+----------------------------------------------------------------------+ | ###### ## ## ###### ####### ###### ###### | | ## ## ## ## ## ## ## ## ## ## ## ## | | ## ######## #### #### ## ## ## ## ## | | ## ## ## ## ### ## ## ## ## ## ## | | ###### ## ## ######## ####### ###### ###### | +----------------------------------------------------------------------+ | CrackerHack Version 2.0 (c) 1992 - No Means No. Released 12/1/1992. | | Crackerhack is a very fast custom increment password cracker | | Utilities included with CH2 are: CH, SETCH, TIMECH, SPLITCH, & NETCH | | This documentation file describes the Crackerhack Version2 utilities | | in full detail along with examples & instructions on how to use them | +----------------------------------------------------------------------+ | -> First increment password cracker ever released (ever written?) <- | +----------------------------------------------------------------------+ Disclaimer: I, No Means No, nor any persons involved with the production, construction, instruction, publication, distribution, implementation or observation of CrackerHack Version 2.0 assume no responsibility over persons involved with using, abusing or choosing of CrackerHack Version 2.0, nor do we promote or condone it. People can make up thier own minds, it is up to the individual. Overview: This is a program, like any other, that can be used for a variety of purposes, educational, security, and yes, even cracking *gasp!*. However, it was intended to shed light on increment password cracking and prove that it is indeed very possible. I began writing Crackerhack sometime during the summer of 1992, however it was put aside several times so I could work on other projects. I completed version 1 of Crackerhack sometime in late september of 1992 and was due to be released to the public on 10/1/92, but it never happened. Instead, after discovering a few bugs and alot of compatability problems, I decided to just make CrackerHack Version 2 and have that be the first release to the public. Only CH, SETCH, and TIMECH were planned for CH1, I added SPLITCH and NETCH in CH2 as well as writing much more reliable and compatable source code for CH, SETCH and TIMECH. The documentation was also greatly extended to further discussion on the included utilities. The original release for CH2 was planned for 11/1/92 but due to it being submitted to 2600, I have extended the release date to 12/1/92. Crackerhack was my second Unix C program to start. A version 3 of Crackerhack could be very possible, it all depends on what I would like to add to it. If CH2 has any errors that I do not yet know about, or if there are any systems on which it will not compile or run correctly, please let me know. If I discover that there were any problems that I have missed, or if I decide to add extra features, then there WILL be a CH3. My internet mail address will be included at the end of this documentation file. The documentation you are about to read will be fairly detailed and I will attempt to make things easy to understand, even if you have never used a program like this before (I have never used a password cracker other than this one). I also strongly suggest you PRINT these documentations up on PAPER, it would be annoying to have to come back and scan through this file each time you want instructions, information, or help using a Crackerhack utility. So print these if you havn't already. Explination: To clear some things up, no password cracker can really be called a password cracker unless it actually CRACKS the encryption. This program is similar to other password crackers in the way it compares encryptions, but ONLY in that respect. It crypts the "guessed word" and compares the encryption of the "guessed word" to the encryption of the target password encryption, if they match, the "guessed word" is the unencrypted password. However, that is the ONLY way Crackerhack can be compared to other password crackers. Other crackers use dictionary files to use as guesswords. Crackerhack does NOT use this method, if it did it would be just like every other cracker out there, which would mean in would be a waste of my time for me to write (correct?). Instead, Crackerhack could be classified as an INCREMENT CRACKER. This means it tries EVERY possible combination within a specified range. Combinations and ranges are set with the SETCH utility and its use is explained in full detail in the "how to use SETCH" section. Understanding increment password cracking: Increment cracking works like binary counting on an alphanumeric table. An example would be if you were to scan from "aaa" to "zzz" in only lowercase alphas, it would count in the following format: aaa,aab,aac...nml,nmm,nmn,nmo,nmp,nmq,nmr,nms,nmt,nmu,nmv... zzu,zzv,zzw,zzx,zzy,zzz. You might be thinking "Damn that must take forever!". Well first of all, Crackerhack is meant to be used to work on ONLY ONE password and work on that password until it is either cracked, or the full combo/range has been completed. Longer cracks take longer time, of course. And it also depends on the machine you will be cracking the password on and if you will be using a fast encryption program with