Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

v25i005: crack - The Password Cracker, version 4.0a, Part01/05

11 views

Skip to first unread message

Alec Muffett

unread,

Nov 3, 1991, 6:14:31 PM11/3/91

Submitted-by: a...@aber.ac.uk (Alec David Muffett)
Posting-number: Volume 25, Issue 5
Archive-name: crack/part01
Environment: UNIX
Supersedes: crack: Volume 23, Issue 1-5

This is Crack 4.0a: A new, thoroughly rethought and rewritten version of
"The Sensible Password Cracker", by Alec D.E. Muffett.

New features include:-

1) A programmable dictionary generator.
2) Extra flexibility in cracking GECOS based passwords
3) A cleaned up, slightly faster fcrypt algorithm.
4) Support for compressed data files.
5) Better (?) documentation
6) Neater code
7) Scripts to mail users whose passwords are cracked
8) A simpler user interface
9) Better portability

and much more...

The only function dependencies are a getopt() function and a qsort()
function. Both of these should be supplied either with your compiler,
or are available from the public domain (eg: the GNU project).

Conditions of redistribution are listed in the LICENCE file. If you
want to get in touch with me, my addresses are shown below, but please
be patient 'cos I am between jobs at the moment (Oct 24th 1991) and
I can't be everywhere...

As ever, start with one of the README files, and work down from there.

alec muffett
--
INET: a...@aber.ac.uk JANET: a...@uk.ac.aber BITNET: aem%aber@ukacrl
UUCP: ...!mcsun!ukc!aber!aem ARPA: aem%uk.ac...@nsfnet-relay.ac.uk
SNAIL: Alec Muffett, Computer Unit, Llandinam UCW, Aberystwyth, UK, SY23 3DB
-- 8< snip, snip 8< --
#! /bin/sh
# This is a shell archive. Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file". To overwrite existing
# files, type "sh file -c". You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g.. If this archive is complete, you
# will see the following message at the end:
# "End of archive 1 (of 5)."
# Contents: BUGS DictSrc Dicts Docs MANIFEST README Runtime Scripts
# Scripts/clean Scripts/crack.mf Scripts/dicts.rules
# Scripts/do_install Scripts/do_pwc Scripts/gecos.rules
# Scripts/guess2fbk Scripts/install.mf Scripts/mrgfbk
# Scripts/plaster Scripts/saltcount Scripts/shadmrg Scripts/spotless
# Scripts/status Sources Sources/crack-port.c Sources/speeds.c
# Sources/tester.c
# Wrapped by aem@aberda on Thu Oct 24 11:14:38 1991
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f 'BUGS' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'BUGS'\"
else
echo shar: Extracting \"'BUGS'\" $784 characters$
sed "s/^X//" >'BUGS' <<'END_OF_FILE'
XBugs as of 24th October 1991:-
X
X* Scripts/do_join: have removed the 'spot the short passwd'
Xfunctionality since awk was producing some weird errors to do with not
Xhaving enough fields to printf(). It's being silly, because one of the
Xvalues is undefined (ie: $3 is NULL. What the hell, it's replicated in
Xcrack-pwc.c, anyway... nobody should miss it...
X
X* Crack: is known to occasionally hang during a "Crack -network" whilst
Xrshing from machine to machine on some architectures. It's a persistent
Xproblem at some sites, when Crack rsh'es to a particular machine and
Xstays there, and thus never calls the next machine.
X
XFIX: mark machines that hang Crack with the "-f" option in network.conf
Xfile - then the 'rsh' will be backgrounded and Crack will continue to
Xthe next machine.
END_OF_FILE
if test 784 -ne `wc -c <'BUGS'`; then
echo shar: \"'BUGS'\" unpacked with wrong size!
fi
# end of 'BUGS'
fi
if test ! -d 'DictSrc' ; then
echo shar: Creating directory \"'DictSrc'\"
mkdir 'DictSrc'
fi
if test ! -d 'Dicts' ; then
echo shar: Creating directory \"'Dicts'\"
mkdir 'Dicts'
fi
if test ! -d 'Docs' ; then
echo shar: Creating directory \"'Docs'\"
mkdir 'Docs'
fi
if test -f 'MANIFEST' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'MANIFEST'\"
else
echo shar: Extracting \"'MANIFEST'\" $2581 characters$
sed "s/^X//" >'MANIFEST' <<'END_OF_FILE'
X File Name Archive # Description
X-----------------------------------------------------------
X APPENDIX.4.0 3 - Tips + info about this distribution
X BUGS 1 - History of misery
X Crack 2 - Password Cracker driver script
X DictSrc 1 - Directory
X DictSrc/bad_pws.dat 2 - Example bad password dictionary
X Dicts 1 - Directory
X Docs 1 - Directory
X Docs/README.ms 4 - Source code for documentation
X Docs/README.ps 5 - Postscript documentation
X LICENCE 2 - Conditions of redistribution
X MANIFEST 1 - This file
X README 1 - Plaintext documentation
X Runtime 1 - Directory
X Scripts 1 - Directory
X Scripts/Crack.network 2 - Crack driver interface to RCrack
X Scripts/RCrack 2 - Crack interface to 'rsh' or similar
X Scripts/clean 1 - Support script
X Scripts/crack.mf 1 - Utility makefile - used internally by scripts
X Scripts/dicts.rules 1 - Control rules for Crack processing
X Scripts/do_install 1 - Crack utility - used by driver script
X Scripts/do_join 2 - Crack utility - used by driver script
X Scripts/do_pwc 1 - Crack utility - used by driver script
X Scripts/gecos.rules 1 - More controls for Crack processing
X Scripts/guess2fbk 1 - Crash recovery aid
X Scripts/install.mf 1 - Utility makefile - used internally by scripts
X Scripts/mrgfbk 1 - Support Script - called from Scripts/spotless
X Scripts/nastygram 2 - Support Script
X Scripts/network.conf 2 - Control rules for "Crack -network"
X Scripts/plaster 1 - Support Script
X Scripts/saltcount 1 - Crack utility - used by driver script
X Scripts/shadmrg 1 - Support Script
X Scripts/spotless 1 - Support Script
X Scripts/status 1 - Support Script
X Sources 1 - Directory
X Sources/Makefile 2 - Makefile (what else?)
X Sources/conf.h 2 - Configuration file for executable
X Sources/crack-fcrypt.c 3 - fcrypt()
X Sources/crack-lib.c 2 - Support routines for password cracker
X Sources/crack-port.c 1 - Portability routines
X Sources/crack-pwc.c 4 - Password Cracker
X Sources/crack.h 2 - Kentucky Fried Wombat Cookies
X Sources/speeds.c 1 - Unsupported speed testing prog
X Sources/tester.c 1 - Unsupported compatibility testing prog
END_OF_FILE
if test 2581 -ne `wc -c <'MANIFEST'`; then
echo shar: \"'MANIFEST'\" unpacked with wrong size!
fi
# end of 'MANIFEST'
fi
if test -f 'README' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'README'\"
else
echo shar: Extracting \"'README'\" $30369 characters$
sed "s/^X//" >'README' <<'END_OF_FILE'
X
X
X
X
X
X
X
X
X
X "Crack Version 4.0a"
X A Sensible Password Checker for Unix
X
X
X Alec D.E. Muffett
X
X Computer Unit, University College of Wales
X Aberystwyth, Wales, SY23 3DB
X a...@aber.ac.uk
X +44 970 622492
X
X
X ABSTRACT
X
X Crack is a freely available program designed
X to find standard Unix eight-character DES
X encrypted passwords by standard guessing tech-
X niques outlined below. It is written to be flexi-
X ble, configurable and fast, and to be able to make
X use of several networked hosts via the Berkeley
X rsh program (or similar), where possible.
X
X
X
X1. Introduction to Version 4.0
X
XCrack is now into it's fourth version, and has been reworked
Xextensively to provide extra functionality, and the purpose
Xof this release is to consolidate as much of this new func-
Xtionality into as small a package as possible. To this end,
XCrack may appear to be less configurable: it has been writ-
Xten on the assumption that you run a fairly modern Unix, one
Xwith BSD functionality, and then patched in order to run on
Xother systems.
X
XThis, surprisingly enough, has led to neater code, and has
Xmade possible the introduction of greater flexibility which
Xsupercedes many of the options that could be configured in
Xearlier versions of Crack. In the same vein, some of the
Xolder options are now mandatory. These, such as feedback
Xmode and CRACK_PRINTOUT are no longer supported as options
Xand probably never will be again. There is just a lot of
Xwastage in not running with them, and too many dependencies
Xin other functions to bother programming around them.
X
XThe user interface is basically identical to the previous
Xversions, although some people have asked about providing
XX-windows GUI's to Crack, I think it would be a waste of
Xtime to do so. Crack has far less options than your ordinary
Xversion of /bin/ls.
X
X
X
X
X October 24, 1991
X
X
X
X
X
X - 2 -
X
X
XWith all that over, let's kick some (ass|arse|but(t)?)[1]
X
X2. Crack Methodology - Part 1: Internals
X
XCrack takes a series of password files and throws logic and
Xdictionaries at the passwords therein, in order to find
Xpasswords which are based upon personal information or dic-
Xtionary words, and are therefore insecure. It does not
Xattempt to remedy this situation, and it shoult NOT be used
Xin place of getting a really good secure passwd program
Xreplacement.
X
XThe above statement defines the purpose of Crack, and embo-
Xdies a great amount to hard work, graft, screams of Eureka!,
Xand a fair amount of swearing too. There is a great deal of
Xthinking behind the way that Crack attacks password files,
Xand although not perfect, I certainly hope that Crack will
Xout-do most of it's competitors.
X
XCrack works by making several passes over the password
Xentries that you supply to it. Each pass works by generat-
Xing password guesses based upon a sequence of assertions, or
Xrules, supplied to the program by the user. The rules are
Xspecified in a simplistic language, in the files gecos.rules
Xand dicts.rules in the Scripts directory. The distinction
Xbetween these two files will be made clear later.
X
XThe rules are written as a simple string of characters, with
Xone rule to a line. Blank lines, and comment lines begin-
Xning with a hash character # are ignored. Trailing whi-
Xtespace is also ignored. The instructions in the word are
Xfollowed left to right, and are applied to the dictionary
Xwords in sequence. A couple of simple pattern matching
Xprimitives are supplied for selection purposes. The syntax
Xis as follows:
X
X: No-op; do nothing to the word. This is useful as a
X space delimiter.
X
X<n Reject the word unless it is LESS THAN n characters
X long, where n is a digit 0-9, or a letter a-z for the
X values 10-35, respectively.
X
X>n Reject the word unless it is MORE THAN n characters
X long, where n is a digit 0-9, or a letter a-z for the
X values 10-35, respectively.
X
X/x Reject the word unless it contains the character 'x'.
X_________________________
X [1] An obscure lex joke, inserted only for the pur-
Xpose of allowing an example footnote for my reference -
Xsorry - AEM 8-)
X
X
X
X
X October 24, 1991
X
X
X
X
X
X - 3 -
X
X
X!y Reject the word unless it does not contain the charac-
X ter 'y'.
X
X^x Prepend character 'x' to the word.
X
X$y Append character 'y' to the word.
X
Xl Force the word to lowercase.
X
Xu Force the word to uppercase.
X
Xc Capitalise the word, lowercasing all other letters.
X
Xr Reverse the word back-to-front.
X
Xd Duplicate the word, so that fred becomes fredfred
X
Xf Reflect the word (mirror image), so that fred becomes
X fredderf
X
Xp Make best attempt to pluralise the word, assuming that
X it is lowercase.
X
Xsxy Substitute 'x' for 'y' throughout the word.
X
Xxnm Extract the string starting at position 'n' (starts at
X 0) for a length of up to 'm' characters, where 'n' and
X 'm' are digits in the range 0-9, or letters a-z for the
X values 10-35, respectively.
X
X
XSo, example rules could be:
X
Xc Capitalise the word. fred becomes Fred
X
Xl$? Lowercase the word and append a questionmark. fred
X becomes fred?
X
Xl/oso0c
X Lowercase the word, select it only if it contains the
X letter 'o' and substitute all o's for zeros, and capi-
X talise it. Both COLLEGE and college become C0llege
X
X<8l/i/olsi1so0$=
X Reject the word unless it is less that 8 characters
X long, lowercase the word, reject it if it does not con-
X tain both the letter 'i' and the letter 'o', substitute
X all i's for 1's, substitute all o's for 0's, and append
X an = sign.
X
X The reasoning for the 8 character test is that since,
X with standard crypt() type algorithms, the password is
X truncated at 8 characters, there is no point in bolting
X a letter onto the end of a word if it is 8 or more
X
X
X
X October 24, 1991
X
X
X
X
X
X - 4 -
X
X
X characters long already.
X
X<7l^($)
X Reject the word unless it is less than 7 characters
X long, lowercase it, prepend a '(' and append a ')'.
X Thus fred becomes (fred)
X
X$ : (ie: <dollar><space><colon>) Append a space character
X to the word (note that if you do not add the trailing
X no-op after the space, a syntax error will be generated
X since there is nothing to delineate the space character
X - remember: trailing whitespace is ignored).
X
X
XBefore you go on, I suggest you browse through the
XScripts/*.rules files, and take a look at the rules that I
Xsupply as defaults, and try to work out what they do.
X
XThe rules are stored in two different files for two dif-
Xferent purposes. Rules in Scripts/gecos.rules are applied
Xto data generated by Crack from the pw_gecos and pw_gecos
Xentries of the user's password entry.
X
XThe data generated by Crack and fed to the gecos rules for
Xthe user aem, who is Alec David Muffett, Compunit would be:
Xaem, Alec, David, Muffett, Compunit, and a series of permu-
Xtations of those words, either re-ordering the words and
Xjoining them together (eg: AlecMuffett), or making up new
Xwords based on initial letters of one word taken with the
Xrest of another (eg: AMuffett).
X
XThe entire set of rules in gecos.rules is applied to each of
Xthese words, which creates many more permutations and combi-
Xnations, all of which are tested. Hence testing the pass-
Xword gecos information under Crack v4.0 takes somewhat
Xlonger than it used to, but it is far more thorough.
X
X
XAfter a pass has been made over the data based on gecos
Xinformation, Crack makes further passes over the password
Xdata using successive rules from the Scripts/dicts.rules by
Xloading the entire Dicts/bigdict file into memory, with the
Xrule being applied to each word from that file. This gen-
Xerates a resident dictionary, which is generated is sorted
Xand uniqued so as to prevent wasting time on repetition.
XAfter each pass is completed, the memory used by the
Xresident dictionary is freed up, and (hopefully) re-used
Xwhen the next dictionary is loaded.
X
XThe Dicts/bigdict dictionary is created by Crack by merging,
Xsorting, and uniq'ing the source dictionaries, which are to
Xbe found in the directory DictSrc or, alternatively, may be
Xnamed in the Crack shellscript, via the $STDDICT variable.
XThe default dictionary named in the Crack script is
X
X
X
X October 24, 1991
X
X
X
X
X
X - 5 -
X
X
X/usr/dict/words.
X
XThe file DictSrc/bad_pws.dat which is meant to provide many
Xof those common, non-dictionary passwords, such as 12345678
Xor qwerty. If you wish to add a dictionary of your own,
Xjust copy it into the DictSrc directory (and use compress on
Xit if you wish to save space; Crack will unpack it whilst
Xgenerating the big dictionary) and then delete the contents
Xof the Dicts directory by running Scripts/spotless. Your
Xnew dictionary will be merged in on the next run. For more
Xinformation on dictionary attacks, see the paper called
X"Foiling the Cracker: A Survey of, and Improvements to,
XPassword Security" by Daniel Klein, available from
Xftp.sei.cmu.edu in ~/pub/dvk/passwd.*. Also, please read
Xthe APPENDIX file supplied with this distribution.[2]
X
XHaving described the method of cracking, perhaps we should
Xnow investigate the algorithm used to overlay the cracking
Xmechanism.
X
X3. Crack Methodology - Part 2: Feedback Filters
X
XAs is stated above, Crack v4.0 permutes and loads dic-
Xtionaries directly into memory, sorts and uniques them,
Xbefore attempting to use each of the words as a guess for
Xeach users' password. If Crack correctly guesses a pass-
Xword, it marks the user as 'done' and does not waste further
Xtime on trying to break that users password.
X
XOnce Crack has finished a dictionary pass, it sweeps the
Xlist of users looking for the passwords it has cracked. It
Xstores the broken passwords in both plaintext and encrypted
Xforms in a feedback file in the directory Runtime. Feedback
Xfiles have names of the form Runtime/F.*.
X
XThe purpose of this is so that, when Crack is next invoked,
Xit may recognise passwords that it has successfully cracked
Xbefore, and filter them from the input to the password
Xcracker. This provides an instant list of crackable users
Xwho have not changed their passwords since the last time
XCrack was run. This list appears in a file named out.i* in
Xthe $CRACK_OUT directory, or on stdout, if foreground mode
Xis invoked (see Options, below).
X
XIn a similar vein, when a Crack run terminates normally, it
Xwrites out to the feedback file all encrypted passwords that
Xit has NOT succeeded in cracking. Crack will then ignore
X_________________________
X [2] Extra dictionaries (those detailed in Dan Klein's
Xpaper) can be obtained via anonymous FTP from
Xuunet.uu.net (192.48.96.2) as ~/pub/dictionaries.tar.Z;
XCheck an Archie database for other possible sources of
Xdictionaries.
X
X
X
X October 24, 1991
X
X
X
X
X
X - 6 -
X
X
Xall of these passwords next time you run it.
X
XObviously, this is not desirable if you frequently change
Xyour dictionaries or rules, and so there is a script pro-
Xvided, Scripts/mrgfbk which sorts your feedback files,
Xmerges them into one, and optionally removes all traces of
X'uncrackable' passwords, so that your next Crack run can
Xhave a go at passwords it has not succeeded in breaking
Xbefore.
X
XMrgfbk is invoked automatically if you run Scripts/spotless.
X
X4. Crack Methodology - Part 3: Execution and Networking
X
XEach time Crack is invoked, whether networked or not, it
Xgenerates a diefile with a name of the form Runtime/D.* (for
Xnetwork cracks, this file is generated by RCrack, and is of
Xthe form Runtime/D.rem* which points to a real diefile,
Xnamed Runtime/RD.* - see below for details).
X
XThese diefiles contain debugging information about the job,
Xand are generated so that all the jobs on the entire network
Xcan be called quickly by invoking Scripts/plaster. Diefiles
Xdelete themselves after they have been run.
X
XAs you will read in the sections below, Crack has a -network
Xoption: This is designed to be a simple method of automati-
Xcally spreading the load of password cracking out over
Xseveral machines on a network, preferably if they are con-
Xnected by some form of networked filestore.
X
XWhen Crack -network is invoked, it filters its input in the
Xordinary way, and then splits its load up amongst several
Xmachines which are specified in the file
XScripts/network.conf.
X
XThis file contains a series of hostnames, power ratings,
Xflags, etc, relevant to the running of Crack on each
Xmachine. Crack then calls Scripts/RCrack to use the rsh
Xcommand (or similar) to invoke Crack on the other hosts.
XSee the RCrack script, and the example network.conf file for
Xdetails.
X
X5. Installation
X
XCrack is one of those most unusual of beasties, a self-
Xinstalling program. Some people have complained about this
Xapparent weirdness, but it has grown up with Crack ever
Xsince the earliest network version, when I could not be
Xbothered to log into several different machines with several
Xdifferent architectures, just in order to build the
Xbinaries. Once the necessary configuration options have been
Xset, the executables are created via make by running the
XCrack shellscript .
X
X
X
X October 24, 1991
X
X
X
X
X
X - 7 -
X
X
XCrack's configuration lies in two files, the Crack shell
Xscript, which contains all the installation specific confi-
Xguration data, and the file Sources/conf.h, which contains
Xconfiguration options specific to various binary platforms.
X
XIn the Crack shellscript, you will have to edit the
XCRACK_HOME variable to the correct value. This variable
Xshould be set to an absolute path name (names relative to
X~username are OK, so long as you have some sort of csh)
Xthrough which the directory containing Crack may be accessed
Xon ALL the machines that Crack will be run on. There is a
Xsimilar variable CRACK_OUT which specifies where Crack
Xshould put its output files - by default, this is the same
Xas $CRACK_HOME.
X
XYou will also have to edit the file Sources/conf.h and work
Xout which switches to enable. Each #define has a small note
Xexplaining its purpose. Where I have been in doubt about
Xthe portability of certain library functions, usually I have
Xre-written it, so you should be OK. Let me know of your
Xproblems, if you have any.
X
XIf you will be using Crack -network you will then have to
Xgenerate a Scripts/network.conf file. This contains a list
Xof hostnames to rsh to, what their binary type is (useful
Xwhen running a network Crack on several different architec-
Xtures), a guesstimate of their relative power (take your
Xslowest machine as unary, and measure all others relative to
Xit), and a list of per-host flags to add to those specified
Xon the Crack command line, when calling that host. There is
Xan example of such a file provided in the Scripts directory
X- take a look at it.
X
XIf ever you wish to specify a more precise figure as to the
Xrelative power of your machines, or you are simply at a
Xloss, play with the command make tests in the source code
Xdirectory. This can provide you with the number of
Xfcrypt()s that your machine can do per second, which is a
Xnumber that you can plug into your network.conf as a measure
Xof your machines' power (after rounding the value to an
Xinteger).
X
X6. Usage
X
XOkay, so, let's assume that you have edited your Crack
Xscript, and your Sources/conf.h file, where do you go from
Xhere ?
X
X
XCrack [options] [bindir] /etc/passwd [...other passwd files]
X
XCrack -network [options] /etc/passwd [...other passwd files]
X
X
X
X
X
X October 24, 1991
X
X
X
X
X
X - 8 -
X
X
XWhere bindir is the optional name of the directory where you
Xwant the binaries installed. This is useful where you want
Xto be able to run versions of Crack on several different
Xarchitectures. If bindir does not exist, a warning will be
Xissued, and the directory created.
X
X Note: bindir defaults to the name generic if not
X supplied.
X
X
XNotes for Yellow Pages (NIS) Users: I have occasional
Xqueries about how to get Crack running from a YP password
Xfile. There are several methods, but by far the simplest is
Xto generate a passwd format file by running:-
X
X ypcat passwd > passwd.yp
X
Xand then running Crack on this file.
X
X7. Options
X
X-f Runs Crack in foreground mode, ie: the password cracker
X is not backgrounded, and messages appear on stdout and
X stderr as you would expect. This option is only really
X useful for very small password files, or when you want
X to put a wrapper script around Crack.
X
X Foreground mode is disabled if you try running Crack
X -network -f on the command line, because of the insen-
X sibility of rshing to several machines in turn, waiting
X for each one to finish before calling the next. How-
X ever, please read the section about Network Cracking
X without NFS/RFS, below.
X
X-v Sets verbose mode, whereby Crack will print every guess
X it is trying on a per-user basis. This is a very quick
X way of flooding your filestore, but useful if you think
X something is going wrong.
X
X-m Sends mail to any user whose password you crack by
X invoking Scripts/nastygram with their username as an
X argument. The reason for using the script is so that a
X degree of flexibility in the format of the mail message
X is supplied; ie: you don't have to recompile code in
X order to change the message.[3]
X_________________________
X [3] I'm uncertain about the wisdom of mailing someone
Xlike this. If someone browses your cracked user's mail
Xsomehow, it's like a great big neon sign pointing at
Xthe user saying "This Is A Crackable Account - Go For
XIt!". Not to mention the false sense of security it
Xengenders in the System Manager that he's "informed"
Xthe user to change his password. What if the user
Xdoesn't log on for 3 months? However, so many people
X
X
X October 24, 1991
X
X
X
X
X
X - 9 -
X
X
X-nvalue
X Sets the process to be nice()ed to value, so, for exam-
X ple, the switch -n19 sets the Crack process to run at
X the lowest priority.
X
X-network
X Throws Crack into network mode, in which it reads the
X Scripts/network.conf file, splits its input into chunks
X which are sized according to the power of the target
X machine, and calls rsh to run Crack on that machine.
X Options for Crack running on the target machine may be
X supplied on the command line (eg: verbose or recover
X mode), or in the network.conf file if they pertain to
X specific hosts (eg: nice() values).
X
X-r<pointfile>
X This is only for use when running in recover mode.
X When a running Crack starts pass 2, it periodically
X saves its state in a pointfile, with a name of the form
X Runtime/P.* This file can be used to recover where you
X were should a host crash. Simply invoke Crack in
X exactly the same manner as the last time, with the
X addition of the -r switch, (eg: -rRuntime/P.12345)
X switch. Crack will startup and read the file, and jump
X to roughly where it left off. If you are cracking a
X very large password file, this can save oodles of time
X after a crash.
X
X If you were running a network Crack, then the jobs will
X again be spawned onto all the machines of the original
X Crack. The program will then check that the host it is
X running on is the same as is mentioned in the
X pointfile. If it is not, it will quietly die. Thus,
X assuming that you supply the same input data and do not
X change your network.conf file, Crack should pick up
X where it left off. This is a bit inelegant, but it's
X better than nothing at the moment.
X
X The method of error recovery outlined above causes
X headaches for users who want to do multiprocessing on
X parallel architectures. Crack is in no way parallel,
X and because of the way it's structured (reading stdin
X from shellscript frontends) it is a pain to divide the
X work amongst several processes via fork()ing.
X
X The hack solution to get several copies of Crack run-
X ning on one machine with n processors at the moment is
X to insert n copies of the entry for your parallel
X machine into the Scripts/network.conf file. If you use
X the -r option in these circumstances however, you will
X_________________________
Xhave wired it into their own versions of Crack, I sup-
Xpose it must be provided... AEM
X
X
X
X
X October 24, 1991
X
X
X
X
X
X - 10 -
X
X
X get n copies of the recovered process running, only one
X of them will have the correct input data.
X
X The old solution to this problem (see old documentation
X if you are interested) has been negated by the intro-
X duction of feedback mode, so the best bet in this par-
X ticular situation is to wait until the other jobs are
X done (and have written out lists of uncrackable pass-
X words), and then re-start the jobs from scratch. Any-
X one whose password was not cracked on the first run
X will be ignored on the second, if they have not changed
X it since. This is inelegant, but it's the best I can
X do in the limited time available.
X
X8. Support Scripts
X
XThe Scripts directory contains a small number of support and
Xutility scripts, some of which are designed to help Crack
Xusers check their progress. Briefly, the most useful ones
Xare:-
X
XScripts/shadmrg
X This is a small (but hopefully readable) script for
X merging /etc/passwd and /etc/shadow on System V style
X shadow password systems. It produces the merged data
X to stdout, and will need redirecting into a file before
X Crack can work on it. The script is meant to be fairly
X lucid, on the grounds that I worry that there are many
X shadowing schemes out there, and perhaps not all have
X the same data format.
X
X I have not wired this facility into the Crack command
X itself because the world does NOT revolve around System
X V yet, regardless of what some people would have me
X believe, and I believe that the lack of direct support
X for NIS outlined above, sets a precedent. There are
X just too many incompatibilities in shadow password
X schemes for me to hardwire anything.
X
XScripts/plaster
X which is named after a dumb joke, but is a simple fron-
X tend to the Runtime/D.* diefiles that each copy of the
X password cracker generates. Invoking Scripts/plaster
X will kill off all copies of the password cracker you
X are running, over the network or otherwise.
X
XScripts/status
X This script rshes to each machine mentioned in the
X Scripts/network.conf file, and provides some informa-
X tion about processes and uptime on that machine. This
X is useful when you want to find out just how well your
X password crackers are getting on during a Crack -net-
X work.
X
X
X
X
X October 24, 1991
X
X
X
X
X
X - 11 -
X
X
XScripts/{clean,spotless}
X These are really just frontends to a makefile. Invoking
X Scripts/clean tidies up the Crack home directory, and
X removes probably unwanted files, but leaves the pre-
X processed dictionary bigdict intact. Scripts/spotless
X does the same as Scripts/clean but obliterates bigdict
X and old output files too, and compresses the feedback
X files into one.
X
XScripts/nastygram
X This is the shellscript that is invoked by the password
X cracker to send mail to users who have guessable pass-
X words, if the -m option is used. Edit it at your lei-
X sure to suit your system.
X
XScripts/guess2fbk
X This script takes your out.* files as arguments and
X reformats the 'Guessed' lines into a slightly messy
X feedback file, suitable for storing with the others.
X
X An occasion where this might be useful is when your
X cracker has guessed many peoples passwords, and then
X died for some reason (a crash?) before writing out the
X guesses to a feedback file. Running
X
X Scripts/guess2fbk out.* >> Runtime/F.new
X
X will save the work that has been done.
X
X9. Network Cracking without NFS/RFS
X
XFor those users who have some form of rsh command, but do
Xnot have a a networked filestore running between hosts,
Xthere is now a solution which will allow you to do networked
Xcracking, proposed to me by Brian Tompsett at Hull. Person-
Xally, I consider the idea to be potty, but it fills in miss-
Xing functionality in a wonderfully tacky manner.
X
XFrom the documentation above, you will note that Crack will
Xundo the -f (output in foreground) option, if it is invoked
Xwith the -network switch at the same time (see the Options
Xsection above). This is true, but it does not apply if you
Xspecify -f option in the network.conf file.
X
XThe practical upshot of doing this is that remote copies of
XCrack can be made to read from stdin and write to stdout
Xover a network link, and thus remote processing is accom-
Xplished. I have tweaked Crack in such a way, therefore,
Xthat if the -f option is specified amongst the crack-flags
Xof a host in the network.conf, rather than backgrounding
Xitself on the remote host, the rsh command on the server is
Xbackgrounded, and output is written directly to the files on
Xthe server's filestore.
X
X
X
X
X October 24, 1991
X
X
X
X
X
X - 12 -
X
X
XThere are restrictions upon this method, mostly involving
Xthe number of processes that a user may run on the server at
Xany one time, and that you will have to collect feedback
Xoutput together manually (dropping it into the Runtime
Xdirectory on the server). However, it works. Also, if you
Xtry to use rsh as another user, you will suffer problems if
Xrsh insists on reading something from your terminal (eg: a
Xpassword for the remote account). Also, recovering using
Xcheckpointing goes out the window unless you specify the
Xname of the pointfile as it is named on the remote machine.
X
X10. Notes on fast crypt() implementations
X
XThe stdlib version of the crypt() subroutine is incredibly
Xslow. It is a massive bottleneck to the execution of Crack
Xand on typical platforms that you get at universities, it is
Xrare to find a machine which will achieve more than 50 stan-
Xdard crypt() s per second. On low-end diskless worksta-
Xtions, you may expect 2 or 3 per second. It was this slow-
Xness of the crypt() algorithm which originally supplied much
Xof the security Unix needed.[4]
X
XThere are now many implementations of faster versions of
Xcrypt() to be found on the network. The one supplied with
XCrack v3.2 and upwards is called fcrypt(). It was origi-
Xnally written in May 1986 by Robert Baldwin at MIT, and is a
Xgood version of the crypt() subroutine. I received a copy
Xfrom Icarus Sparry at Bath University, who had made a couple
Xof portability enhancements to the code.
X
XI rewrote most of the tables and the KeySchedule generating
Xalgorithm in the original fdes-init.c to knock 40% off the
Xexecution overhead of fcrypt() in the form that it was
Xshipped to me. I inlined a bunch of stuff, put it into a
Xsingle file, got some advice from Matt Bishop and Bob
XBaldwin [both of whom I am greatly indebted to] about what
Xto do to the xform() routine and to the fcrypt function
Xitself, and tidied up some algorithms. I have also added
Xmore lookup tables and reduced several formula for faster
Xuse. Fcrypt() is now barely recognisable as being based on
Xits former incarnation, and it is 3x faster.
X
XOn a DecStation 5000/200, fcrypt() is about 16 times faster
Xthan the standard crypt (your mileage may vary with other
Xarchitectures and compilers). This speed puts fcrypt() into
Xthe "moderately fast" league of crypt implementations. There
Xare faster versions of crypt to be had (eg: UFC) which may
Xbe found on the network. The advantage of fcrypt() is that
XI support it, understand it, and can distribute and fix it
Xwithout hassle. If you want to play around with other
X_________________________
X [4] See: "Password Security, A Case History" by Bob
XMorris & Ken Thomson, in the Unix Programmer Docs.
X
X
X
X October 24, 1991
X
X
X
X
X
X - 13 -
X
X
Xcrypts, that is up to you. Feel free. 8-)
X
X11. Conclusions
X
XWhat can be done about brute force attacks on your password
Xfile ?
X
XYou must get a drop-in replacement for the passwd and
Xyppasswd commands; one which will stop people from choosing
Xbad passwords in the first place. There are several pro-
Xgrams to do this; Matt Bishop's passwd+ and Clyde Hoover's
Xnpasswd program are good examples which are freely avail-
Xable. Consult an Archie database for more details on where
Xyou can get them from.
X
XIt would be nice if an organisation (such as CERT?) could be
Xpersuaded to supply skeletons of sensible passwd commands
Xfor the public good, as well as an archive of security
Xrelated utilities[5] on top of the excellent COPS. However,
Xfor Unix security to improve on a global scale, we will also
Xrequire pressure on the vendors, so that programs are writ-
Xten correctly from the beginning.
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X_________________________
X [5] COPS is available for anonymous FTP from
Xcert.sei.cmu.edu (128.237.253.5) in ~/cops
X
X
X
X
X October 24, 1991
X
X
END_OF_FILE
if test 30369 -ne `wc -c <'README'`; then
echo shar: \"'README'\" unpacked with wrong size!
fi
# end of 'README'
fi
if test ! -d 'Runtime' ; then
echo shar: Creating directory \"'Runtime'\"
mkdir 'Runtime'
fi
if test ! -d 'Scripts' ; then
echo shar: Creating directory \"'Scripts'\"
mkdir 'Scripts'
fi
if test -f 'Scripts/clean' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/clean'\"
else
echo shar: Extracting \"'Scripts/clean'\" $447 characters$
sed "s/^X//" >'Scripts/clean' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
Xmake -f Scripts/crack.mf clean
X
Xexit 0
END_OF_FILE
if test 447 -ne `wc -c <'Scripts/clean'`; then
echo shar: \"'Scripts/clean'\" unpacked with wrong size!
fi
chmod +x 'Scripts/clean'
# end of 'Scripts/clean'
fi
if test -f 'Scripts/crack.mf' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/crack.mf'\"
else
echo shar: Extracting \"'Scripts/crack.mf'\" $251 characters$
sed "s/^X//" >'Scripts/crack.mf' <<'END_OF_FILE'
XSRCDIR= Sources
XBIGDICT= Dicts/bigdict
X
Xall:
X @echo CALL TO CRACK.MF WITH NO TARGET
X
Xspotless: clean
X -rm -f out.* $(BIGDICT)
X -Scripts/mrgfbk
X
Xclean:
X -rm -f Runtime/D.* Runtime/P.* Runtime/RD.* tmp.* nohup.out
X -( cd $(SRCDIR) && make clean )
END_OF_FILE
if test 251 -ne `wc -c <'Scripts/crack.mf'`; then
echo shar: \"'Scripts/crack.mf'\" unpacked with wrong size!
fi
# end of 'Scripts/crack.mf'
fi
if test -f 'Scripts/dicts.rules' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/dicts.rules'\"
else
echo shar: Extracting \"'Scripts/dicts.rules'\" $1029 characters$
sed "s/^X//" >'Scripts/dicts.rules' <<'END_OF_FILE'
X###
X# Description file for Crack dictionary processor. ADE Muffett, Oct 1991
X###
X# <n = reject if string >= n characters long, where n = 0-9
X# >n = reject if string <= n characters long, where n = 0-9
X# !y = reject if string contains 'y'
X# /x = reject if string does not contain 'x'
X# $y = append character 'y' to word
X# : = no-op - do nothing to the input word
X# ^x = prepend character 'x' to word
X# c = capitalise word
X# d = duplicate word
X# f = reflect word (mirror image)
X# l = force word lowercase
X# p = make best attempt to pluralise word
X# r = reverse word
X# sxy = substitute 'x' for 'y' in word
X# xnm = extract substring from position n for m characters
X# u = force word uppercase
X###
X# Here we go...
X###
Xl
X>2lp
X>2<8l$!
X>2<8l$.
X>2<8l$0
X>2<8l$1
X>2<8l$?
X>2lr
X>2c
X>2cr
X>2u
X>2/lsl1l
X>2/oso0l
X>2/l/osl1so0l
X>2lf
X>2<8$ :
X>2<8l$2
X>2<8l$3
X>2<8l$4
X>2<8l$5
X>2<8l$6
X>2<8l$7
X>2<8l$8
X>2<8l$9
X>2rc
X>2<8c$!
X>2<8c$.
X>2<8c$?
X>2ld
X>2<8u$!
X>2<8u$.
X>2<8u$?
X>2/OsO0u
X>2l^0
X>2l^1
X>2l^2
X>2l^3
X>2l^4
X>2l^5
X>2l^6
X>2l^7
X>2l^8
X>2l^9
X>2ud
X>2uf
X>2ur
END_OF_FILE
if test 1029 -ne `wc -c <'Scripts/dicts.rules'`; then
echo shar: \"'Scripts/dicts.rules'\" unpacked with wrong size!
fi
# end of 'Scripts/dicts.rules'
fi
if test -f 'Scripts/do_install' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/do_install'\"
else
echo shar: Extracting \"'Scripts/do_install'\" $759 characters$
sed "s/^X//" >'Scripts/do_install' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
Xcrack_arch=$1
X
X###
X# Is there a binaries directory ?
X###
X
Xif [ ! -d $crack_arch ]
Xthen
X mkdir $crack_arch || exit 1
Xfi
X
Xcd $crack_arch || exit 1 # Can we get there from here ?
X
X###
X# Install makefiles in our directory if necessary.
X###
X
Xif [ ! -f Makefile ]
Xthen
X cp $CRACK_HOME/Scripts/install.mf Makefile || exit 1
Xfi
X
Xexit 0
END_OF_FILE
if test 759 -ne `wc -c <'Scripts/do_install'`; then
echo shar: \"'Scripts/do_install'\" unpacked with wrong size!
fi
chmod +x 'Scripts/do_install'
# end of 'Scripts/do_install'
fi
if test -f 'Scripts/do_pwc' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/do_pwc'\"
else
echo shar: Extracting \"'Scripts/do_pwc'\" $695 characters$
sed "s/^X//" >'Scripts/do_pwc' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
Xcrack_arch=$1
X
Xif [ ! -d $crack_arch ]
Xthen
X Scripts/do_install $crack_arch || exit 1
Xfi
X
Xcd $crack_arch || exit 1 # Can we get there from here ?
X
X###
X# Make the password cracker
X###
X
Xmake crack-pwc || exit 1 # Check binaries are OK
X
Xexit 0
END_OF_FILE
if test 695 -ne `wc -c <'Scripts/do_pwc'`; then
echo shar: \"'Scripts/do_pwc'\" unpacked with wrong size!
fi
chmod +x 'Scripts/do_pwc'
# end of 'Scripts/do_pwc'
fi
if test -f 'Scripts/gecos.rules' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/gecos.rules'\"
else
echo shar: Extracting \"'Scripts/gecos.rules'\" $698 characters$
sed "s/^X//" >'Scripts/gecos.rules' <<'END_OF_FILE'
X###
X# Try to avoid redundancy in this file... AEM
X###
X>2
X>2l
X>2cr
X>2rc
X>2ld
X>2lf
X>2lr
X>2u
X>2ud
X>2uf
X>2ur
X>2<8$0
X>2<8$1
X>2<8$2
X>2<8$3
X>2<8$4
X>2<8$5
X>2<8$6
X>2<8$7
X>2<8$8
X>2<8$9
X>2<8c$!
X>2<8c$.
X>2<8c$?
X>2<8l$!
X>2<8l$.
X>2<8l$0
X>2<8l$1
X>2<8l$2
X>2<8l$3
X>2<8l$4
X>2<8l$5
X>2<8l$6
X>2<8l$7
X>2<8l$8
X>2<8l$9
X>2<8l$?
X>2<8u$!
X>2<8u$.
X>2<8u$0
X>2<8u$1
X>2<8u$2
X>2<8u$3
X>2<8u$4
X>2<8u$5
X>2<8u$6
X>2<8u$7
X>2<8u$8
X>2<8u$9
X>2<8u$?
X>2<8u$?
X>2^0
X>2^1
X>2^2
X>2^3
X>2^4
X>2^5
X>2^6
X>2^7
X>2^8
X>2^9
X>2l^0
X>2l^1
X>2l^2
X>2l^3
X>2l^4
X>2l^5
X>2l^6
X>2l^7
X>2l^8
X>2l^9
X# A couple I missed from the Dan Klein paper
X>2cf
X>2^($)
X# You can enable these if you really want...
X#>2u^0
X#>2u^1
X#>2u^2
X#>2u^3
X#>2u^4
X#>2u^5
X#>2u^6
X#>2u^7
X#>2u^8
X#>2u^9
END_OF_FILE
if test 698 -ne `wc -c <'Scripts/gecos.rules'`; then
echo shar: \"'Scripts/gecos.rules'\" unpacked with wrong size!
fi
# end of 'Scripts/gecos.rules'
fi
if test -f 'Scripts/guess2fbk' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/guess2fbk'\"
else
echo shar: Extracting \"'Scripts/guess2fbk'\" $859 characters$
sed "s/^X//" >'Scripts/guess2fbk' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
X###
X# guess2fbk : generates a 'feedback' file on stdout from output format
X# data. On occasions when emergency construction is useful.
X###
X
Xif [ $# = 0 ]
Xthen
X echo "Usage: $0 outputfile [...]"
X exit 1
Xfi
X
X###
X# Had to modify this awk script now that passwords are turning up with spaces
X###
X
Xcat $* |
Xawk '
X/Guessed/{
X start = index($0, "[");
X stop = index($0, "]");
X print "!fb!:" $NF ":Y:" substr($0, start+1, stop - start - 1)
X}
X' |
Xsort |
Xuniq
X
END_OF_FILE
if test 859 -ne `wc -c <'Scripts/guess2fbk'`; then
echo shar: \"'Scripts/guess2fbk'\" unpacked with wrong size!
fi
chmod +x 'Scripts/guess2fbk'
# end of 'Scripts/guess2fbk'
fi
if test -f 'Scripts/install.mf' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/install.mf'\"
else
echo shar: Extracting \"'Scripts/install.mf'\" $574 characters$
sed "s/^X//" >'Scripts/install.mf' <<'END_OF_FILE'
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
XSD= ../Sources
X
Xcrack-pwc: $(SD)/crack-pwc.c $(SD)/crack-lib.c $(SD)/conf.h $(SD)/crack-fcrypt.c
X ( cd $(SD) ; make clean )
X ( cd $(SD) ; make crack-pwc )
X cp $(SD)/crack-pwc .
END_OF_FILE
if test 574 -ne `wc -c <'Scripts/install.mf'`; then
echo shar: \"'Scripts/install.mf'\" unpacked with wrong size!
fi
# end of 'Scripts/install.mf'
fi
if test -f 'Scripts/mrgfbk' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/mrgfbk'\"
else
echo shar: Extracting \"'Scripts/mrgfbk'\" $1246 characters$
sed "s/^X//" >'Scripts/mrgfbk' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
X###
X# mrgfbk - a shell script to merge all of your feedback files into one
X# before starting a Crack -F on a set of new dictionaries. This program
X# is called from "Scripts/spotless"
X###
X# mrgfbk takes all the feedback files and filters out all the GUESSED
X# passwords, and saves them to a new feedback file. The UNGUESSED
X# passwords are deleted, so that the new dictionaries can have a go at
X# them
X###
X
Xtf=./mfb$$
X
Xecho ""
Xecho "Saving all CRACKABLE passwords.
XDo you also want to save your UNCRACKABLE passwords ?
XAnswer NO if you have changed some rules or modified source dictionaries
X(default: yes) "
X
Xread answer
X
Xcase $answer in
X [Nn]*)
X cat Runtime/F.* |
X awk -F: '$3 == "Y"' |
X sort |
X uniq > $tf
X ;;
X *)
X cat Runtime/F.* |
X sort |
X uniq > $tf
X ;;
Xesac
X
Xrm -f Runtime/F.*
X
Xcp $tf Runtime/F.merged
X
Xrm -f $tf
X
Xexit 0
END_OF_FILE
if test 1246 -ne `wc -c <'Scripts/mrgfbk'`; then
echo shar: \"'Scripts/mrgfbk'\" unpacked with wrong size!
fi
chmod +x 'Scripts/mrgfbk'
# end of 'Scripts/mrgfbk'
fi
if test -f 'Scripts/plaster' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/plaster'\"
else
echo shar: Extracting \"'Scripts/plaster'\" $665 characters$
sed "s/^X//" >'Scripts/plaster' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
X###
X# This program provides a quick network murder if running "Crack -network"
X###
X# The name is Chris Samuel's fault... "Plaster the Cracks" indeed...
X# Mail admiration of this joke to cc...@aber.ac.uk
X###
X
Xfor i in Runtime/D.*
Xdo
X echo $i
X $i
Xdone
X
Xexit 0
END_OF_FILE
if test 665 -ne `wc -c <'Scripts/plaster'`; then
echo shar: \"'Scripts/plaster'\" unpacked with wrong size!
fi
chmod +x 'Scripts/plaster'
# end of 'Scripts/plaster'
fi
if test -f 'Scripts/saltcount' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/saltcount'\"
else
echo shar: Extracting \"'Scripts/saltcount'\" $627 characters$
sed "s/^X//" >'Scripts/saltcount' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
X###
X# Count the number of individual salts in do_join format...
X###
X
Xawk -F: '
XBEGIN {
X i = 0; # Just in case there is no input
X}
Xsubstr($3, 1, 2) != last {
X i++;
X last = substr($3, 1, 2);
X}
XEND {
X print i;
X}'
X
Xexit 0
END_OF_FILE
if test 627 -ne `wc -c <'Scripts/saltcount'`; then
echo shar: \"'Scripts/saltcount'\" unpacked with wrong size!
fi
chmod +x 'Scripts/saltcount'
# end of 'Scripts/saltcount'
fi
if test -f 'Scripts/shadmrg' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/shadmrg'\"
else
echo shar: Extracting \"'Scripts/shadmrg'\" $948 characters$
sed "s/^X//" >'Scripts/shadmrg' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
Xshadow=/etc/shadow
Xpasswd=/etc/passwd
X
X###
X# Merge /etc/shadow & /etc/passwd for Crack. Assume 7 fields for /etc/passwd,
X# and other for /etc/shadow
X###
X
Xcat $passwd $shadow |
Xawk -F: '
XBEGIN {
X OFS = ":";
X}
X
XNF == 7 {
X pwents[$1] = $0;
X}
X
XNF != 7 {
X shadow_pw[$1] = $2;
X}
X
XEND {
X for (pw_name in pwents)
X {
X fields = split(pwents[pw_name], pwd, ":");
X
X if (shadow_pw[pwd[1]] != "LOCKED")
X {
X print pwd[1], \
X shadow_pw[pwd[1]], \
X pwd[3], \
X pwd[4], \
X pwd[5], \
X pwd[6], \
X pwd[7];
X }
X }
X}'
END_OF_FILE
if test 948 -ne `wc -c <'Scripts/shadmrg'`; then
echo shar: \"'Scripts/shadmrg'\" unpacked with wrong size!
fi
chmod +x 'Scripts/shadmrg'
# end of 'Scripts/shadmrg'
fi
if test -f 'Scripts/spotless' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/spotless'\"
else
echo shar: Extracting \"'Scripts/spotless'\" $554 characters$
sed "s/^X//" >'Scripts/spotless' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
Xecho "Are you sure that you want to do this ? (no)"
Xread ans
X
Xcase $ans in
X [Yy]*)
X make -f Scripts/crack.mf spotless
X ;;
X *)
X ;;
Xesac
X
Xexit 0
END_OF_FILE
if test 554 -ne `wc -c <'Scripts/spotless'`; then
echo shar: \"'Scripts/spotless'\" unpacked with wrong size!
fi
chmod +x 'Scripts/spotless'
# end of 'Scripts/spotless'
fi
if test -f 'Scripts/status' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/status'\"
else
echo shar: Extracting \"'Scripts/status'\" $630 characters$
sed "s/^X//" >'Scripts/status' <<'END_OF_FILE'
X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
Xcat Scripts/network.conf |
Xawk -F: '
X/^[A-Za-z]/{
X print "echo ::: Calling", $1, " :-";
X
X if ($4 == "")
X {
X rshf = "-n";
X } else
X {
X rshf = "-n -l " $4;
X }
X print "rsh ", $1, rshf, "\"uptime ; ps x\"";
X} ' |
Xsh
X
Xexit 0
END_OF_FILE
if test 630 -ne `wc -c <'Scripts/status'`; then
echo shar: \"'Scripts/status'\" unpacked with wrong size!
fi
chmod +x 'Scripts/status'
# end of 'Scripts/status'
fi
if test ! -d 'Sources' ; then
echo shar: Creating directory \"'Sources'\"
mkdir 'Sources'
fi
if test -f 'Sources/crack-port.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/crack-port.c'\"
else
echo shar: Extracting \"'Sources/crack-port.c'\" $740 characters$
sed "s/^X//" >'Sources/crack-port.c' <<'END_OF_FILE'
X/*
X * This program is copyright Alec Muffett 1991 except for some portions of
X * code in "crack-fcrypt.c" which are copyright Robert Baldwin, Icarus
X * Sparry and Alec Muffett. The author(s) disclaims all responsibility or
X * liability with respect to it's usage or its effect upon hardware or
X * computer systems, and maintain copyright as set out in the "LICENCE"
X * document which accompanies distributions of Crack v4.0 and upwards.
X */
X
X#include "crack.h"
X
X#ifdef CRACK_UNAME
X#include <sys/utsname.h>
Xint
Xgethostname (name, namelen)
X char *name;
X int namelen;
X{
X struct utsname uts;
X if (uname (&uts))
X {
X return (-1);
X }
X strncpy (name, uts.nodename, namelen - 1);
X return (0);
X}
X#endif /* CRACK_UNAME */
END_OF_FILE
if test 740 -ne `wc -c <'Sources/crack-port.c'`; then
echo shar: \"'Sources/crack-port.c'\" unpacked with wrong size!
fi
# end of 'Sources/crack-port.c'
fi
if test -f 'Sources/speeds.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/speeds.c'\"
else
echo shar: Extracting \"'Sources/speeds.c'\" $1323 characters$
sed "s/^X//" >'Sources/speeds.c' <<'END_OF_FILE'
X/*
X * This program is copyright Alec Muffett 1991 except for some portions of
X * code in "crack-fcrypt.c" which are copyright Robert Baldwin, Icarus
X * Sparry and Alec Muffett. The author(s) disclaims all responsibility or
X * liability with respect to it's usage or its effect upon hardware or
X * computer systems, and maintain copyright as set out in the "LICENCE"
X * document which accompanies distributions of Crack v4.0 and upwards.
X */
X
X#include <sys/time.h>
X#include <signal.h>
X#include <stdio.h>
X
Xstatic int cnt;
X#define ITIME 10 /* Number of seconds to run test. */
X
Xint Log(){}
X
Xvoid
XStop ()
X{
X printf ("Did %f %s()s per second.\n",
X ((float) cnt) / ((float) ITIME),
X#if defined(T1)
X "fcrypt"
X#elif defined(T2)
X "XForm"
X#else
X "crypt"
X#endif
X );
X exit (0);
X}
Xmain ()
X{
X struct itimerval itv;
X static int quarters[4];
X
X bzero (&itv, sizeof (itv));
X
X printf ("Running for %d seconds of virtual time ...\n", ITIME);
X
X#if defined(T1) || defined(T2)
X init_des ();
X#endif
X
X signal (SIGVTALRM, Stop);
X itv.it_value.tv_sec = ITIME;
X itv.it_value.tv_usec = 0;
X setitimer (ITIMER_VIRTUAL, &itv, NULL);
X
X for (cnt = 0;; cnt++)
X {
X#if defined(T1)
X fcrypt ("fredfred", "eek");
X#elif defined(T2)
X XForm (quarters, 0);
X#else
X crypt ("fredfred", "eek");
X#endif
X }
X}
END_OF_FILE
if test 1323 -ne `wc -c <'Sources/speeds.c'`; then
echo shar: \"'Sources/speeds.c'\" unpacked with wrong size!
fi
# end of 'Sources/speeds.c'
fi
if test -f 'Sources/tester.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/tester.c'\"
else
echo shar: Extracting \"'Sources/tester.c'\" $1222 characters$
sed "s/^X//" >'Sources/tester.c' <<'END_OF_FILE'
X/*
X * This program is copyright Alec Muffett 1991 except for some portions of
X * code in "crack-fcrypt.c" which are copyright Robert Baldwin, Icarus
X * Sparry and Alec Muffett. The author(s) disclaims all responsibility or
X * liability with respect to it's usage or its effect upon hardware or
X * computer systems, and maintain copyright as set out in the "LICENCE"
X * document which accompanies distributions of Crack v4.0 and upwards.
X */
X
X#include <stdio.h>
X#include <time.h>
X
X#define EEK 8192
X#define PROFx
X
Xstatic char *strings[] =
X{
X "fredfred",
X "brian",
X "ab",
X "qwerty",
X "marginallytoolong",
X (char *) 0
X};
X
XLog()
X{
X}
X
Xmain ()
X{
X int i;
X char **ptr;
X char a[255];
X char b[255];
X
X init_des ();
X
X#ifndef PROF
X for (ptr = strings; *ptr; ptr++)
X {
X strcpy (a, crypt (*ptr, *ptr));
X strcpy (b, fcrypt (*ptr, *ptr));
X
X printf ("\nCheck Old: %s\tNew: %s\n", a, b);
X
X if (!strcmp (a, b))
X {
X printf ("fcrypt() is compatible with standard crypt()\n");
X } else
X {
X printf ("fcrypt() is not compatible !!! \7\n");
X exit (1);
X }
X }
X printf ("Doing %d fcrypts()\n", EEK);
X#endif
X
X for (i = EEK; i; i--)
X {
X fcrypt ("fredfred", "eek");
X }
X
X return (0);
X}
END_OF_FILE
if test 1222 -ne `wc -c <'Sources/tester.c'`; then
echo shar: \"'Sources/tester.c'\" unpacked with wrong size!
fi
# end of 'Sources/tester.c'
fi
echo shar: End of archive 1 $of 5$.
cp /dev/null ark1isdone
MISSING=""
for I in 1 2 3 4 5 ; do
if test ! -f ark${I}isdone ; then
MISSING="${MISSING} ${I}"
fi
done
if test "${MISSING}" = "" ; then
echo You have unpacked all 5 archives.
rm -f ark[1-9]isdone
else
echo You still need to unpack the following archives:
echo " " ${MISSING}
fi
## End of shell archive.
exit 0
exit 0 # Just in case...
--
Kent Landfield INTERNET: ke...@sparky.IMD.Sterling.COM
Sterling Software, IMD UUCP: uunet!sparky!kent
Phone: (402) 291-8300 FAX: (402) 291-4362
Please send comp.sources.misc-related mail to ke...@uunet.uu.net.

