+------------------------------------------------------+
| |
| KILLER CRACKER: Portable Un*x Password Cracker |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| Version 8.00 LTD, Dated 7/28/91 |
| |
| Written By Doctor Dissector |
| Copyright (c) 1991, By Doctor Dissector |
| |
+------------------------------------------------------+
*** LIMITED EDITION !!!!! DO NOT DISTRIBUTE !!!!! LIMITED EDITION ***
License
-------
This program is NOT free software BUT may be used without charge or
payment in any form IF your copy is a "registered" distributed version.
You may modify it as much as you please, however, you MAY NOT
re-distribute it, in any shape or for: ie. modified OR unmodified,
without the expressed written consent (ie. e-mail) of Doctor
Dissector. (bbs.doctord@doomsday.spies.com)
This program was initially distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Disclaimer
----------
This program was written and released just to prove that Un*x
accounts can be effectively cracked utilizing modified DES password
encryption (crypt) routines and proper programming skills.
I, Doctor Dissector, the author of Killer Cracker, do not endorse
any type of illegal appropriation of computer accounts using programs
such as this; my goal is only to prove that the Un*x operating
system's greatest weakness in security lies in the /etc/passwd file.
Doctor Dissector will not be held responsible for the actions of
anyone who may misuse this program since he cannot control the actions
of the people who might become exposed to this program's use for illegal
means.
Quick Instructions
------------------
To compile under any operating system using "make", edit the file
"Makefile" included with this package to your needs and type "make".
File Listing & Description
--------------------------
WHATSNEW.800 -- Info on new modifications/additions to this version
KC.DOC -- This document file
KC.EXE -- MS/PC-DOS executable
KC.H -- Killer Cracker source code header file
KC.C -- Killer Cracker source code
MAKEFILE. -- Makefile for KC, edit this and use "make" to compile!
B_ORDER.C -- Determines if your machine is Network Byte Order
BCRYPT.H -- Bcrypt encryption source code header file
BCRYPT.C -- Bcrypt encryption source code
XFDES.H -- XFDES encryption source code header file
XFDES.C -- XFDES encryption source code
GOODWORD.W -- Collection of words from various sources
GIRLWORD.W -- Collection of female first names
Description
-----------
Killer Cracker (KC) is a program which effectively, and quickly,
encrypts a sequence of guesses (words) utilizing a modified form of the
DES Un*x password encryption alogrithm. These encrypted guesses are
then compared to the fields in any typical /etc/passwd file; any matches
are recorded for future reference.
Guesses to KC are read from several sources. The primary source of
guesses to encrypt come from a textfile (ASCII) of words separated by
CR/LF pairs or LFs (depending on operating system). Other guesses are
taken from each individual account in any /etc/passwd file; the login name
and two respective GECOS field entries. In addition, single characters
(a-z, A-Z, 0-9) and "funny" characters (^A-^Z, ESC, SPACE) can be tested
as guesses as well. KC also has the ability to make several combinations
for several guesses from one guess (i.e. test the guess in normal case,
uppercase, lowercase, and backwards) and the option to pre-pend or append
any number of characters to the beginning or end of any guessed word.
KC was also written in C source, which has been released and included
in KC's release package. The source was developed to be highly portable
with most other C compilers, especially the Un*x C compilers.
Execution
---------
Killer Cracker can be invoked using various methods from the command
line (shell prompt). Normally, KC will be called directly from the command
line; thus, usage from the command line will be discussed first. In order
to obtain a brief summary of KC's options from the command line, KC can be
invoked with the '-?' or '/?' flag. Incedentally, all flags to KC must be
either preceded by a '-' or a '/' character. The following info will
discuss KC's command line flags and offer detailed descriptions for each.
Under some Un*x shells, you may have to type the -? in double quotes ("-?")
in order to get the appropriate response.
Usage: kc -?bcfghlostu -<1|2>[:]<chars> -<p|w|v>[:]<filename> -z[:]<minutes>
kc -r[:]<filename>
Parms: -1 prefix chars -p /etc/passwd file -r restore file
-2 suffix chars -w guess word file -v valid account file
Flags: -? explain usage -b test backwards -c test up/low cases
-f test funny chars -g test GECOS fields -h hog resources
-l test login names -o suppress output -s single char test
-t test crypt result -u user based crack -z timeout (minutes)
Brief Summary Of Flags
----------------------
-? KC will print a brief summary of the available command line flags
as shown above.
Description Of Flags
--------------------
-p[:]<file> Filename/path+filename of the /etc/passwd file to be
cracked. The ':' character is optional (can be used to
clarify the command line). If no filename is specified,
KC will prompt you for one.