CH2, such as UFC (Ultra Fast Crypt). There is a "Suggestions" section later in this documentation that will explain different methods of cracking your target password. Some good suggestions on cracking methods, simple investigation procedures, and what to AVOID when attempting to crack a password (you wouldnt want it to run forever!). Files: Included with the archived version of this program is the UFC directory that contains all of the needed Ultra Fast Crypt files so you may add UFC in the Crackerhack files when compiling. This is explained in the section below called "compiling". The following files should be in your directory: CH2-DOC : This documentation file for Crackerhack Version 2. CH2-NET : Complete information on how to set up the NETCH program. makefile : The make file for Crackerhack Version 2. addch.h : The include file for ch.c and timech.c. ch.c : Crackerhack Version 2 source code. netch.c : Network Crackerhack Version 2 source code. setch.c : Setup Crackerhack Version 2 source code. splitch.c : Split Crackerhack Version 2 source code. timech.c : Time Crackerhack Version 2 source code. netch.sh : Network Crackerhack Version 2 work file. Compiling: Semi-detailed instructions can be found by just typing "make" in the directory where the Crackerhack files reside (runs the "makefile"). So if you should at any time need quicker instructions on how to compile Crackerhack, you can do that. I am going to explain here in a little more detail exactly how to compile them. Included with the archived version of Crackerhack V2, is UFC (Ultra Fast Crypt). All of the UFC files can be found in the UFC directory that is included in the CH2 archive. It is highly recommended that you use UFC or some other fast encryption method with Crackerhack 2 to get MUCH greater speeds when cracking, because, as most of us know, the standard crypt routines on any system are slower than a cop without his doughnuts in the morning! Because UFC is included with the Crackerhack archive, I will explain how to compile UFC to get the "libufc.a" file and add it to Crackerhack. First, switch over to the UFC directory and type "make libufc.a". This will compile the semi-portable version of UFC's "libufc.a" file which should compile and work correctly on ALL systems. However, you can specify which system you are using to generate a faster version of UFC for your system, if this is what you choose to do, you will have to read the UFC documentation for information on that. Also, when compiling it on a non-unix based system, use GCC compiler and it SHOULD compile and run correctly. This has not yet been tested, because CH2 was designed and meant to work on faster systems. There are 3 different ways to compile: -------------------------------------- Compiling Crackerhack V2 with "libufc.a": Copy the "libufc.a" file into the Crackerhack directory and type "make addufc". This will make all Crackerhack files and add the Ultra Fast Crypt routines into CH and TIMECH. Compiling Crackerhack V2 with "other.a": First compile the other fast encryption method and copy the needed file into the Crackerhack directory under the filename "other.a". Now type "make other", this will make all Crackerhack files and add your specified fast encryption routines into CH and TIMECH. Compiling Crackerhack V2 standard format: "make standard" will compile all Crackerhack files without fast encryption. -------------------------------------- NOTE: There are special instructions on how to make Crackerhack on a NeXT system. Add the following string after "make" and before your argument, 'CFLAG=""'... This will clear the optimization flag which seems to screw up the programs on a NeXT system, so use that so you dont run across any problems with it after compiling. You can also "make clean" which will delete all of the made Crackerhack files as well as ".ch-t", "libufc.a" and "other.a" if they exist. Using SETCH (Setting up Crackerhack): The first program you will want to run will be SETCH. SETCH is what is used to set up the cracking combination and ranges as well as selecting the password you wish to crack. SETCH creates the ".ch-d" data file which every other Crackerhack utility works with. After running SETCH you will get the following menu: +---(SETCH program output)-------------------------------------------+ |(1) Choose your target password from the "/etc/passwd" file. | |(2) Choose your target password from the ".ch-p" file. | |(3) Manually enter an encrypted password string. | +--------------------------------------------------------------------+ If you are going to be cracking an account that is on the system you will be cracking on, you will want to select #1 here. If you are going to be cracking a password that is on another system other than the one you will be cracking on you will need to copy the "/etc/passwd" file (or just a partial file or even just one single account if needed) from your target's system, on to the system you will be cracking on, under the file name of ".ch-p", and select #2. If you know the encryption of the password you want to crack, then you can select #3 and it will prompt you to type it in. Make sure you type it in EXACTLY (all 13 