Alec Muffett

unread,

Nov 3, 1991, 6:15:14 PM11/3/91

Submitted-by: a...@aber.ac.uk (Alec David Muffett)

Posting-number: Volume 25, Issue 6
Archive-name: crack/part02

Environment: UNIX
Supersedes: crack: Volume 23, Issue 1-5

#! /bin/sh

# it by saving it into a file and typing "sh file". To overwrite existing
# files, type "sh file -c". You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g.. If this archive is complete, you
# will see the following message at the end:

# "End of archive 2 (of 5)."
# Contents: Crack DictSrc/bad_pws.dat LICENCE Scripts/Crack.network
# Scripts/RCrack Scripts/do_join Scripts/nastygram
# Scripts/network.conf Sources/Makefile Sources/conf.h
# Sources/crack-lib.c Sources/crack.h
# Wrapped by aem@aberda on Thu Oct 24 11:14:41 1991

PATH=/bin:/usr/bin:/usr/ucb ; export PATH

if test -f 'Crack' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Crack'\"
else
echo shar: Extracting \"'Crack'\" $5911 characters$
sed "s/^X//" >'Crack' <<'END_OF_FILE'

X#!/bin/sh
X
X###
X# This program is copyright Alec Muffett 1991, and is provided as part of
X# the Crack v4.0 Password Cracking package. The author disclaims all
X# responsibility or liability with respect to it's usage or its effect
X# upon hardware or computer systems, and maintains copyright as set out in
X# the "LICENCE" document which accompanies distributions of Crack v4.0 and
X# upwards. So there...
X###
X
X###

X# CRACK_HOME: You must put DOUBLE QUOTES around this and have /bin/csh if
X# you work relative to ~username - this is the Crack installation directory.
X###
X
XCRACK_HOME="~aem/EXTRA2/crack40"
X
X###
X# CRACK_OUT: This is the directory into which all the password guesser
X# output files are to be stored. This affects only the "out.*" files, and
X# not "D.*" or "P.*", due to restraints on the support scripts.
X###
X
XCRACK_OUT="$CRACK_HOME"
X
X###
X# Umask for security's sake - stops files being world readable (if you
X# don't have it in your .login)
X###
X
Xumask 077
X
X###
X# DEFAULT_BIN : For non-network cracks, you can leave this as 'generic'.
X# Setting this to `arch` is non-portable.
X###
X
XDEFAULT_BIN="generic"
X
X###
X# List of standard dictionaries that you should have to provide words;
X#
X###
X
XSTDDICT="/usr/dict/words"
X
X###
X############### FROM HERE ON IN IT'S ALL MY FAULT ###############
X###
X
Xversion="4.0a RELEASE" # version number
Xpwl="" # user specified
Xdomail="" # user specified
Xfgnd="" # user specified
Xremote="" # program specified
Xnice="" # user specified
Xrcvr="" # user specified
Xinputfile="/tmp/pw.$$" # program specified, also in pwc.c
Xverbose="" # user specified
Xcf_file="Scripts/network.conf" # program specified
Xbigdict="Dicts/bigdict" # program specified
X
XCRACK_HOME_UNRES="$CRACK_HOME"
X
Xif [ -f "/bin/csh" ] # -x bombs on Ultrix
Xthen
X CRACK_OUT=` /bin/csh -fc "echo $CRACK_OUT" `
X CRACK_HOME=` /bin/csh -fc "echo $CRACK_HOME" `
Xfi
X
Xif [ ! -d "$CRACK_OUT" ]
Xthen
X echo "Warning: CRACK_OUT directory reset to directory '.'"
X CRACK_OUT="."
Xfi
X
Xexport CRACK_HOME
Xexport CRACK_OUT
Xexport DEFAULT_BIN
Xexport CRACK_HOME_UNRES
X
X###
X# Check existance of a home directory
X###
X
Xif [ "$CRACK_HOME" != "" -a -d "$CRACK_HOME" ]
Xthen
X cd $CRACK_HOME || exit 1
Xelse
X echo "Fatal error: the directory $CRACK_HOME does not exist."
X echo ""
X echo "Please set the value of CRACK_HOME in the 'Crack' script to the name of
X echo "the installation directory."
X echo ""
X echo "The current working directory is" `pwd`"

X exit 1
Xfi
X
X###

X# Announce ourselves.
X###
X
Xecho "Crack $version, The Password Cracker (c) Alec D.E. Muffett, 1991"
Xecho "Invoked as: $0 $*"

X
Xif [ $# = 0 ]
Xthen

X echo "Usage: $0 [options] [bindir] passwdfile [...]"
X echo "Or: $0 -network [options] passwdfile [...]"
X echo "Options:-"
X echo " -v - to produce verbose output"
X echo " -nnicevalue - to run niced to 'nicevalue'"
X echo " -rpointfile - to recover a crashed-out job"
X echo " -Rpointfile - to recover (with verify) a crashed-out job"
X echo " -f - to run in foreground (output to stdout)"
X echo " -m - to mail the user a warning message if cracked"

X exit 1
Xfi
X
X###

X# Make the dictionaries. God this is SOOOOO much simpler...
X###
X
Xif [ ! -s $bigdict ]
Xthen
X echo "Making dictionary $bigdict - This may take some time..."
X (
X for dictfile in $STDDICT DictSrc/*
X do
X case $dictfile in
X *.Z)
X zcat $dictfile
X ;;
X *)
X cat $dictfile
X ;;
X esac
X done
X ) |
X grep -v '^#' |
X sort |
X uniq > Dicts/bigdict
Xelse
X echo "Dictionary $bigdict intact"
Xfi
X
X###
X# Check your invocation...
X###
X
Xif [ "x$1" = "x-network" ]
Xthen
X shift
X Scripts/Crack.network $*
X exit 0
Xfi
X
Xwhile :
Xdo
X case $1 in
X -network)
X echo "Error: -network (if specified) must be first argument"
X exit 1
X ;;
X -X*)
X remote=$1
X shift
X ;;
X -m*)
X domail=$1
X shift
X ;;
X -l*)
X pwl=$1
X shift
X ;;
X -f*)
X fgnd=$1
X shift
X ;;
X -n*)
X nice=$1
X shift
X ;;
X -r*)
X rcvr=$1
X shift
X ;;
X -v*)
X verbose=$1
X shift
X ;;
X -*)
X echo "Error: unknown argument $1"
X shift
X ;;
X *)
X break
X ;;
X esac
Xdone
X
X###
X# Test first non-switch argument for existance, hence where to put binaries
X###
X
Xif [ -f "$1" ]
Xthen
X CRACK_ARCH="$CRACK_HOME/$DEFAULT_BIN"
Xelse
X CRACK_ARCH="$CRACK_HOME/$1"
X shift
Xfi
X
Xexport CRACK_ARCH
X
Xecho "Binary directory: $CRACK_ARCH"

