+------------------------------------------------------+ | | | | | | | | Written By Doctor Dissector Copyright (c) 1991, By Doctor Dissector KILLER CRACKER: Portable Un*x Password Cracker ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Version 8.

00 LTD, Dated 7/28/91 | | | | | | | |

+------------------------------------------------------+

*** LIMITED EDITION !!!!! DO NOT DISTRIBUTE !!!!! LIMITED EDITION ***

License ------This program is NOT free software BUT may be used without charge or payment in any form IF your copy is a "registered" distributed version. You may modify it as much as you please, however, you MAY NOT re-distribute it, in any shape or for: ie. modified OR unmodified, without the expressed written consent (ie. e-mail) of Doctor Dissector. (bbs.doctord@doomsday.spies.com) This program was initially distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Disclaimer ----------

This program was written and released just to prove that Un*x accounts can be effectively cracked utilizing modified DES password encryption (crypt) routines and proper programming skills. I, Doctor Dissector, the author of Killer Cracker, do not endorse any type of illegal appropriation of computer accounts using programs such as this; my goal is only to prove that the Un*x operating system's greatest weakness in security lies in the /etc/passwd file. Doctor Dissector will not be held responsible for the actions of anyone who may misuse this program since he cannot control the actions of the people who might become exposed to this program's use for illegal means.

Quick Instructions -----------------To compile under any operating system using "make", edit the file "Makefile" included with this package to your needs and type "make".

File Listing & Description -------------------------WHATSNEW.800 -- Info on new modifications/additions to this version KC.DOC -- This document file KC.EXE -- MS/PC-DOS executable KC.H KC.C MAKEFILE. B_ORDER.C BCRYPT.H -- Killer Cracker source code header file -- Killer Cracker source code -- Makefile for KC, edit this and use "make" to compile! -- Determines if your machine is Network Byte Order -- Bcrypt encryption source code header file

BCRYPT.C XFDES.H XFDES.C GOODWORD.W GIRLWORD.W

-- Bcrypt encryption source code -- XFDES encryption source code header file -- XFDES encryption source code -- Collection of words from various sources -- Collection of female first names

Description ----------Killer Cracker (KC) is a program which effectively, and quickly, encrypts a sequence of guesses (words) utilizing a modified form of the DES Un*x password encryption alogrithm. These encrypted guesses are

then compared to the fields in any typical /etc/passwd file; any matches are recorded for future reference. Guesses to KC are read from several sources. The primary source of

guesses to encrypt come from a textfile (ASCII) of words separated by CR/LF pairs or LFs (depending on operating system). Other guesses are

taken from each individual account in any /etc/passwd file; the login name and two respective GECOS field entries. In addition, single characters

(a-z, A-Z, 0-9) and "funny" characters (^A-^Z, ESC, SPACE) can be tested as guesses as well. KC also has the ability to make several combinations

for several guesses from one guess (i.e. test the guess in normal case, uppercase, lowercase, and backwards) and the option to pre-pend or append any number of characters to the beginning or end of any guessed word. KC was also written in C source, which has been released and included in KC's release package. The source was developed to be highly portable

with most other C compilers, especially the Un*x C compilers.

Execution --------Killer Cracker can be invoked using various methods from the command line (shell prompt). Normally, KC will be called directly from the command In order

line; thus, usage from the command line will be discussed first.

to obtain a brief summary of KC's options from the command line, KC can be invoked with the '-?' or '/?' flag. Incedentally, all flags to KC must be The following info will

either preceded by a '-' or a '/' character.

discuss KC's command line flags and offer detailed descriptions for each. Under some Un*x shells, you may have to type the -? in double quotes ("-?") in order to get the appropriate response.

Usage: kc -?bcfghlostu -<1|2>[:]<chars> -<p|w|v>[:]<filename> -z[:]<minutes> kc -r[:]<filename>

Parms: -1 prefix chars -2 suffix chars

-p /etc/passwd file -w guess word file

-r restore file -v valid account file

Flags: -? explain usage -f test funny chars -l test login names -t test crypt result

-b test backwards -g test GECOS fields -o suppress output -u user based crack

-c test up/low cases -h hog resources -s single char test -z timeout (minutes)

Brief Summary Of Flags ----------------------? KC will print a brief summary of the available command line flags as shown above.

Description Of Flags

--------------------p[:]<file> Filename/path+filename of the /etc/passwd file to be cracked. The ':' character is optional (can be used to If no filename is specified,

clarify the command line). KC will prompt you for one.