digits), otherwise you will get false results, or no results at all! In cases of #1 or #2, it will ask you a pattern to search for, you can either just press return (to list every account), or enter a pattern for SETCH to look for within each line of the password file (it uses the unix GREP command). Then it will go through each account in the password file and ask you which account you want to choose as your target. NOTE: In cases #1 or #2, and if you select a pattern to search for it will create the ".ch-t" file, which is a temporary file created when it uses the GREP command. This file will be deleted after selecting your target. If you have a disk space quota it might give you an error when it attempts to create this file when SETCH is working with very large password files. After you select either of the 3 options and select your target encryption it will then display the following: +---(SETCH program output)-------------------------------------------+ |Select one of the following COMBINATIONS: | |(1): 0123456789 | |(2): abcdefghijklmnopqrstuvwxyz | |(3): 0123456789abcdefghijklmnopqrstuvwxyz | |(4): ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz | |(5): 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz | +--------------------------------------------------------------------+ This is where you select the COMBINATION. keep in mind here that when the program increments, it will count the combination from left to right. Example, if you choose #2, it will count from a to z and then flip to aa. ab. ac. etc. The decision on the combination depends on the method you wish to crack the target password with. Some examples: Will you be scanning in JUST numeric combinations? Then choose #1. Will you be doing a FULL alphanumeric (including uppercase) scan? Then choose #5. +---(SETCH program output)-------------------------------------------+ |Now select the cracking RANGE, up to 8 characters. | |From : | |To : | +--------------------------------------------------------------------+ This is where you select where your cracking increment scan will start at and end at. If you selected a combo of #1 for example, you will want the start and end to be NUMERIC, however there are exceptions. A valid exception would be if you were to crack a password starting with "staff000" and ending at "staff999" and you want it to scan numerics only. But if you selected from "test000" to "testaaa" with a numeric combination, it would increment forever. This is because it would never get to the "aaa" after "test999", instead it would flip to "tes0000" and continue counting. Be sure you select your COMBO and RANGE correctly. Once you have completed the "From" and "To" phase of SETCH it will then create the ".ch-d" Crackerhack data file. You have just completed setting up your crack. You may now run any of the other CH2 utilities. Using TIMECH (Time estimation of your crack): What this program does is tell you the estimated amount of time it will take to complete the full cracking scan on the current machine. It will first load the ".ch-d" data file. Then it counts the number of crypts per second (CPS) your machine is getting. Then it counts the number of encryptions it will take to crack your selection. It will then give you an estimate of the time it will take to complete the full crack in the format of YY/DD/HH/MM/SS (that is, if it doesn't crack it first!). Thats all there is to it. Simple and helpful. NOTE: Because systems/compilers vary on the maximum storage for the DOUBLE VARIABLE in C, smaller systems will come up with false results when counting the encryptions it will take to crack very large cracking ranges/combinations. But then again, it is not a good idea to even attempt running such large cracks on such small, obviously slow systems anyway. So I don't this this will be too much of a problem. However, this will be fixed in the possible CH3. Using CH (Crackerhack Version 2.0): Crackerhack! Run this program, it uses your specifications in the ".ch-d" file and runs the crack on it, all output will go to the ".ch-l" log file. The only way it can prematurely abort is if the ".ch-d" file does not exist. In that case it will immediatly tell you and abort, otherwise it will create or append to the ".ch-l" crackerhack log file the crack is it working on. It will stop and write the crack completion information to the ".ch-l" crackerhack log file if either of the following 3 things happen: 1) It cracks the password. 