X
X###
X# Make the password cracker
X###
X

XScripts/do_pwc $CRACK_ARCH || exit 1
X
X###
X# Process input to the program
X###
X
Xecho "Sorting data for Crack."
X
Xif [ "x$remote" != "x" ]
Xthen
X cat > $inputfile
Xelse
X out_init=$CRACK_OUT/out.i.$$
X
X Scripts/do_join $out_init $* > $inputfile || exit 1
X
X if [ "x$domail" != "x" ]
X then
X MISCREANTS=`awk '/Guessed/{print $6}' < $out_init`
X echo Sending Warning Mail to $MISCREANTS
X Scripts/nastygram $MISCREANTS
X fi
X
X if [ "x$fgnd" != "x" ]
X then
X cat $out_init || exit 1
X rm -f $out_init
X fi
Xfi
X
X###
X# Check the runtime scratch file directory for pwc
X###
X
Xif [ ! -d Runtime ]
Xthen
X echo "Creating Runtime Directory."
X mkdir Runtime || exit 1
Xfi
X
X###
X# Kick it off into the background ?
X###
X# This is the message which has drawn the most complaints... However, I
X# have no way of knowing the name in advance, and I can't have crack-pwc
X# print it on stdout due to hanging file descriptors which bollox a
X# network crack. Hence I HAVE to be vague...
X###
X
Xflags="$remote $fgnd $XXdomail $pwl $nice $rcvr $verbose -i $inputfile"
X
Xecho "Flags:" $flags $bigdict
X
Xif [ "x$fgnd" != "x" ]
Xthen
X echo "Running program in foreground"
X $CRACK_ARCH/crack-pwc $flags $bigdict < /dev/null 2>&1
Xelse
X echo "Running program in background"
X nohup $CRACK_ARCH/crack-pwc $flags $bigdict </dev/null >/dev/null 2>&1 &
X echo "Output will be written to a file in directory $CRACK_OUT"
X echo "named 'out.<something>'"
Xfi
X
Xsleep 1
X
Xtest -f nohup.out && rm nohup.out
X
X###
X# There are horrible timeraces involved in removing $tmpfile, so I dont.
X# Crack-pwc does. Still. Hohum.
X###
X
Xexit 0
END_OF_FILE
if test 5911 -ne `wc -c <'Crack'`; then
echo shar: \"'Crack'\" unpacked with wrong size!
fi
chmod +x 'Crack'
# end of 'Crack'
fi
if test -f 'DictSrc/bad_pws.dat' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'DictSrc/bad_pws.dat'\"
else
echo shar: Extracting \"'DictSrc/bad_pws.dat'\" $6493 characters$
sed "s/^X//" >'DictSrc/bad_pws.dat' <<'END_OF_FILE'
XBongpoo
X0
X1
X123456
X12345678
X2
X3
X4
X5
X6
X7
X8
X9
XA
XAdrian
XAdrianna
XAlasdair
XAlbert
XAlex
XAlexander
XAlice
XAlicia
XAlisa
XAlison
XAlistair
XAlister
XAllison
XAmanda
XAmber
XAmy
XAndrea
XAnduin
XAngela
XAngie
XAnita
XAnn
XAnna
XAnne
XAnnette
XApril
XArlene
XArthur
XAthena
XB
XBBROYGBVGW
XBailey
XBarbara
XBart
XBartman
XBecky
XBeryl
XBeth
XBetsie
XBetty
XBeverly
XBishop
XBob
XBrandi
XBrandy
XBrenda
XBridget
XC
XCalvin
XCamille
XCandi
XCandy
XCaren
XCarla
XCarmen
XCarol
XCarole
XCarolina
XCaroline
XCarrie
XCatherine
XCathy
XCecily
XCharity
XCharles
XChristina
XChristine
XChristy
XCindy
XClaudia
XCollins
XConnie
XCornelius
XCristina
XCrystal
XCynthia
XD
XDaisy
XDana
XDaniel
XDanielle
XDawn
XDeb
XDebbie
XDeborah
XDenise
XDesiree
XDiana
XDiane
XDoobrie
XDulce
XDuncan
XE
XEdwina
XEileen
XEinstein
XElaine
XElanor
XElizabeth
XEllen
XEmily
XEmmanuel
XErica
XErika
XErin
XEvelyn
XF
XFelicia
XG
XGabriel
XGeorge
XGertrude
XGilly
XGina
XGinger
XH
XHarvey
XHeather
XHeidi
XHiawatha
XHobbes
XHolly
XI
XIngrid
XIrene
XJ
XJackie
XJane
XJanet
XJanice
XJanie
XJasmin
XJean
XJeanne
XJen
XJenni
XJennifer
XJenny
XJessica
XJill
XJoanne
XJody
XJohnny
XJoseph
XJoshua
XJoy
XJoyce
XJudith
XJudy
XJulia
XJulie
XJune
XK
XKaren
XKarie
XKarina
XKate
XKathleen
XKathrine
XKathy
XKatina
XKatrina
XKelly
XKeri
XKerri
XKerrie
XKerry
XKim
XKimberly
XKitten
XKrista
XKristen
XKristi
XKristie
XKristin
XKristine
XKristy
XL
XLana
XLara
XLaura
XLeah
XLeslie
XLinda
XLisa
XLiz
XLois
XLori
XLorin
XLorraine
XLouis
XLouise
XLucy
XLynn
XLynne
XM
XMVEMJSUNP
XMalcolm
XMara
XMarci
XMarcy
XMaria
XMarietta
XMarni
XMary
XMaurice
XMeagan
XMegan
XMelissa
XMichael
XMichele
XMichelle
XMickey
XMonica
XMortis
XN
XNancy
XNicole
XNita
XNoreen
XO
XOlivia
XP
XPam
XPamela
XPat
XPatricia
XPatty
XPaula
XPenelope
XPierre
XPolly
XQ
XR
XRachel
XRachelle
XRebecca
XRenee
XRobin
XRobyn
XRochelle
XRonald
XRonnie
XRose
XRosemary
XS
XSamantha
XSandra
XSandy
XSara
XSarah
XShannon
XSharon
XSherri
XShirley
XSnarfel
XSondra
XSonia
XSonya
XStacey
XStaci
XStacie
XStacy
XSteph
XStephanie
XSusan
XSusanne
XSusie
XSuzanne
XSuzie
XSybil
XT
XTamara
XTami
XTamie
XTammy
XTara
XTheresa
XTiffany
XTina
XTraci
XTracie
XTracy
XTrisha
XU
XUrsula
XV
XValerie
XVeronica
XVicky
XVirginia
XW
XWOBAFGKMRNS
XWarren
XWendi
XWendy
XWhitney
XWilliam
XWillie
XWilma
XX
XY
XYolanda
XZ
Xa
Xaaa
Xabc
Xabcd
Xabcde
Xabcdef
Xabcdefg
Xabcdefgh
Xacademia
Xacademic
Xaccess
Xada
Xadmin
Xaerobics
Xairplane
Xalbany
Xalbatross
Xalf
Xalgebra
Xalias
Xaliases
Xalpha
Xalphabet
Xama
Xamadeus
Xamorphous
Xanalog
Xanchor
Xandromache
Xandy
Xanimals
Xanswer
Xanthropogenic
Xanvils
Xanything
Xaria
Xariadne
Xarrow
Xasd
Xasdfgh
Xasm
Xasshole
Xatmosphere
Xaztecs
Xazure
Xb
Xbacchus
Xbadass
Xbanana
Xbananas
Xbandit
Xbanks
Xbarber
Xbaritone
Xbasic
Xbass
Xbassoon
Xbatch
Xbatman
Xbeach
Xbeater
Xbeauty
Xbeaver
Xbeethoven
Xbeetledrive
Xbeloved
Xbenz
Xbeowulf
Xberkeley
Xberlin
Xberliner
Xbeta
Xbicameral
Xbitch
Xbizzy
Xbradley
Xbrian
Xbroadway
Xbsd
Xbuggerall
Xbumbling
Xburgess
Xbuzby
Xc
Xcad
Xcampanile
Xcantor
Xcardinal
Xcarmen
Xcarolina
Xcarson
Xcascades
Xcastle
Xcat
Xcayuga
Xceltics
Xcerulean
Xchange
Xcharles
Xcharming
Xcharon
Xchat
Xcheesecake
Xchem
Xchemistry
Xchess
Xchester
Xchocolate
Xcigar
Xcinelli
Xclass
Xclassic
Xcluster
Xclusters
Xcode
Xcoffee
Xcoke
Xcollins
Xcommrades
Xcomputer
Xcomrade
Xcomrades
Xcondo
Xcondom
Xconnect
Xconsole
Xcookie
Xcookie
Xcooper
Xcornelius
Xcouscous
Xcreate
Xcreation
Xcreosote
Xcretin
Xcriminal
Xcshrc
Xd
Xdaemon
Xdancer
Xdaniel
Xdanny
Xdapper
Xdata
Xdave
Xdecember
Xdefault
Xdefoe
Xdeluge
Xdesperate
Xdevelop
Xdevice
Xdial
Xdiet
Xdieter
Xdigital
Xdisc
Xdiscbox
Xdiscovery
Xdisk
Xdisney
Xdog
Xdos
Xdrought
Xe
Xeager
Xearth
Xeasier
Xeasy
Xeatme
Xedges
Xedinburgh
Xedwin
Xegghead
Xeiderdown
Xelephant
Xemail
Xemerald
Xenemy
Xengine
Xengineer
Xenterprise
Xenzyme
Xersatz
Xestablish
Xestate
Xeternity
Xeuclid
Xeugene
Xextension
Xf
Xfairway
Xfender
Xfermat
Xferrari
Xfidelity
Xfield
Xfile
Xfinite
Xfishers
Xflakes
Xfloat
Xflower
Xflowers
Xfoolproof
Xfootball
Xforesight
Xformat
Xforsythe
Xfourier
Xfred
Xfriend
Xfrighten
Xfun
Xfunction
Xfungible
Xg
Xgabriel
Xgames
Xgardner
Xgarfield
Xgatt
Xgauss
Xgeorge
Xgertrude
Xgibson
Xglacier
Xgnu
Xgolf
Xgolfer
Xgorgeous
Xgorges
Xgosling
Xgouge
Xgraham
Xgrahm
Xgrass
Xgroup
Xgryphon
Xgucci
Xguess
Xguest
Xguitar
Xgumption
Xguntis
Xgweledigaeth
Xh
Xhack
Xhacker
Xhal
Xhamlet
Xhandily
Xhappening
Xharmony
Xharold
Xhawaii
Xhebrides
Xheinlein
Xhello
Xhelp
Xherbert
Xhibernia
Xhidden
Xhobbit
Xhomework
Xhoney
Xhorse
Xhorus
Xhutchins
Xhydrogen
Xibm
Xiluvben
Ximbroglio
Ximperial
Xinclude
Xingres
Xingress
Xinna
Xinnocuous
Xinternet
Xirishman
Xisis
Xizzy
Xj
Xjapan
Xjester
Xjixian
Xjohnny
Xjuggle
Xjupiter
Xk
Xkalajira
Xkermit
Xkernel
Xkey
Xkipper
Xkirkland
Xknight
Xl
Xladle
Xlager
Xlambda
Xlamination
Xlarkin
Xlarry
Xlazarus
Xlebesgue
Xlee
Xleland
Xleroy
Xlewis
Xlibrary
Xlight
Xlisp
Xllareggub
Xlock
Xlockout
Xlove
Xm
Xmacintosh
Xmack
Xmaggot
Xmagic
Xmail
Xmaint
Xmalcom
Xmanager
Xmark
Xmarkus
Xmars
Xmarty
Xmarvin
Xmaster
Xmath
Xmaurice
Xmellon
Xmemory
Xmercury
Xmerlin
Xmets
Xmgr
Xmichael
Xmike
Xminimum
Xminsky
Xmit
Xmodem
Xmogul
Xmoguls
Xmoose
Xmorley
Xmortis
Xmouse
Xmozart
Xmuser
Xmutant
Xn
Xnagel
Xnapoleon
Xnasa
Xnepenthe
Xneptune
Xness
Xnet
Xnetwork
Xnew
Xnews
Xnewton
Xnext
Xnobody
Xnoxious
Xnuclear
Xnutrition
Xnyquist
Xo
Xoceanography
Xocelot
Xoerhrdle
Xoffice
Xolivetti
Xolivia
Xopen
Xoperator
Xoracle
Xorca
Xorchid
Xorwell
Xosiris
Xoutlaw
Xoxford
Xp
Xpacific
Xpad
Xpainless
Xpakistan
Xpaper
Xpapers
Xpass
Xpassword
Xpencil
Xpenguin
Xpenis
Xpeoria
Xpercolate
Xpersimmon
Xpersona
Xpete
Xpeter
Xphilip
Xphoenix
Xphone
Xpierre
Xpizza
Xplane
Xplayboy
Xplover
Xpluto
Xplymouth
Xpolynomial
Xpondering
Xpork
Xporsche
Xposter
Xpower
Xpraise
Xprecious
Xprelude
Xpresto
Xprince
Xprinceton
Xpriv
Xprivate
Xprivs
Xprofessor
Xprofile
Xprogram
Xprotect
Xprotozoa
Xpub
Xpublic
Xpumpkin
Xpuneet
Xpuppet
Xq
Xqwerty
Xqwertyui
Xr
Xrabbit
Xrachmaninoff
Xrainbow
Xraindrop
Xraleigh
Xrandom
Xrascal
Xreagan
Xreally
Xregional
Xremote
Xrick
Xripple
Xrisc
Xrje
Xrobot
Xrobotics
Xrochester
Xrodent
Xrolex
Xromano
Xronald
Xroot
Xrosebud
Xroses
Xruben
Xrules
Xruth
Xs
Xsal
Xsaturn
Xsaxon
Xscamper
Xscheme
Xschool
Xscott
Xscotty
Xsecret
Xsecurity
Xsensor
Xserenity
Xservice
Xsesame
Xsex
Xsharc
Xsharks
Xsharon
Xsheffield
Xsheldon
Xshell
Xshit
Xshitforbrains
Xshiva
Xshivers
Xshuttle
Xsignature
Xsilverlake
Xsimon
Xsimple
Xsimpsons
Xsinger
Xsingle
Xsmile
Xsmiles
Xsmooch
Xsmother
Xsnatch
Xsnoopy
Xsoap
Xsocrates
Xsomebody
Xsossina
Xsparrows
Xspit
Xsplatter
Xsplodge
Xspring
Xspringer
Xsquires
Xstrangle
Xstratford
Xstudent
Xstuttgart
Xsubway
Xsuccess
Xsucker
Xsummer
Xsun
Xsuper
Xsuperstage
Xsuperuser
Xsupport
Xsupported
Xsurfer
Xswearer
Xsymmetry
Xsys
Xsysadmin
Xsystem
Xt
Xtangerine
Xtape
Xtarget
Xtarragon
Xtaylor
Xteabag
Xtech
Xtelephone
Xtemptation
Xtennis
Xterminal
Xtest
Xthailand
Xthanatos
Xtiger
Xtoggle
Xtomato
Xtopography
Xtortoise
Xtoxic
Xtoyota
Xtrails
Xtransfer
Xtrivial
Xtrombone
Xtty
Xtubas
Xtuttle
Xu
Xumesh
Xunhappy
Xunicorn
Xunix
Xunknown
Xuranus
Xurchin
Xutil
Xutility
Xuucp
Xv
Xvasant
Xvenus
Xvertigo
Xvillage
Xvirgin
Xvisitor
Xvortex
Xw
Xwargames
Xwarren
Xwater
Xweenie
Xwhatever
Xwhatnot
Xwhiting
Xwhitney
Xwholesale
Xwill
Xwilliam
Xwilliamsburg
Xwillie
Xwinston
Xwisconsin
Xwizard
Xwizzy
Xwombat
Xwoodwind
Xword
Xwork
Xwormwood
Xwyoming
Xx
Xxerox
Xxfer
Xxmodem
Xxyz
Xy
Xyaco
Xyang
Xyellowstone
Xyosemite
Xz
Xzap
Xzerox
Xzimmerman
Xzmodem
Xzxcvbn
END_OF_FILE
if test 6493 -ne `wc -c <'DictSrc/bad_pws.dat'`; then
echo shar: \"'DictSrc/bad_pws.dat'\" unpacked with wrong size!
fi
# end of 'DictSrc/bad_pws.dat'
fi
if test -f 'LICENCE' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'LICENCE'\"
else
echo shar: Extracting \"'LICENCE'\" $4771 characters$
sed "s/^X//" >'LICENCE' <<'END_OF_FILE'
X(*
XThis document is freely plagiarised from the 'Artistic Licence',
Xdistributed as part of the Perl v4.0 kit by Larry Wall, which is
Xavailable from most major archive sites
X*)
X
XThis documents purpose is to state the conditions under which this
XPackage (See definition below) viz: The "Crack" Password Cracker, which
Xis copyright Alec David Edward Muffett, may be copied, such that the
XCopyright Holder maintains some semblance of artistic control over the
Xdevelopment of the package, while giving the users of the package the
Xright to use and distribute the Package in a more-or-less customary
Xfashion, plus the right to make reasonable modifications.
X
XSo there.
X
X***************************************************************************
X
XDefinitions:
X
X"Package" refers to the collection of files distributed by the Copyright
XHolder, and derivatives of that collection of files created through
Xtextual modification, or segments thereof.
X
X"Standard Version" refers to such a Package if it has not been modified,
Xor has been modified in accordance with the wishes of the Copyright
XHolder.
X
X"Copyright Holder" is whoever is named in the copyright or copyrights
Xfor the package.
X
X"You" is you, if you're thinking about copying or distributing this
XPackage.
X
X"Reasonable copying fee" is whatever you can justify on the basis of
Xmedia cost, duplication charges, time of people involved, and so on.
X(You will not be required to justify it to the Copyright Holder, but
Xonly to the computing community at large as a market that must bear the
Xfee.)
X
X"Freely Available" means that no fee is charged for the item itself,
Xthough there may be fees involved in handling the item. It also means
Xthat recipients of the item may redistribute it under the same
Xconditions they received it.
X
X1. You may make and give away verbatim copies of the source form of the
XStandard Version of this Package without restriction, provided that you
Xduplicate all of the original copyright notices and associated
Xdisclaimers.
X
X2. You may apply bug fixes, portability fixes and other modifications
Xderived from the Public Domain or from the Copyright Holder. A Package
Xmodified in such a way shall still be considered the Standard Version.
X
X3. You may otherwise modify your copy of this Package in any way,
Xprovided that you insert a prominent notice in each changed file stating
Xhow and when AND WHY you changed that file, and provided that you do at
Xleast ONE of the following:
X
Xa) place your modifications in the Public Domain or otherwise make them
XFreely Available, such as by posting said modifications to Usenet or an
Xequivalent medium, or placing the modifications on a major archive site
Xsuch as uunet.uu.net, or by allowing the Copyright Holder to include
Xyour modifications in the Standard Version of the Package.
X
Xb) use the modified Package only within your corporation or
Xorganization.
X
Xc) rename any non-standard executables so the names do not conflict with
Xstandard executables, which must also be provided, and provide separate
Xdocumentation for each non-standard executable that clearly documents
Xhow it differs from the Standard Version.
X
Xd) make other distribution arrangements with the Copyright Holder.
X
X4. You may distribute the programs of this Package in object code or
Xexecutable form, provided that you do at least ONE of the following:
X
Xa) distribute a Standard Version of the executables and library files,
Xtogether with instructions (in the manual page or equivalent) on where
Xto get the Standard Version.
X
Xb) accompany the distribution with the machine-readable source of the
XPackage with your modifications.
X
Xc) accompany any non-standard executables with their corresponding
XStandard Version executables, giving the non-standard executables
Xnon-standard names, and clearly documenting the differences in manual
Xpages (or equivalent), together with instructions on where to get the
XStandard Version.
X
Xd) make other distribution arrangements with the Copyright Holder.
X
X5. You may charge a reasonable copying fee for any distribution of this
XPackage. You may charge any fee you choose for support of this Package.
XYOU MAY NOT CHARGE A FEE FOR THIS PACKAGE ITSELF. However, you may
Xdistribute this Package in aggregate with other (possibly commercial)
Xprograms as part of a larger (possibly commercial) software distribution
Xprovided that you do not advertise this Package as a product of your
Xown.
X
X6. The name of the Copyright Holder may not be used to endorse or
Xpromote products derived from this software without specific prior
Xwritten permission.
X
X7. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
XWARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
XMERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
X
X The End
END_OF_FILE
if test 4771 -ne `wc -c <'LICENCE'`; then
echo shar: \"'LICENCE'\" unpacked with wrong size!
fi
# end of 'LICENCE'
fi
if test -f 'Scripts/Crack.network' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/Crack.network'\"
else
echo shar: Extracting \"'Scripts/Crack.network'\" $3793 characters$
sed "s/^X//" >'Scripts/Crack.network' <<'END_OF_FILE'

X# This program reads the network.conf and breaks up the sorted password
X# file and runs RCrack to kick Crack up on all the machines and feeds
X# the file to it.
X###
X# Okay, if you don't like this bit of code, YOU think of a totally
X# portable way to do this - in shell scripts without using PERL - Alec.
X###
X
Xcf=Scripts/network.conf
Xtf=/tmp/mcp.$$
X
X###
X# Check that the config file is in place
X###
X
Xif [ ! -f $cf -o ! -s $cf ]
Xthen
X echo "Crack.network: empty or missing config file: $cf"

X exit 1
Xfi
X
X###

X# Parse arguments
X###
X
Xargs=""
Xfiles=""
Xdomail=""
X
Xfor i in $*
Xdo
X if [ -f "$i" ]
X then
X files="$files $i"
X else
X case $i in
X -f*)
X echo "Crack: -f option on COMMAND LINE incompatible with networking - Ignored"
X ;;
X -m*)
X domail="$i"
X args="$args $i"
X ;;
X *)
X args="$args $i"
X ;;
X esac
X fi
Xdone
X
X###
X# Get on with your proper job
X###
X
Xecho "Merging input data."
X
Xif [ "$CRACK_OUT" != "" ]
Xthen
X warn=$CRACK_OUT/out.i2.$$
Xelse
X warn=out.i2.$$
Xfi
X
XScripts/do_join $warn $files > $tf
X
Xif [ "x$domail" != "x" ]
Xthen
X MISCREANTS=`awk '/Guessed/{print $6}' < $warn`
X echo Sending Warning Mail to $MISCREANTS
X Scripts/nastygram $MISCREANTS
Xfi
X
X###
X# Statistics gathering
X###
X
Xlines=`wc -l < $tf`
Xsaltlines=`Scripts/saltcount < $tf`
X
X# Must not quote $lines/$saltlines here for comparison to work
Xif [ $lines = 0 -o $saltlines = 0 ]
Xthen
X echo "Crack: no uncracked input to distribute."

X exit 1
Xfi
X

Xecho "Starting analysis for Network-Crack."
X
Xcat $cf |
Xgrep -v '^#' |
Xgrep -v '$^' |
Xsort -t: +2 -n |
Xawk -F: '
XBEGIN {
X hostcount = 0;
X totalweight = 0;
X linecount = '"$lines"';
X saltlinecount = '"$saltlines"';
X iargs = "'"$args"'";
X file = "'"$tf"'";
X}
X
X/^[a-zA-Z0-9]/ {
X hostname[hostcount] = $1;
X bintype[hostcount] = $2;
X relpow[hostcount] = $3;
X powtot += $3;
X
X if (index($6, "-f") == 0)
X {
X asynch[hostcount] = "";
X } else
X {
X asynch[hostcount] = "-asynch";
X }
X
X crackf[hostcount] = $6 " " iargs; # useropts go second get priority

X
X if ($4 == "")
X {

X rshuser[hostcount] = "";
X } else
X {
X rshuser[hostcount] = "-l " $4;
X crackf[hostcount] = crackf[hostcount] " -U" $4;
X }
X
X if ($5 == "")
X {
X crackp[hostcount] = "$CRACK_HOME_UNRES/Crack";
X } else
X {
X crackp[hostcount] = $5;
X }
X
X crackf[hostcount] = iargs " " $6;
X hostcount++;
X}
X
XEND {
X done = 1;
X slice = 0.0;
X remainder = 0.0;
X todo = saltlinecount;
X print "echo Users:", linecount;
X print "echo Salts:", saltlinecount;
X print "echo Remote Hosts:", hostcount;
X print "echo Total power:", powtot;
X
X for (i = 0; i < hostcount; i++)
X {
X if (i < hostcount - 1)
X {
X# This balancing algorithm by: geo...@au.edu.monash.cc.moa (George Scott)
X# its wonderful - AEM
X slice = relpow[i] / powtot; # fraction
X slice *= todo; # percentage
X slice = int(slice); # round down
X todo -= slice; # remainder
X powtot -= relpow[i];
X } else
X {
X slice = todo; # fastest machine gets the rest.
X todo = 0;
X }
X if (slice > 0)
X {
X print "echo Calling", hostname[i], "for", slice, "different salts";
X
X line = sprintf( \
X "Scripts/RCrack %s %d %d %s %s \"%s\" %s %s %s < %s", \
X asynch[i], \
X done, \
X done + slice - 1, \
X hostname[i], \
X rshuser[i], \
X crackp[i], \
X "-XRuntime/RD.'"$$"'." i, \
X crackf[i], \
X bintype[i], \
X file);
X# print "echo", line;
X print line;
X }
X done += slice;
X }
X}' | sh # I'll bet you didn't expect this...
X
Xrm $tf
Xexit 0
END_OF_FILE
if test 3793 -ne `wc -c <'Scripts/Crack.network'`; then
echo shar: \"'Scripts/Crack.network'\" unpacked with wrong size!
fi
chmod +x 'Scripts/Crack.network'
# end of 'Scripts/Crack.network'
fi
if test -f 'Scripts/RCrack' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/RCrack'\"
else
echo shar: Extracting \"'Scripts/RCrack'\" $3363 characters$
sed "s/^X//" >'Scripts/RCrack' <<'END_OF_FILE'

X# For those ignorant of 'rsh', what I am trying to build is a line of
X# the form
X# rsh hostname [-n] [-l remoteuser] command [args ...]
X#
X###
X
Xmachine=`(uname) 2>&1` # What architecture are we on ?
X
X###
X# Map architecture to rsh-equivalent...
X###
X
Xcase $machine in
X "HP_UX") # Hewlett Packard boxen
X remote_shell="remsh"
X ;;
X# "XENIX"|"Xenix") # Just a suggestion...
X# remote_shell="rcmd"
X# ;;
X *) # default
X remote_shell="rsh"
X ;;
Xesac
X
X###
X# Are we going to kick rsh into the background, or are we going to
X# background the thing on the remote end ?
X###
X
Xasynch_mode=""
X
Xif [ "x$1" = "x-asynch" ]
Xthen
X echo "(asynchronous $remote_shell mode)"
X asynch_mode="$1"
X shift
Xelse
X echo "(remotely backgrounded mode)"
Xfi
X
X###
X# Segments of input data to read.
X###
X
Xstartline=$1
Xshift
Xstopline=$1
Xshift
X
Xdatafile=/tmp/rcrk.$$ # temporary data file
X
X###
X# Awk reads from stdin... Create an input file for rsh...