-w[:]<file> Filename/path+filename of the wordfile where all password
guesses are stored. Format of the words inside this
wordfile must be one word per line, no blank lines are
allowed. The ':' character is optional (can be used to
clarify the command line). If no filename is specified,
KC will prompt you for one.
-v[:]<file> Filename/path+filename of the output file, where all
valid account/password combinations will be saved.
The ':' character is optional (can be used to clarify the
command line). If no filename is specified, KC will
prompt you for one.
-r[:]<file> Filename/path+filename of the restorefile you would like
KC to read options and restoredata from. If this flag is
invoked without a following filename (i.e. "kc -r"), KC
will assume a default filename of "restore". Also note
that if this flag is specified, all other flags from the
command line will be ignored. The ':' character is
optional (can be used to clarify the command line).
-1[:]<char> The characters KC will be instructed to pre-pend to the
front of each word tested, one single character at a time.
For example, if you used the flag "-1:abc", each test
would test each word as "aWORD", "bWORD", and "cWORD".
-2[:]<char> The characters KC will be instructed to append to the
end of each word tested, one single character at a time.
For example, if you used the flag "-1:abc", each test
would test each word as "WORDa", "WORDb", and "WORDc".
-z[:]<time> Under the Un*x environment, this will instruct KC to
abort after the specified <time> in MINUTES.
-b KC will be instructed to create a word combination from the
available guesses as the reverse (backwards) from of the original
guess. KC is intelligent and will not repeat testing of guesses
which are the same foreward and backward (i.e. "MOM" backwards is
"MOM", KC will not test this guess in reverse). Refer to "Examples
Of Guesses" for more information.
-c KC will be instructed to create word combinations from the
available guesses in all uppercase and all lowercase. KC is
intelligent and guesses which are the same in all uppercase or
all lowercase will be skipped from testing in the respective
combination. See "Examples Of Guesses" for more information.
-f KC will be instructed to test the "funny" control characters ^A-^Z,
ESC, and SPACE as guesses before testing guesses from the wordfile.
-g KC will be instructed to test two words from the /etc/passwd GECOS
field of each individual account as guesses for that particular
account. KC will skip over entries in the GECOS field who's second
character is the '.' period character to avoid testing initials.
-h KC will be instructed to hog all available system resources under
(and ONLY under) the BSD Unix system. This means that KC will
attempt to raise the current resource limit of its process to the
maximum allowed value (if it is not at its maximum already). This
could result in dramatic performance increases as well as increased
suspicion to the process, but the end result is for you, the
end user to decide.
-l KC will be instructed to test the login name from the /etc/passwd
GECOS field of each individual account as a guess for that
particular account.
-o KC will be instructed to suppress all output from printing to the
local console/terminal. Normally, information about the current
session is printed to the standard output; however, on the Un*x
operating system where background processing requires output to be
directed away from the local console/terminal, verbose output could
be a problem. Also note that this flag, when executed under the
Un*x operating system, will automatically fork KC into the
background (returning you quickly to the shell prompt) and the
NOHUP flag (HUP signal ignore) will be placed on its process (so
logoff will not result in termination of the current session).
-s KC will be instructed to test the single characters, a-z, A-Z, and
0-9 as guesses before testing guesses from the wordfile.
-t KC will be instructed to test the result of a single, pre-installed,
encrypt/comparison using the default encryption routines. If you
get an encryption error, then your system WILL NOT effectively
crack passwords.
-u KC will be instructed to compare every word from the wordfile
avainst an account before moging to the next account. When
cracking by WORDS, KC will enable same-word-memory which
increses speed over cracking by users up to 40%. Normally,
KC will crack for passwords in the following format:
Default Format
--------------
word #1: test account #1's password
test account #2's password...
word #2: test account #1's password
test account #2's password...
word #3: test account #1's password
test account #2's password... (etc.)
This flag will instruct KC to follow the following format:
Optional Format
---------------
user #1's password: test word #1
test word #2
test word #3...
user #2's password: test word #1
test word #2
test word #3...
user #3's password: test word #1
test word #2
test word #3... (etc.)