-w[:]<file> Filename/path+filename of the wordfile where all password guesses are stored. Format of the words inside this wordfile must be one word per line, no blank lines are allowed. The ':' character is optional (can be used to If no filename is specified,

clarify the command line). KC will prompt you for one.

-v[:]<file> Filename/path+filename of the output file, where all valid account/password combinations will be saved. The ':' character is optional (can be used to clarify the command line). If no filename is specified, KC will

prompt you for one.

-r[:]<file> Filename/path+filename of the restorefile you would like KC to read options and restoredata from. If this flag is

invoked without a following filename (i.e. "kc -r"), KC will assume a default filename of "restore". Also note

that if this flag is specified, all other flags from the command line will be ignored. The ':' character is

optional (can be used to clarify the command line).

-1[:]<char> The characters KC will be instructed to pre-pend to the front of each word tested, one single character at a time.

For example, if you used the flag "-1:abc", each test would test each word as "aWORD", "bWORD", and "cWORD".

-2[:]<char> The characters KC will be instructed to append to the end of each word tested, one single character at a time. For example, if you used the flag "-1:abc", each test would test each word as "WORDa", "WORDb", and "WORDc".

-z[:]<time> Under the Un*x environment, this will instruct KC to abort after the specified <time> in MINUTES.

-b

KC will be instructed to create a word combination from the available guesses as the reverse (backwards) from of the original guess. KC is intelligent and will not repeat testing of guesses

which are the same foreward and backward (i.e. "MOM" backwards is "MOM", KC will not test this guess in reverse). Of Guesses" for more information. Refer to "Examples

-c

KC will be instructed to create word combinations from the available guesses in all uppercase and all lowercase. KC is

intelligent and guesses which are the same in all uppercase or all lowercase will be skipped from testing in the respective combination. See "Examples Of Guesses" for more information.

-f

KC will be instructed to test the "funny" control characters ^A-^Z, ESC, and SPACE as guesses before testing guesses from the wordfile.

-g

KC will be instructed to test two words from the /etc/passwd GECOS field of each individual account as guesses for that particular

account.

KC will skip over entries in the GECOS field who's second

character is the '.' period character to avoid testing initials.

-h

KC will be instructed to hog all available system resources under (and ONLY under) the BSD Unix system. This means that KC will

attempt to raise the current resource limit of its process to the maximum allowed value (if it is not at its maximum already). This

could result in dramatic performance increases as well as increased suspicion to the process, but the end result is for you, the end user to decide.

-l

KC will be instructed to test the login name from the /etc/passwd GECOS field of each individual account as a guess for that particular account.

-o

KC will be instructed to suppress all output from printing to the local console/terminal. Normally, information about the current

session is printed to the standard output; however, on the Un*x operating system where background processing requires output to be directed away from the local console/terminal, verbose output could be a problem. Also note that this flag, when executed under the

Un*x operating system, will automatically fork KC into the background (returning you quickly to the shell prompt) and the NOHUP flag (HUP signal ignore) will be placed on its process (so logoff will not result in termination of the current session).

-s

KC will be instructed to test the single characters, a-z, A-Z, and 0-9 as guesses before testing guesses from the wordfile.

-t

KC will be instructed to test the result of a single, pre-installed, encrypt/comparison using the default encryption routines. If you

get an encryption error, then your system WILL NOT effectively crack passwords.

-u

KC will be instructed to compare every word from the wordfile avainst an account before moging to the next account. When

cracking by WORDS, KC will enable same-word-memory which increses speed over cracking by users up to 40%. Normally,

KC will crack for passwords in the following format:

Default Format -------------word #1: test account #1's password test account #2's password... word #2: test account #1's password test account #2's password... word #3: test account #1's password test account #2's password... (etc.)

This flag will instruct KC to follow the following format:

Optional Format --------------user #1's password: test word #1 test word #2 test word #3... user #2's password: test word #1 test word #2

test word #3... user #3's password: test word #1 test word #2 test word #3... (etc.)