X###
X
Xawk -F: '
XBEGIN {

X usercount = 0;
X saltcount = 0;
X startsalt = '"$startline"';
X stopsalt = '"$stopline"';
X}
X
X{
X if (substr($3, 1, 2) != last)
X {
X saltcount++;

X last = substr($3, 1, 2);
X }
X

X if (saltcount >= startsalt && saltcount <= stopsalt)
X {
X usercount++;
X print $0;
X }
X}' > $datafile
X
X###
X# Test that we should actually bother to do anything.
X###
X
Xnumlines=`wc -l < $datafile`
X
X###
X# Must not quote $numlines here for comparison to work
X###
X
Xif [ $numlines = 0 ]
Xthen
X echo "RCrack: Nothing left to dispatch to remote host."
X rm -f $datafile
X exit 0
Xelse
X echo Salted Segment comprises $numlines users # Don't quote this...
Xfi
X
X###
X# Now for the important bits. Create a diefile pointing to a remote diefile
X# (It's easier to get Crack.network to wire $remotediefile into arglist)
X###
X
Xremhost=$1 # Name of remote host ($2 == Crack path)
Xremotediefile=$3 # Name of remote diefile
Xlocaldiefile=Runtime/D.rem$$ # Local pointer to above
X
Xawk -F: '
XBEGIN {
X rshell = "'"$remote_shell"'";
X rhost = "'"$remhost"'";
X rdie = "'"$remotediefile"'";
X rdie = substr(rdie,3,length(rdie) - 2);
X}
X
X$1 == rhost {
X if ($4 != "")
X {
X rshf = "-l " $4 " -n";
X } else
X {
X rshf = "-n";
X }
X if ($5 != "")
X {
X nf = split($5, path, "/");
X ch = path[1];
X for (i = 2; i < nf; i++)
X {
X ch = ch "/" path[i];
X }
X } else
X {
X ch = "'"$CRACK_HOME_UNRES"'";
X }
X}
X
XEND {
X print "#!/bin/sh";
X print "rm $0 && " rshell, rhost, rshf, "\"cd " ch ";" rdie "\"";
X}' < Scripts/network.conf > $localdiefile
X
Xchmod 700 $localdiefile
X
Xif [ "x$asynch_mode" = "x-asynch" ]
Xthen
X if [ "x$CRACK_OUT" != "x" ]
X then
X outfile=$CRACK_OUT/out.r$$
X else
X outfile=./out.r$$
X fi
X
X # 'rsh' traps SIGHUP and survives OK
X
X echo "Invoking: $remote_shell $@ <$datafile >$outfile 2>&1 && rm -f $datafile $localdiefile &"
X $remote_shell "$@" <$datafile >$outfile 2>&1 && rm -f $datafile $localdiefile &
Xelse
X # Perfectly ordinary network crack.
X echo "Invoking: $remote_shell $@ < $datafile"
X $remote_shell "$@" < $datafile
X rm -f $datafile

Xfi
X
Xexit 0
END_OF_FILE

if test 3363 -ne `wc -c <'Scripts/RCrack'`; then
echo shar: \"'Scripts/RCrack'\" unpacked with wrong size!
fi
chmod +x 'Scripts/RCrack'
# end of 'Scripts/RCrack'
fi
if test -f 'Scripts/do_join' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/do_join'\"
else
echo shar: Extracting \"'Scripts/do_join'\" $1912 characters$
sed "s/^X//" >'Scripts/do_join' <<'END_OF_FILE'

X# Empty the output file, Error if cannot create
X###
X
Xwarn=$1
Xshift
Xcp /dev/null $warn || exit 1
X
X###
X# Have we got feedback ?
X###
X
Xfbkfiles=`sh -c "echo Runtime/F.*"`
Xif [ "$fbkfiles" = "Runtime/F.*" ]
Xthen
X fbkfiles=""
Xfi
X
X###
X# As Walt Disney would say, we start with a simple bracket:-
X###
X
X(
X if [ "$fbkfiles" != "" ]
X then
X cat $fbkfiles
X fi
X
X (
X for file in $*
X do
X awk '/^[A-Za-z0-9]/ {print "'"$file"':" $0}' < $file
X done
X ) |
X sort -t: +2
X) |
Xawk -F: '
XBEGIN {
X FS = ":";
X numf = 8; # number of fields in a pwent, + 1
X warn="'"$warn"'";
X date = "'"`date`"'";
X date = substr(date, 5, 15);
X}
X
X/^!fb!/ {
X if ($3 == "N")
X {
X guessable[$2] = "N";
X } else if ($3 == "Y")
X {
X guessable[$2] = "Y";
X decrypt[$2] = $4;
X } else
X {
X print "Strange feedback: ", $0 >> "/dev/tty";
X }
X next;
X}
X
XNF != numf {
X printf("join: Rejected '%s': does not have %d fields\n", \
X $0, numf) >> warn;
X next;
X}
X
X$3 == "" {
X printf("join: %s Warning! %s (%s in %s) has a NULL password!\n", \
X date, $2, $7, $1) >> warn;
X next;
X}
X
Xindex($3, "*") != 0 || \
Xindex($3, "!") != 0 || \
Xindex($3, " ") != 0 {
X printf("join: %s User %s (in %s) has a locked password:- %s\n", \
X date, $2, $1, $3) >> warn;
X next;
X}
X
X{
X if (guessable[$3] == "N")
X {
X next;
X } else if (guessable[$3] == "Y")
X {
X if ($4 == 0)
X {
X msg = "ROOT PASSWORD ";
X } else
X {
X msg = "";
X }
X printf("join: %s Guessed %s%s (%s in %s) [%s] %s\n", \
X date, $2, msg, $8, $1, decrypt[$3], $3) >> warn;
X } else
X {
X print $0;
X }

X}'
X
Xexit 0
END_OF_FILE

if test 1912 -ne `wc -c <'Scripts/do_join'`; then
echo shar: \"'Scripts/do_join'\" unpacked with wrong size!
fi
chmod +x 'Scripts/do_join'
# end of 'Scripts/do_join'
fi
if test -f 'Scripts/nastygram' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/nastygram'\"
else
echo shar: Extracting \"'Scripts/nastygram'\" $1452 characters$
sed "s/^X//" >'Scripts/nastygram' <<'END_OF_FILE'

Xfor username in $*
Xdo
X mail $username <<EndOfLetter
X `date`
X
XDear $username,
X
XThe login password you use for the account "$username" has been found to
Xbe insecure by the "Crack" password guessing program. You must change
Xyour password as soon as possible.
X
XPasswords which are not easily compromised by programs such as "Crack"
Xare based upon non-dictionary words, hence any word which might appear
Xin a dictionary, EVEN IF IT IS SUPPOSEDLY A OBSCURE WORD is unsuitable.
X
XSimilarly, any password which is derived from your name, department or
Xother personal information is unsuitable because it can be easily
Xguessed.
X
XIt is important that password security be maintained at a high level for
Xthe sake of ALL the people who use these computers. We thank you for
Xyour co-operation in this matter.
X
X Yours,
X
X Alec Muffett, Aberystwyth, UK
X pp Your System Administrator
XEndOfLetter
Xdone
END_OF_FILE
if test 1452 -ne `wc -c <'Scripts/nastygram'`; then
echo shar: \"'Scripts/nastygram'\" unpacked with wrong size!
fi
chmod +x 'Scripts/nastygram'
# end of 'Scripts/nastygram'
fi
if test -f 'Scripts/network.conf' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Scripts/network.conf'\"
else
echo shar: Extracting \"'Scripts/network.conf'\" $2330 characters$
sed "s/^X//" >'Scripts/network.conf' <<'END_OF_FILE'
X###
X# Format of this file:-
X###
X#
X# host:binary type:relative power:rsh user:crack path:crack flags:comment
X#
X# host = hostname to 'rsh' to
X# binary type = type of executable to build on this sort of machine
X# relative power = power of host relative to weakest machine
X# rsh user = username to 'rsh -l' to, if not same as current user.
X# crack path = full path name of Crack on host (deft: $CRACK_HOME/Crack)
X# crack flags = additional flags to add to crack command line on that host
X# comment = anything, really, for your reference
X#
X# 1) Don't bother specifying "-F" amongst "crack flags" as the
X# one which you use on the command line will be passed across.
X#
X# 2) You CAN specify "-f" here, to throw the remote password cracker
X# into foreground mode for non-NFS working, but please read the docs
X# thoroughly first.
X###
X# I have specified relative power here as the number of fcrypts per second
X# that each host is (roughly) capable of. This is a perfectly good way to
X# define relative power, but if you are at a loss, call your weakest machine
X# '1', and measure all others in terms of that.
X###
X
X### Mainframe power boxes
Xaberda:mipsel:530:::-n4: Mainframe Dec 5830
Xaberdb:mipsel:530:::-n4: Mainframe Dec 5830
Xaberdc:mipsel:565:::: Mainframe DecStation 5000/200
Xaberdq:sun4:400:::: Mainframe Sun 4/330
X
X### Some of the CS machines over an rsh link - souped up Sun 3/50s
X#odin:sun3:50::~aem/Crack/Crack:-n10 -f: Computer Science Server
X#thor:sun3:50::~aem/Crack/Crack:-n10 -f: Computer Science Server
X
X### Colour DECStation 2100's
Xdecgca:mipsel:275:::-n4: Graphics Room DecStation 2100
Xdecgcb:mipsel:275:::-n4: Graphics Room DecStation 2100
Xdecgcc:mipsel:275:::-n4: Graphics Room DecStation 2100
Xdecgcd:mipsel:275:::-n4: Graphics Room DecStation 2100
X#decgce:mipsel:275:::-n4: Nigel's 2100 gets switched off nites
X
X### Monochrome DECStation 2100's
Xdecgma:mipsel:275:::-n4: Graphics Room DecStation 2100
X#decgmb:mipsel:275:::-n4:DecStation 2100 cannabalised for parts
Xdecgmc:mipsel:275:::-n4: Graphics Room DecStation 2100
Xdecgmd:mipsel:275:::-n4: Graphics Room DecStation 2100
Xdecgme:mipsel:275:::-n4: Graphics Room DecStation 2100
X
X### Sun 3/50C's which are barely worth bothering about
X#sunga:sun3:60:::-n4: Graphics Room Sun 3/60
X#sunga:sun3:60:::-n4: Graphics Room Sun 3/60
X#sunga:sun3:60:::-n4: Graphics Room Sun 3/60
END_OF_FILE
if test 2330 -ne `wc -c <'Scripts/network.conf'`; then
echo shar: \"'Scripts/network.conf'\" unpacked with wrong size!
fi
# end of 'Scripts/network.conf'
fi
if test -f 'Sources/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/Makefile'\"
else
echo shar: Extracting \"'Sources/Makefile'\" $1685 characters$
sed "s/^X//" >'Sources/Makefile' <<'END_OF_FILE'
X###
X# Makefile for the CRACK suite V4.0, (c) ADE Muffett, Aug 1991
X###
X# Configurtable bitz...
X###
X
XCC= cc
XCFLAGS= -O
XLIBS=
XSHELL= /bin/sh
X
X###
X# Not so configurable bitz...
X###
X
XPWC= crack-pwc
XCRACKLIB= crack-lib.o crack-port.o
XCRACKCRYPT= crack-fcrypt.o
X
X###
X# If you intend to wire in your own fcrypt() thingy, try putting a
X# specific target for crack-fcrypt.o in this file...
X###
X
X$(PWC): $(CRACKLIB) $(CRACKCRYPT) crack-pwc.o
X $(CC) $(CFLAGS) -o $@ crack-pwc.o \
X $(CRACKLIB) $(CRACKCRYPT) $(LIBS)
X
Xcrack-pwc.c: crack.h
X
Xcrack-lib.c: crack.h
X
Xcrack.h: conf.h
X touch crack.h
X
Xconf.h:
X
X###
X# For tidying up...
X###
X
Xclean:
X -rm -f $(PWC) *.o *.u *.a
X -rm -f tester *.pixie *.Addrs *.Counts
X -rm -f speedcrypt speedfcrypt speedxform
X
X###
X# These targets below are for fcrypt() development only
X###
XPIXIEF = -procedures -heavy -invocations -zero
X
Xtests: speedcrypt tester speedxform speedfcrypt
X -./tester
X -./speedfcrypt
X -./speedxform
X -./speedcrypt
X
Xspeedfcrypt: speeds.c $(CRACKLIB) $(CRACKCRYPT)
X $(CC) -DT1 -o speedfcrypt speeds.c $(CRACKLIB) $(CRACKCRYPT)
X
Xspeedxform: speeds.c $(CRACKLIB) $(CRACKCRYPT)
X $(CC) -DT2 -o speedxform speeds.c $(CRACKLIB) $(CRACKCRYPT)
X
Xspeedcrypt: speeds.c $(CRACKLIB) $(CRACKCRYPT)
X $(CC) -o speedcrypt speeds.c $(CRACKLIB) $(CRACKCRYPT)
X
Xtester: tester.o $(CRACKLIB) $(CRACKCRYPT)
X $(CC) -o tester tester.o $(CRACKLIB) $(CRACKCRYPT)
X
Xtester.pixie: tester
X pixie -o tester.pixie tester
X
Xprof: tester.pixie
X time tester.pixie
X prof -pixie tester $(PIXIEF)
X
Xb: crack-fcrypt.c.orig
X
Xcrack-fcrypt.c.orig: crack-fcrypt.c
X cp crack-fcrypt.c crack-fcrypt.c.orig
X
Xt: test-load.o crack-lib.o
X cc -o t test-load.o crack-lib.o
END_OF_FILE
if test 1685 -ne `wc -c <'Sources/Makefile'`; then
echo shar: \"'Sources/Makefile'\" unpacked with wrong size!
fi
# end of 'Sources/Makefile'
fi
if test -f 'Sources/conf.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/conf.h'\"
else
echo shar: Extracting \"'Sources/conf.h'\" $3826 characters$
sed "s/^X//" >'Sources/conf.h' <<'END_OF_FILE'

X/*
X * This program is copyright Alec Muffett 1991 except for some portions of
X * code in "crack-fcrypt.c" which are copyright Robert Baldwin, Icarus
X * Sparry and Alec Muffett. The author(s) disclaims all responsibility or
X * liability with respect to it's usage or its effect upon hardware or
X * computer systems, and maintain copyright as set out in the "LICENCE"
X * document which accompanies distributions of Crack v4.0 and upwards.
X */
X
X#include <stdio.h>

X#include <ctype.h>
X#include <pwd.h>
X#include <signal.h>
X
X/*
X * Undefine this symbol if your name is not Alec David Edward Muffett
X */
X
X#undef DEVELOPMENT_VERSION
X
X/*
X * define this symbol if you are on a system where you don't have the
X * strchr() function in your standard library (usually this means you are on
X * a BSD based system with no System Visms) but instead, you DO have the
X * equivalent index() function.
X */
X
X#undef INDEX_NOT_STRCHR
X
X/*
X * What bytesex is your machine ? Select one of the two below, if you have
X * some really weird machine - otherwise the program should be able to work
X * it out itself.
X */
X
X#undef BIG_ENDIAN
X#undef LITTLE_ENDIAN
X
X/* If you haven't selected one of the above options... */
X#if !defined(BIG_ENDIAN) && !defined(LITTLE_ENDIAN)
X
X/* Can we work out if we are little endian ? */
X#if defined(vax) || defined(ns32000) || defined(sun386) || \
X defined(i386) || defined(MIPSEL) || defined(BIT_ZERO_ON_RIGHT)
X#define LITTLE_ENDIAN /* YES */
X#endif
X
X/* Can we work out if we are bigendian ? */
X#if defined(sel) || defined(pyr) || defined(mc68000) || \
X defined(sparc) || defined(is68k) || defined(tahoe) || \
X defined(ibm032) || defined(ibm370) || defined(MIPSEB) || \
X defined(__convex__) || defined(hpux) || defined(apollo) || \
X defined (BIT_ZERO_ON_LEFT) || defined(m68k) || defined(m88k) || \
X defined(_IBMR2) || defined(AMIGA) /* yes, an Amiga A500... */
X#define BIG_ENDIAN /* YES */
X#endif
X
X/* end of trying to guess things */
X#endif
X
X/* are we schitzophrenic ? */
X#if defined(BIG_ENDIAN) && defined(LITTLE_ENDIAN)
XERROR_BAD_BIT_ORDER; /* YES */
X#endif
X
X/* are we still ignorant ? */
X#if !defined(BIG_ENDIAN) && !defined(LITTLE_ENDIAN)
XERROR_NO_BIT_ORDER; /* YES */
X#endif
X
X
X/*
X * define this if you have the macros _toupper() and _tolower(), which are
X * compatible with the un-intelligent K&R versions of the toupper() and
X * tolower() functions, and which do not test their input for validity.
X */
X
X#undef FAST_TOCASE
X
X/*
X * define this if you are on a Sys V type system with a uname() system call
X * AND YOU HAVE NO gethostname() - it fakes up a BSD gethostname() so you can
X * use CRACK_NETWORK; see crack-port.c
X */
X
X#undef CRACK_UNAME
X
X/*
X * define this if you want to search the first 1Kb segment of users
X * .plan/.project/.signature files for potential passwords
X */
X
X#undef CRACK_DOTFILES
X
X/*
X * define this if you are using fcrypt() - you might not want to if fcrypt()
X * doesn't work properly
X */
X
X#define FCRYPT
X
X/*
X * THE FOLLOWING SYMBOLS PERTAIN ONLY TO FCRYPT() USAGE
X */
X
X/*
X * if defined, use builtin clearing in preference to using bzero(), for 4
X * or 8 byte long ints. This is most preferable, and a Good Thing. If it
X * is not defined, fcrypt() will try to use bzero().
X */
X
X#define BUILTIN_CLEAR
X
X/*
X * define this if you have a 4 byte "long_int" on RISC machines and want a
X * speedup - it should not hurt CISC machines either. Do NOT define it on a
X * 8-byte int machine...
X */
X
X#undef FDES_4BYTE
X
X/*
X * define this if you are on a Cray or something with an 8-byte int, to
X * enable Matthew Kaufman's fcrypt fix. I hope it works okay, cos I can't
X * test it - AEM.
X */
X
X#undef FDES_8BYTE
X
X/*
X * undef this if your compiler knows the fact that 6*x == x<<1 + x<<2
X */
X
X#undef BRAINDEAD6
X
X/* END OF THINGS THAT NEED CONFIGURING */
X
X#ifdef DEVELOPMENT_VERSION
X#define FDES_4BYTE
X#endif
END_OF_FILE
if test 3826 -ne `wc -c <'Sources/conf.h'`; then
echo shar: \"'Sources/conf.h'\" unpacked with wrong size!
fi
# end of 'Sources/conf.h'
fi
if test -f 'Sources/crack-lib.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/crack-lib.c'\"
else
echo shar: Extracting \"'Sources/crack-lib.c'\" $8130 characters$
sed "s/^X//" >'Sources/crack-lib.c' <<'END_OF_FILE'

X#define RULE_NOOP ':'
X#define RULE_PREPEND '^'
X#define RULE_APPEND '$'
X#define RULE_REVERSE 'r'
X#define RULE_UPPERCASE 'u'
X#define RULE_LOWERCASE 'l'
X#define RULE_PLURALISE 'p'
X#define RULE_CAPITALISE 'c'
X#define RULE_DUPLICATE 'd'
X#define RULE_REFLECT 'f'
X#define RULE_SUBSTITUTE 's'
X#define RULE_MATCH '/'
X#define RULE_NOT '!'
X#define RULE_LT '<'
X#define RULE_GT '>'
X#define RULE_EXTRACT 'x'
X
Xvoid
XTrim (string) /* remove trailing whitespace from a string */
X register char *string;
X{
X register char *ptr;
X
X for (ptr = string; *ptr; ptr++);
X while ((--ptr >= string) && isspace (*ptr));
X *(++ptr) = '\0';
X}
X
Xchar *
XClone (string, maxsize)
X char *string;
X int maxsize;
X{
X register int len;
X register char *retval;
X
X len = strlen (string);
X if (maxsize && len > maxsize)
X {
X len = maxsize;
X }
X retval = (char *) malloc (len + 1);
X strncpy (retval, string, len);
X retval[len] = '\0';
X return (retval);
X}
X
Xint
XSuffix (word, suffix)
X char *word;
X char *suffix;
X{
X register int i;
X register int j;
X
X i = strlen (word);
X j = strlen (suffix);
X
X if (i > j)
X {
X return (STRCMP ((word + i - j), suffix));
X } else

X {
X return (-1);
X }
X}

X
Xchar *
XReverse (str) /* return a pointer to a reversal */
X register char *str;
X{
X register int i;
X register int j;
X register char *ptr;
X static char area[STRINGSIZE];
X
X j = i = strlen (str);
X while (*str)
X {
X area[--i] = *str++;
X }
X area[j] = '\0';
X return (area);
X}
X
Xchar *
XUppercase (str) /* return a pointer to an uppercase */
X register char *str;
X{
X register char *ptr;
X static char area[STRINGSIZE];
X
X ptr = area;
X while (*str)
X {
X *(ptr++) = islower (*str) ? toupper (*str) : *str;
X str++;
X }
X *ptr = '\0';
X
X return (area);
X}
X
Xchar *
XLowercase (str) /* return a pointer to an lowercase */
X register char *str;
X{
X register char *ptr;
X static char area[STRINGSIZE];
X
X ptr = area;
X while (*str)
X {
X *(ptr++) = isupper (*str) ? tolower (*str) : *str;
X str++;
X }
X *ptr = '\0';
X
X return (area);
X}
X
Xchar *
XCapitalise (str) /* return a pointer to an capitalised */
X register char *str;
X{
X register char *ptr;
X static char area[STRINGSIZE];
X
X ptr = area;
X
X while (*str)
X {
X *(ptr++) = isupper (*str) ? tolower (*str) : *str;
X str++;
X }
X
X *ptr = '\0';
X
X if (islower (area[0]))
X {
X area[0] = toupper (area[0]);
X }
X return (area);
X}
X
Xchar *
XPluralise (string) /* returns a pointer to a plural */
X register char *string;
X{
X register int length;
X static char area[STRINGSIZE];
X
X length = strlen (string);
X strcpy (area, string);
X
X if (!Suffix (string, "ch") ||
X !Suffix (string, "ex") ||
X !Suffix (string, "ix") ||
X !Suffix (string, "sh") ||
X !Suffix (string, "ss"))
X {
X /* bench -> benches */
X strcat (area, "es");
X } else if (length > 2 && string[length - 1] == 'y')
X {
X if (strchr ("aeiou", string[length - 2]))
X {
X /* alloy -> alloys */
X strcat (area, "s");
X } else
X {
X /* gully -> gullies */
X strcpy (area + length - 1, "ies");
X }
X } else if (string[length - 1] == 's')
X {
X /* bias -> biases */
X strcat (area, "es");
X } else
X {
X /* catchall */
X strcat (area, "s");
X }
X
X return (area);
X}
X
Xchar *
XSubstitute (string, old, new) /* returns pointer to a swapped about copy */
X register char *string;
X register char old;
X register char new;
X{
X register char *ptr;
X static char area[STRINGSIZE];
X
X ptr = area;
X while (*string)
X {
X *(ptr++) = *string == old ? new : *string;
X string++;
X }
X *ptr = '\0';
X return (area);
X}
X
Xint
XChar2Int (character)
X char character;
X{
X if (character >= '0' && character <= '9')
X {
X return (character - '0');
X }
X if (character >= 'a' && character <= 'z')
X {
X return (character - 'a' + 10);
X }
X if (character >= 'A' && character <= 'Z')
X {
X return (character - 'A' + 10);

X }
X return (-1);
X}
X

Xchar *
XMangle (input, control) /* returns a pointer to a controlled Mangle */
X char *input;
X char *control;
X{
X int limit;
X register char *ptr;
X static char area[STRINGSIZE];
X char area2[STRINGSIZE];
X
X area[0] = '\0';
X strcpy (area, input);
X
X for (ptr = control; *ptr; ptr++)
X {
X switch (*ptr)
X {
X case RULE_NOOP:
X break;
X case RULE_REVERSE:
X strcpy (area, Reverse (area));
X break;
X case RULE_UPPERCASE:
X strcpy (area, Uppercase (area));
X break;
X case RULE_LOWERCASE:
X strcpy (area, Lowercase (area));
X break;
X case RULE_CAPITALISE:
X strcpy (area, Capitalise (area));
X break;
X case RULE_PLURALISE:
X strcpy (area, Pluralise (area));
X break;
X case RULE_REFLECT:
X strcat (area, Reverse (area));
X break;
X case RULE_DUPLICATE:
X strcpy (area2, area);
X strcat (area, area2);
X break;
X case RULE_GT:
X if (!ptr[1])
X {
X Log ("Mangle: '>' missing argument in '%s'\n",
X control);
X } else
X {
X limit = Char2Int (*(++ptr));
X if (limit < 0)
X {
X Log ("Mangle: '>' weird argument in '%s'\n",
X control);
X return ((char *) 0);
X }
X if (strlen (area) <= limit)
X {
X return ((char *) 0);
X }
X }
X break;
X case RULE_LT:
X if (!ptr[1])
X {
X Log ("Mangle: '<' missing argument in '%s'\n",
X control);
X } else
X {
X limit = Char2Int (*(++ptr));
X if (limit < 0)
X {
X Log ("Mangle: '<' weird argument in '%s'\n",
X control);
X return ((char *) 0);
X }
X if (strlen (area) >= limit)
X {
X return ((char *) 0);
X }
X }
X break;
X case RULE_PREPEND:
X if (!ptr[1])
X {
X Log ("Mangle: prepend missing argument in '%s'\n",
X control);
X } else
X {
X area2[0] = *(++ptr);
X strcpy (area2 + 1, area);
X strcpy (area, area2);
X }
X break;
X case RULE_APPEND:
X if (!ptr[1])
X {
X Log ("Mangle: append missing argument in '%s'\n",
X control);
X } else
X {
X register char *string;
X
X string = area;
X while (*(string++));
X string[-1] = *(++ptr);
X *string = '\0';
X }
X break;
X case RULE_SUBSTITUTE:
X if (!ptr[1] || !ptr[2])
X {
X Log ("Mangle: substitute missing argument in '%s'\n",
X control);
X } else
X {
X strcpy (area, Substitute (area, ptr[1], ptr[2]));
X ptr += 2;
X }
X break;
X case RULE_EXTRACT:
X if (!ptr[1] || !ptr[2])
X {
X Log ("Mangle: extract missing argument in '%s'\n",
X control);
X } else
X {
X int i;
X int start;
X int length;
X
X start = Char2Int (*(++ptr));
X length = Char2Int (*(++ptr));
X if (start < 0 || length < 0)
X {
X Log ("Mangle: extract: weird argument in '%s'\n",
X control);
X return ((char *) 0);
X }
X strcpy (area2, area);
X for (i = 0; length-- && area2[start + i]; i++)
X {
X area[i] = area2[start + i];
X }
X /* cant use strncpy() - no trailing NUL */
X area[i] = '\0';
X }
X break;
X case RULE_MATCH:
X if (!ptr[1])
X {
X Log ("Mangle: '/' missing argument in '%s'\n",
X control);
X } else
X {
X register char *string;
X register char c;
X
X c = *(++ptr);
X for (string = area; *string; string++)
X {
X if (*string == c)
X {
X break;
X }
X }
X if (!*string)
X {
X return ((char *) 0);
X }
X }
X break;
X case RULE_NOT:
X if (!ptr[1])
X {
X Log ("Mangle: '!' missing argument in '%s'\n",
X control);
X } else
X {
X register char *string;
X register char c;
X
X c = *(++ptr);
X for (string = area; *string; string++)
X {
X if (*string == c)
X {
X return ((char *) 0);
X }
X }
X }
X break;
X default:
X Log ("Mangle: unknown command %c in %s\n",
X *ptr,
X control);
X break;
X }
X }
X return (area);
X}
END_OF_FILE
if test 8130 -ne `wc -c <'Sources/crack-lib.c'`; then
echo shar: \"'Sources/crack-lib.c'\" unpacked with wrong size!
fi
# end of 'Sources/crack-lib.c'
fi
if test -f 'Sources/crack.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/crack.h'\"
else
echo shar: Extracting \"'Sources/crack.h'\" $3228 characters$
sed "s/^X//" >'Sources/crack.h' <<'END_OF_FILE'

X#include "conf.h"
X
X#define STRINGSIZE 255
X
Xextern void Trim ();
Xextern char *Reverse ();
Xextern char *Uppercase ();
Xextern char *Lowercase ();
Xextern char *Clone ();
Xextern char *Mangle ();
Xextern char *gethostname ();
X
X#ifdef FAST_TOCASE
X#define toupper(x) _toupper(x)
X#define tolower(x) _tolower(x)
X#endif
X
X#ifdef FCRYPT
X#define crypt(a,b) fcrypt(a,b)
X#endif
X
X#ifdef INDEX_NOT_STRCHR
X#define strchr(a,b) index(a,b)
X#endif
X
Xstruct USER
X{
X int done; /* bool flag */
X char *filename; /* where we got it from */
X char *passwd_txt; /* plaintext of password */
X struct passwd passwd; /* ...guess... */
X struct USER *across; /* line of users with same salt */
X struct USER *next; /* next users with different salt */
X};
X
Xstruct DICT
X{
X char *word; /* simple linked list */
X struct DICT *next;
X};
X
Xstruct RULE
X{
X char *rule;
X struct RULE *next;
X};
X
X#define STRCMP(x,y) ((x)[0] != (y)[0] ? -1 : strcmp((x),(y)))
X
X/* Rest of stuff is from crack-fcrypt.c */
X
X#define reg register
X#define uns unsigned
X#define unsb uns char
X#define unsl uns long
X
X/*
X * Types for the different ways to represent DES bit patterns. Bits are
X * always right justified within fields. Bits which have lower indices in
X * the NBS spec are stored in the vax bits with less significance (e.g., Bit
X * 1 of NBS spec is stored in the bit with weight 2 ** 0 to the Vax.
X */
X
X#define obpb1 unsb /* One bit per byte. */
X#define sbpb6 unsb /* Six bits per byte, 6 held. */
X#define sbpb6R unsb /* Six bits per byte Reversed order, 6 held. */
X#define sbpb24 unsl /* Six bits per byte, 24 held. */
X#define ebpb24 unsl /* Eight bits per bit, 24 held. */
X#define fbpb4 unsb /* Four bits per byte, 4 held. */
X#define fbpb4R unsb /* Four bits per byte Reversed order, 4 held. */
X
X/*
X * The operation (6 * x) is often better optimised as this (for really
X * braindead compilers) - AEM
X */
X
X#ifdef BRAINDEAD6
X#define SIX_TIMES(exprn) (((exprn) << 2) + ((exprn) << 1))
X#else
X#define SIX_TIMES(exprn) (6 * (exprn))
X#endif /* BRAINDEAD6 */
X
X/* DES transformation type... */
X
Xunion SDATA
X{
X sbpb24 b[2];
X sbpb6 c[8];
X};
X
X#ifndef FDES_8BYTE /* Not on a Cray */
X#ifndef FDES_4BYTE /* Thanks to Matt Bishop for this idea -AEM. */
X#define SIZEFIX 0
X#define INDIRECT(a,b) (a)[b]
X#else
X#define SIZEFIX 2 /* "n" where 2^n == sizeof(sbpb24) */
X#define INDIRECT(a,b) (*((sbpb24 *)(((unsigned char *) a) + (b))))
X#endif
X#endif
X
X/*
X * These used to be rather slow and frequently used functions - AEM
X */
X
X#define TF_TO_SIXBIT(tf) \
X (sbpb24)((tf & 077L) | \
X ((tf & 07700L) << 2) | \
X ((tf & 0770000L) << 4) | \
X ((tf & 077000000L) << 6))
X
X#define SIXBIT_TO_TF(sb) \
X (ebpb24)((sb & 0x3fL) | \
X ((sb & 0x3f00L) >> 2) | \
X ((sb & 0x3f0000L) >> 4) | \
X ((sb & 0x3f000000L) >> 6))
END_OF_FILE
if test 3228 -ne `wc -c <'Sources/crack.h'`; then
echo shar: \"'Sources/crack.h'\" unpacked with wrong size!
fi
# end of 'Sources/crack.h'
fi
echo shar: End of archive 2 $of 5$.
cp /dev/null ark2isdone

Alec Muffett

unread,

Nov 3, 1991, 6:15:44 PM11/3/91

Submitted-by: a...@aber.ac.uk (Alec David Muffett)

Posting-number: Volume 25, Issue 7
Archive-name: crack/part03

Environment: UNIX
Supersedes: crack: Volume 23, Issue 1-5

#! /bin/sh

# "End of archive 3 (of 5)."
# Contents: APPENDIX.4.0 Sources/crack-fcrypt.c
# Wrapped by aem@aberda on Thu Oct 24 11:14:43 1991