2) It completes the cracking scan. 3) It is aborted. It is best to run Crackerhack in the background, because some cracks take quite a long time. A nohup (no hangup) is suggested as well. This will make sure the program does not abort if the user hangs up or loses connection to the system. An example on a unix system would be to do this: "nohup ch &". The & signifies that the program will be run in the background as a job. ACCESS NOTE: If you have superuser access, or if the system you are on allows users to set priority, Crackerhack will automatically set the priority of the program to absolute highest (-20). This will eat up process and CPU, but it is worth it because you will get much faster CPS. If you do not have such access to set the priority to a job, then it will not be set and will run normally. ABORTING NOTE: If Crackerhack is aborted it will write the last encryption to the log file. This will let you know where it left off when it was aborted so you are able to continue the crack from where it left off. However, Crackerhack is UNABLE to detect the system shutdown, this might cause problems if you are running it on a system that has an upcoming shutdown! You might want to time it if your system has shutdowns to make sure it wont get killed with the shutdown. If anyone knows how to detect a shutdown, let me know, I have not figured it out. Also, it can not detect "sure kills" (kill -9) because they can not be caught. So if you are going to kill it, send a -QUIT, -TERM, or -INT so it will write the last encryption to the log file in case you decide to continue that crack at a later time. Using SPLITCH (Split Crackerhack into multiple jobs): This program does exactly what its called, it SPLITS crackerhack into multiple jobs to be run on the same system, this is useful for such systems as Crays where you can run multiple jobs and still get the same results for each job as you would from one single job. This greatly increases the CPS (Crypts per second). The program sets the limit to up to 10 SPLITS, if you wish to run more than 10, you will have to change the source code to "#define SPLITMAX <#>" where <#> equals the maximum number of splits you wish it to allow. You will then have to recompile the program if you change it. To use SPLITCH, you simply specify the # of splits you wish to split your crack into (set by SETCH) after the program name. If you wish to split it into, say 7 jobs, you would type up "splitch 7". Everything afterwards is automatically done by SPLITCH. What it does is it counts the cracks in your scan combo/range and then splits it up and runs the crackerhack jobs for you with "nohup ch &", if you do not wish to use that format, you will have you go into the source code once again and change "#define BEFORECH" and "#define AFTERCH". This program is indeed useful and serves its purpose, but an even MUCH more powerful program is needed for another purposes, and that program is NETCH. Using NETCH (Split Crackerhack and NETWORK the multiple jobs): This program does as stated in SPLITCH, except the splitted jobs will NOT be run on the machine you are currently running it on, but instead the splitted jobs will be run on any machine(s) you specify (that you have access to of course). You will need to compile a list of systems you are on (that you have RSH access to) in a file named ".ch-n", which is the Crackerhack network information file. The format for this file is thoroughly explained in the CH2-NET file. If your system does not support the "rsh" command, you will have to check to see which command it uses instead, it might be "rshl" or something similar, if it is different than "rsh" you can specify the command when you run NETCH. For example if it uses rshl, you will need to run netch like this: "netch rshl". When this program is run, it will first access the ".ch-n" file and collect the information within. If there are any errors in the format, it will display the error and abort. If it is fine it will then access the ".ch-d" data file (set with SETCH) and split your crack according to the specified networks in ".ch-n" and attempt to access each system and run the splits. If there are any errors with accessing the system, it will let you know then attempt to access the next system - it will not abort. It is a good idea to first run a test net-crack to make sure all systems are working correctly before running your real crack, be sure if you run a test net-crack to go and kill the cracks on each system before you run the actual crack. If you don't, it will surely slow down the CPS time you get on your actual crack. Of course, there is an alternative, and that is to run a very short NETCH splitted crack to not only test to make sure your network is working correctly, but it will also allow it to be finished very quickly so you don't have to go to each system and abort them before running your actual net-crack. In the program, the maximum networks allowed are 100... This can be changed by editing the line "#define SPLITMAX <#>" where <#> is of course, as explained above in SPLITCH, the maximum number of splits allowed. In this case it is the maximum number of network systems/splits allowed. Each split will go to one machine on the network that you specify in the ".ch-n" file. All networked cracks will be run with "nohup" and "&" as explained in the SPLITCH section, however if you want to change them in netch, you'll have to edit the netch.sh file. The netch.sh file is used only by netch when networking your crack. This program is a powerful utility if used correctly, so use it correctly! Files used/created: Note that all the files start with a ".", which means they will be hidden to a normal user on a standard unix system. Use the "-a" flag when using "ls" to display them. [FILE]: (Created_by) (Used_by) Description of file. ------: ------------ --------- -------------------- .ch-d : (SETCH ) (all ) Crackerhack