicks on atleast 600 links everyday*. Everytime you click on a link you load a mix of html,css and JavaScript. The part of this mix that we are interested in is – JavaScript, the language of the browsers and the agent that can let you use your friend's computing power.

the past the ability for JavaScript to do process intensive tasks was missing, since it ran on the same thread as the rest of the page, it hung up the browser. And then HTML5 came along and introduced Threading support for JavaScript, it's called as WebWorkers. Using this API JavaScript can be put to work on process intensive tasks by making use of the super-fast JavaScript engines in modern browsers.

JavaScript is an amazing language, it is the most platform neutal language in the world. You can get the same piece of JavaScript code to run on Windows, Linux, OS X, Androids, iPhones, iPads, Windows Phones, everything. And how do you run your JavaScript code on someone's machine? you guessed it, have them click a link! And everytime someone you know clicks a link you send them, you have an opportunity to harness their machine's computing power.

Welcome to the world of JavaScript Distributed Computing! A world with limitless possibilities.

A task that can be easily distributed is cracking of hashes. Imagine being able to use your friends' computing power to build a powerful system of your own to crack hashes. You can do that using Ravan, a JavaScript Distributed Computing System that I built for this very purpose. If it isn't obvious, it gets it's name from the mythical Demon King, Ravana.

Ravan can be used to crack the salted and unsalted versions of MD5, SHA1, SHA256, SHA512 hashes. And all cracking is done in JavaScript across a distributed farm of browsers.



Figure 1

Ravan has three components:


The hash, salt, hashing algorithm, position of the salt (before or after salt) and the charset are submitted by the user. These are submitted to the web backend and it returns a ‘hash id’ which is unique to every submitted hash. It also supplies a ‘worker url’ specific to this hash that must be sent to potential workers.

Once the hash is submitted the master creates arrays of slots (each array contains 5 slots), this is submitted to the web backend. Each slot represents a small part of the keyspace, this is how the entire activity is broken down in to multiple tiny tasks. A single slot represents 1 million combinations.

The master constantly polls the web backend to check on the progress of the cracking process. As the existing list of slots is completed by the workers the master allots more slots. When a worker cracks the hash and returns the clear-text value, the master confirms this and then signals all workers to stop cracking.

Web Backend:

The web backend acts as a proxy between the master and the workers. It does not perform any actual computation but validates the data submitted by both the parties and passes information between them.


The worker performs the actual hard work of cracking the hashes. Each hash has a unique worker URL and this page explicitly asks for the user permission before the cracking process is started. Once the user accepts and clicks ‘Start’ the worker polls the web backend for available slots, the web backend returns an array of slots from its database. The worker cracks each slot and sends the result to the web backend. After completing all the slots it polls the web backend for more slots.


If you would like to crack a hash you head over to http://www.andlabs.org/tools/ravan.html

This is the master page and this is where the hash, the salt and other parameters are entered by the user.

Let's say I want to crack this MD5 salted hash – 227c2db18be2a8c2787b2409f6d0ed48

I already know that the salt is ':rocks' and that the format of the hash is – clear-text + salt.

With this knowledge let's crack this hash using Ravan.

Figure 2

After entering the details the hash is submitted to the server. The server returns a unique URL; this URL must be sent to everyone who would take part in the cracking process.

Figure 3

When someone visits the 'Worker URL' they are asked if they would like to take part in the cracking process, if they agree they could click 'Start' which starts the process of cracking on their browsers.

Figure 4

The workers gets slots of work from the master and submits the results back to the server.

Figure 5

When a worker informs the master that a hash has been cracked, the master confirms this and then stops the cracking process and displays the results to the user.

Figure 6

Try it out for yourself, you will amazed at how fast JavaScript has become.
Now let me ask you again.

How much computing power do you have?

* Ok, I made that up but you must have got the general idea ๐Ÿ˜‰

Lavakumar is the author of IronWASP, the advanced Web Security Testing Platform. He has also authored many other security tools like โ€˜Shell of the Futureโ€™, JS-Recon, Imposter and the HTLM5 based Distributed Computing System โ€“ Ravan. He has spoken at multiple conferences like BlackHat, OWASP AppSec Asia, ClubHack, Securitybyte, Nullcon, etc.

Leave a Reply