PATH=/bin:/usr/bin:/usr/ucb ; export PATH

if test -f 'APPENDIX.4.0' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'APPENDIX.4.0'\"
else
echo shar: Extracting \"'APPENDIX.4.0'\" $16140 characters$
sed "s/^X//" >'APPENDIX.4.0' <<'END_OF_FILE'
XAPPENDIX FILE FOR VERSION 4.0 of Crack. By Alec Muffett, 7th Oct 1991
X**********************************************************************
XThis is the latest version of Crack, The Sensible Password Cracker.
X
XThere have been a LOT of changes since version 3.*, first and foremost,
Xthere is NO DICTIONARY PREPROCESSOR. This is part of a drive during
Xre-writing the code to move as much as possible of the configuration
Xgumph out of the central code and into the Scripts directory.
X
XAll the manipulations which are carried out on the dictionary are
Xcontrolled by external files, so that the user can configure the program
Xto permute and unique the dictionary on the fly, saving vast amounts of
Xfilestore for a small time tradeoff.
X
XIf you really want to make a dictionary pass of capitalised reversed
Xwords containing the letter "Q" with a semicolon appended, feel free!
XThe rule is:-
X cr/Q$;
X
XThis is further detailed in the README file. The extra flexibility
Xgenerated is worth the slight loss in efficiency,
X
XOther changes in attitude and programming style: Crack is now written
Xwith most of it's features hardwired in; eg: Feedback mode is no longer
Xoptional, Crack output files ALWAYS print their guesses, and so on.
X
XThis is partly due to laziness, and partly due to the complexity of the
Xcode. It's simpler if I assume that users don't want to go around
Xcrippling the code before running it.
X
XAlso, I assume that certin features are supplied with your c-compiler
Xtoo. You will need a qsort() function as well as a getopt() function to
Xrun v4.0, but these are pretty common nowadays. If not, complain to
Xyour vendor or pull one from the public domain.
X
XAlso, I've tried (with a lot of external help: thanks to cip_maz) to get
XCrack working on 16 bit machines. It may work... 8-)
X
XCrack now can scan .plan/.project/.signature files for information...
XIt only checks the first 1Kb of each file... I consider this to be
Xenough, because, as I well know, some .plan files get a bit bigger than
Xthat. (If you don't know what I'm talking about, pull a copy of ASP
Xfrom your local comp.sources.misc archive. My big .plan is 2.6Mb)
X
XFinally, I'm providing with this version a "terms of usage" file, which
Xdetails what I would like people to do or not do with my code. I've
Xworked bloody hard on this project, partly in hope that it will scare
Xthe commercial world into doing things for unix security amongst the
Xunix community. Two BIG multinationals have already contacted me about
Xthis code, but mostly because it's done horrible things to their
Xinternal network security. I'd like to see them implement something for
Xthe users, too...
X
XI DO intend to keep Crack up to date with development work, but my
Xfuture on the net is looking a little shaky at the moment. Hang in
Xthere - if you get no immediate reply on EMailing me, I'll get back to
Xyou eventually. It does seem that Crack v4.0 has gone just about as far
Xas it can without being too silly or inefficient, so I am going to have
Xto consider VERY CAREFULLY about where it goes from here on in.
X
X in peaceful paranoia,
X yours sincerely,
X
X alec muffett (with TWO T's !)
X***********************************************************************
XThere now follows any information that is still pertinent from previous
XAPPENDIX files
X***********************************************************************
X
XSeveral people have asked me why I don't write Crack so that it
Xdistributes dictionaries over the network and hacks the same password
Xfile on each machine, as opposed to spreading users over the network and
Xusing the same dictionaries.
X
XThere are several reasons for this, which I will outline.
X
XThe reasoning that spreading the dictionaries over the network is faster
Xis correct in the case of cracking the passwords of ONE user - it is
Xmost efficient to run different dictionaries on him on several machines,
Xand you will break his password eventually.
X
XScaling this by a factor of 'n' users causes problems. Firstly, if a
Xmachine guesses one persons password, it must inform all others on the
Xnetwork not to waste time cracking him, but to get on with the other
Xusers. This is difficult and nasty.
X
XSecondly, it is not what Crack was designed to do. The name "Crack" is
Xactually a misnomer - Crack really ought to be called "Passwdcheck" or
Xsomething similar, but such names lack sex appeal.
X
XCrack is not a program designed to break the password of every user in
Xthe file. Rather, it is designed to find weak passwords in the file, by
Xattacking those sorts of bad passwords which are most likely to be used,
Xin the order in which they would most easily be found (ie: are most
Xlikely to be used by a moronic user).
X
XCrack is not designed to break user passwords; it is designed to break
Xpassword files. This is a subtle but important distinction.
X
XIf you want to break into a safe, you do not take a hammer at every bit
Xof it in turn; instead, first you try some simple combinations, then you
Xtry blowing the hinges off, then you get out an acetylene torch and go
Xfor the bolt. If that doesnt work, THEN you start on the walls. You go
Xfor the bits which are most likely to be weak first.
X
XConsider a password file with 'n' users in it. Say that your ordinary,
Xserial password cracker uses a dictionary of 1000 words, and tries each
Xword 6 ways (upper/lower/mixed case, permuted with forwards/backwards)
X
XAlso consider that out of that 1000 users, only one (the last one) has a
Xguessable password - "fred".
X
XAlso say that it takes time 'T' seconds to encrypt a word.
X
XIf you use the "try each user in turn" method, like the COPS password
Xcracker, you will have to wait for a time:-
X
X 999 users * 1000 words * 6 ways * T = 5994000 T seconds
X
Xbefore you get to that last user. Spreading this load around on a
Xnetwork only alleviates the number of words to be searched (divides them
Xby the number of machines you are working on).
X
XThus, if you use 10 machines, the machine which will guess "fred" will
Xget to that last user in:-
X
X 999 * (1000 / 10) * 6 ways = 599400 T seconds.
X
XAlternatively you can try it the Crack way - "fred" is a word which
Xappears in a forwards dictionary. You will only wait:-
X
X 999 users * 1000 words * 1st way * T = 999000 T seconds
X
Xto get to that user. Now split the users across 10 machines (for
Xsimplicity, as outlined above):-
X
X (999 / 10) users * 1000 words * 1st way = 99900 T seconds
X
XTo get to his password, in ONLY 17% of the time taken by networking
Xusing the serial cracking method. This is only a boundary case, but I
Xhope I have illustrated the concept.
X
X********
X
XCrack has several other optimisations because of its structured password
Xguesses. The figures below are entirely empirical, but I reckon that
Xthey're as good as any:
X
XThe first pass that Crack makes is over the user data user information
Xgleaned from the users' password field. In my test file, this gets
Xabout 3% of the passwords (out of a total of 11% guessed). This pass
Xalso completes the quickest of all, working as it does from a very small
Xamount of data, but one which is very frequently used for passwords.
X
XThe first sweep of the second pass, consisting of lowercase dictionary
Xwords, gets about another 5% of the passwords. This means that, for our
X1150 users, we have now cracked a cumulative total of 91 accounts. The
Xlength of the first sweep depends on how much CPU and how many
Xdictionaries I supply, but using the Ultrix /usr/dict/words and my
Xbad_pws.dat, over 4 CPUs, it doesn't take much more that a couple of
Xhours.
X
XFor the further sweeps, the percentages cracked per sweep tail off, 2%,
X1%, 0.5%... But they are the people with fairly exotic passwords, and
Xit's only common sense that that they will take some time to crack.
X
X********
X
XThere is one more major optimisation that I haven't mentioned. Because
Xof the way the UNIX crypt() algorithm works, each encryption is "salted"
Xwith a two letter sequence which is stored as the first two characters
Xof the encrypted password. This salting means that the word "fred" can
Xbe encrypted and appear in a password file in (literally) thousands of
Xdifferent ways - so long as each encryption has a different salt.
X
XHence, it makes sense to do things in this manner:
X
X1) sort and group the input data by encryption salt.
X2) for each different groups' encryption salt
X * get a dictionary word
X * encrypt it using that salt (This is the time consuming bit)
X * compare the encryption with each member of the group with that salt
X * if it matches, you have guessed that users password.
X
XThis knocks (empirical guesswork time again) up to one third of the
Xdictionary encryptions off - thus saving you 0.3 of the time all the
Xdictionary sweeps would ordinarily take. You can work out this figure
Xyourself: Crack gives this statistic when it says
X
X pwc: Loaded 'n' password entries into 'm' salted lines.
X
Xso you can work out the percentage of users who have the same salt:-
X
X x = (m / n) * 100
X
Xand hence the percentage of encryption time that you save = (100 - x).
X
X********
X
XI was listening to the REM album 'Green' on the way back from the
XCropredy folk festival, whilst thinking over things to do to Crack, and
XI was struck (not for the first time) by the words of the first verse to
X'World Leader Pretend':-
X
X I sit at my table, and wage war upon myself.
X It seems like it's all, it's all for nothing.
X I know the barricades, and I know the mortar in the wall
X I recognise the weapons, I use them well.
X
X This is my mistake, let me make it good,
X I raised the wall, and I will be the one to knock it down...
X
X- writing password cracking programs gets to you after a bit.
X
X********
X
XSome people have asked me how to generate safe passwords. This, sadly,
Xhas become a religious issue, and there are now, on USENET, several
Xvociferous "password geeks" who will say "my method is the best", in the
Xsame way that some mathematicians will try to compare so-called "random
Xnumber generating algorithms". Such statements are pointless. I'm
Xsorry for adding to the confusion, but I must say that I think they are
Xwrong.
X
XOkay, so I am a security fatalist and a security philosopher, but I am
Xnot going to give and hard and fast answers; rather, I'd like to make
Xsome points and recommendations to the people out there. Security isn't
Xa tangible thing, it is applied psychology.
X
XThe whole point of a password is to prevent people accessing your
Xsystem, getting into it from outside. Once someone is inside your
Xsystem, assuming that they have the relevant knowledge of your O/S, it
Xis safest to assume that anyone can get to be 'superuser'. Your only
Xsecurity once someone is on your system is called "security by
Xobscurity". If your user has sufficient knowledge, you've "had it".
X
XThe question isn't "How secure can my system be made?".
X
XThe question really should be, "How much do I care, how much can I trust?".
X
XA system can be perfectly secure without any passwords at all, so long
Xas it is in an environment of people who recognise its purpose and
Xdepend on it. I say this after having had acounts on several 'public'
Xmachines, which could have been taken to bits by any competent Unix
Xperson, but were largely safe - because when someone worked out who did
Xanything nasty, the culprit was ostracised from the community. There
X_is_ a caveat to this, however.
X
XThe problem is the sort of people who go around the world 'collecting'
Xcomputer accounts and breaking machines, those who have either a
Xchildish mentality or an ulterior motive.
X
XThe former are like the little boys who go around breaking windows and
Xvandalising things 'for kicks'. They are the ones who see every
Xpassword file as a "NO ENTRY" sign, and therefore, driven by what they
Xthink is anarchy and fun, they break in and smash the place up. Tell
Xthem that they are behaving like children, and they will behave moreso.
X
XThe latter are driven by personal motives or money. Their reasons are
Xtoo complex for me to analyse here.
X
XThe 'babyish' hackers need a lesson (which I hope that eventually they
Xlearn) that true anarchy is for the general good, and is best achieved
Xby fiat amongst the community. USENET is a good example - there is a
Xlot of petty bickering and arguing, but an incredible amount of good
Xcomes out of it. It is anarchy that the old greek philosophers would
Xhave approved of.
X
XWhat I am trying to say is that, when I say that if someone gets into
Xyour system, you've "had it", you should consider whether there is
Xanything to have "had" in the first place. There is no point in getting
Xyourself paranoid over security - if you do, you'll lose out. Don't be
Xtoo paranoid. Be SENSIBLE instead, and secure your system according to
Xit's needs, and not according to some 'holy bible' of absolute security.
X
XIf someone gets into your system, you find out how they did it, patch
Xthe hole, check for back doors, brush yourself off, and start again.
XIt's not the end of the world.
X
XWhat this statement doesn't address (yet) is the needs of system
Xmanagers who have a REAL need for security - be it corporate data or
Xresearch work - on their system. As I have said before, most O/S's have
Xgaping holes in them that cannot be entirely filled, and so the crackers
Xmust be stopped on the doorstep. At the password login.
X
XPeople who say that they have a way of generating safe passwords are
Xmisinformed, IMHO. Saying that the password "wyufwqpl" is secure is as
Xmeaningful as saying that the number "4" is random. Password security,
Xlike any other form of computer security, is not absolute, but should
Xbe taken in context.
X
XYou can't say that a certain method will provide secure, random
Xpasswords, because, in defining an algorithm to create these passwords,
Xyou will use only a subset of all the possible passwords that could ever
Xexist. You have shrunk the 'search space' for the passwords.
X
XSomeone merely has to write a password cracker which will search this
Xsmall subset of passwords, in order to break your system. Passwords
Xgenerated by any algorithm, human or computer based, are merly
Xpseudo-secure, in the same way that numbers can be pseudo-random. For
Xillustration of this aspect of password security, read the document
X"Password Security, A Case History" by Morris and Thompson.
X
XThere is an incredibly large set of possible passwords in the world, and
Xthe best approach toward choosing a password is not to try to find a way
Xto generate 'secure' passwords - there are no such things - but rather
Xyou should learn to choose passwords which are not easily searched for.
XPasswords which are out of the 'search space' of most password crackers
Xlike 'Crack'.
X
XRead the Crack documentation. See what sort of things other programs
Xlike Crack would search for. Think of some yourself. I am not going to
Xspecifically mention methods, you should really work something out for
Xyourself.
X
XAt the bottom line, the password "fred" is just as secure (random) as
Xthe password "blurflpox"; the only problem is that "fred" is in a more
Xeasily searched part of the "password space".
X
XBoth of these passwords are more easily found than "Dxk&2+15^N" however.
XNow you must ask yourself if you can cope with remembering "Dxk&2+15^N".
X
X8-)
X
X********
X
XI'd like to thank Chris Samuel & Piercarlo (Peter) Grandi for all their
Xhelp in beta-testing early versions of Crack, and in Peter's case
Xespecially, for dropping me into the deep end of troff. Die, you
Xbastard. 8->
X
XI'd also like to thank Chris Myers, Randal Schwartz, Chris Lewis,
XM.Maclaren@bath, and Brian Tompsett (b...@uk.ac.hull.cs), for pointing me
Xto the now famous v3.2 bug, and for numerous suggestions and patches,
Xnot to mention the enormous amount of debugging information he's sent me
Xabout Crack v3.3. To him should go the prize for "Most Vociferous Beta
XTester".
X
XAnd finally, to my girlfriend Gilly, for her occasional large doses of
Xsanity. 8-)
X - alec
X--
XINET: a...@aber.ac.uk JANET: a...@uk.ac.aber BITNET: aem%aber@ukacrl
XUUCP: ...!mcsun!ukc!aber!aem ARPA: aem%uk.ac...@nsfnet-relay.ac.uk
XSNAIL: Alec Muffett, Computer Unit, Llandinam UCW, Aberystwyth, UK, SY23 3DB
X
END_OF_FILE
if test 16140 -ne `wc -c <'APPENDIX.4.0'`; then
echo shar: \"'APPENDIX.4.0'\" unpacked with wrong size!
fi
# end of 'APPENDIX.4.0'
fi
if test -f 'Sources/crack-fcrypt.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/crack-fcrypt.c'\"
else
echo shar: Extracting \"'Sources/crack-fcrypt.c'\" $22754 characters$
sed "s/^X//" >'Sources/crack-fcrypt.c' <<'END_OF_FILE'

X/*
X * Misc defs for the fast password transform optimisations.

X */
X
X#include "crack.h"
X

X/*
X * Data segment gathered into one place, try to keep this stuff long aligned
X * - AEM
X */
X
Xstatic char iobuf[16];
Xstatic obpb1 crypt_block[72]; /* 72 is next multiple of 8 bytes after 66 */
Xstatic sbpb24 KS[32];
Xstatic sbpb24 S0H[64], S1H[64], S2H[64], S3H[64];
Xstatic sbpb24 S4H[64], S5H[64], S6H[64], S7H[64];
Xstatic sbpb24 S0L[64], S1L[64], S2L[64], S3L[64];
Xstatic sbpb24 S4L[64], S5L[64], S6L[64], S7L[64];
Xstatic sbpb24 out96[4];
X
X/*
X * Start of the real thing
X */
X
Xvoid
Xfsetkey ()
X{
X /*
X * This used to be utterly horrendous. It still is, but it's much, much,
X * smaller... (and quite a bit faster...) - AEM
X */
X static unsb KeyToKS[] =
X {
X 9, 50, 33, 59, 48, 16, 32, 56, 1, 8, 18, 41, 2, 34, 25, 24,
X 43, 57, 58, 0, 35, 26, 17, 40, 21, 27, 38, 53, 36, 3, 46, 29,
X 4, 52, 22, 28, 60, 20, 37, 62, 14, 19, 44, 13, 12, 61, 54, 30,
X 1, 42, 25, 51, 40, 8, 24, 48, 58, 0, 10, 33, 59, 26, 17, 16,
X 35, 49, 50, 57, 56, 18, 9, 32, 13, 19, 30, 45, 28, 62, 38, 21,
X 27, 44, 14, 20, 52, 12, 29, 54, 6, 11, 36, 5, 4, 53, 46, 22,
X 50, 26, 9, 35, 24, 57, 8, 32, 42, 49, 59, 17, 43, 10, 1, 0,
X 48, 33, 34, 41, 40, 2, 58, 16, 60, 3, 14, 29, 12, 46, 22, 5,
X 11, 28, 61, 4, 36, 27, 13, 38, 53, 62, 20, 52, 19, 37, 30, 6,
X 34, 10, 58, 48, 8, 41, 57, 16, 26, 33, 43, 1, 56, 59, 50, 49,
X 32, 17, 18, 25, 24, 51, 42, 0, 44, 54, 61, 13, 27, 30, 6, 52,
X 62, 12, 45, 19, 20, 11, 60, 22, 37, 46, 4, 36, 3, 21, 14, 53,
X 18, 59, 42, 32, 57, 25, 41, 0, 10, 17, 56, 50, 40, 43, 34, 33,
X 16, 1, 2, 9, 8, 35, 26, 49, 28, 38, 45, 60, 11, 14, 53, 36,
X 46, 27, 29, 3, 4, 62, 44, 6, 21, 30, 19, 20, 54, 5, 61, 37,
X 2, 43, 26, 16, 41, 9, 25, 49, 59, 1, 40, 34, 24, 56, 18, 17,
X 0, 50, 51, 58, 57, 48, 10, 33, 12, 22, 29, 44, 62, 61, 37, 20,
X 30, 11, 13, 54, 19, 46, 28, 53, 5, 14, 3, 4, 38, 52, 45, 21,
X 51, 56, 10, 0, 25, 58, 9, 33, 43, 50, 24, 18, 8, 40, 2, 1,
X 49, 34, 35, 42, 41, 32, 59, 17, 27, 6, 13, 28, 46, 45, 21, 4,
X 14, 62, 60, 38, 3, 30, 12, 37, 52, 61, 54, 19, 22, 36, 29, 5,
X 35, 40, 59, 49, 9, 42, 58, 17, 56, 34, 8, 2, 57, 24, 51, 50,
X 33, 18, 48, 26, 25, 16, 43, 1, 11, 53, 60, 12, 30, 29, 5, 19,
X 61, 46, 44, 22, 54, 14, 27, 21, 36, 45, 38, 3, 6, 20, 13, 52,
X 56, 32, 51, 41, 1, 34, 50, 9, 48, 26, 0, 59, 49, 16, 43, 42,
X 25, 10, 40, 18, 17, 8, 35, 58, 3, 45, 52, 4, 22, 21, 60, 11,
X 53, 38, 36, 14, 46, 6, 19, 13, 28, 37, 30, 62, 61, 12, 5, 44,
X 40, 16, 35, 25, 50, 18, 34, 58, 32, 10, 49, 43, 33, 0, 56, 26,
X 9, 59, 24, 2, 1, 57, 48, 42, 54, 29, 36, 19, 6, 5, 44, 62,
X 37, 22, 20, 61, 30, 53, 3, 60, 12, 21, 14, 46, 45, 27, 52, 28,
X 24, 0, 48, 9, 34, 2, 18, 42, 16, 59, 33, 56, 17, 49, 40, 10,
X 58, 43, 8, 51, 50, 41, 32, 26, 38, 13, 20, 3, 53, 52, 28, 46,
X 21, 6, 4, 45, 14, 37, 54, 44, 27, 5, 61, 30, 29, 11, 36, 12,
X 8, 49, 32, 58, 18, 51, 2, 26, 0, 43, 17, 40, 1, 33, 24, 59,
X 42, 56, 57, 35, 34, 25, 16, 10, 22, 60, 4, 54, 37, 36, 12, 30,
X 5, 53, 19, 29, 61, 21, 38, 28, 11, 52, 45, 14, 13, 62, 20, 27,
X 57, 33, 16, 42, 2, 35, 51, 10, 49, 56, 1, 24, 50, 17, 8, 43,
X 26, 40, 41, 48, 18, 9, 0, 59, 6, 44, 19, 38, 21, 20, 27, 14,
X 52, 37, 3, 13, 45, 5, 22, 12, 62, 36, 29, 61, 60, 46, 4, 11,
X 41, 17, 0, 26, 51, 48, 35, 59, 33, 40, 50, 8, 34, 1, 57, 56,
X 10, 24, 25, 32, 2, 58, 49, 43, 53, 28, 3, 22, 5, 4, 11, 61,
X 36, 21, 54, 60, 29, 52, 6, 27, 46, 20, 13, 45, 44, 30, 19, 62,
X 25, 1, 49, 10, 35, 32, 48, 43, 17, 24, 34, 57, 18, 50, 41, 40,
X 59, 8, 9, 16, 51, 42, 33, 56, 37, 12, 54, 6, 52, 19, 62, 45,
X 20, 5, 38, 44, 13, 36, 53, 11, 30, 4, 60, 29, 28, 14, 3, 46,
X 17, 58, 41, 2, 56, 24, 40, 35, 9, 16, 26, 49, 10, 42, 33, 32,
X 51, 0, 1, 8, 43, 34, 25, 48, 29, 4, 46, 61, 44, 11, 54, 37,
X 12, 60, 30, 36, 5, 28, 45, 3, 22, 27, 52, 21, 20, 6, 62, 38
X };
X
X reg int i;
X reg int j;
X reg unsigned long r;
X reg unsb *k;
X
X k = KeyToKS;
X
X for (i = 0; i < 32; i++)
X {
X /* 16-bit tweaks suggested by cip...@fb6tcp.physik.uni-paderborn.de */
X /* inlining speedup tweak suggested by taho...@csd.harris.com */
X /* (strange addition compensates missing TF_TO_SIXBIT) */
X r = (unsigned long) crypt_block[*(k++)];
X r |= (unsigned long) crypt_block[*(k++)] << 1;
X r |= (unsigned long) crypt_block[*(k++)] << 2;
X r |= (unsigned long) crypt_block[*(k++)] << 3;
X r |= (unsigned long) crypt_block[*(k++)] << 4;
X r |= (unsigned long) crypt_block[*(k++)] << 5;
X r |= (unsigned long) crypt_block[*(k++)] << (2 + 6);
X r |= (unsigned long) crypt_block[*(k++)] << (2 + 7);
X r |= (unsigned long) crypt_block[*(k++)] << (2 + 8);
X r |= (unsigned long) crypt_block[*(k++)] << (2 + 9);
X r |= (unsigned long) crypt_block[*(k++)] << (2 + 10);
X r |= (unsigned long) crypt_block[*(k++)] << (2 + 11);
X r |= (unsigned long) crypt_block[*(k++)] << (4 + 12);
X r |= (unsigned long) crypt_block[*(k++)] << (4 + 13);
X r |= (unsigned long) crypt_block[*(k++)] << (4 + 14);
X r |= (unsigned long) crypt_block[*(k++)] << (4 + 15);
X r |= (unsigned long) crypt_block[*(k++)] << (4 + 16);
X r |= (unsigned long) crypt_block[*(k++)] << (4 + 17);
X r |= (unsigned long) crypt_block[*(k++)] << (6 + 18);
X r |= (unsigned long) crypt_block[*(k++)] << (6 + 19);
X r |= (unsigned long) crypt_block[*(k++)] << (6 + 20);
X r |= (unsigned long) crypt_block[*(k++)] << (6 + 21);
X r |= (unsigned long) crypt_block[*(k++)] << (6 + 22);
X r |= (unsigned long) crypt_block[*(k++)] << (6 + 23);
X KS[i] = r;
X }
X}
X
Xvoid
XXForm (saltvalue)
X sbpb24 saltvalue;
X{
X#ifdef BIG_ENDIAN /* Icarus Sparry, Bath - mod AEM */
X#define STEP --
X#define START &sdata.c[7]
X#define Dl sdata.b[1]
X#define Dh sdata.b[0]
X#else /* LITTLE_ENDIAN */
X#define STEP ++
X#define START &sdata.c[0]
X#define Dl sdata.b[0]
X#define Dh sdata.b[1]
X#endif
X union SDATA sdata;
X reg sbpb24 Rl;
X reg sbpb24 Rh;
X reg sbpb24 Ll;
X reg sbpb24 Lh;
X reg sbpb6 *dp;
X int loop;
X int kloop;
X sbpb24 *kp;
X reg sbpb24 k;
X#ifdef FDES_8BYTE
X reg sbpb24 tmpi;
X#endif /* FDES_8BYTE */
X
X Ll = Lh = Rl = Rh = 0;
X
X for (loop = 25; loop--; /* nothing */ )
X {
X kp = KS;
X for (kloop = 8; kloop--; /* nothing */ )
X {
X k = (Rl ^ Rh) & saltvalue;
X#ifndef FDES_8BYTE
X Dl = (k ^ Rl ^ *kp++) << SIZEFIX;
X Dh = (k ^ Rh ^ *kp++) << SIZEFIX;
X#else
X /* hack to make things work better - matthew kaufman */
X /* I haven't tried any of this - I don't have a cray... AEM */
X tmpi = (k ^ Rl ^ *kp++);
X sdata.c[3] = (tmpi >> 24) & 0x00ff;
X sdata.c[2] = (tmpi >> 16) & 0x00ff;
X sdata.c[1] = (tmpi >> 8) & 0x00ff;
X sdata.c[0] = (tmpi) & 0x00ff;
X tmpi = (k ^ Rh ^ *kp++);
X sdata.c[7] = (tmpi >> 24) & 0x00ff;
X sdata.c[6] = (tmpi >> 16) & 0x00ff;
X sdata.c[5] = (tmpi >> 8) & 0x00ff;
X sdata.c[4] = (tmpi) & 0x00ff;
X#endif /* FDES_8BYTE */
X
X dp = START;
X Lh ^= INDIRECT (S0H, *dp);
X Ll ^= INDIRECT (S0L, *dp STEP);
X Lh ^= INDIRECT (S1H, *dp);
X Ll ^= INDIRECT (S1L, *dp STEP);
X Lh ^= INDIRECT (S2H, *dp);
X Ll ^= INDIRECT (S2L, *dp STEP);
X Lh ^= INDIRECT (S3H, *dp);
X Ll ^= INDIRECT (S3L, *dp STEP);
X Lh ^= INDIRECT (S4H, *dp);
X Ll ^= INDIRECT (S4L, *dp STEP);
X Lh ^= INDIRECT (S5H, *dp);
X Ll ^= INDIRECT (S5L, *dp STEP);
X Lh ^= INDIRECT (S6H, *dp);
X Ll ^= INDIRECT (S6L, *dp STEP);
X Lh ^= INDIRECT (S7H, *dp);
X Ll ^= INDIRECT (S7L, *dp STEP);
X
X k = (Ll ^ Lh) & saltvalue;
X#ifndef FDES_8BYTE
X Dl = (k ^ Ll ^ *kp++) << SIZEFIX;
X Dh = (k ^ Lh ^ *kp++) << SIZEFIX;
X#else
X tmpi = (k ^ Ll ^ *kp++);
X sdata.c[3] = (tmpi >> 24) & 0x00ff;
X sdata.c[2] = (tmpi >> 16) & 0x00ff;
X sdata.c[1] = (tmpi >> 8) & 0x00ff;
X sdata.c[0] = (tmpi) & 0x00ff;
X tmpi = (k ^ Lh ^ *kp++);
X sdata.c[7] = (tmpi >> 24) & 0x00ff;
X sdata.c[6] = (tmpi >> 16) & 0x00ff;
X sdata.c[5] = (tmpi >> 8) & 0x00ff;
X sdata.c[4] = (tmpi) & 0x00ff;
X#endif /* FDES_8BYTE */
X
X dp = START;
X Rh ^= INDIRECT (S0H, *dp);
X Rl ^= INDIRECT (S0L, *dp STEP);
X Rh ^= INDIRECT (S1H, *dp);
X Rl ^= INDIRECT (S1L, *dp STEP);
X Rh ^= INDIRECT (S2H, *dp);
X Rl ^= INDIRECT (S2L, *dp STEP);
X Rh ^= INDIRECT (S3H, *dp);
X Rl ^= INDIRECT (S3L, *dp STEP);
X Rh ^= INDIRECT (S4H, *dp);
X Rl ^= INDIRECT (S4L, *dp STEP);
X Rh ^= INDIRECT (S5H, *dp);
X Rl ^= INDIRECT (S5L, *dp STEP);
X Rh ^= INDIRECT (S6H, *dp);
X Rl ^= INDIRECT (S6L, *dp STEP);
X Rh ^= INDIRECT (S7H, *dp);
X Rl ^= INDIRECT (S7L, *dp STEP);
X }
X
X Ll ^= Rl;
X Lh ^= Rh;
X Rl ^= Ll;
X Rh ^= Lh;
X Ll ^= Rl;
X Lh ^= Rh;
X }
X
X /*
X * for reasons that I cannot explain, if I insert the contents of the
X * UnXForm function right HERE, making the tweaks as necessary to avoid
X * using out96[] to pass data, I LOSE 30% of my speed. I don't know why.
X * Hence, I continue to use out96[]...
X */
X {
X reg sbpb24 *qp;
X qp = out96;
X *qp++ = Ll;
X *qp++ = Lh;
X *qp++ = Rl;
X *qp++ = Rh;
X }
X}
X
Xvoid
XUnXForm ()
X{
X reg sbpb24 Rl;
X reg sbpb24 Rh;
X reg sbpb24 Ll;
X reg sbpb24 Lh;
X reg obpb1 *ptr;
X reg long int mask;
X register long int *lip;
X
X Ll = SIXBIT_TO_TF (out96[0]);
X Lh = SIXBIT_TO_TF (out96[1]);
X Rl = SIXBIT_TO_TF (out96[2]);
X Rh = SIXBIT_TO_TF (out96[3]);
X
X#ifdef BUILTIN_CLEAR
X lip = (long int *) crypt_block;
X for (mask = (sizeof (crypt_block) / sizeof (long int)); mask--; /* - */ )
X {
X *(lip++) = 0L;
X }
X#else /* BUILTIN_CLEAR */
X bzero (crypt_block, 66);
X#endif /* BUILTIN_CLEAR */
X
X ptr = crypt_block;
X mask = 0x000400L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x400000L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000400L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x400000L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000200L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x200000L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000200L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x200000L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000100L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x100000L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000100L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x100000L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000080L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x080000L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000080L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x080000L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000010L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x010000L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000010L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x010000L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000008L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x008000L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000008L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x008000L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000004L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x004000L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000004L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x004000L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000002L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x002000L;
X if (Rl & mask)
X *ptr = 0x01;
X ptr++;
X if (Ll & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x000002L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X mask = 0x002000L;
X if (Rh & mask)
X *ptr = 0x01;
X ptr++;
X if (Lh & mask)
X *ptr = 0x01;
X ptr++;
X}
X
Xchar *
Xfcrypt (pw, salt)
X char *pw;
X char *salt;
X{
X /* Table lookups for salts reduce fcrypt() overhead dramatically */
X static sbpb24 salt0[] =
X {
X 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
X 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
X 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
X 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 5, 6, 7, 8, 9, 10, 11, 12,
X 13, 14, 15, 16, 17,
X
X 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
X 32, 33, 34, 35, 36, 37, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41,
X 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57,
X 58, 59, 60, 61, 62, 63, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
X 12, 13, 14, 15, 16, 17,
X
X 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
X 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
X 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
X 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,
X
X 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
X 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
X 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
X 0, 1, 2, 3, 4
X };
X static sbpb24 salt1[] =
X {
X 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, 1664,
X 1728, 1792, 1856, 1920, 1984, 2048, 2112, 2176, 2240, 2304,
X 2368, 2432, 2496, 2560, 2624, 2688, 2752, 2816, 2880, 2944,
X 3008, 3072, 3136, 3200, 3264, 3328, 3392, 3456, 3520, 3584,
X 3648, 3712, 3776, 3840, 3904, 3968, 4032, 0, 64, 128, 192, 256,
X 320, 384, 448, 512, 576, 640, 704, 320, 384, 448, 512, 576, 640,
X 704, 768, 832, 896, 960, 1024, 1088,
X
X 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, 1664,
X 1728, 1792, 1856, 1920, 1984, 2048, 2112, 2176, 2240, 2304,
X 2368, 2048, 2112, 2176, 2240, 2304, 2368, 2432, 2496, 2560,
X 2624, 2688, 2752, 2816, 2880, 2944, 3008, 3072, 3136, 3200,
X 3264, 3328, 3392, 3456, 3520, 3584, 3648, 3712, 3776, 3840,
X 3904, 3968, 4032, 0, 64, 128, 192, 256, 320, 384, 448, 512, 576,
X 640, 704, 768, 832, 896, 960, 1024, 1088,
X
X 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, 1664,
X 1728, 1792, 1856, 1920, 1984, 2048, 2112, 2176, 2240, 2304,
X 2368, 2432, 2496, 2560, 2624, 2688, 2752, 2816, 2880, 2944,
X 3008, 3072, 3136, 3200, 3264, 3328, 3392, 3456, 3520, 3584,
X 3648, 3712, 3776, 3840, 3904, 3968, 4032, 0, 64, 128, 192, 256,
X 320, 384, 448, 512, 576, 640, 704, 768, 832, 896, 960, 1024,
X 1088,
X
X 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, 1664,
X 1728, 1792, 1856, 1920, 1984, 2048, 2112, 2176, 2240, 2304,
X 2368, 2432, 2496, 2560, 2624, 2688, 2752, 2816, 2880, 2944,
X 3008, 3072, 3136, 3200, 3264, 3328, 3392, 3456, 3520, 3584,
X 3648, 3712, 3776, 3840, 3904, 3968, 4032, 0, 64, 128, 192, 256
X };
X
X /* final perutation desalting */
X static obpb1 final[] =
X {
X 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 65, 66,
X 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82,
X 83, 84, 85, 86, 87, 88, 89, 90, 97, 98, 99, 100, 101, 102, 103,
X 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116,
X 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129,
X 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142,
X 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155,
X 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168,
X 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181,
X 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194,
X 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207,
X 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220,
X 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233,
X 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246,
X 247, 248, 249, 250, 251, 252, 253, 254, 255,
X /* Truncate overflow bits at 256 */
X 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
X 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
X 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
X 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58
X };
X
X reg int i, j, k;
X reg long int *lip;
X sbpb24 saltvalue;
X
X#ifdef BUILTIN_CLEAR
X lip = (long int *) crypt_block;
X for (i = (sizeof (crypt_block) / sizeof (long int)); i--; /* - */ )
X {
X *(lip++) = 0L;
X }
X#else /* BUILTIN_CLEAR */
X bzero (crypt_block, 66);
X#endif /* BUILTIN_CLEAR */
X
X for (i = 0; (k = *pw) && i < 64; pw++)
X {
X crypt_block[i++] = (k >> 6) & 01;
X crypt_block[i++] = (k >> 5) & 01;
X crypt_block[i++] = (k >> 4) & 01;
X crypt_block[i++] = (k >> 3) & 01;
X crypt_block[i++] = (k >> 2) & 01;
X crypt_block[i++] = (k >> 1) & 01;
X crypt_block[i++] = (k >> 0) & 01;
X i++; /* have to skip one here (parity bit) */
X }
X
X fsetkey ( /* crypt_block */ );
X
X#ifdef BUILTIN_CLEAR
X lip = (long int *) crypt_block;
X for (i = (sizeof (crypt_block) / sizeof (long int)); i--; /* - */ )
X {
X *(lip++) = 0L;
X }
X#else /* BUILTIN_CLEAR */
X bzero (crypt_block, 66);
X#endif /* BUILTIN_CLEAR */
X
X iobuf[0] = salt[0];
X iobuf[1] = salt[1];
X
X saltvalue = salt0[iobuf[0]] | salt1[iobuf[1]];
X saltvalue = TF_TO_SIXBIT (saltvalue);
X
X XForm (saltvalue);
X UnXForm ();
X
X for (i = 0; i < 11; i++)
X {
X k = 0;
X
X for (j = 0; j < 6; j++)
X {
X k = (k << 1) | crypt_block[SIX_TIMES (i) + j];
X }
X iobuf[i + 2] = final[k];
X }
X
X iobuf[i + 2] = 0;
X
X if (iobuf[1] == 0)
X {
X iobuf[1] = iobuf[0];
X }
X return (iobuf);
X}
X/********* INITIALISATION ROUTINES *********/
X
Xfbpb4
XlookupS (tableno, t6bits)
X unsl tableno;
X sbpb6R t6bits;
X{
X static fbpb4R S[8][64] =
X {
X 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
X 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
X 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
X 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,
X
X 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
X 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
X 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
X 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9,
X
X 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
X 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
X 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
X 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12,
X
X 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
X 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
X 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
X 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14,
X
X 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
X 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
X 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
X 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3,
X
X 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
X 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
X 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
X 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13,
X
X 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
X 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
X 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
X 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12,
X
X 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
X 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
X 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
X 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11,
X };
X sbpb6 fixed6bits;
X fbpb4R r;
X fbpb4 fixedr;
X
X fixed6bits = (((t6bits >> 0) & 01) << 5) +
X (((t6bits >> 1) & 01) << 3) +
X (((t6bits >> 2) & 01) << 2) +
X (((t6bits >> 3) & 01) << 1) +
X (((t6bits >> 4) & 01) << 0) +
X (((t6bits >> 5) & 01) << 4);
X
X r = S[tableno][fixed6bits];
X
X fixedr = (((r >> 3) & 01) << 0) +
X (((r >> 2) & 01) << 1) +
X (((r >> 1) & 01) << 2) +
X (((r >> 0) & 01) << 3);
X
X return (fixedr);
X}
X
Xvoid
Xinit (tableno, lowptr, highptr)
X unsl tableno;
X sbpb24 *lowptr, *highptr;
X{
X
X static unsb P[] =
X {
X 15, 6, 19, 20,
X 28, 11, 27, 16,
X 0, 14, 22, 25,
X 4, 17, 30, 9,
X 1, 7, 23, 13,
X 31, 26, 2, 8,
X 18, 12, 29, 5,
X 21, 10, 3, 24,
X };
X
X static unsb E[] =
X {
X 31, 0, 1, 2, 3, 4,
X 3, 4, 5, 6, 7, 8,
X 7, 8, 9, 10, 11, 12,
X 11, 12, 13, 14, 15, 16,
X 15, 16, 17, 18, 19, 20,
X 19, 20, 21, 22, 23, 24,
X 23, 24, 25, 26, 27, 28,
X 27, 28, 29, 30, 31, 0,
X };
X
X static obpb1 tmp32[32];
X static obpb1 tmpP32[32];
X static obpb1 tmpE[48];
X
X int j, k, i;
X int tablenoX4;
X reg sbpb24 spare24;
X
X tablenoX4 = tableno * 4;
X
X for (j = 0; j < 64; j++)
X {
X k = lookupS (tableno, j);
X
X for (i = 0; i < 32; i++)
X {
X tmp32[i] = 0;
X }
X for (i = 0; i < 4; i++)
X {
X tmp32[tablenoX4 + i] = (k >> i) & 01;
X }
X for (i = 0; i < 32; i++)
X {
X tmpP32[i] = tmp32[P[i]];
X }
X for (i = 0; i < 48; i++)
X {
X tmpE[i] = tmpP32[E[i]];
X }
X
X lowptr[j] = 0;
X highptr[j] = 0;
X
X for (i = 0; i < 24; i++)
X {
X lowptr[j] |= (unsigned long) tmpE[i] << i;
X }
X for (k = 0, i = 24; i < 48; i++, k++)
X {
X highptr[j] |= (unsigned long) tmpE[i] << k;
X }
X
X spare24 = lowptr[j]; /* to allow for macro expansion */
X lowptr[j] = TF_TO_SIXBIT (spare24);
X spare24 = highptr[j]; /* to allow for macro expansion */
X highptr[j] = TF_TO_SIXBIT (spare24);
X }
X}
Xinit_des ()
X{
X init (0L, S0L, S0H);
X init (1L, S1L, S1H);
X init (2L, S2L, S2H);
X init (3L, S3L, S3H);
X init (4L, S4L, S4H);
X init (5L, S5L, S5H);
X init (6L, S6L, S6H);
X init (7L, S7L, S7H);
X}
END_OF_FILE
if test 22754 -ne `wc -c <'Sources/crack-fcrypt.c'`; then
echo shar: \"'Sources/crack-fcrypt.c'\" unpacked with wrong size!
fi
# end of 'Sources/crack-fcrypt.c'
fi
echo shar: End of archive 3 $of 5$.
cp /dev/null ark3isdone