Crack data file. .ch-l : (CH ) (user ) Crackerhack Log file. .ch-n : (user ) (NETCH ) Crackerhack Network information file. .ch-p : (user ) (SETCH ) Alternate Passwd file, "etc/passwd" format. .ch-t : (SETCH ) (SETCH ) Temporary file when choosing target in SETCH. Suggestions: Some people immediately attempt to crack a password with full or very long range/combinations which is crazy under most conditions, but there are some conditions under which it can actually be done though, only under those conditions should it even be attempted. Such large cracks are usually not even necessary. But maybe, for some reason, you want a VERY LONG increment scan. No computer is fast enough to complete it in a reasonable amount of time, however, there is an alternative. If you are able to access a network of machines, you can divide the specified large crack on several machines. NETCH does this for you automatically, and with NETCH and a large number of systems, a very large crack CAN be done. Of course, you have to have access to those systems if you want to use them. As stated before, this is usually not necessary, so let this be your last choice. One of the first things you will want to do is find out the requirements for changing a password on the system where the target derived from. An example, if password changing on that system requires it being at least 6 digits long with alpha and numeric characters, you might want to start cracking with the following scan first: Combo #3, Range From "000000" To "zzzzzz". Of course you can scan everything below 6 digits if you wish. Just experiment, you will get the hang of it if you havn't already. Make sure you enter in all information correctly when setting up your crack with SETCH! A strong suggestion is that you read over the above documentation if you havn't already. Alot is explained in each section that could have been explained in this section instead but I felt it would be better to give the needed information/explination that pertained to that particular section. Speeds: From all of the tests other people and myself have done, Crackerhack 2 is THE absolute fastest password cracker (Encryptions Per Second) out there. When used with the same encryption techniques as the other cracker in question, most usually it is UFC. It can get as much as (maybe more than) 10 times faster than other password crackers on a UNICOS Cray system! (Using SPLITCH on a Cray will accomplish this. If your user has priority access you can get extreme ammounts of crypts per second without using SPLITCH). On every system it has been tested on and every cracker it has been compared to, it comes out as the fastest cracker in CPS. Of course, if you do not beleive this, you can test it and compare it for yourself. I was going to include a couple of charts in these documentations, however I was not able to obtain a sizeable ammount of information for the charts by the time of the release. If I write a future version of Crackerhack, I will include the charts in that version. Known Problems: After completing this version I found a couple of minor problems: When compiling Crackerhack on systems such as SysV, it may not compile correctly and get errors. This same problem might occur on some HP systems as well. Crackerhack should compile and run correctly under most other systems. Crackerhack might not compile under DOS, this depends on how you compile it and with what compiler. Very little tests have been done with this, because CH2 was meant to be used on much faster systems. However if you wish to pursuit compiling Crackerhack2 on a PC, use a compiler that can compile programs in the UNIX C format (such as gcc). If there is a Crackerhack Version 3, these problems will be fixed along with any other problems that arise in Crackerhack Version 2. Credits: Thats it! I had no credits for Crackerhack Version 1 because I did all the testing myself before releasing it to selected people to have tested. When I gave it out to be tested, I was notified of certain problems on different systems so I could correct them for the public release of Crackerhack (CH2). So i'd like to thank those people who helped me get this programs compatibility to where it is now and/or just using it alot and giving me feedback on it. Those people are: Nat X, Sarlo, Lazar, Infomaster, Lithium Bandit, and Krynn. I would also like to acknowledge Infomaster who not only suggested the idea of NETCH, but was extremely helpful with testing it! These people were alot of help and are recognized for it, thanks. Also advanced thanks to Informix who is going to be helping me distribute CH2 when it is released. Thats it!: Docs are finished. I hope everyone that uses this realizes it's potential, fully understands how it operates, and puts it to good use. I didn't spend all this time programming it for it just to be "collected". If you happen to find any bugs, compiling problems, or if you have any comments, complaints, suggestions, questions, or if you just want to annoy me or just need someone to talk to, then you can leave me mail at the following internet mail address and I will try to help you as much as I can. No Means No nmn@mindvox.phantom.com