Usage Examples -------------kc -c -p:passwd.212 -w:dict.txt -v:valid.212 The above command will instruct KC to read encrypted passwords from the file passwd.212 (/etc/passwd format), read guesses from the file dict.txt, and write any valid account/password combinations to the file valid.212. All guesses will be tested

in normal, upper, and lowercase. Output will be verbose to the console.

kc -cbo -ppwfile.txt -wwords.txt -vresults.txt The above command will instruct Killer Cracker to read encrypted passwords from the file pwfile.txt, read guesses from words.txt, and write all valid account/password combinations into results.txt. All guesses will be tested in normal, upper,

lowercase and reverse-normal, reverse-upper, and reverselowercase. All output will be suppressed.

kc -glu -ppasswd.txt -wwords.txt -vvalid.txt The above command will instruct Killer Cracker to read encrypted passwords from passwd.txt, read guesses from words.txt, and write valid account/password combinations to valid.txt. In addition,

the account/login names will be tested as passwords for each

account, and the GECOS field strings will be tested as passwords for each account. When cracking begins, KC will crack passwords

using the optional format. Output will be verbose to the standard output.

kc -c -p:passwd.txt The above command will instruct KC to read encrypted passwords from passwd.txt, interactively request the filenames for the wordfile and the validfile, and test guesses in normal, upper, and lowercase.

kc -rOLDCRACK.KC The above command will instruct KC to read the restorefile OLDCRACK.KC and restore the session as saved in that file.

Examples Of Guesses ------------------Killer Cracker can test words as normal, uppercase, lowercase, reversed, and with numerical suffixes. The following table displays the

guesses for the words "Guess", "password", "PW", and 'MOM'. The '$' fields are areas which are skipped because the guess would be a repeat and the 'X' fields are areas which are never accessed.

+-----------------------------------------------------------------------+ | Flags | Normal | Upcase |Lowcase |Reverse |Ureverse|Lreverse| Suffix |

|--------+--------+--------+--------+--------+--------+--------+--------| | "c" | |Guess |GUESS |guess |XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|

|password|PASSWORD|$$$$$$$$|XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|

| |

|PW |MOM

|$$$$$$$$|pw |$$$$$$$$|mom

|XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX| |XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|

|--------+--------+--------+--------+--------+--------+--------+--------| | "r" | | | |Guess |XXXXXXXX|XXXXXXXX|sseuG |XXXXXXXX|XXXXXXXX|XXXXXXXX|

|password|XXXXXXXX|XXXXXXXX|drowssap|XXXXXXXX|XXXXXXXX|XXXXXXXX| |PW |MOM |XXXXXXXX|XXXXXXXX|WP |XXXXXXXX|XXXXXXXX|XXXXXXXX|

|XXXXXXXX|XXXXXXXX|$$$$$$$$|XXXXXXXX|XXXXXXXX|XXXXXXXX|

|--------+--------+--------+--------+--------+--------+--------+--------| | "rc" | | | |Guess |GUESS |guess |sseuG |SSEUG |sseug |XXXXXXXX|

|password|PASSWORD|$$$$$$$$|drowssap|DROWSSAP|$$$$$$$$|XXXXXXXX| |PW |MOM |$$$$$$$$|pw |$$$$$$$$|mom |WP |$$$$$$$$|wp |XXXXXXXX|

|$$$$$$$$|$$$$$$$$|$$$$$$$$|XXXXXXXX|

+-----------------------------------------------------------------------+

Killer Cracker's Symbols -----------------------When Killer Cracker is cracking passwords and output is allowed to the standard output, KC will print one of three symbols to the console for each comparison done.

"-"

This symbol is printed to the standard output when KC has completed one encryption/comparison.

"+"

This symbol is printed to the standard output when KC has already cracked the account in question or if the account had been flagged as "inactive." comparison as a result. KC will skip the encryption/

"*"

This symbol is printed to the standard output when KC is skipping the particular encryption/comparision because the guess tested would repeat a previous comparision using the same word in a different configuration. See "Examples Of Guesses" for information.

Quitting Killer Cracker ----------------------Normally, Killer Cracker will continue cracking until it has completed the last word (in the default format) or the last account (in the optional format). If cracking must be aborted in the middle of

a job, the normal terminate key sequence Control-C for MS/DOS machines, Control-\ for Un*x can be used to stop the job, close all files properly, and create a restorefile (named "restore") for future continuation of the crack (if desired). If any other method is used to

terminate the crack job (powerdown, warm/cold boot, kill -9, etc) the files may not be updated properly and data may be lost. If you are not

familiar with Un*x job control, and KC places itself in the background, you can either send a SIGQUIT/SIGINT to the KC pid or you can bring the KC process into the foreground and then type Control-C. Also note that when KC is running under suppressed output mode, the response to hitting Control-C may take up to several minutes on MS/DOS machines; just hit Control-C like three times, then sit back and wait for KC to abort (patience, my friend!).

Restorefile Format ------------------

Killer Cracker's option to restore aborted sessions or to "read" options from a normal (ASCII) file can come in handy in many circumstances. The following text describes the format of this file and how KC interprets the information in it. Note that the BASIC format of the

restorefile is "IDENTIFIER=TOKEN<newline>" where <newline> is either a CR/LF pair or a LF (depending on system implementation). Case is

ignored in the IDENTIFIER but the TOKEN's case may be important in filenames, accountnames, and words in a particular wordfile.