Alec Muffett

unread,

Nov 3, 1991, 6:16:04 PM11/3/91

Submitted-by: a...@aber.ac.uk (Alec David Muffett)

Posting-number: Volume 25, Issue 8
Archive-name: crack/part04

Environment: UNIX
Supersedes: crack: Volume 23, Issue 1-5

#! /bin/sh

# "End of archive 4 (of 5)."
# Contents: Docs/README.ms Sources/crack-pwc.c
# Wrapped by aem@aberda on Thu Oct 24 11:14:44 1991

PATH=/bin:/usr/bin:/usr/ucb ; export PATH

if test -f 'Docs/README.ms' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Docs/README.ms'\"
else
echo shar: Extracting \"'Docs/README.ms'\" $28316 characters$
sed "s/^X//" >'Docs/README.ms' <<'END_OF_FILE'
X.de C
X.ie n .B "\\$1" \\$2
X.el .CW "\\$1" \\$2
X..
X.TL
X"Crack Version 4.0a"
X.br
XA Sensible Password Checker for Unix
X.AU
XAlec D.E. Muffett
X.AI
XComputer Unit, University College of Wales
XAberystwyth, Wales, SY23 3DB
X.I a...@aber.ac.uk
X+44 970 622492
X.AB
X.B Crack
Xis a freely available program designed to find standard Unix
Xeight-character DES encrypted passwords by standard guessing techniques
Xoutlined below. It is written to be flexible, configurable and fast,
Xand to be able to make use of several networked hosts via the Berkeley
X.C rsh
Xprogram (or similar), where possible.
X.AE
X.NH 1
XIntroduction to Version 4.0
X.LP
XCrack is now into it's fourth version, and has been reworked extensively
Xto provide extra functionality, and the purpose of this release is to
Xconsolidate as much of this new functionality into as small a package as
Xpossible. To this end, Crack may appear to be less configurable: it has
Xbeen written on the assumption that you run a fairly modern Unix, one
Xwith BSD functionality, and then patched in order to run on other
Xsystems.
X.LP
XThis, surprisingly enough, has led to neater code, and has made possible
Xthe introduction of greater flexibility which supercedes many of the
Xoptions that could be configured in earlier versions of Crack. In the
Xsame vein, some of the older options are now mandatory. These, such as
X.I "feedback mode"
Xand
X.C CRACK_PRINTOUT
Xare no longer supported as options and probably never will be again.
XThere is just a lot of wastage in not running with them, and too many
Xdependencies in other functions to bother programming around them.
X.LP
XThe user interface is basically identical to the previous versions,
Xalthough some people have asked about providing X-windows GUI's to
XCrack, I think it would be a waste of time to do so. Crack has far
Xless options than your ordinary version of
X.C /bin/ls .
X.LP
XWith all that over, let's kick some (ass|arse|but(t)?)\**
X.FS
XAn obscure
X.I lex
Xjoke, inserted only for the purpose of allowing an example footnote for
Xmy reference - sorry - AEM
X.C 8-)
X.FE
X.NH 1
XCrack Methodology - Part 1: Internals
X.LP
XCrack takes a series of password files and throws logic and dictionaries
Xat the passwords therein, in order to find passwords which are based
Xupon personal information or dictionary words, and are therefore
Xinsecure. It does
X.B not

Xattempt to remedy this situation, and it shoult

X.B NOT
Xbe used in place of getting a really good secure
X.C passwd
Xprogram replacement.
X.LP
XThe above statement defines the purpose of Crack, and embodies a great
Xamount to hard work, graft, screams of
X.I Eureka! ,
Xand a fair amount of swearing too. There is a great deal of thinking
Xbehind the way that Crack attacks password files, and although not
Xperfect, I certainly hope that Crack will out-do most of it's
Xcompetitors.
X.LP
XCrack works by making several passes over the password entries that you
Xsupply to it. Each pass works by generating password guesses based upon
Xa sequence of assertions, or rules, supplied to the program by the user.
XThe rules are specified in a simplistic language, in the files
X.C gecos.rules
Xand
X.C dicts.rules
Xin the
X.C Scripts
Xdirectory.
XThe distinction between these two files will be made clear later.
X.LP
XThe rules are written as a simple string of characters, with one rule to
Xa line. Blank lines, and comment lines beginning with a hash character
X.B #
Xare ignored. Trailing whitespace is also ignored. The instructions in
Xthe word are followed left to right, and are applied to the dictionary
Xwords in sequence. A couple of simple pattern matching primitives are
Xsupplied for selection purposes. The syntax is as follows:
X.IP :
XNo-op; do nothing to the word. This is useful as a space delimiter.
X.IP <n
XReject the word unless it is
X.B "LESS THAN"
X.I n
Xcharacters long, where
X.I n
Xis a digit 0-9, or a letter a-z for the values 10-35, respectively.
X.IP >n
XReject the word unless it is
X.B "MORE THAN"
X.I n
Xcharacters long, where
X.I n
Xis a digit 0-9, or a letter a-z for the values 10-35, respectively.
X.IP /x
XReject the word unless it contains the character 'x'.
X.IP !y
XReject the word unless it does not contain the character 'y'.
X.IP ^x
XPrepend character 'x' to the word.
X.IP $y
XAppend character 'y' to the word.
X.IP l
XForce the word to lowercase.
X.IP u
XForce the word to uppercase.
X.IP c
XCapitalise the word, lowercasing all other letters.
X.IP r
XReverse the word back-to-front.
X.IP d
XDuplicate the word, so that
X.I fred
Xbecomes
X.I fredfred
X.IP f
XReflect the word (mirror image), so that
X.I fred
Xbecomes
X.I fredderf
X.IP p
XMake best attempt to pluralise the word, assuming that it is lowercase.
X.IP sxy
XSubstitute 'x' for 'y' throughout the word.
X.IP xnm
XExtract the string starting at position 'n' (starts at 0) for a length
Xof up to 'm' characters, where 'n' and 'm' are digits in the range 0-9,
Xor letters a-z for the values 10-35, respectively.
X.sp 1v
X.LP

XSo, example rules could be:

X.IP c
XCapitalise the word.
X.I fred
Xbecomes
X.I Fred
X.IP l$?
XLowercase the word and append a questionmark.
X.I fred
Xbecomes
X.I fred?
X.IP l/oso0c
XLowercase the word, select it only if it contains the letter 'o' and
Xsubstitute all o's for zeros, and capitalise it.
XBoth
X.I COLLEGE
Xand
X.I college
Xbecome
X.I C0llege
X.IP <8l/i/olsi1so0$=
XReject the word unless it is less that 8 characters long, lowercase the
Xword, reject it if it does not contain both the letter 'i' and the
Xletter 'o', substitute all i's for 1's, substitute all o's for 0's, and
Xappend an = sign.
X.IP
XThe reasoning for the 8 character test is that since, with standard
X.I crypt()
Xtype algorithms, the password is truncated at 8 characters, there is no
Xpoint in bolting a letter onto the end of a word if it is 8 or more
Xcharacters long already.
X.IP <7l^($)
XReject the word unless it is less than 7 characters long, lowercase it,
Xprepend a '(' and append a ')'. Thus
X.I fred
Xbecomes
X.I (fred)
X.IP "$ :"
X(ie: <dollar><space><colon>) Append a space character to the word (note
Xthat if you do not add the trailing no-op after the space, a syntax
Xerror will be generated since there is nothing to delineate the space
Xcharacter - remember: trailing whitespace is ignored).
X.sp 1v
X.LP

XBefore you go on, I suggest you browse through the

X.C Scripts/*.rules
Xfiles, and take a look at the rules that I supply as defaults, and try
Xto work out what they do.
X.LP
XThe rules are stored in two different files for two different purposes.
XRules in
X.C Scripts/gecos.rules
Xare applied to data generated by Crack from the pw_gecos and pw_gecos

Xentries of the user's password entry.

X.LP

XThe data generated by Crack and fed to the gecos rules

Xfor the user
X.I "aem",
Xwho is
X.I "Alec David Muffett, Compunit"
Xwould be:
X.I "aem",
X.I "Alec",
X.I "David",
X.I "Muffett",
X.I "Compunit",
Xand a series of permutations of those words, either re-ordering the
Xwords and joining them together (eg:
X.I "AlecMuffett" ),
Xor making up new words based on initial letters of one word taken with
Xthe rest of another (eg:
X.I "AMuffett" ).
X.LP
XThe entire set of rules in gecos.rules is applied to each of these
Xwords, which creates many more permutations and combinations, all of
Xwhich are tested. Hence testing the password gecos information under
XCrack v4.0 takes somewhat longer than it used to, but it is far more
Xthorough.
X.sp 1v
X.LP
XAfter a pass has been made over the data based on gecos information,
XCrack makes further passes over the password data using successive rules
Xfrom the
X.C Scripts/dicts.rules
Xby loading the entire
X.C Dicts/bigdict
Xfile into memory, with the rule being applied to each word from that
Xfile. This generates a
X.I "resident dictionary" ,
Xwhich is generated is sorted and uniqued so as to prevent wasting time
Xon repetition. After each pass is completed, the memory used by the
Xresident dictionary is freed up, and (hopefully) re-used when the next
Xdictionary is loaded.
X.LP
XThe
X.C Dicts/bigdict
Xdictionary is created by Crack by merging, sorting, and uniq'ing the
Xsource dictionaries, which are to be found in the directory
X.C DictSrc
Xor, alternatively, may be named in the Crack shellscript, via the
X.C $STDDICT
Xvariable. The default dictionary named in the Crack script is
X.C /usr/dict/words .
X.LP
XThe file
X.C DictSrc/bad_pws.dat
Xwhich is meant to provide many of those common, non-dictionary
Xpasswords, such as
X.I 12345678
Xor
X.I qwerty .
XIf you wish to add a dictionary of your own, just copy it into the
X.C DictSrc
Xdirectory (and use
X.C compress
Xon it if you wish to save space; Crack will unpack it whilst generating
Xthe big dictionary) and then delete the contents of the
X.C Dicts
Xdirectory by running
X.C Scripts/spotless .
XYour new dictionary will be merged in on the next run.
XFor more information on dictionary attacks, see the paper called
X"Foiling the Cracker: A Survey of, and Improvements to, Password
XSecurity" by Daniel Klein, available from
X.I "ftp.sei.cmu.edu"
Xin
X.I "~/pub/dvk/passwd.*" .
XAlso, please read the
X.C APPENDIX
Xfile supplied with this distribution.\**
X.FS
XExtra dictionaries (those detailed in Dan Klein's paper) can be
Xobtained via anonymous FTP from
X.I uunet.uu.net
X(192.48.96.2) as
X.I ~/pub/dictionaries.tar.Z ;
XCheck an
X.I Archie
Xdatabase for other possible sources of dictionaries.
X.FE
X.LP
XHaving described the method of cracking, perhaps we should now
Xinvestigate the algorithm used to overlay the cracking mechanism.
X.NH 1
XCrack Methodology - Part 2: Feedback Filters
X.LP
XAs is stated above, Crack v4.0 permutes and loads dictionaries directly
Xinto memory, sorts and uniques them, before attempting to use each of
Xthe words as a guess for each users' password. If Crack correctly
Xguesses a password, it marks the user as 'done' and does not waste
Xfurther time on trying to break that users password.
X.LP
XOnce Crack has finished a dictionary pass, it sweeps the list of users
Xlooking for the passwords it has cracked. It stores the broken passwords
Xin both plaintext and encrypted forms in a
X.I "feedback file"
Xin the directory
X.C Runtime .
XFeedback files have names of the form
X.C Runtime/F.* .
X.LP
XThe purpose of this is so that, when Crack is next invoked, it may
Xrecognise passwords that it has successfully cracked before, and filter
Xthem from the input to the password cracker. This provides an
X.I instant
Xlist of crackable users who have not changed their passwords since the
Xlast time Crack was run. This list appears in a file named
X.C out.i*
Xin the
X.C $CRACK_OUT
Xdirectory, or on
X.I stdout ,
Xif foreground mode is invoked (see
X.I Options ,
Xbelow).
X.LP
XIn a similar vein, when a Crack run terminates normally, it writes out
Xto the feedback file all encrypted passwords that it has
X.B NOT
Xsucceeded in cracking. Crack will then ignore all of these passwords
Xnext time you run it.
X.LP
XObviously, this is not desirable if you frequently change your
Xdictionaries or rules, and so there is a script provided,
X.C Scripts/mrgfbk
Xwhich sorts your feedback files, merges them into one, and optionally
Xremoves all traces of 'uncrackable' passwords, so that your next Crack
Xrun can have a go at passwords it has not succeeded in breaking before.
X.LP
X.C Mrgfbk
Xis invoked automatically if you run
X.C Scripts/spotless .
X.NH 1
XCrack Methodology - Part 3: Execution and Networking
X.LP
XEach time Crack is invoked, whether networked or not, it generates a
X.I diefile
Xwith a name of the form
X.C Runtime/D.*
X(for network cracks, this file is generated by RCrack, and is of the form
X.C Runtime/D.rem*
Xwhich points to a
X.B real
Xdiefile, named
X.C Runtime/RD.*
X- see below for details).
X.LP
XThese diefiles contain debugging information about the job, and are
Xgenerated so that all the jobs on the entire network can be called
Xquickly by invoking
X.C Scripts/plaster .
XDiefiles delete themselves after they have been run.
X.LP

XAs you will read in the sections below, Crack has a

X.C "-network"
Xoption: This is designed to be a simple method of automatically
Xspreading the load of password cracking out over several machines on a
Xnetwork, preferably if they are connected by some form of networked
Xfilestore.
X.LP
XWhen
X.C "Crack -network"
Xis invoked, it filters its input in the ordinary way, and then splits
Xits load up amongst several machines which are specified in the file
X.C Scripts/network.conf .
X.LP
XThis file contains a series of hostnames, power ratings, flags, etc,
Xrelevant to the running of Crack on each machine. Crack then calls
X.C Scripts/RCrack
Xto use the
X.C rsh
Xcommand (or similar) to invoke Crack on the other hosts. See the RCrack
Xscript, and the example network.conf file for details.
X.NH 1
XInstallation
X.LP
XCrack is one of those most unusual of beasties, a self-installing
Xprogram. Some people have complained about this apparent weirdness, but
Xit has grown up with Crack ever since the earliest network version, when
XI could not be bothered to log into several different machines with
Xseveral different architectures, just in order to build the binaries.
XOnce the necessary configuration options have been set, the executables
Xare created via
X.C make
Xby running the Crack shellscript .
X.LP

XCrack's configuration lies in two files, the

X.C Crack
Xshell script, which contains all the installation specific configuration
Xdata, and the file
X.C Sources/conf.h ,
Xwhich contains configuration options specific to various binary platforms.
X.LP

XIn the Crack shellscript, you will have to edit the

X.C CRACK_HOME
Xvariable to the correct value. This variable should be set to an
Xabsolute path name (names relative to
X.I ~username
Xare OK, so long as you have some sort of
X.C csh )
Xthrough which the directory containing Crack may be accessed on
X.B ALL
Xthe machines that Crack will be run on. There is a similar variable
X.C CRACK_OUT
Xwhich specifies where Crack should put its output files - by default,
Xthis is the same as
X.C "$CRACK_HOME" .
X.LP

XYou will also have to edit the file

X.C Sources/conf.h
Xand work out which switches to enable. Each
X.C #define
Xhas a small note explaining its purpose. Where I have been in doubt about
Xthe portability of certain library functions, usually I have re-written
Xit, so you should be OK. Let me know of your problems, if you have any.
X.LP

XIf you will be using

X.C "Crack -network"
Xyou will then have to generate a
X.C Scripts/network.conf
Xfile. This contains a list of hostnames to
X.C rsh
Xto, what their
X.I "binary type"
Xis (useful when running a network Crack on several different
Xarchitectures), a guesstimate of their
X.I "relative power"
X(take your slowest machine as unary, and measure all others relative to

Xit), and a list of per-host

X.I flags
Xto
X.B add
Xto those specified on the
X.C Crack
Xcommand line, when calling that host. There is an example of such a
Xfile provided in the Scripts directory - take a look at it.
X.LP
XIf ever you wish to specify a more precise figure as to the relative
Xpower of your machines, or you are simply at a loss, play with the
Xcommand
X.C "make tests"
Xin the source code directory. This can provide you with the number of
Xfcrypt()s that your machine can do per second, which is a number that
Xyou can plug into your
X.C network.conf
Xas a measure of your machines' power (after rounding the value to an
Xinteger).
X.NH 1
XUsage
X.LP

XOkay, so, let's assume that you have edited your

X.C Crack
Xscript, and your
X.C Sources/conf.h
Xfile, where do you go from here ?
X.LP
X.DS B
X.fi
X.C Crack
X[\c
X.I options ]
X[\c
X.I bindir ]
X.C /etc/passwd
X[...other passwd files]
X.sp 1v
X.C "Crack -network"
X[\c
X.I options ]
X.C /etc/passwd
X[...other passwd files]
X.DE
X.LP
XWhere
X.B bindir
Xis the optional name of the directory where you want the binaries
Xinstalled. This is useful where you want to be able to run versions of
XCrack on several different architectures. If
X.B bindir
Xdoes not exist, a warning will be issued, and the directory created.
X.QP
XNote:
X.B bindir
Xdefaults to the name
X.C generic
Xif not supplied.
X.QP
X.LP
X.B "Notes for Yellow Pages (NIS) Users:"
XI have occasional queries about how to get Crack running from a YP
Xpassword file. There are several methods, but by far the simplest is to
Xgenerate a passwd format file by running:-
X.DS B
X.C "ypcat passwd > passwd.yp"
X.DE

Xand then running Crack on this file.

X.NH 1
XOptions
X.IP "\fB-f\fP"
XRuns Crack in
X.I foreground
Xmode, ie: the password cracker is not backgrounded, and messages appear
Xon stdout and stderr as you would expect. This option is only really
Xuseful for very small password files, or when you want to put a wrapper
Xscript around Crack.
X.IP
XForeground mode is disabled if you try running
X.C "Crack -network -f"
Xon the command line, because of the insensibility of
X.C rsh ing
Xto several machines in turn, waiting for each one to finish before
Xcalling the next. However, please read the section about
X.I "Network Cracking without NFS/RFS" ,
Xbelow.
X.IP "\fB-v\fP"
XSets verbose mode, whereby Crack will print every guess it is trying on
Xa per-user basis. This is a very quick way of flooding your filestore,
Xbut useful if you think something is going wrong.
X.IP "\fB-m\fP"
XSends mail to any user whose password you crack by invoking
X.C Scripts/nastygram
Xwith their username as an argument. The reason for using the script is
Xso that a degree of flexibility in the format of the mail message is
Xsupplied; ie: you don't have to recompile code in order to change the
Xmessage.\**
X.FS
XI'm uncertain about the wisdom of mailing someone like this. If someone
Xbrowses your cracked user's mail somehow, it's like a great big neon
Xsign pointing at the user saying "This Is A Crackable Account - Go For
XIt!". Not to mention the false sense of security it engenders in the
XSystem Manager that he's "informed" the user to change his password.
XWhat if the user doesn't log on for 3 months? However, so many people
Xhave wired it into their own versions of Crack, I suppose it
X.B must
Xbe provided... AEM
X.FE
X.IP "\fB-nvalue\fP"
XSets the process to be
X.C nice() ed
Xto
X.I value ,
Xso, for example, the switch
X.C \&-n19
Xsets the Crack process to run at the lowest priority.
X.IP "\fB-network\fP"
XThrows Crack into network mode, in which it reads the
X.C Scripts/network.conf
Xfile, splits its input into chunks which are sized according to the
Xpower of the target machine, and calls
X.C rsh
Xto run Crack on that machine. Options for Crack running on the target
Xmachine may be supplied on the command line (eg: verbose or recover
Xmode), or in the network.conf file if they pertain to specific hosts
X(eg:
X.C nice()
Xvalues).
X.IP "\fB-r<pointfile>\fP"
XThis is only for use when running in
X.I recover
Xmode. When a running Crack starts pass 2, it periodically saves its
Xstate in a
X.I pointfile ,
Xwith a name of the form
X.C "Runtime/P.*"
XThis file can be used to recover where you were should a host crash.
XSimply invoke Crack in
X.B exactly
Xthe same manner as the last time, with the addition of the
X.C "-r"
Xswitch, (eg:
X.C "-rRuntime/P.12345" )
Xswitch. Crack will startup and read the file, and jump to roughly where
Xit left off. If you are cracking a very large password file, this can
Xsave oodles of time after a crash.
X.IP
XIf you were running a
X.I network
XCrack, then the jobs will again be spawned onto all the machines of the
Xoriginal Crack. The program will then check that the host it is running
Xon is the same as is mentioned in the pointfile. If it is not, it will
Xquietly die. Thus, assuming that you supply the same input data and do
Xnot change your
X.C network.conf
Xfile, Crack should pick up where it left off. This is a bit inelegant,
Xbut it's better than nothing at the moment.
X.IP
XThe method of error recovery outlined above causes headaches for users
Xwho want to do multiprocessing on parallel architectures. Crack is in
Xno way parallel, and because of the way it's structured (reading stdin
Xfrom shellscript frontends) it is a pain to divide the work amongst
Xseveral processes via
X.C fork() ing.
X.IP
XThe hack solution to get several copies of Crack running on one machine
Xwith
X.I n
Xprocessors at the moment is to insert
X.I n
Xcopies of the entry for your parallel machine into the
X.C Scripts/network.conf
Xfile. If you use the
X.C \&-r
Xoption in these circumstances however, you will get
X.I n
Xcopies of the recovered process running, only one of them will have the
Xcorrect input data.
X.IP
XThe old solution to this problem (see old documentation if you are
Xinterested) has been negated by the introduction of feedback mode, so
Xthe best bet in this particular situation is to wait until the other
Xjobs are done (and have written out lists of uncrackable passwords), and
Xthen re-start the jobs from scratch. Anyone whose password was not
Xcracked on the first run will be ignored on the second, if they have not
Xchanged it since. This is inelegant, but it's the best I can do in the
Xlimited time available.
X.NH
XSupport Scripts
X.LP
XThe
X.C Scripts
Xdirectory contains a small number of support and utility scripts, some
Xof which are designed to help Crack users check their progress.
XBriefly, the most useful ones are:-
X.IP "\fBScripts/shadmrg\fP"
XThis is a small (but hopefully readable) script for merging
X.C /etc/passwd
Xand
X.C /etc/shadow
Xon System V style shadow password systems. It produces the merged data
Xto stdout, and will need redirecting into a file before Crack can work
Xon it. The script is meant to be fairly lucid, on the grounds that I
Xworry that there are many shadowing schemes out there, and perhaps not
Xall have the same data format.
X.IP
X.B "I have not"
Xwired this facility into the Crack command itself because the world does
X.B NOT
Xrevolve around System V yet, regardless of what some people would have
Xme believe, and I believe that the lack of direct support for NIS
Xoutlined above, sets a precedent. There are just too many
Xincompatibilities in shadow password schemes for me to hardwire
Xanything.
X.IP "\fBScripts/plaster\fP"
Xwhich is named after a dumb joke, but is a simple frontend to the
X.C "Runtime/D.*"
Xdiefiles that each copy of the password cracker generates. Invoking
X.C Scripts/plaster
Xwill kill off all copies of the password cracker you are running, over
Xthe network or otherwise.
X.IP "\fBScripts/status\fP"
XThis script
X.C rsh es
Xto each machine mentioned in the
X.C Scripts/network.conf
Xfile, and provides some information about processes and uptime on that
Xmachine. This is useful when you want to find out just how well your
Xpassword crackers are getting on during a
X.C "Crack -network" .
X.IP "\fBScripts/{clean,spotless}\fP"
XThese are really just frontends to a makefile. Invoking
X.C Scripts/clean
Xtidies up the Crack home directory, and removes probably unwanted files,
Xbut leaves the pre-processed dictionary
X.C bigdict
Xintact.
X.C Scripts/spotless
Xdoes the same as
X.C Scripts/clean
Xbut obliterates
X.C bigdict
Xand old output files too, and compresses the feedback files into one.
X.IP "\fBScripts/nastygram\fP"
XThis is the shellscript that is invoked by the password cracker to send
Xmail to users who have guessable passwords, if the
X.C -m
Xoption is used. Edit it at your leisure to suit your system.
X.IP "\fBScripts/guess2fbk\fP"
XThis script takes your
X.C out.*
Xfiles as arguments and reformats the 'Guessed' lines into a slightly
Xmessy
X.I feedback
Xfile, suitable for storing with the others.
X.IP
XAn occasion where this might be useful is when your cracker has guessed
Xmany peoples passwords, and then died for some reason (a crash?) before
Xwriting out the guesses to a feedback file. Running
X.DS B
X.C "Scripts/guess2fbk out.* >> Runtime/F.new"
X.DE
Xwill save the work that has been done.
X.NH 1
XNetwork Cracking without NFS/RFS
X.LP

