Web Cracker v2.0 Final
Copyright 1998 by DiTTo
Released 12/02/98

This program MAY NOT BE SOLD!

IMPORTANT: Please see the end of this document for Version History and Recent Changes!

HOMEPAGE & EMAIL:

Visit the Web Cracker Home Page at http://webcrack.home.ml.org for the latest version and release info. Email webcrack@bitsmart.com with suggestions or bugs. DO NOT send requests for hacking utils, sites, passwords, cracks, etc.

WHAT IS WEB CRACKER?

This program exploits a rather large hole in web site authentication methods. Password-protected websites can be easily brute-force hacked, because there is no set limit on the number of times an incorrect password or User ID can be tried.

Web Cracker was designed for Web Masters to test the vulnerability of their own sites. It SHOULD NOT be used by unauthorized persons to hack into web sites. Such use is ILLEGAL and could have SEVERE PENALTIES. Neither I nor anyone involved with the development of Web Cracker will be liable for the misuse of this program. Use Web Cracker ONLY at your own risk, ONLY for lawful purposes, and ONLY on your own web site.

USING THE PROGRAM:

To use Web Cracker, you will need at least a list of user IDs. If you have a list of users on your system, extract all the user IDs and save them to a text file. Many users who are allowed to choose their own user IDs on a system use their first name, so if you want an attack from an outsider's point of view, try using a list of first names.

Optionally, you may include a list of passwords to test. Web Cracker by default will try the user ID as the first password, as a lot of people tend to use the same word for both. If your system allows this, you've already got a big security problem. If you have a list of common passwords to test, you can load them into Web Cracker. The program will then run through the entire list of passwords for each user ID.

Use the File menu to load User IDs and Passwords into Web Cracker.
You must at least load a list of user IDs; the password list is optional.

Once the files are loaded, you must enter the URL of the site you wish to crack. The easiest way of getting a URL is to use a browser such as Netscape or Internet Exploder to surf to the target site. Then, right click on the link that throws up the "User Login" box. Select "Copy link location" on the popup menu, then paste this URL into WebCracker's "Target URL" box.

If you have already loaded your User ID list, you can now click on Start and the cracking will begin. While cracking, you should see the highlight bars in the User ID and Password list boxes move as each new pair is attempted. Any message returned will be shown in the left panel of the status bar at the bottom of the WebCracker window. Usually this panel will read "Code 401: Unauthorized", but it will change (very briefly) if a different error is encountered or if an account was cracked.

When an account is cracked, an entry will be made in the Log window and the log will automatically be saved to the log file (WC-xxxx.LOG). At any time during the cracking process you may click on the Stop button and the process will be halted, or you may save the session so you can stop and resume your cracking later, right where you left off.

After all user ID/password combinations are tried, Web Cracker will display a message box to that effect, and a final log entry will be made. If you click Stop before a cracking session is complete, WebCracker will log the last user ID that was attempted. To start from that point onward, save your session so you can load it and continue at a later time.

THE SETUP SCREEN:

Convert User IDs/Passwords: Web Cracker will automatically convert the User ID or Password lists to all caps, or all lower case, if one of these options is selected. The default, NONE, is probably satisfactory for most cracking sessions.
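The opening section notes that a site which accepts the user ID as its own password "already has a big security problem", and the replacement-variable and revision-history sections below describe the %USERID and %REVUID templates (joe1, joejoe, joeeoj, eoj1). Below is an added example, not Web Cracker's own code, of the registration-time check a web master could run to reject exactly those passwords; the digit-wrapping patterns go a little beyond the page's listed examples, and the function names are this example's own.

```python
# Added example (not Web Cracker code): reject passwords that the tool's
# "Try User ID as first password" default and its %USERID / %REVUID password
# templates are built to guess.  Pattern names are this example's own choice.
import re

def userid_derived(userid, password):
    """Return the name of the guessable pattern the password matches, or None.
    Comparison is case-insensitive because the tool can convert its user-ID
    and password lists to all caps or all lower case before sending them."""
    u, p = userid.lower(), password.lower()
    if not u:
        return None
    r = u[::-1]              # what %REVUID expands to
    digits = r"\d{0,4}"      # %USERID98, 1%REVUID and the like
    patterns = {
        "userid": re.escape(u),                                 # mike / mike
        "reversed userid": re.escape(r),                        # mike / ekim
        "userid with digits": digits + re.escape(u) + digits,   # joe1, 98joe
        "reversed userid with digits": digits + re.escape(r) + digits,  # eoj1
        "userid repeated": re.escape(u) * 2,                    # joejoe
        "userid plus reverse": re.escape(u) + re.escape(r),     # joeeoj
    }
    for name, pat in patterns.items():
        if re.fullmatch(pat, p):
            return name
    return None

def check_password(userid, password, min_len=8):
    """Return the list of policy violations; an empty list means acceptable.
    min_len is an assumed site policy, not something the page specifies."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    why = userid_derived(userid, password)
    if why:
        problems.append(f"derived from the user ID ({why})")
    return problems
```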
USE REPLACEMENT VARIABLES: If the option "Use Replacement Variables" is checked, Web Cracker will automatically replace any occurrence of "%USERID" (case sensitive, no quotes) with the current user ID being tried. This allows you to create a list of passwords based on the current user ID. Example: if the current User ID was mike, then %USERID98 would be sent as password mike98.

IMPORTANT: See the Revision History at the end of this document for updated and new features, bug fixes, etc.

CREDITS:

Web Cracker 2.0 was designed and coded by DiTTo.

Thanks to the guys who volunteered their sites as file mirrors:
Lee / The house of Ill Compute - http://www.thoic.com
Rob Harmon / The Forbidden Zone - http://www.forbidden-zone.net

Many thanx and greetz to those who helped beta test WebCracker 2.0: R0ver, DG, the IC guys in Building 309, Charles, Bartman/Abyss, Anders Nielsen, fried frunk

Much thanks goes to Turtle for suggestions, info, and helping me squash that "NetCracker" problem.

Web Cracker was written in Delphi 3.02, by Borland (now Inprise). Some code used in Web Cracker was developed by third parties, and released as freeware or shareware. Credits for those VCLs go to:
- Internet Component Suite: Freeware by François Piette - http://www.rtfm.be/fpiette
- Jan Goyvaerts, JG's Home Page, for his excellent URL Label component - http://www.ping.be/jg/
- Tan Qunzhao for his Tfire component that really dresses up the About box.
- Marcus Tettmar of MJT Software, for his SendKeys component, the heart of Web Cracker 1.0 - http://www.mjtnet.com/ (Used only in WebCracker 1.0)

REVISION HISTORY

- Version 2.0 Final - released 12/02/98

- Hardly anything done on this version. No bug fixes, only a few small cosmetic issues cleared up, and only 1 new feature added - the ability to play a WAV file when a password is cracked or when all the IDs and passwords are tried and cracking is complete. To use this feature, just put a .WAV file in the same directory as Webcrack.exe.
The files MUST be named WCFOUND.WAV and WCDONE.WAV or they simply won't be played. I've included two small WAVs just for kicks; you can replace them with something better if you wish. This feature was requested.

- This version has a few changes to discourage losers from hacking my work and calling it their own. After I saw copies of "NetCracker" floating around, I decided that all future versions would be hack proof, at least for hex-editing lamers. Go ahead lamers, try to hex edit version 2.0.

- I think my work on WebCracker is about complete. The program does everything I really wanted it to (and more) right now, and my coding time = nil. If someone is interested in working on the WebCracker project, drop me a line. Does this mean WebCracker is dead? No. As I said, I have no coding time, and I could use some help. One much requested feature is CGI-based attack capability. I don't have time to research and code this feature, but if someone else does, and can provide me with some Delphi code to work this magic, I will put out a new version as soon as it's working. If you want this feature, and your name on the WebCracker credit screen, go write some code. It could be months before *I* have a chance to do it...

- Version 2.0 Beta 1.5 - released 09/09/98

- IMPORTANT: SESSION FILES CREATED WITH BETA VERSIONS 1.4, 1.4a or 1.4b ARE NOT COMPATIBLE WITH 1.5!! You can load them, but if you do, make sure you save them to convert them to 1.5 format.

- There will probably only be one more "bug fix" release before version 2.0 final. My coding time is getting short, as I'm getting married and moving next month. I've still got a huge list of features I'd love to add, but they probably won't make it into v2.0. In fairness, a TON of new features and fixes have been added. Just keep reading...

- Support for Combination User ID/Password files.
Numerous people have asked for the ability to load a file in the format userid:password, like mickey:mouse, so that the passwords will be tried only with their associated user IDs. I thought this was a pretty good idea, so it's now a part of WebCracker. In order to use Combo Cracking, you will need to turn on Combo Mode under the Tools menu. This clears the user IDs and passwords and rearranges the menus so you can load in a file in combo format.

*** IMPORTANT: The combo file must have a TAB between the user IDs and passwords. In other words, it must be a TAB-DELIMITED file, with one user ID/password pair PER LINE. If it's not in this exact format, it will not load correctly and you'll send me email wondering why. An example file, COMBO.TXT, is included with WebCracker, so you can see what a good file looks like.

While in Combo Mode, you can save your session, and when you load it you will automatically be put back in Combo Mode. Use the Tools menu to turn Combo Mode on or off manually. There will probably be some bugs with this, since it's all new code. Email me if you find one so I can squish it.

- Changed the message given in the log when a valid User ID/Password is found. The message now includes the *size* of the page received when the correct ID/pass was sent. This makes it extremely easy to determine valid accounts on those systems which expire old accounts, but still allow those users to log in. When you use WebCracker on such a site, you used to receive only a FOUND: message, and you had to try each user ID and password combination to see which were actually valid, and which were expired. The Page Size number now tells you instantly. If you've never needed this feature, you won't miss it, but if you've ever tried to sort through 50 valid accounts, only to find all but one was expired, you'll LOVE this! (Hint: an expired page and an active account page probably won't be the same size!)

- Added another Replacement Variable - %REVUID.
This returns the REVERSE of the user ID. There seems to be some confusion as to how these replacement variables work. There are currently 2 variables: %REVUID and %USERID. These can be used in PASSWORD files. When WebCracker sees one of them, it replaces it with the current user ID, or the reverse thereof. This lets you try passwords like joe1, joejoe, joeeoj, eoj1 for the user ID "joe". Many people base passwords on their user ID, so these replacement variables allow you to formulate an attack based upon the current user ID. To see this in action, load up your favorite user-ID list and load in PASSWORDS.TXT (included in the WebCracker archive) as your password file. Start cracking, and it will all make sense. REMEMBER: Replacement variables are CASE SENSITIVE!!!

- Fixed the Minimum Password Length checking routine, so it now works. Passwords of equal or greater length than this number will be tried; smaller will be skipped. This setting does not have any effect in Combo mode. If "Try User ID as First Password" is on, and that password is smaller than the minimum, it will still be tried. This will be fixed in a later version.

- Changed the "Error" response messages (such as URL moved temporarily, or No Content, etc.) to include the user ID and password being tried at the time of the error. Requested.

- Fixed a bug with the Start/Stop buttons, in that when you were cracking and clicked Stop, then clicked Start, the session would resume at the next user ID rather than the one you stopped on. This problem also occurred if you saved a session, then reloaded it and clicked Start.

- Re-enabled the ability to click on a User ID or password in the list boxes, in order to have it become the current one. This feature was missing from version 1.4 for some reason, but is back and seems to work OK. This is handy if you want to jump ahead or jump back in your wordlists.

- Fixed problem that arose when all user IDs & passwords were tried.
If you clicked on Start, you'd get a "List box out of bounds" error. Now, when cracking is completed, the user ID and Password counters are reset to 0, so if you click Start, you'll start from the beginning again.

- Certain menu items are now disabled during cracking. You will have to click Stop first if you are currently cracking in order to enable the disabled menus. This fixes a lot of problems, and was long overdue.

- Fixed a nasty bug that caused WebCracker to lock up if a crack attempt returned a page that was too large. Certain web sites have large pages, and they literally choked WebCracker's HTTP buffer. I changed the program to dynamically allocate memory as it's needed, and this fixes the problem. Not sure how this affects speed, but it doesn't seem to slow the program down any.

- Found and fixed another bug with sessions. If you loaded a password file, then cleared the password list box, then saved your session, the password file would be loaded in again when the session was next loaded, even though it shouldn't have been. Same thing happened with the user ID list box. Both are now fixed.

- Finally found a use for the Edit menu, which has been disabled since WebCracker was born. You can now use that menu to sort the user ID and/or password list boxes. By default, the password and user ID list boxes are NOT sorted. Every time you clear one of the list boxes, or load a new file into them, they revert to NOT sorted. However, if you sort one or both of them, then save the session, they will remain sorted when you load the session back in. If you sort the list boxes, then turn off sorting, they will STILL remain in sorted order unless you re-load them again (using Load Passwords or Load User IDs, NOT Load Session). It's possible to screw yourself up if you sort and start a session, then turn off sorting and save the session. The next time the session is loaded, it won't be sorted, so all the cracking you did will be out of order.
The general rule is: if you sort a session, NEVER un-sort it. You'll be missing out on or repeating a lot of ID/Password combinations if you do. Remember: once a session is sorted, KEEP it sorted.

- One more time: SESSION FILES CREATED WITH BETA VERSIONS 1.4, 1.4a, or 1.4b ARE NOT COMPATIBLE WITH 1.5!! You can load them, but if you do, make sure you save them again to convert them to 1.5 format.

- Versions 1.4a Beta and 1.4b Beta

These versions were privately distributed to beta testers for feedback. Not "official" beta releases. If you are using one of these versions, upgrade to beta 1.5.

- Version 2.0 Beta 1.4 - Released 08/28/98

- MAJOR CHANGES in this version!

- Sessions! Sessions! Sessions! The long awaited ability to save and load cracking sessions is now here. Use the File menu to load and save sessions, which consist of 2 files each - one is a session data file, with a WCK extension, the other is a session LOG file, with a LOG extension. Get WebCracker loaded with your URL and password lists, and crack if you want. When you stop, save the session so the next time you can pick up from right where you left off. If you experience any SERIOUS problems with sessions, please drop me a line. I didn't have time to do exhaustive tests, so report any problems...

- Fixed a bug which appeared when Convert User IDs was set on. The IDs appeared as unconverted in the ID edit box, even though they were actually being sent to the target system correctly in the converted format.

- Changed the results code handler to display a message and abort cracking if HTTP code 404 ("URL not found") was returned. Otherwise, if a connection to the net was dropped, WebCracker just ran through the IDs and Passwords until it was done, and there was no way to tell where it left off. Now it will log the user ID and password it was trying when it got the error.

- Added support for multiple instances. Instead of logging to "Webcrack.Log" as in previous versions, WebCracker now logs to WC-xxxx.LOG.
The xxxx is replaced with 0000, 0001, 0002, etc. This allows many instances of WebCracker to be run at once, and each will log to a separate file. NOTE: if you let 10,000 log files accumulate, WebCracker will stop auto-numbering and just log to WC-LOG.OUT. When you save a session, the name of the log file is saved as well, so WebCracker won't create a new log file each time. The log file is automatically saved by the program whenever a valid account is cracked, or when a cracking session is stopped. If you lose power, you won't lose all your found passwords. :)

- WebCracker now tests the target URL to see if it's password protected or not. If it doesn't appear to be protected, you'll be notified with a message. This usually means you picked the wrong URL to attack, so you'll need to find a protected one.

- Progress indicators now tell you which User ID/Password you are on, out of the total. This gives you an idea as to how far along the session is. Nothing fancy, but it's a start.

- Other misc internal changes which you couldn't care less about.

- A few users pointed out that the size of the password lists is limited to about 32,767 lines. This is a limitation of the Delphi listbox control, and is one I had hoped to overcome before releasing this version, but things didn't work out the way I had planned. So, that will be a future enhancement. If anyone has Delphi code for buffered line input which allows for unlimited file sizes, by all means drop me a line. :)

- I do want to say thanks to the handful of folks who have written with suggestions and bugs. This program is still a long way from where I'd like it to be, but we're getting there. Without your input, bugs won't get squashed and cool features won't get thought up. Keep 'em coming!

- Version 2.0 Beta 1.3 - Released 7/23/98

- Major changes to the internal code.
Someone suggested enabling "batch" support, so you could line up 50 URLs in a row to crack, and move to the next after you hit X number of valid accounts. WebCracker wasn't built with that in mind, but I like the idea. I also want to enable "sessions", so you can stop, then resume cracking right where you left off. The program needs a lot of work to get these features implemented, but it's moving in that direction.

- Fixed some bugs with the two new options added in beta 1.2. Hopefully I got them all. (Yes, the one that jumped out when the password list was empty has been squashed.)

- The User ID no longer shows up in the password list box, even when "Try ID as first password" is turned on. The ID will still show up in the text box, but constantly adding and deleting IDs from the password list box was a lot of overhead that really didn't need to be. Hopefully this adds to the speed of the program. It will make future coding easier, if nothing else.

- Changed the font in the Log window to Courier New, 8 point. I think it's easier to read, and looks a little better.

- CRAXD has offered to write a help file for WebCracker. This should take care of yet one more missing feature.

KNOWN LIMITATIONS AND ISSUES IN THIS VERSION:

- You might find the program doesn't act right when you first run it. Go into the SETUP screen, and verify that the new options are set the way you want. Click OK, and they will be saved. Everything should now work normally, if it didn't before. This is a registry issue I need to clear up. Not a biggie though.

- User ID and Password file sizes are limited to 65536 (or so) lines. This is a Delphi limitation, not mine. If anyone can suggest a workaround, I'm all ears. Even so, I think most folks will find that 65000 is enough... (except for that one guy... :)

- If you don't load any passwords, and have "Try ID as first password" toggled off, the program shouldn't enable the "Start" button 'cause there's nothing to crack... but it does.
That's just a little annoyance, and will be stomped later.

- The Edit menu option is disabled. I'm still not sure if I'm going to use it... but it's there for now. Just ignore it.

- Version 2.0 Beta 1.2 (Not Publicly Released)

- Problem: when an account was cracked, WebCracker would continue using the same account with the rest of the passwords, possibly returning a "cracked" result for each of the remaining passwords in the list. Changed the code so when an account is cracked, the remaining passwords are skipped and the cracking moves on to the next user ID. Speeds things up, especially with long password files, and fixes the bug.

- Finished coding Proxy Support. Seems to work well. Thanks goes to Charles and Bartman/Abyss for testing.

- Added an option to turn off trying User ID as the first password.

- Added an option to Optimize WebCracker for speed. This disables the auto-scrolling of the list boxes as passwords and user IDs are tried. Seems to make a difference. Thanks to Anders Nielsen for pointing this out.

- Version 2.0 Beta 1.1

First public beta of version 2. A few bugs, not all features implemented, but I wanted to get it out there for testing.

- Version 2.0 Beta 1.0

Private beta release, not publicly distributed. This version has nag screens stating that it's a beta; if you have this version, upgrade to get rid of the nags.

- Version 1.0

Original version by Doug Good; used Netscape for HTTP functions. Slow and had less functionality than version 2.0. If you have this version, upgrade!
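The opening section's point is that nothing limits how many wrong user ID/password pairs a site will accept, and every wrong pair comes back as "Code 401: Unauthorized", one HTTP request per guess. The following is an added example, not part of the Web Cracker distribution, of how a web master could spot such a run in an Apache/nginx combined-format access log; the log lines are constructed for the example and the window and thresholds are assumptions to tune per site.

```python
# Added example (not Web Cracker code): flag Basic-Auth brute forcing in
# Apache/nginx "combined"-style access logs.  Log lines are constructed for the
# example; the window and thresholds are assumptions to tune per site.
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined format: host ident authuser [date] "request" status bytes ...
# The authuser field is taken from the Authorization header even on a 401, so
# every user ID the tool guesses appears in the log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one legitimate login, then one client walking a user-ID
# list (the tool's default tries each user ID as its own password first).
SAMPLE_LOG = """\
198.51.100.7 - mike [02/Dec/1998:10:00:01 +0000] "GET /members/ HTTP/1.0" 200 1432 "-" "Mozilla/4.5"
203.0.113.5 - mike [02/Dec/1998:10:00:05 +0000] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
203.0.113.5 - joe [02/Dec/1998:10:00:05 +0000] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
203.0.113.5 - anna [02/Dec/1998:10:00:06 +0000] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
203.0.113.5 - bob [02/Dec/1998:10:00:06 +0000] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
203.0.113.5 - carol [02/Dec/1998:10:00:07 +0000] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
203.0.113.5 - dave [02/Dec/1998:10:00:07 +0000] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
198.51.100.7 - mike [02/Dec/1998:10:05:00 +0000] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.5"
"""

def parse_line(line):
    """Return (ip, user, timestamp, status), or None for a line in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    user = None if m.group("user") == "-" else m.group("user")
    return m.group("ip"), user, datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))

def detect_bruteforce(lines, window_s=60, max_401=20, max_users=5):
    """One alert (ip, n_401, n_distinct_users) per client that, inside any
    window_s-second span, exceeds max_401 failed requests or tries more than
    max_users distinct user IDs.  The distinct-ID count catches the
    one-guess-per-user sweep a plain failure count misses.  Per-IP tracking is
    weakened by proxies and parallel instances, so a per-URL total is a
    sensible second signal."""
    history = defaultdict(deque)  # ip -> (timestamp, user) of recent 401s
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 401:
            continue
        ip, user, ts, _ = rec
        q = history[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:  # expire old entries
            q.popleft()
        users = {u for _, u in q if u}
        if ip not in alerted and (len(q) > max_401 or len(users) > max_users):
            alerted.add(ip)
            alerts.append((ip, len(q), len(users)))
    return alerts

def sample_alerts():
    """Run the detector over the constructed sample with thresholds lowered to fit it."""
    return detect_bruteforce(SAMPLE_LOG.splitlines(), window_s=30, max_401=10, max_users=5)
```

With the sample thresholds the sweep from 203.0.113.5 is reported after its sixth distinct user ID, while the single stray 401 from the legitimate client is not.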