Personal Computer Unix Password Cracker, Version 2.

01 - Copyright (c) 1990 -----------------------------------------------------------------------------Written By Doctor Dissector Released On December 17th, 1990 -----------------------------------------------------------------------------DISCLAIMER: =========== Doctor Dissector, the author of PCUPC will not be held responsible for the actions of anyone who may misuse this program for illegal appropriation of Unix(tm) accounts. Doctor Dissector DOES NOT endorse the illegal use of this program and CANNOT control the actions of the people who might use this program for illegal means. Description: ============ The Personal Computer Unix Password Cracker (PCUPC) is a program which effectively encrypts passwords from a list of words, comparing them to any unix etc/passwd file's encrypted passwords; matching passwords are recorded for future use. Limitations: ============ PCUPC can read data from an etc/passwd file. However, for best results, any lines in this file which have blank passwords ('::' password) or inactive flags (':*:' or ':***:') should be removed before administering cracking techiniques. If the lines from the etc/passwd file which contain input fields are not removed, all words and word combinations will appear to be valid for that specific user. If the lines from the etc/passwd file which contain asteriks are not removed, no words or word combinations will appear to be valid. 186/286 Version: ================ PCUPC comes in two versions, an 8088/8086 version and 80186/80286/80386 version. The 8088/8086 version is slightly slower than the 186/286/386 version, but this difference will not be obvious on any machine slower than a 25 Mhz 386 or with LARGE (over 10,000 combination) cracks. Both versions host the same features; the 8088/8086 version's executable is named "PCUPC.EXE" and the 186/286/386 version is named "PCUPC-AT.EXE". The following documentation will continue to describe BOTH versions under the name of PCUPC. Execution: ========== Usage: pcupwc /p<file> /v<file> /w<file> [/u] [/1] [/c] [/o] [/r] [/s] Mandatory Parameters: /p<file> Filename of the etc/passwd file to be cracked. If this parameter is not entered, PCUPC will request for a filename before beginning. /v<file> Filename of the output file, where all valid username/password combinations will be saved. If this parameter is not entered, PCUPC will request for a filename before beginning. /w<file> Filename of the wordfile where all password guesses are stored. Format of the words inside this wordfile must be one word per line, no blank lines are allowed. If this parameter is not

entered, PCUPC will request for a filename before beginning. Optional Parameters: /u This will tell PCUPC to compare every word from the wordfile against a user before moving to the next. Normally, PCUPC will crack for passwords in the following "format": FORMAT #1: ---------word #1: test test word #2: test test word #3: test test

user user user user user user

#1's #2's #1's #2's #1's #2's

password password... password password... password password... (etc...)

This flag will tell PCUPC to following the following format instead, for cracking passwords: FORMAT #2: ---------user #1's password: test test test user #2's password: test test test user #3's password: test test test

word word word word word word word word word

#1 #2 #3... #1 #2 #3... #1 #2 #3... (etc...)

/1 /c

/o

/r /s /?

PCUPC defaults to the first "format". This command overrides that format. This will tell PCUPC to test the characters a-z, A-Z, and 0-9 as passwords before testing words from the wordfile. This will tell PCUPC to test all guesses first in their normal case, then all uppercase, then all lowercase. PCUPC is smart and will not repeat word combinations which are the same. For example, PCUPC will test the word 'dood', first as 'dood' (normal), then as 'DOOD' (uppercase), but not 'dood' (lowercase) since it was already tested. This will tell PCUPC to display verbose output to the console. Normally, no information will be echoed to the screen once PCUPC begins cracking; this will tell PCUPC to print all guesses and correct guesses to the console. This will tell PCUPC to test all guesses in reverse after guessing them foreward. Like the '/o' flag, PCUPC will not repeat guesses if they are the same backwards and forewards. This will tell PCUPC to print all valid guesses to the console. This flag is automatically toggled when verbose output is active. Prints a summary of command line parameters and exits.

Examples: ========= pcupwc /pPASSWD.212 /vVALID.212 /wDICT.TXT /c /o The above command will instruct PCUPC to read encrypted passwords from the file PASSWD.212 (etc/passwd format), write any valid username/ password combinations to the file VALID.212, and read guesses from the