XFor those users who have some form of

X.C rsh
Xcommand, but do not have a a networked filestore running between hosts,
Xthere is now a solution which will allow you to do networked cracking,
Xproposed to me by Brian Tompsett at Hull. Personally, I consider the
Xidea to be potty, but it fills in missing functionality in a wonderfully
Xtacky manner.
X.LP
XFrom the documentation above, you will note that Crack will undo the
X.C "-f"
X.I "(output in foreground)"
Xoption, if it is invoked with the
X.C "-network"
Xswitch at the same time (see the
X.I Options
Xsection above). This is true, but it does not apply if you specify
X.C "-f"
Xoption in the
X.C network.conf
Xfile.
X.LP
XThe practical upshot of doing this is that remote copies of Crack
Xcan be made to read from
X.I stdin
Xand write to
X.I stdout
Xover a network link, and thus remote processing is accomplished. I have
Xtweaked Crack in such a way, therefore, that if the
X.C "-f"
Xoption is specified amongst the crack-flags of a host in the
Xnetwork.conf, rather than backgrounding itself on the remote host, the
X.C rsh
Xcommand on the
X.B server
Xis backgrounded, and output is written directly to the files on the
Xserver's filestore.
X.LP
XThere are restrictions upon this method, mostly involving the number of
Xprocesses that a user may run on the server at any one time, and that
Xyou will have to collect feedback output together manually (dropping it
Xinto the
X.C Runtime
Xdirectory on the server). However, it works. Also, if you try to use
X.C rsh
Xas another user, you will suffer problems if
X.C rsh
Xinsists on reading something from your terminal (eg: a password for the
Xremote account). Also, recovering using checkpointing goes out the
Xwindow unless you specify the name of the pointfile as it is named
Xon the remote machine.
X.NH 1
XNotes on fast crypt() implementations
X.LP

XThe stdlib version of the

X.C crypt()
Xsubroutine is incredibly slow. It is a
X.I massive
Xbottleneck to the execution of Crack and on typical platforms that you
Xget at universities, it is rare to find a machine which will achieve
Xmore than 50 standard crypt() s per second. On low-end diskless
Xworkstations, you may expect 2 or 3 per second. It was this slowness of
Xthe crypt() algorithm which originally supplied much of the security
XUnix needed.\**
X.FS
XSee: "Password Security, A Case History" by Bob Morris & Ken Thomson, in
Xthe Unix Programmer Docs.
X.FE
X.LP
XThere are now
X.B many
Ximplementations of faster versions of crypt()
Xto be found on the network. The one supplied with Crack v3.2 and
Xupwards is called
X.C fcrypt() .
XIt was originally written in May 1986 by Robert Baldwin at MIT, and is a
Xgood version of the crypt() subroutine. I received a copy from Icarus
XSparry at Bath University, who had made a couple of portability
Xenhancements to the code.
X.LP
XI rewrote most of the tables and the KeySchedule generating algorithm in
Xthe original
X.I fdes-init.c
Xto knock 40% off the execution overhead of fcrypt() in the form that it
Xwas shipped to me. I inlined a bunch of stuff, put it into a single
Xfile, got some advice from Matt Bishop and Bob Baldwin [both of whom I
Xam greatly indebted to] about what to do to the
X.C xform()
Xroutine and to the fcrypt function itself, and tidied up some
Xalgorithms. I have also added more lookup tables and reduced several
Xformula for faster use. Fcrypt() is now barely recognisable as being
Xbased on its former incarnation, and it is 3x faster.
X.LP
XOn a DecStation 5000/200, fcrypt() is about 16 times faster than the
Xstandard crypt (your mileage may vary with other architectures and
Xcompilers). This speed puts fcrypt() into the "moderately fast" league
Xof crypt implementations. There
X.B are
Xfaster versions of crypt to be had (eg:
X.C UFC )
Xwhich may be found on the network. The advantage of fcrypt() is that I
Xsupport it, understand it, and can distribute and fix it without hassle.
XIf you want to play around with other crypts, that is up to you. Feel
Xfree.
X.C 8-)
X.NH 1
XConclusions
X.LP
XWhat can be done about brute force attacks on your password file ?
X.LP

XYou must get a drop-in replacement for the

X.C passwd
Xand
X.C yppasswd
Xcommands; one which will stop people from choosing bad passwords in the
Xfirst place. There are several programs to do this; Matt Bishop's
X.C "passwd+"
Xand Clyde Hoover's
X.C "npasswd"
Xprogram are good examples which are freely available. Consult an
X.B Archie
Xdatabase for more details on where you can get them from.
X.LP

XIt would be nice if an organisation (such as

X.B CERT ?)
Xcould be persuaded to supply skeletons of
X.I sensible
Xpasswd commands for the public good, as well as an archive of security
Xrelated utilities\**
Xon top of the excellent
X.C COPS .
X.FS
X.C COPS
Xis available for anonymous FTP from
X.I "cert.sei.cmu.edu"
X(128.237.253.5) in
X.I ~/cops
X.FE
XHowever, for Unix security to improve on a global scale, we will also
Xrequire pressure on the vendors, so that programs are written correctly
Xfrom the beginning.
END_OF_FILE
if test 28316 -ne `wc -c <'Docs/README.ms'`; then
echo shar: \"'Docs/README.ms'\" unpacked with wrong size!
fi
# end of 'Docs/README.ms'
fi
if test -f 'Sources/crack-pwc.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Sources/crack-pwc.c'\"
else
echo shar: Extracting \"'Sources/crack-pwc.c'\" $23895 characters$
sed "s/^X//" >'Sources/crack-pwc.c' <<'END_OF_FILE'

X#define DOTFILESIZE 1024
X#define WORDSTACKSIZE 1024
X
X/*
X * crack-pwc.c - an optimised password cracker. (c) ADE Muffett, Oct 1991. If
X * this won't break your password file, it's unlikely that anything else
X * will.
X */
X
Xchar version[] = "4.0a"; /* version of prog */
Xchar runtime[] = "Runtime";
Xchar feedback_string[] = "!fb!";
Xchar rulefile[] = "Scripts/dicts.rules";
Xchar gecosfile[] = "Scripts/gecos.rules";
Xchar nastygram[] = "Scripts/nastygram";
X
X/* runtime variable declarations */
X
Xint pid; /* current process ID */
Xint pwlength = 8; /* significant length of a password */
Xstruct USER *userroot; /* root of linked list of users */
Xstruct RULE *ruleroot; /* root of linked list of rules */
Xstruct RULE *gecosroot; /* root of linked list of (gecos) rules */
Xstruct DICT *dictroot; /* root of linked list of words */
Xchar **dictbase; /* root of array of words */
X
X/* datafile variables */
X
Xchar diefile[STRINGSIZE]; /* where die output goes... */
Xchar feedbackfile[STRINGSIZE]; /* where feedback ouytput goes */
Xchar opfile[STRINGSIZE]; /* where Log() output goes */
Xchar pointfile[STRINGSIZE]; /* checkpointing */
Xchar this_hostname[STRINGSIZE]; /* gethostname() hack */
X
X/* recover variables */
X
Xchar old_hostname[STRINGSIZE]; /* next 4 vars used in recovery */
Xchar old_dictname[STRINGSIZE];
Xchar old_rule[STRINGSIZE];
Xint old_usernum;
Xchar old_username[STRINGSIZE];
X
X/* switches */
Xchar input_file[STRINGSIZE];
Xint foreground_bool;
Xint remote_bool;
Xint nice_value;
Xint recover_bool;
Xchar recover_file[STRINGSIZE];
Xint verbose_bool;
Xchar supplied_name[STRINGSIZE];
Xint mail_bool;
X
X/* compare two struct DICTs lexically - hook for qsort() function */
X
Xint
XDictCmp (a, b)
X char **a;
X char **b;
X{
X return (strcmp (*a, *b));
X}
X/* log anything to datafile. */
X
Xvoid
XLog (fmt, a, b, c, d, e, f, g, h, i, j)
X char *fmt;
X long int a, b, c, d, e, f, g, h, i, j;
X{
X long t;
X
X time (&t);
X printf ("pwc: %-15.15s ", ctime (&t) + 4);
X printf (fmt, a, b, c, d, e, f, g, h, i, j);
X fflush (stdout);
X}
X/* print a guess, giving a single place to mod where necessary */
X
Xvoid
XPrintGuess (eptr, guess)
X register struct USER *eptr;
X char *guess;
X{
X eptr -> done = 1;
X eptr -> passwd_txt = Clone (guess, 0); /* ESSENTIAL to FeedBack() */
X
X Log ("Guessed %s%s (%s in %s) [%s] %s\n",
X (eptr -> passwd.pw_uid ? "" : "ROOT PASSWORD "),
X eptr -> passwd.pw_name,
X eptr -> passwd.pw_shell,
X eptr -> filename,
X guess,
X eptr -> passwd.pw_passwd);
X if (mail_bool)
X {
X char dobuff[STRINGSIZE];
X
X sprintf ("%s %s", nastygram, eptr -> passwd.pw_name);
X system (dobuff);
X }
X}
X/* trap a signal on shutdown */
X
Xvoid
XCatchTERM ()
X{
X /* bury magnets */
X /* swallow the rapture */
X /* let's gather feathers */
X /* don't fall on me - from 'Fall in Me' by R.E.M. */
X Log ("Caught a SIGTERM! Commiting suicide...\n");
X Log ("<argh!>\n");
X sync ();
X exit (0);
X}
X/* write a pointfile out */
X
Xvoid
XSetPoint (dict, rule, usernum, username)
X char *dict;
X char *rule;
X int usernum;
X char *username;
X{
X FILE *fp;
X long t;
X
X if (!(fp = fopen (pointfile, "w")))
X {
X perror (pointfile);
X return;
X }
X time (&t);
X fprintf (fp, "host=%s pid=%d pointtime=%s",
X this_hostname, pid, ctime (&t));
X fprintf (fp, "%s\n", this_hostname);
X fprintf (fp, "%s\n", dict);
X fprintf (fp, "%s\n", rule);
X fprintf (fp, "%d\n", usernum);
X fprintf (fp, "%s\n", username);
X fclose (fp);
X}
X/* read a pointfile in... */
X
Xint
XGetPoint (pf)
X char *pf;
X{
X FILE *fp;
X char buffer[STRINGSIZE];
X
X if (!(fp = fopen (pf, "r")))
X {
X perror (pf);
X return (-1);
X }
X /* junk */
X if (!fgets (buffer, STRINGSIZE, fp))
X {
X return (-2);
X }
X /* hostname */
X if (!fgets (old_hostname, STRINGSIZE, fp))
X {
X return (-3);
X }
X /* dictname */
X if (!fgets (old_dictname, STRINGSIZE, fp))
X {
X return (-4);
X }
X /* rule */
X if (!fgets (old_rule, STRINGSIZE, fp))
X {
X return (-5);
X }
X /* usernum */
X if (!fgets (buffer, STRINGSIZE, fp))
X {
X return (-6);
X }
X /* username */
X if (!fgets (old_username, STRINGSIZE, fp))
X {
X return (-7);
X }
X Trim (old_hostname);
X if (strcmp (old_hostname, this_hostname))
X {
X return (-8);
X }
X Trim (old_dictname);
X Trim (old_rule);
X old_usernum = atoi (buffer);
X Trim (old_username);
X fclose (fp);
X return (0);
X}
X/* jump ':' separated fields in an input */
X
Xchar *
XPWSkip (p)
X register char *p;
X{
X while (*p && *p != ':')
X {
X p++;
X }
X if (*p)
X {
X *p++ = '\0';
X }
X return (p);
X}
X/* parse and store a password entry */
X
Xstruct USER *
XParse (buffer)
X register char *buffer;
X{
X register char *p;
X register struct USER *retval;
X
X retval = (struct USER *) malloc (sizeof (struct USER));
X retval -> next = retval -> across = NULL;
X retval -> passwd_txt = NULL;
X retval -> done = 0;
X Trim (buffer);
X
X p = Clone (buffer, 0);
X retval -> filename = p;
X p = PWSkip (p);
X retval -> passwd.pw_name = p;
X p = PWSkip (p);
X retval -> passwd.pw_passwd = p;
X p = PWSkip (p);
X retval -> passwd.pw_uid = atoi (p);
X p = PWSkip (p);
X retval -> passwd.pw_gid = atoi (p);
X p = PWSkip (p);
X retval -> passwd.pw_gecos = p;
X p = PWSkip (p);
X retval -> passwd.pw_dir = p;
X p = PWSkip (p);
X retval -> passwd.pw_shell = p;
X return (retval);
X}
X/* load pre-formatted password entries off stdin into linked list */
X
Xint
XLoadData ()
X{
X char *ptr;
X char salt[2];
X char buffer[STRINGSIZE];
X int numlines;
X int numentries;
X register struct USER *new_element;
X register struct USER *current_line;
X
X numlines = 0;
X numentries = 0;
X current_line = NULL;
X salt[0] = salt[1] = '*';
X
X while (fgets (buffer, STRINGSIZE, stdin))
X {
X if (!*buffer || isspace (*buffer))
X {
X continue;
X }
X new_element = Parse (buffer);
X
X ptr = new_element -> passwd.pw_passwd;
X if (!ptr[0])
X {
X Log ("Warning! %s (%s in %s) has a NULL password!\n",
X new_element -> passwd.pw_name,
X new_element -> passwd.pw_shell,
X new_element -> filename);
X continue;
X }
X if (strchr (ptr, '*') ||
X strchr (ptr, '!') ||
X strchr (ptr, ' '))
X {
X Log ("User %s (in %s) has a locked password:- %s\n",
X new_element -> passwd.pw_name,
X new_element -> filename,
X new_element -> passwd.pw_passwd);
X continue;
X }
X if (strlen (ptr) < 13)
X {
X Log ("User %s (in %s) has a short crypted password - ignoring.\n",
X new_element -> passwd.pw_name,
X new_element -> filename);
X continue;
X }
X if (strlen (ptr) > 13)
X {
X Log ("User %s (in %s) has a long crypted password - truncating.\n",
X new_element -> passwd.pw_name,
X new_element -> filename);
X ptr[13] = '\0';
X }
X numentries++;
X
X if (ptr[0] == salt[0] && ptr[1] == salt[1])
X {
X new_element -> across = current_line;
X current_line = new_element;
X } else
X {
X if (current_line)
X {
X current_line -> next = userroot;
X }
X userroot = current_line;
X current_line = new_element;
X numlines++;
X salt[0] = ptr[0];
X salt[1] = ptr[1];
X }
X }
X
X if (current_line) /* last one tends to hang about */
X {
X current_line -> next = userroot;
X userroot = current_line;
X numlines++;
X }
X Log ("Loaded %d password entries into %d salted lines.\n",
X numentries, --numlines);
X
X return (numentries);
X}
X/* and load rules from a standard file into a similar list */
X
Xint
XLoadRules (file, rootpos)
X char *file;
X struct RULE **rootpos;
X{
X int i;
X FILE *fp;
X struct RULE *tmproot;
X char buffer[STRINGSIZE];
X register struct RULE *scratch;
X
X if (!(fp = fopen (file, "r")))
X {
X Log ("cannot open %s\n", file);
X perror (file);
X return (-1);
X }
X i = 0;
X tmproot = (struct RULE *) 0;
X
X while (fgets (buffer, STRINGSIZE, fp))
X {
X Trim (buffer);
X if (!buffer[0] || buffer[0] == '#') /* skip comments in dicts */
X {
X continue;
X }
X if (!tmproot)
X {
X scratch = (struct RULE *) malloc (sizeof (struct RULE));
X tmproot = scratch;
X } else
X {
X scratch -> next = (struct RULE *) malloc (sizeof (struct RULE));
X scratch = scratch -> next;
X }
X scratch -> rule = Clone (buffer, 0); /* full copy */
X scratch -> next = (struct RULE *) 0; /* forward order */
X i++;
X }
X fclose (fp);
X Log ("Loaded %d rules from '%s'.\n", i, file);
X *rootpos = tmproot;
X return (i);
X}
X/* load a dictionary into a linked list, sort it into an array */
X
Xint
XLoadDict (file, rule)
X char *file;
X char *rule;

X{
X register int i;

X int nelem;
X int tabled;
X int discarded;
X int rejected;
X char *lastptr;
X FILE *fp;
X register char *mangle;
X register struct DICT *scratch;
X char buffer[STRINGSIZE];
X
X if (!(fp = fopen (file, "r")))
X {
X perror (file);
X return (-1);
X }
X nelem = 0;
X rejected = 0;
X while (fgets (buffer, STRINGSIZE, fp))
X {
X Trim (buffer);
X if (!buffer[0])
X {
X continue;
X }
X mangle = Mangle (buffer, rule);
X
X if (!mangle)
X {
X rejected++;
X if (verbose_bool)
X {
X Log ("Rejected '%s' due to rule specs.\n", buffer);
X }
X continue;
X }
X if (dictroot && !strncmp (mangle, dictroot -> word, pwlength))
X {
X rejected++;
X if (verbose_bool)
X {
X Log ("'%s' ignored on load; duplicated to %d chars.\n",
X buffer, pwlength);
X }
X continue;
X }
X scratch = (struct DICT *) malloc (sizeof (struct DICT));
X scratch -> word = Clone (mangle, pwlength);
X scratch -> next = dictroot;
X dictroot = scratch;
X nelem++;
X
X if (verbose_bool)
X {
X Log ("Loaded '%s' as '%s' using '%s'\n", buffer, scratch -> word,
X rule);
X }
X }
X fclose (fp);
X
X if (nelem <= 0)

X {
X return (0);
X }

X Log ("Loaded %d words from '%s' using rule '%s'\n", nelem, file, rule);
X Log ("(Rejected %d words during loading)\n", rejected);
X
X dictbase = (char **) calloc (nelem, sizeof (char *));
X if (!dictbase)
X {
X Log ("PANIC: Cannot allocate memory for dictbase structure...\n");
X exit (1);
X }
X tabled = 0;
X for (scratch = dictroot; scratch; scratch = scratch -> next)
X {
X dictbase[tabled++] = scratch -> word;
X }
X
X Log ("Stored %d words in table for sorting\n", tabled);
X
X qsort (dictbase, tabled, sizeof (struct DICT *), DictCmp);
X
X discarded = 0;
X lastptr = dictbase[0];
X for (i = 1; i < tabled; i++)
X {
X /*
X * no point in putting a test-first-char STRCMP macro here, since in
X * sorted data, the first char is usually the same...
X */
X if (!strcmp (lastptr, dictbase[i]))
X {
X dictbase[i] = (char *) 0;
X discarded++;
X } else
X {
X lastptr = dictbase[i];
X }
X }
X
X Log ("Discarded %d duplicate words in sorted table\n", discarded);
X return (nelem);
X}
X/* lose the current dictionary */
X
Xint
XDropDict ()
X{
X struct DICT *scratch;
X
X while (dictroot)
X {
X free (dictroot -> word);
X scratch = dictroot -> next;
X free (dictroot);
X dictroot = scratch;
X }
X free (dictbase);
X return (0);
X}
X
X/*
X * write a feedback file if there is anything to save - return number
X * uncracked users
X */
X
Xint
XFeedBack (log_notdone)
X int log_notdone;
X{
X register FILE *fp;
X static char fmt[] = "%s:%s:%s:%s\n";
X register struct USER *head;
X register struct USER *arm;
X int done;
X int notdone;
X
X notdone = done = 0;
X
X Log ("Sweeping data looking for feedback.\n");
X
X fp = (FILE *) 0;
X
X for (head = userroot; head; head = head -> next)
X {
X for (arm = head; arm; arm = arm -> across)
X {
X if (arm -> done)
X {
X done++;
X /* horrible little hack, vile, sick, I love it */
X if (!fp)
X {
X if (!(fp = fopen (feedbackfile, "w")))
X {
X perror (feedbackfile);
X return(-1);
X }
X Log ("Feedback file opened for writing.\n");
X }
X fprintf (fp,fmt,feedback_string,
X arm -> passwd.pw_passwd,"Y",arm -> passwd_txt);
X } else
X {
X notdone++;
X if (log_notdone)
X {
X if (!fp) /* and again !!! heheheheheheh */
X {
X if (!(fp = fopen (feedbackfile, "w")))
X {
X perror (feedbackfile);
X return(-1);
X }
X Log ("Feedback file opened for writing.\n");
X }
X /* I think I'm going slightly warped */
X fprintf (fp,fmt,feedback_string,
X arm -> passwd.pw_passwd,"N","");

X }
X }
X
X }
X }

X if (fp)
X {
X fclose (fp);
X Log ("Closing feedback file.\n");
X }
X Log("FeedBack: %d users done, %d users left to crack.\n", done, notdone);
X return(notdone);
X}
X/* try a chain of users with the same salt */
X
Xint
XTryManyUsers (eptr, guess) /* returns 0 if all done this chain */
X register struct USER *eptr;
X char *guess;
X{
X register int retval;
X char guess_crypted[STRINGSIZE];
X
X if (eptr -> done && !eptr -> across)

X {
X return (0);
X }

X
X strcpy (guess_crypted, crypt (guess, eptr -> passwd.pw_passwd));
X
X retval = 0;
X
X while (eptr)
X {
X if (verbose_bool)
X {
X Log ("Trying '%s' on %s from line %s\n",
X guess,
X eptr -> passwd.pw_name,
X eptr -> filename);
X }
X if (!eptr->done && !STRCMP (guess_crypted, eptr -> passwd.pw_passwd))
X {
X PrintGuess (eptr, guess);
X }
X retval += (!(eptr -> done));
X eptr = eptr -> across;
X }
X
X return (retval);
X}
X/* try a word on an individual */
X
Xint
XTryOneUser (eptr, guess) /* returns non-null on guessed user */
X register struct USER *eptr;
X register char *guess;
X{
X if (!guess || !*guess || eptr -> done)

X {
X return (0);
X }

X if (verbose_bool)
X {
X Log ("Trying '%s' on %s from %s\n",
X guess,
X eptr -> passwd.pw_name,
X eptr -> filename);
X }
X if (strcmp (crypt (guess, eptr -> passwd.pw_passwd),
X eptr -> passwd.pw_passwd))

X {
X return (0);
X }

X PrintGuess (eptr, guess);
X
X return (1);
X}
X/* frontend to TryOneUser() to save hassle */
X
Xint
XWordTry (entry_ptr, guess)
X register struct USER *entry_ptr;
X register char *guess;

X{
X register int i;

X struct RULE *ruleptr;
X register char *mangle;
X
X if (!guess[0] || !guess[1])

X {
X return (0);
X }

X for (ruleptr = gecosroot; ruleptr; ruleptr = ruleptr -> next)
X {
X if (mangle = Mangle (guess, ruleptr -> rule))
X {
X if (TryOneUser (entry_ptr, mangle))
X {
X return (1);
X }

X }
X }
X return (0);
X}

X/* Special manipulations for the GECOS field and dotfiles */
X
Xint
XParseBuffer (entry_ptr, buffer, advanced)
X register struct USER *entry_ptr;
X char *buffer;
X int advanced;
X{
X int wordcount;

X register int i;
X register int j;
X register char *ptr;

X char junk[STRINGSIZE];
X char *words[WORDSTACKSIZE];
X
X /* zap all punctuation */
X for (ptr = buffer; *ptr; ptr++)
X {
X if (ispunct (*ptr) || isspace (*ptr))
X {
X *ptr = ' ';
X }
X }
X
X /* break up all individual words */
X wordcount = 0;
X ptr = buffer;
X while (*ptr)
X {
X while (*ptr && isspace (*ptr))
X {
X ptr++;
X }
X if (*ptr)
X {
X words[wordcount++] = ptr;
X if (wordcount >= WORDSTACKSIZE)
X {
X Log ("ParseBuffer: Abort: Stack Full !\n");
X return (0);
X }
X }
X while (*ptr && !isspace (*ptr))
X {
X ptr++;
X }
X
X if (*ptr)
X {
X *(ptr++) = '\0';
X }
X }
X
X words[wordcount] = (char *) 0;
X
X /* try all the words individually */
X if (verbose_bool)
X {
X Log ("Trying individual words\n");
X }
X for (i = 0; i < wordcount; i++)
X {
X if (WordTry (entry_ptr, words[i]))
X {
X return (1);
X }
X }
X
X if (!advanced)

X {
X return (0);
X }

X
X /* try pairings of words */
X if (verbose_bool)
X {
X Log ("Trying paired words\n");
X }
X for (j = 1; j < wordcount; j++)
X {
X for (i = 0; i < j; i++)
X {
X /* Skip initials for next pass */
X if (!words[i][1] || !words[j][1])
X {
X continue;
X }
X strcpy (junk, words[i]);
X strcat (junk, words[j]);
X if (WordTry (entry_ptr, junk))
X {
X return (1);
X }
X }
X }
X
X /* try initials + words */
X if (verbose_bool)
X {
X Log ("Trying initial'ed words\n");
X }
X for (j = 1; j < wordcount; j++)
X {
X for (i = 0; i < j; i++)
X {
X junk[0] = words[i][0];
X if (islower (junk[0]))
X {
X junk[0] = toupper (junk[0]);
X }
X junk[1] = '\0';
X strcat (junk, words[j]);
X if (WordTry (entry_ptr, junk))
X {
X return (1);
X }
X }
X }
X
X return (0);
X}
X/* run over password entries looking for passwords */
X
Xvoid
XPass1 ()
X{
X int i;
X int j;
X FILE *fp;
X int cracked;
X char junk[DOTFILESIZE];
X char filename[STRINGSIZE];
X struct USER *head;
X register char *ptr;
X register struct USER *this;
X static char *dotfiles[] =
X {
X ".plan",
X ".project",
X ".signature",

X (char *) 0
X };
X

X Log ("Starting pass 1 - password information\n");
X
X for (head = userroot; head; head = head -> next)
X {
X for (this = head; this; this = this -> across)
X {
X strcpy (junk, this -> passwd.pw_gecos);
X
X if (WordTry (this, this -> passwd.pw_name) ||
X ParseBuffer (this, junk, 1))
X {
X continue;
X }
X#ifdef CRACK_DOTFILES
X for (i = 0; dotfiles[i]; i++)
X {
X sprintf (filename, "%s/%s", this -> passwd.pw_dir, dotfiles[i]);
X
X if (!(fp = fopen (filename, "r")))
X {
X continue;
X }
X
X j = fread (junk, 1, DOTFILESIZE, fp);
X
X fclose (fp);
X
X if (j <= 1)
X {
X continue;
X }
X
X junk[j - 1] = '\0'; /* definite terminator */
X
X if (verbose_bool)
X {
X Log("DOTFILES: Checking %d bytes of %s\n", j, filename);
X }
X
X if (ParseBuffer (this, junk, 0))
X {
X continue;
X }
X }
X#endif CRACK_DOTFILES
X }
X }
X return;
X}
X
Xvoid
XPass2 (dictfile)
X char *dictfile;
X{
X int i;
X int pointuser;
X int dictsize;
X struct USER *headptr;
X struct RULE *ruleptr;
X
X Log ("Starting pass 2 - dictionary words\n");
X headptr = (struct USER *) 0;
X ruleptr = (struct RULE *) 0;
X
X /* check if we are recovering from a crash */
X if (recover_bool)
X {
X recover_bool = 0; /* switch off */
X for (ruleptr = ruleroot;
X ruleptr && strcmp (ruleptr -> rule, old_rule);
X ruleptr = ruleptr -> next);
X if (!ruleptr)
X {
X Log ("Fatal: Ran off end of list looking for rule '%s'\n",
X old_rule);
X exit (1);
X }
X for (headptr = userroot; /* skip right number of users */
X headptr && old_usernum--;
X headptr = headptr -> next);
X if (!headptr)
X {
X Log ("Fatal: Ran off end of list looking for user '%s'\n",
X old_username);

X exit (1);
X }
X }
X

X /* start iterating here */
X for (ruleptr = (ruleptr ? ruleptr : ruleroot);
X ruleptr;
X ruleptr = ruleptr -> next)
X {
X if ((dictsize = LoadDict (dictfile, ruleptr -> rule)) <= 0)
X {
X Log ("Oops! I got an empty dictionary! Skipping rule '%s'!\n",
X ruleptr -> rule);
X continue;
X }
X pointuser = 0;
X
X /* iterate all the users */
X for (headptr = (headptr ? headptr : userroot);
X headptr;
X headptr = headptr -> next)
X {
X SetPoint (dictfile,
X ruleptr -> rule,
X pointuser++,
X headptr -> passwd.pw_name);
X
X /* iterate all the words */
X for (i = 0; i < dictsize; i++)
X {
X /* skip repeated words... */
X if (dictbase[i] && !TryManyUsers (headptr, dictbase[i]))

X {
X break;
X }
X }
X }

X /* free up memory */
X DropDict ();
X /* write feedback file */
X if (!FeedBack (0))
X {
X Log("FeedBack: information: all users are cracked after this pass\n");
X return;
X }
X /* on next pass, start from top of user list */
X headptr = (struct USER *) 0;
X }
X}
X
Xint
Xmain (argc, argv)
X int argc;
X char *argv[];
X{
X int i;
X int uerr;
X long t;
X int die_bool = 0;
X FILE *fp;
X char *file;
X char *crack_out;
X extern int optind;
X extern char *optarg;
X static char getopt_string[] = "i:fX:n:r:vml:";
X
X uerr = 0;
X if (argc == 1)
X {
X uerr++;
X }
X while ((i = getopt (argc, argv, getopt_string)) != EOF)
X {
X switch (i)
X {
X case 'i':
X strcpy (input_file, optarg);
X if (!freopen (input_file, "r", stdin))
X {
X perror (input_file);
X exit (1);
X }
X if (!strncmp(input_file, "/tmp/pw.", 7))
X {
X unlink(input_file);
X }
X break;
X case 'm':
X mail_bool = 1;
X break;
X case 'f':
X foreground_bool = 1;
X break;
X case 'X':
X remote_bool = 1;
X strcpy (supplied_name, optarg);
X break;
X case 'l':
X pwlength = atoi (optarg);
X break;
X case 'n':
X nice_value = atoi (optarg);
X nice (nice_value);
X break;
X case 'r':
X recover_bool = 1;
X strcpy (recover_file, optarg);
X break;
X case 'v':
X verbose_bool = 1;
X break;
X default:
X case '?':
X uerr++;