Example: Filename "restore" --------------------------Passwordfile=/etc/passwd Wordfile=crackwords.txt Validfile=valid.txt Prefixes=abc Suffixes=123 Flags=1rc Timeout=0 Lastaccount=daemon Lastword=phoenix

Description Of Identifiers -------------------------Passwordfile Filename of the passwordfile (same as -p<file> from the command line).

Wordfile

Filename of the wordfile (same as -w<file> from the command line).

Validfile

Filename of the validfile (same as -v<file> from the command line).

Prefixes

The characters which would be used to prefix the words being tested (same as -1<chars> from the command line).

Suffixes

The characters which would be used to suffix the words being tested (same as -2<chars> from the command line).

Flags

Flags which are currently active (same flags as offered on the command line).

Timeout

The minutes before Killer Cracker will abort the restored session.

Lastaccount

Last account cracked during an aborted session; the first account to begin cracking when the session begins (skip all preceding accounts). This

identifier is only read if the session is based on users (if the -u flag is specified). If the -u

flag is specified in the "Flags" identifier and this field does not exist or the account does not exist in the passwordfile, KC will yield an error.

Lastword

Last word cracked during an aborted session; the first word to begin cracking from when the session

begines (skip all preceding words in the given wordfile). This identifier is only read if the

session is based on words (default, no -u flag). If this identifier is missing and cracking is based on words, KC will yield an error. If the Lastword

word does not occur in the wordfile, the session will start and end without cracking anything.

System Dependent Information ---------------------------Implementation -------------MS/PC-DOS Options/Restrictions ------------------------------------------------------Killer Cracker has an upper account limit of around 2000-3000 accounts per session (max accounts per passwordfile) depending on how much system memory you have free at the time of execution.

BSD Un*x

If the '-o' flag is used, Killer Cracker will automatically fork itself into the background and the NOHUP flag (ignore HUP, hangup signal) will be set. NOTE: KC has a special command line flag which can be used ('-h') to "hog" all available system resources to KC during any given session. This is a flag which

should be used with caution, because when KC hogs resources, KC HOGS resources! (ie. on one system, w/o resource hogging, KC got 12 crypts/second... with hogging on, it got 37 crypts/second) This could arouse suspicion upon the superuser's part as other users of

the system find they can't do shit while the cracker is running. The timeout feature is enabled.

SYSV Un*x

If the '-o' flag is used, Killer Cracker will fork itself into the background as in BSD Un*x. feature is enabled. The timeout

STRIPPED

Signal processing (CONTROL-C) is ignored (hitting CONTROL-C will not save KC's process state, terminating the session "abruptly").

Notes ----1. When using the default format for cracking, Killer Cracker will skip accounts which already have been cracked in the following hypothetical format:

Default Format, Hypothetical Situation: 10 words, 10 users.

Word #1, Word #2, Word #3, Word #4, Word #5, Word #6, Word #7, Word #8, Word #9,

Users Tested: 1,2,3,4,5,6,7,8,9,10 Users Tested: 1,2,3,4,5,6,7,8,9,10 Users Tested: 1,2,3,4,5,6,7,8,9,10 Users Tested: 1,2,4,5,6,7,8,9,10 Users Tested: 1,2,4,5,6,7,8,9,10 Users Tested: 1,2,4,5,6,7,8,9,10 Users Tested: 1,2,4,5,6,7,8,10 Users Tested: 1,2,4,6,7,8,10 Users Tested: 1,2,4,6,7,8,10 (Valid For User #9) (Valid For User #5) (Valid For User #3)

Word #10, Users Tested: 1,2,4,6,7,8,10

When using the [u] option, Killer Cracker will jump to the next account when (if) a valid password is cracked for the current user.

2. When cracking accounts using Killer Cracking in "by-word" format, encryption/comparisions take place up to 100% (2x) faster than when cracking by users. This is due to an optimization in BCRYPT/XFDES which

allows KC to remember the mask of the current word being cracked and the calculation does not have to be re-done for all other comparisions with that same word. Note: these optimizations will not be as apparent

when cracking a small amount of users and/or when cracking the login/gecos fields, as each user is tested against a different guess anyway.

-----------------------------------------------------------------------------Thanx to Razor, So76, Scooter, PLAGUE, VIz, and all others who aided in the research and development of this password cracker. -(c) 1991-----------------------------------------------------------------EOF-