file DICT.TXT. All guesses will be tested in upper and lowercase. Output will be verbose to the console. pcupwc /ppwfile.txt /vresults.txt /wwords.txt /r /c /s The above command will instruct PCUPC to read encrypted passwords from the file PWFILE.TXT, write valid username/password combinations into RESULTS.TXT, and read guesses from WORDS.TXT. All guesses will be tested in reverse, upper, and lowercase. Valid username/password combinations will also be echoed to the screen. pcupwc /1 /o The above command will instruct PCUPC to ask for the names of the password file, valid output file, and wordfile upon execution. When cracking begins, PCUPC will test the characters a-z, A-Z, and 0-9 as passwords and print all output verbose to the console. pcupwc /u the above command will instruct PCUPC to ask for the names of the password file, valid output file, and wordfile upon execution. When cracking begins, PCUPC will crack following format #2. Nothing will be echoed to the console. Example Of Guesses: =================== PCUPC can test words as normal, uppercase, lowercase, and reversed. The following table displays the guesses for the words 'Guess', 'password', 'PW', and 'MOM'. The x'd out areas are fields which are never accessed by each particular flag. The blank spaces are fields which would be repetitive to PCUPC and therefore are not tested. +---------------------------------------------------------------------------+ | Flags | Normal | Upcase | Lowcase | Reverse | Ureverse | Lreverse | +---------------------------------------------------------------------------+ | [/c] | Guess | GUESS | guess |XXXXXXXXXX|XXXXXXXXXX|XXXXXXXXXX| | | password | PASSWORD | |XXXXXXXXXX|XXXXXXXXXX|XXXXXXXXXX| | | PW | | pw |XXXXXXXXXX|XXXXXXXXXX|XXXXXXXXXX| | | MOM | | mom |XXXXXXXXXX|XXXXXXXXXX|XXXXXXXXXX| +---------+----------+----------+----------+----------+----------+----------+ | [/r] | Guess |XXXXXXXXXX|XXXXXXXXXX| sseuG |XXXXXXXXXX|XXXXXXXXXX| | | password |XXXXXXXXXX|XXXXXXXXXX| drowssap |XXXXXXXXXX|XXXXXXXXXX| | | PW |XXXXXXXXXX|XXXXXXXXXX| WP |XXXXXXXXXX|XXXXXXXXXX| | | MOM |XXXXXXXXXX|XXXXXXXXXX| |XXXXXXXXXX|XXXXXXXXXX| +---------+----------+----------+----------+----------+----------+----------+ | [/r /c] | Guess | GUESS | guess | sseuG | SSEUG | sseug | | | password | PASSWORD | | drowssap | DROWSSAP | | | | PW | | pw | WP | | wp | | | MOM | | mom | | | | +---------------------------------------------------------------------------+ Notes: ====== 1. When aborting a crack session, be sure to exit with a CONTROL-Q; if any other break key (CONTROL-ALT-DEL, CONTROL-C, CONTROL-BREAK, Cold Boot) is used to interrupt PCUPC, some valid passwords may not be written to disk properly. CONTROL-Q properly end-writes and closes the valid output file elimiating any chance of data loss.

2. When using the default format for cracking, whenever a valid password is found for a given user, PCUPC will skip that user for the remainder of the crack; this saves time! When verbose output is active and PCUPC skips a user, an 'o' will be echoed to the screen instead of the usual '.'. 3. When using the '/u' format for cracking, whenever a valid password is found for a user, PCUPC will move on to the next user; this saves time! The default format has the capability to have a faster throughput compared to the second format; the reason is simple, examine the following example. Format #1, Hypothetical Situation: 10 words, 10 users. Word Word Word Word Word Word Word Word Word Word #1, #2, #3, #4, #5, #6, #7, #8, #9, #10, Users Users Users Users Users Users Users Users Users Users Tested: Tested: Tested: Tested: Tested: Tested: Tested: Tested: Tested: Tested: 1,2,3,4,5,6,7,8,9,10 1,2,3,4,5,6,7,8,9,10 1,2,3,4,5,6,7,8,9,10 1,2,4,5,6,7,8,9,10 1,2,4,5,6,7,8,9,10 1,2,4,5,6,7,8,9,10 1,2,4,5,6,7,8,10 1,2,4,6,7,8,10 1,2,4,6,7,8,10 1,2,4,6,7,8,10

(Valid For User #3) (Valid For User #9) (Valid For User #5)

As you can see, the crack started with 10 users, and in the end, only 7 users are being cracked because the other three have already been cracked, and PCUPC will skip them; as a result, at the end of long cracks, PCUPC will appear to run much faster as it skips already cracked users. -----------------------------------------------------------------------------Benchmarks: PCUPWC (v.99 Beta) vs PCUPC (v2.01, 8088 & 186/286/386) 1,000 Total Password Combinations Times In Minutes, Speeds In Combinations/Second +--------+-------+--------+-------+--------+-------+ Benchmarks | PCUPWC | Speed | PCUPC | Speed |PCUPC-AT| Speed | +------------+--------+-------+--------+-------+--------+-------+ | 20 Mhz 386 | 3.87 | 4.3 | 0.77 | 21.7 | 0.74 | 22.5 | | 25 Mhz 386 | 3.11 | 5.2 | 0.64 | 26.0 | 0.61 | 27.3 | | 33 Mhz 386 | 1.53 | 10.9 | 0.30 | 55.6 | 0.28 | 60.0 | +------------+--------+-------+--------+-------+--------+-------+ +----------+ | Average | | Increase | | Over | | PCUPWC | +----------+ | 514.0% | | 513.5% | | 530.3% | +----------+

-----------------------------------------------------------------------------Special thanks to Razor and Minuteman for helping me out on encryption and other technical procedures while programming this cracker. Some more special thanx go out to PLAGUE and a user who wishes not to be named at this time for help with the fast DES encryption routines. -(c)1990------------------------------------------------------------------eof-