Usage Examples
--------------
kc -c -p:passwd.212 -w:dict.txt -v:valid.212
The above command will instruct KC to read encrypted passwords
from the file passwd.212 (/etc/passwd format), read guesses from
the file dict.txt, and write any valid account/password
combinations to the file valid.212. All guesses will be tested
in normal, upper, and lowercase. Output will be verbose to the
console.
kc -cbo -ppwfile.txt -wwords.txt -vresults.txt
The above command will instruct Killer Cracker to read encrypted
passwords from the file pwfile.txt, read guesses from words.txt,
and write all valid account/password combinations into
results.txt. All guesses will be tested in normal, upper,
lowercase and reverse-normal, reverse-upper, and reverse-
lowercase. All output will be suppressed.
kc -glu -ppasswd.txt -wwords.txt -vvalid.txt
The above command will instruct Killer Cracker to read encrypted
passwords from passwd.txt, read guesses from words.txt, and write
valid account/password combinations to valid.txt. In addition,
the account/login names will be tested as passwords for each
account, and the GECOS field strings will be tested as passwords
for each account. When cracking begins, KC will crack passwords
using the optional format. Output will be verbose to the standard
output.
kc -c -p:passwd.txt
The above command will instruct KC to read encrypted passwords
from passwd.txt, interactively request the filenames for the
wordfile and the validfile, and test guesses in normal, upper,
and lowercase.
kc -rOLDCRACK.KC
The above command will instruct KC to read the restorefile
OLDCRACK.KC and restore the session as saved in that file.
Examples Of Guesses
-------------------
Killer Cracker can test words as normal, uppercase, lowercase,
reversed, and with numerical suffixes. The following table displays the
guesses for the words "Guess", "password", "PW", and 'MOM'. The '$' fields
are areas which are skipped because the guess would be a repeat and the
'X' fields are areas which are never accessed.
+-----------------------------------------------------------------------+
| Flags | Normal | Upcase |Lowcase |Reverse |Ureverse|Lreverse| Suffix |
|--------+--------+--------+--------+--------+--------+--------+--------|
| "c" |Guess |GUESS |guess |XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|
| |password|PASSWORD|$$$$$$$$|XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|
| |PW |$$$$$$$$|pw |XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|
| |MOM |$$$$$$$$|mom |XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|
|--------+--------+--------+--------+--------+--------+--------+--------|
| "r" |Guess |XXXXXXXX|XXXXXXXX|sseuG |XXXXXXXX|XXXXXXXX|XXXXXXXX|
| |password|XXXXXXXX|XXXXXXXX|drowssap|XXXXXXXX|XXXXXXXX|XXXXXXXX|
| |PW |XXXXXXXX|XXXXXXXX|WP |XXXXXXXX|XXXXXXXX|XXXXXXXX|
| |MOM |XXXXXXXX|XXXXXXXX|$$$$$$$$|XXXXXXXX|XXXXXXXX|XXXXXXXX|
|--------+--------+--------+--------+--------+--------+--------+--------|
| "rc" |Guess |GUESS |guess |sseuG |SSEUG |sseug |XXXXXXXX|
| |password|PASSWORD|$$$$$$$$|drowssap|DROWSSAP|$$$$$$$$|XXXXXXXX|
| |PW |$$$$$$$$|pw |WP |$$$$$$$$|wp |XXXXXXXX|
| |MOM |$$$$$$$$|mom |$$$$$$$$|$$$$$$$$|$$$$$$$$|XXXXXXXX|
+-----------------------------------------------------------------------+
Killer Cracker's Symbols
------------------------
When Killer Cracker is cracking passwords and output is allowed to the
standard output, KC will print one of three symbols to the console for
each comparison done.
"-" This symbol is printed to the standard output when KC has
completed one encryption/comparison.
"+" This symbol is printed to the standard output when KC has
already cracked the account in question or if the account had
been flagged as "inactive." KC will skip the encryption/
comparison as a result.
"*" This symbol is printed to the standard output when KC is
skipping the particular encryption/comparision because the
guess tested would repeat a previous comparision using the
same word in a different configuration. See "Examples Of
Guesses" for information.
Quitting Killer Cracker
-----------------------
Normally, Killer Cracker will continue cracking until it has
completed the last word (in the default format) or the last account
(in the optional format). If cracking must be aborted in the middle of
a job, the normal terminate key sequence Control-C for MS/DOS machines,
Control-\ for Un*x can be used to stop the job, close all files
properly, and create a restorefile (named "restore") for future
continuation of the crack (if desired). If any other method is used to
terminate the crack job (powerdown, warm/cold boot, kill -9, etc) the
files may not be updated properly and data may be lost. If you are not
familiar with Un*x job control, and KC places itself in the background,
you can either send a SIGQUIT/SIGINT to the KC pid or you can bring
the KC process into the foreground and then type Control-C.
Also note that when KC is running under suppressed output mode,
the response to hitting Control-C may take up to several minutes on
MS/DOS machines; just hit Control-C like three times, then sit back
and wait for KC to abort (patience, my friend!).
Restorefile Format
------------------
Killer Cracker's option to restore aborted sessions or to "read"
options from a normal (ASCII) file can come in handy in many
circumstances.
The following text describes the format of this file and how KC
interprets the information in it. Note that the BASIC format of the
restorefile is "IDENTIFIER=TOKEN<newline>" where <newline> is either
a CR/LF pair or a LF (depending on system implementation). Case is
ignored in the IDENTIFIER but the TOKEN's case may be important in
filenames, accountnames, and words in a particular wordfile.
Example: Filename "restore"
---------------------------
Passwordfile=/etc/passwd
Wordfile=crackwords.txt
Validfile=valid.txt
Prefixes=abc
Suffixes=123
Flags=1rc
Timeout=0
Lastaccount=daemon
Lastword=phoenix
Description Of Identifiers
--------------------------
Passwordfile Filename of the passwordfile (same as -p<file> from
the command line).
Wordfile Filename of the wordfile (same as -w<file> from the
command line).
Validfile Filename of the validfile (same as -v<file> from
the command line).
Prefixes The characters which would be used to prefix the
words being tested (same as -1<chars> from the
command line).
Suffixes The characters which would be used to suffix the
words being tested (same as -2<chars> from the
command line).
Flags Flags which are currently active (same flags as
offered on the command line).
Timeout The minutes before Killer Cracker will abort the
restored session.
Lastaccount Last account cracked during an aborted session; the
first account to begin cracking when the session
begins (skip all preceding accounts). This
identifier is only read if the session is based on
users (if the -u flag is specified). If the -u
flag is specified in the "Flags" identifier and
this field does not exist or the account does not
exist in the passwordfile, KC will yield an error.
Lastword Last word cracked during an aborted session; the
first word to begin cracking from when the session
begines (skip all preceding words in the given
wordfile). This identifier is only read if the
session is based on words (default, no -u flag).
If this identifier is missing and cracking is based
on words, KC will yield an error. If the Lastword
word does not occur in the wordfile, the session
will start and end without cracking anything.
System Dependent Information
----------------------------
Implementation Options/Restrictions
-------------- -------------------------------------------------------
MS/PC-DOS Killer Cracker has an upper account limit of around
2000-3000 accounts per session (max accounts per
passwordfile) depending on how much system memory
you have free at the time of execution.
BSD Un*x If the '-o' flag is used, Killer Cracker will
automatically fork itself into the background and
the NOHUP flag (ignore HUP, hangup signal) will be set.
NOTE: KC has a special command line flag which can
be used ('-h') to "hog" all available system resources
to KC during any given session. This is a flag which
should be used with caution, because when KC hogs
resources, KC HOGS resources! (ie. on one system,
w/o resource hogging, KC got 12 crypts/second... with
hogging on, it got 37 crypts/second) This could arouse
suspicion upon the superuser's part as other users of
the system find they can't do shit while the cracker
is running. The timeout feature is enabled.
SYSV Un*x If the '-o' flag is used, Killer Cracker will fork
itself into the background as in BSD Un*x. The timeout
feature is enabled.
STRIPPED Signal processing (CONTROL-C) is ignored (hitting
CONTROL-C will not save KC's process state,
terminating the session "abruptly").
Notes
-----
1. When using the default format for cracking, Killer Cracker will
skip accounts which already have been cracked in the following
hypothetical format:
Default Format, Hypothetical Situation: 10 words, 10 users.
Word #1, Users Tested: 1,2,3,4,5,6,7,8,9,10
Word #2, Users Tested: 1,2,3,4,5,6,7,8,9,10
Word #3, Users Tested: 1,2,3,4,5,6,7,8,9,10 (Valid For User #3)
Word #4, Users Tested: 1,2,4,5,6,7,8,9,10
Word #5, Users Tested: 1,2,4,5,6,7,8,9,10
Word #6, Users Tested: 1,2,4,5,6,7,8,9,10 (Valid For User #9)
Word #7, Users Tested: 1,2,4,5,6,7,8,10 (Valid For User #5)
Word #8, Users Tested: 1,2,4,6,7,8,10
Word #9, Users Tested: 1,2,4,6,7,8,10
Word #10, Users Tested: 1,2,4,6,7,8,10
When using the [u] option, Killer Cracker will jump to the next
account when (if) a valid password is cracked for the current user.
2. When cracking accounts using Killer Cracking in "by-word" format,
encryption/comparisions take place up to 100% (2x) faster than when
cracking by users. This is due to an optimization in BCRYPT/XFDES which
allows KC to remember the mask of the current word being cracked and
the calculation does not have to be re-done for all other comparisions
with that same word. Note: these optimizations will not be as apparent
when cracking a small amount of users and/or when cracking the login/gecos
fields, as each user is tested against a different guess anyway.
------------------------------------------------------------------------------
Thanx to Razor, So76, Scooter, PLAGUE, VIz, and all others who aided in the
research and development of this password cracker.
-(c) 1991-----------------------------------------------------------------EOF-