X break;
X }
X }
X

X if (optind >= argc)
X {
X uerr++;
X }
X if (uerr)
X {
X fprintf (stderr,
X "Usage:\t%s -%s dictfile [dictfile...]\n",
X argv[0],
X getopt_string);
X exit (1);
X }
X time (&t);
X pid = getpid ();
X if (!(crack_out = (char *) getenv ("CRACK_OUT")))
X {
X crack_out = ".";
X }
X sprintf (opfile, "%s/out.%d", crack_out, pid);
X if (remote_bool)
X {
X sprintf (diefile, "%s", supplied_name);
X } else
X {
X sprintf (diefile, "%s/D.%d", runtime, pid);
X }
X sprintf (pointfile, "%s/P.%d", runtime, pid);
X sprintf (feedbackfile, "%s/F.%d", runtime, pid);
X
X if (gethostname (this_hostname, STRINGSIZE))
X {
X perror ("gethostname");
X }
X if (!foreground_bool)
X {
X if (!freopen (opfile, "w", stdout))
X {
X perror ("freopen(stdout)");
X exit (1);
X }
X if (!freopen (opfile, "a", stderr))
X {
X perror ("freopen(stderr)");

X exit (1);
X }
X }

X /*
X * don't generate a die file unless we are not 'attached' to a
X * terminal... except when we are remote as well...
X */
X
X if (!foreground_bool || (foreground_bool && remote_bool))
X {
X if (!(fp = fopen (diefile, "w")))
X {
X perror (diefile);
X exit (1);
X }
X die_bool = 1;
X fprintf (fp, "#!/bin/sh\n");
X fprintf (fp, "# host=%s pid=%d starttime=%s",
X this_hostname, pid, ctime (&t));
X fprintf (fp, "kill -TERM %d && rm $0", pid);
X fclose (fp);
X chmod (diefile, 0700);
X }
X Log ("Crack v%s: The Password Cracker, (c) ADE Muffett, 1991\n", version);
X
X#ifdef FCRYPT

X init_des ();
X#endif
X

X /* Quick, verify that we are sane ! */
X
X if (strcmp (crypt ("fredfred", "fredfred"), "frxWbx4IRuBBA"))
X {
X Log ("Version of crypt() being used internally is not compatible with standard.\n");
X Log ("This could be due to byte ordering problems - see the comments in Sources/conf.h\n");
X Log ("If there is another reason for this, edit the source to remove this assertion.\n");
X Log ("Terminating...\n");
X exit (0);
X }
X signal (SIGTERM, CatchTERM);
X
X Log ("Loading Data, host=%s pid=%d\n", this_hostname, pid);
X
X if (LoadData () <= 0)
X {
X Log ("Nothing to Crack. Exiting...\n");
X exit (0);
X }
X if (LoadRules (rulefile, &ruleroot) < 0 ||
X LoadRules (gecosfile, &gecosroot) < 0)
X {
X exit (1);
X }
X if (!recover_bool)
X {
X /* We are starting afresh ! Ah, the birds in May ! */
X Pass1 ();
X if (!FeedBack (0))
X {
X Log("FeedBack: information: all users are cracked after gecos pass\n");
X goto finish_crack;
X }
X } else
X {
X int rval;
X if (rval = GetPoint (recover_file))
X {
X Log ("Recovery from file %s not permitted on this host [code %d]\n",
X recover_file,
X rval);
X exit (0);
X }
X /* Some spodulous creep pulled our plug... */
X while ((optind < argc) && strcmp (argv[optind], old_dictname))
X {
X optind++;
X }
X }
X
X for (i = optind; i < argc; i++)
X {
X Pass2 (argv[i]);
X }
X
X Log ("Tidying up files...\n");
X FeedBack (1);
X
Xfinish_crack:
X
X if (die_bool)
X {
X unlink (diefile);
X }
X unlink (pointfile);
X
X Log ("Done.\n");

X
X return (0);
X}
END_OF_FILE

if test 23895 -ne `wc -c <'Sources/crack-pwc.c'`; then
echo shar: \"'Sources/crack-pwc.c'\" unpacked with wrong size!
fi
# end of 'Sources/crack-pwc.c'
fi
echo shar: End of archive 4 $of 5$.
cp /dev/null ark4isdone

Alec Muffett

unread,

Nov 3, 1991, 6:16:35 PM11/3/91

Submitted-by: a...@aber.ac.uk (Alec David Muffett)

Posting-number: Volume 25, Issue 9
Archive-name: crack/part05

Environment: UNIX
Supersedes: crack: Volume 23, Issue 1-5

#! /bin/sh

# "End of archive 5 (of 5)."
# Contents: Docs/README.ps
# Wrapped by aem@aberda on Thu Oct 24 11:14:46 1991

PATH=/bin:/usr/bin:/usr/ucb ; export PATH

if test -f 'Docs/README.ps' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'Docs/README.ps'\"
else
echo shar: Extracting \"'Docs/README.ps'\" $49701 characters$
sed "s/^X//" >'Docs/README.ps' <<'END_OF_FILE'
X%!PS-Adobe-3.0
X%%Creator: groff version 1.02
X%%DocumentNeededResources: font Times-Bold
X%%+ font Times-Italic
X%%+ font Times-Roman
X%%+ font Courier
X%%DocumentSuppliedResources: procset grops 1.02 0
X%%Pages: 8
X%%PageOrder: Ascend
X%%Orientation: Portrait
X%%EndComments
X%%BeginProlog
X%%BeginResource: procset grops 1.02 0
X
X/setpacking where {
X pop
X currentpacking
X true setpacking
X} if
X
X/grops 120 dict dup begin
X
X% The ASCII code of the space character.
X/SC 32 def
X
X/A /show load def
X/B { 0 SC 3 -1 roll widthshow } bind def
X/C { 0 exch ashow } bind def
X/D { 0 exch 0 SC 5 2 roll awidthshow } bind def
X/E { 0 rmoveto show } bind def
X/F { 0 rmoveto 0 SC 3 -1 roll widthshow } bind def
X/G { 0 rmoveto 0 exch ashow } bind def
X/H { 0 rmoveto 0 exch 0 SC 5 2 roll awidthshow } bind def
X/I { 0 exch rmoveto show } bind def
X/J { 0 exch rmoveto 0 SC 3 -1 roll widthshow } bind def
X/K { 0 exch rmoveto 0 exch ashow } bind def
X/L { 0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow } bind def
X/M { rmoveto show } bind def
X/N { rmoveto 0 SC 3 -1 roll widthshow } bind def
X/O { rmoveto 0 exch ashow } bind def
X/P { rmoveto 0 exch 0 SC 5 2 roll awidthshow } bind def
X/Q { moveto show } bind def
X/R { moveto 0 SC 3 -1 roll widthshow } bind def
X/S { moveto 0 exch ashow } bind def
X/T { moveto 0 exch 0 SC 5 2 roll awidthshow } bind def
X
X% name size font SF -
X
X/SF {
X findfont exch
X [ exch dup 0 exch 0 exch neg 0 0 ] makefont
X dup setfont
X [ exch /setfont cvx ] cvx bind def
X} bind def
X
X% name a c d font MF -
X
X/MF {
X findfont
X [ 5 2 roll
X 0 3 1 roll % b
X neg 0 0 ] makefont
X dup setfont
X [ exch /setfont cvx ] cvx bind def
X} bind def
X
X/level0 0 def
X/RES 0 def
X/PL 0 def
X/LS 0 def
X
X% BP -
X
X/BP {
X /level0 save def
X 1 setlinecap
X 1 setlinejoin
X 72 RES div dup scale
X LS {
X 90 rotate
X } {
X 0 PL translate
X } ifelse
X 1 -1 scale
X} bind def
X
X/EP {
X level0 restore
X showpage
X} bind def
X
X
X% centerx centery radius startangle endangle DA -
X
X/DA {
X newpath arcn stroke
X} bind def
X
X% x y SN - x' y'
X% round a position to nearest (pixel + (.25,.25))
X
X/SN {
X transform
X .25 sub exch .25 sub exch
X round .25 add exch round .25 add exch
X itransform
X} bind def
X
X% endx endy startx starty DL -
X% we round the endpoints of the line, so that parallel horizontal
X% and vertical lines will appear even
X
X/DL {
X SN
X moveto
X SN
X lineto stroke
X} bind def
X
X% centerx centery radius DC -
X
X/DC {
X newpath 0 360 arc closepath
X} bind def
X
X
X/TM matrix def
X
X% width height centerx centery DE -
X
X/DE {
X TM currentmatrix pop
X translate scale newpath 0 0 .5 0 360 arc closepath
X TM setmatrix
X} bind def
X
X% these are for splines
X
X/RC /rcurveto load def
X/RL /rlineto load def
X/ST /stroke load def
X/MT /moveto load def
X/CL /closepath load def
X
X% fill the last path
X
X% amount FL -
X
X/FL {
X currentgray exch setgray fill setgray
X} bind def
X
X% fill with the ``current color''
X
X/BL /fill load def
X
X/LW /setlinewidth load def
X% new_font_name encoding_vector old_font_name RE -
X
X/RE {
X findfont
X dup maxlength dict begin
X {
X 1 index /FID ne { def } { pop pop } ifelse
X } forall
X /Encoding exch def
X dup /FontName exch def
X currentdict end definefont pop
X} bind def
X
X/DEFS 0 def
X
X% hpos vpos EBEGIN -
X
X/EBEGIN {
X moveto
X DEFS begin
X} bind def
X
X/EEND /end load def
X
X/CNT 0 def
X/level1 0 def
X
X% llx lly newwid wid newht ht newllx newlly PBEGIN -
X
X/PBEGIN {
X /level1 save def
X translate
X div 3 1 roll div exch scale
X neg exch neg exch translate
X % set the graphics state to default values
X 0 setgray
X 0 setlinecap
X 1 setlinewidth
X 0 setlinejoin
X 10 setmiterlimit
X [] 0 setdash
X /setstrokeadjust where {
X pop
X false setstrokeadjust
X } if
X /setoverprint where {
X pop
X false setoverprint
X } if
X newpath
X /CNT countdictstack def
X /showpage {} def
X} bind def
X
X/PEND {
X clear
X countdictstack CNT sub { end } repeat
X level1 restore
X} bind def
X
Xend def
X
X/setpacking where {
X pop
X setpacking
X} if
X%%EndResource
X%%IncludeResource: font Times-Bold
X%%IncludeResource: font Times-Italic
X%%IncludeResource: font Times-Roman
X%%IncludeResource: font Courier
Xgrops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72 def/PL
X792 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron/Zcaron/scaron/zcaron
X/Ydieresis/trademark/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
X/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
X/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/space/exclam
X/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright
X/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven
X/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J
X/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
X/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z
X/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
X/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl/endash
X/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut/dotaccent/breve
X/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash/quotedblbase/OE/Lslash
X/.notdef/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis
X/copyright/ordfeminine/guilsinglleft/logicalnot/minus/registered/macron/degree
X/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
X/onesuperior/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
X/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
X/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth
X/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave
X/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex
X/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
X/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde
X/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn
X/ydieresis]def/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
X/Times-Italic@0 ENC0/Times-Italic RE/Times-Bold@0 ENC0/Times-Bold RE
X%%EndProlog
X%%Page: 1 1
X%%BeginPageSetup
XBP
X%%EndPageSetup
X/F0 12/Times-Bold@0 SF("Crack V)232.398 123 Q(ersion 4.0a")-1.104 E 3(AS)
X188.838 138 S(ensible Password Checker for Unix)207.174 138 Q/F1 10
X/Times-Italic@0 SF(Alec D.E. Muffett)253.005 162 Q/F2 10/Times-Roman@0 SF
X(Computer Unit, University College of W)198.685 180 Q(ales)-.8 E
X(Aberystwyth, W)222.99 192 Q(ales, SY23 3DB)-.8 E F1(aem@aber)254.52 204 Q
X(.ac.uk)-1.11 E F2(+44 970 622492)255.18 216 Q F1(ABSTRACT)264.385 252 Q/F3 10
X/Times-Bold@0 SF(Crack)133 279.6 Q F2 .335(is a freely available program desig\
Xned to \214nd standard Unix eight-character)2.836 F .744
X(DES encrypted passwords by standard guessing techniques outlined below)108
X291.6 R 5.745(.I)-.65 G 3.245(ti)423.73 291.6 S 3.245(sw)432.535 291.6 S
X(ritten)446.89 291.6 Q 1.431(to be \215exible, con\214gurable and fast, and to\
X be able to make use of several networked)108 303.6 R(hosts via the Berkeley)
X108 315.6 Q/F4 10/Courier@0 SF(rsh)2.5 E F2
X(program $or similar$, where possible.)2.5 E F3 2.5(1. Intr)72 351.6 R
X(oduction to V)-.18 E(ersion 4.0)-.92 E F2 .273(Crack is now into it')72 367.2
XR 2.774(sf)-.55 G .274(ourth version, and has been reworked extensively to pro\
Xvide extra functionality)164.756 367.2 R 2.774(,a)-.65 G(nd)494 367.2 Q .942(t\
Xhe purpose of this release is to consolidate as much of this new functionality\
X into as small a package as)72 379.2 R 2.822(possible. T)72 391.2 R 2.822(ot)
X-.7 G .322(his end, Crack may appear to be less con\214gurable: it has been wr\
Xitten on the assumption that)128.614 391.2 R .683
X(you run a fairly modern Unix, one with BSD functionality)72 403.2 R 3.183(,a)
X-.65 G .683(nd then patched in order to run on other sys-)320.383 403.2 R
X(tems.)72 415.2 Q .111(This, surprisingly enough, has led to neater code, and \
Xhas made possible the introduction of greater \215exibil-)72 430.8 R .085(ity \
Xwhich supercedes many of the options that could be con\214gured in earlier ver\
Xsions of Crack.)72 442.8 R .084(In the same)5.084 F 6.028
X(vein, some of the older options are now mandatory)72 454.8 R 11.028(.T)-.65 G
X6.028(hese, such as)342.79 454.8 R F1 6.028(feedback mode)8.528 F F2(and)8.528
XE F4(CRACK_PRINTOUT)72 466.8 Q F2 .643
X(are no longer supported as options and probably never will be again.)3.143 F
X.642(There is just a)5.642 F .415(lot of wastage in not running with them, and\
X too many dependencies in other functions to bother program-)72 478.8 R
X(ming around them.)72 490.8 Q .916(The user interface is basically identical t\
Xo the previous versions, although some people have asked about)72 506.4 R 1.408
X(providing X-windows GUI')72 518.4 R 3.908(st)-.55 G 3.908(oC)196.494 518.4 S
X1.408(rack, I think it would be a waste of time to do so. Crack has far less)
X212.072 518.4 R(options than your ordinary version of)72 530.4 Q F4(/bin/ls)2.5
XE F2(.)A -.4(Wi)72 546 S(th all that over).4 E 2.5(,l)-.4 G(et')149.25 546 Q
X2.5(sk)-.55 G(ick some $ass|arse|but\(t$?\))170.64 546 Q/F5 7/Times-Roman@0
XSF(1)274.61 541.9 Q F3 2.5(2. Crack)72 570 R(Methodology - Part 1: Internals)
X2.5 E F2 .1(Crack takes a series of password \214les and throws logic and dict\
Xionaries at the passwords therein, in order to)72 585.6 R .349(\214nd password\
Xs which are based upon personal information or dictionary words, and are there\
Xfore insecure.)72 597.6 R .92(It does)72 609.6 R F3(not)3.42 E F2 .92
X(attempt to remedy this situation, and it shoult)3.42 F F3(NOT)3.421 E F2 .921
X(be used in place of getting a really good)3.421 F(secure)72 621.6 Q F4(passwd)
X2.5 E F2(program replacement.)2.5 E 1.884(The above statement de\214nes the pu\
Xrpose of Crack, and embodies a great amount to hard work, graft,)72 637.2 R
X.831(screams of)72 649.2 R F1(Eur)3.331 E(eka!)-.37 E F2 3.331(,a)C .831
X(nd a fair amount of swearing too.)161.313 649.2 R .832
X(There is a great deal of thinking behind the way)5.832 F .432(that Crack atta\
Xcks password \214les, and although not perfect, I certainly hope that Crack wi\
Xll out-do most of)72 661.2 R(it')72 673.2 Q 2.5(sc)-.55 G(ompetitors.)91.17
X673.2 Q .207(Crack works by making several passes over the password entries th\
Xat you supply to it.)72 688.8 R .208(Each pass works by)5.208 F .443(generatin\
Xg password guesses based upon a sequence of assertions, or rules, supplied to \
Xthe program by the)72 700.8 R .32 LW 144 708.8 72 708.8 DL/F6 5.6/Times-Roman@0
XSF(1)82 717.32 Q/F7 8/Times-Roman@0 SF .06(An obscure)2 3.28 N/F8 8
X/Times-Italic@0 SF(lex)2.06 E F7 .059(joke, inserted only for the purpose of a\
Xllowing an example footnote for my reference - sorry)2.059 F 2(-A)72 730.6 S
X(EM)82.44 730.6 Q/F9 8/Courier@0 SF(8-\))2 E EP
X%%Page: 2 2
X%%BeginPageSetup
XBP
X%%EndPageSetup
X/F0 10/Times-Roman@0 SF(-2-)282.17 48 Q(user)72 84 Q 5.668(.T)-.55 G .669
X(he rules are speci\214ed in a simplistic language, in the \214les)102.388 84 R
X/F1 10/Courier@0 SF(gecos.rules)3.169 E F0(and)3.169 E F1(dicts.rules)3.169 E
XF0(in)3.169 E(the)72 96 Q F1(Scripts)2.5 E F0(directory)2.5 E 5(.T)-.65 G
X(he distinction between these two \214les will be made clear later)180.28 96 Q
X(.)-.55 E .972(The rules are written as a simple string of characters, with on\
Xe rule to a line.)72 111.6 R .971(Blank lines, and comment)5.971 F .587
X(lines beginning with a hash character)72 123.6 R/F2 10/Times-Bold@0 SF(#)3.087
XE F0 .587(are ignored.)3.087 F -.35(Tr)5.587 G .588
X(ailing whitespace is also ignored.).35 F .588(The instructions)5.588 F .035(i\
Xn the word are followed left to right, and are applied to the dictionary words\
X in sequence.)72 135.6 R 2.534(Ac)5.034 G .034(ouple of sim-)450.602 135.6 R
X(ple pattern matching primitives are supplied for selection purposes.)72 147.6
XQ(The syntax is as follows:)5 E 22.22(:N)72 163.2 S
X(o-op; do nothing to the word. This is useful as a space delimiter)104.22 163.2
XQ(.)-.55 E 11.86(<n Reject)72 178.8 R .375(the word unless it is)2.875 F F2
X.376(LESS THAN)2.875 F/F3 10/Times-Italic@0 SF(n)2.876 E F0 .376
X(characters long, where)2.876 F F3(n)2.876 E F0 .376
X(is a digit 0-9, or a letter a-z for)2.876 F(the values 10-35, respectively)97
X190.8 Q(.)-.65 E 11.86(>n Reject)72 206.4 R .059(the word unless it is)2.56 F
XF2 .059(MORE THAN)2.559 F F3(n)2.559 E F0 .059(characters long, where)2.559 F
XF3(n)2.559 E F0 .059(is a digit 0-9, or a letter a-z for)2.559 F
X(the values 10-35, respectively)97 218.4 Q(.)-.65 E 14.72(/x Reject)72 234 R
X(the word unless it contains the character 'x'.)2.5 E 14.17(!y Reject)72 249.6
XR(the word unless it does not contain the character 'y'.)2.5 E 14.17
X(^x Prepend)72 265.2 R(character 'x' to the word.)2.5 E 12.5($y Append)72 280.8
XR(character 'y' to the word.)2.5 E 22.22(lF)72 296.4 S
X(orce the word to lowercase.)102.56 296.4 Q 20(uF)72 312 S
X(orce the word to uppercase.)102.56 312 Q 20.56(cC)72 327.6 S
X(apitalise the word, lowercasing all other letters.)103.67 327.6 Q 21.67(rR)72
X343.2 S(everse the word back-to-front.)103.67 343.2 Q 20(dD)72 358.8 S
X(uplicate the word, so that)104.22 358.8 Q F3(fr)2.5 E(ed)-.37 E F0(becomes)2.5
XE F3(fr)2.5 E(edfr)-.37 E(ed)-.37 E F0 21.67(fR)72 374.4 S
X(e\215ect the word $mirror image$, so that)103.67 374.4 Q F3(fr)2.5 E(ed)-.37
XE F0(becomes)2.5 E F3(fr)2.5 E(edderf)-.37 E F0 20(pM)72 390 S
X(ake best attempt to pluralise the word, assuming that it is lowercase.)105.89
X390 Q 8.61(sxy Substitute)72 405.6 R('x' for 'y' throughout the word.)2.5 E
X4.72(xnm Extract)72 421.2 R .724(the string starting at position 'n' $starts \
Xat 0$ for a length of up to 'm' characters, where 'n')3.223 F(and 'm' are dig\
Xits in the range 0-9, or letters a-z for the values 10-35, respectively)97
X433.2 Q(.)-.65 E(So, example rules could be:)72 460.8 Q 20.56(cC)72 476.4 S
X(apitalise the word.)103.67 476.4 Q F3(fr)5 E(ed)-.37 E F0(becomes)2.5 E F3(Fr)
X2.5 E(ed)-.37 E F0 10.28(l$? Lowercase)72 492 R
X(the word and append a questionmark.)2.5 E F3(fr)5 E(ed)-.37 E F0(becomes)2.5 E
XF3(fr)2.5 E(ed?)-.37 E F0(l/oso0c)72 507.6 Q .065(Lowercase the word, select i\
Xt only if it contains the letter 'o' and substitute all o')97 519.6 R 2.565(sf)
X-.55 G .065(or zeros, and capi-)429.945 519.6 R(talise it.)97 531.6 Q(Both)5 E
XF3(COLLEGE)2.5 E F0(and)2.5 E F3(college)2.5 E F0(become)2.5 E F3(C0llege)2.5 E
XF0(<8l/i/olsi1so0$=)72 547.2 Q .103(Reject the word unless it is less that 8 c\
Xharacters long, lowercase the word, reject it if it does not con-)97 559.2 R
X.393(tain both the letter 'i' and the letter 'o', substitute all i')97 571.2 R
X2.893(sf)-.55 G .393(or 1')329.196 571.2 R .393(s, substitute all o')-.55 F
X2.893(sf)-.55 G .393(or 0')429.501 571.2 R .393(s, and append)-.55 F
X(an = sign.)97 583.2 Q .894
X(The reasoning for the 8 character test is that since, with standard)97 598.8 R
XF3(crypt)3.394 E F0 .894(type algorithms, the pass-)3.394 F .452(word is t\
Xruncated at 8 characters, there is no point in bolting a letter onto the end o\
Xf a word if it is 8)97 610.8 R(or more characters long already)97 622.8 Q(.)
X-.65 E(<7l^$$$)72 638.4 Q .578(Reject the word unless it is less than 7 char\
Xacters long, lowercase it, prepend a '$' and append a '$'.)97 650.4 R(Thus)97
X662.4 Q F3(fr)2.5 E(ed)-.37 E F0(becomes)2.5 E F3($fr)2.5 E(ed$)-.37 E F0
X7.22 2.5($: $)72 678 T .446(ie: <dollar><space><colon>$ Append a space chara\
Xcter to the word $note that if you do not add the)100.33 678 R .548(trailing \
Xno-op after the space, a syntax error will be generated since there is nothing\
X to delineate the)97 690 R
X(space character - remember: trailing whitespace is ignored$.)97 702 Q EP
X%%Page: 3 3
X%%BeginPageSetup
XBP
X%%EndPageSetup
X/F0 10/Times-Roman@0 SF(-3-)282.17 48 Q .021
X(Before you go on, I suggest you browse through the)72 84 R/F1 10/Courier@0 SF
X(Scripts/*.rules)2.521 E F0 .021(\214les, and take a look at the rules)2.521 F
X(that I supply as defaults, and try to work out what they do.)72 96 Q .403
X(The rules are stored in two dif)72 111.6 R .403(ferent \214les for two dif)
X-.18 F .403(ferent purposes.)-.18 F .403(Rules in)5.403 F F1
X(Scripts/gecos.rules)2.903 E F0 1.15(are applied to data generated by Crack fr\
Xom the pw_gecos and pw_gecos entries of the user)72 123.6 R 2.25 -.55('s p).37
XH(assword).55 E(entry)72 135.6 Q(.)-.65 E .41
X(The data generated by Crack and fed to the gecos rules for the user)72 151.2 R
X/F2 10/Times-Italic@0 SF(aem)2.911 E F0 2.911(,w)C .411(ho is)376.955 151.2 R
XF2 .411(Alec David Muffett, Com-)2.911 F(punit)72 163.2 Q F0 .823(would be:)
X3.323 F F2(aem)3.323 E F0(,)A F2(Alec)3.323 E F0(,)A F2(David)3.323 E F0(,)A F2
X(Muffett)3.323 E F0(,)A F2(Compunit)3.323 E F0 3.323(,a)C .822
X(nd a series of permutations of those words, either)300.514 163.2 R .077
X(re-ordering the words and joining them together $eg:)72 175.2 R F2
X(AlecMuffett)2.577 E F0 .077($, or making up new words based on initial)B
X(letters of one word taken with the rest of another $eg:)72 187.2 Q F2
X(AMuffett)2.5 E F0($.)A .456(The entire set of rules in gecos.rules is applie\
Xd to each of these words, which creates many more permuta-)72 202.8 R .138
X(tions and combinations, all of which are tested.)72 214.8 R .138
X(Hence testing the password gecos information under Crack)5.138 F
X(v4.0 takes somewhat longer than it used to, but it is far more thorough.)72
X226.8 Q .349(After a pass has been made over the data based on gecos informati\
Xon, Crack makes further passes over the)72 254.4 R 4.191
X(password data using successive rules from the)72 266.4 R F1
X(Scripts/dicts.rules)6.691 E F0 4.191(by loading the entire)6.691 F F1
X(Dicts/bigdict)72 278.4 Q F0 .705(\214le into memory)3.205 F 3.205(,w)-.65 G
X.705(ith the rule being applied to each word from that \214le.)233.56 278.4 R
X.705(This gener)5.705 F(-)-.2 E .212(ates a)72 290.4 R F2 -.37(re)2.712 G .212
X(sident dictionary).37 F F0 2.712(,w)C .212(hich is generated is sorted and un\
Xiqued so as to prevent wasting time on repeti-)185.518 290.4 R 2.737
X(tion. After)72 302.4 R .236(each pass is completed, the memory used by the re\
Xsident dictionary is freed up, and $hopefully$)2.737 F
X(re-used when the next dictionary is loaded.)72 314.4 Q(The)72 330 Q F1
X(Dicts/bigdict)2.842 E F0 .342(dictionary is created by Crack by mer)2.842 F
X.342(ging, sorting, and uniq'ing the source dictio-)-.18 F 1.668
X(naries, which are to be found in the directory)72 342 R F1(DictSrc)4.168 E F0
X(or)4.168 E 4.168(,a)-.4 G(lternatively)334.398 342 Q 4.167(,m)-.65 G 1.667
X(ay be named in the Crack)393.745 342 R 5.033(shellscript, via the)72 354 R F1
X($STDDICT)7.534 E F0 5.034
X(variable. The default dictionary named in the Crack script is)7.534 F F1
X(/usr/dict/words)72 366 Q F0(.)A 1.48(The \214le)72 381.6 R F1
X(DictSrc/bad_pws.dat)3.98 E F0 1.479
X(which is meant to provide many of those common, non-dictionary)3.979 F .463
X(passwords, such as)72 393.6 R F2(12345678)2.963 E F0(or)2.963 E F2(qwerty)
X2.963 E F0 5.463(.I)C 2.963(fy)244.478 393.6 S .463
X(ou wish to add a dictionary of your own, just copy it into the)255.771 393.6 R
XF1(DictSrc)72 405.6 Q F0 .002(directory $and use)2.502 F F1(compress)2.502 E
XF0 .002(on it if you wish to save space; Crack will unpack it whilst gener)
X2.502 F(-)-.2 E 5.662
X(ating the big dictionary$ and then delete the contents of the)72 417.6 R F1
X(Dicts)8.162 E F0 5.663(directory by running)8.162 F F1(Scripts/spotless)72
X429.6 Q F0 5.315(.Y)C .315(our new dictionary will be mer)182.035 429.6 R .315
X(ged in on the next run.)-.18 F .314(For more information on)5.314 F .385(dict\
Xionary attacks, see the paper called "Foiling the Cracker: A Survey of, and Im\
Xprovements to, Password)72 441.6 R 1.776
X(Security" by Daniel Klein, available from)72 453.6 R F2(ftp.sei.cmu.edu)4.276
XE F0(in)4.276 E F2(~/pub/dvk/passwd.*)4.276 E F0 6.776(.A)C 1.775
X(lso, please read the)422.584 453.6 R F1(APPENDIX)72 465.6 Q F0
X(\214le supplied with this distribution.)2.5 E/F3 7/Times-Roman@0 SF(2)260.02
X461.5 Q F0 .138(Having described the method of cracking, perhaps we should now\
X investigate the algorithm used to overlay)72 481.2 R(the cracking mechanism.)
X72 493.2 Q/F4 10/Times-Bold@0 SF 2.5(3. Crack)72 517.2 R
X(Methodology - Part 2: Feedback Filters)2.5 E F0 1.402(As is stated above, Cra\
Xck v4.0 permutes and loads dictionaries directly into memory)72 532.8 R 3.902
X(,s)-.65 G 1.402(orts and uniques)435.646 532.8 R .781(them, before attempting\
X to use each of the words as a guess for each users' password.)72 544.8 R .782
X(If Crack correctly)5.781 F .035(guesses a password, it marks the user as 'don\
Xe' and does not waste further time on trying to break that users)72 556.8 R
X(password.)72 568.8 Q 1.642(Once Crack has \214nished a dictionary pass, it sw\
Xeeps the list of users looking for the passwords it has)72 584.4 R .07(cracked\
X. It stores the broken passwords in both plaintext and encrypted forms in a)72
X596.4 R F2 .07(feedback \214le)2.57 F F0 .07(in the direc-)2.57 F(tory)72 608.4
XQ F1(Runtime)2.5 E F0 5(.F)C(eedback \214les have names of the form)145.67
X608.4 Q F1(Runtime/F.*)2.5 E F0(.)A .386(The purpose of this is so that, when \
XCrack is next invoked, it may recognise passwords that it has success-)72 624 R
X.269(fully cracked before, and \214lter them from the input to the password cr\
Xacker)72 636 R 2.769(.T)-.55 G .269(his provides an)386.817 636 R F2(instant)
X2.769 E F0 .268(list of)2.768 F .482(crackable users who have not changed thei\
Xr passwords since the last time Crack was run. This list appears)72 648 R .639
X(in a \214le named)72 660 R F1(out.i*)3.139 E F0 .639(in the)3.139 F F1
X($CRACK_OUT)3.139 E F0(directory)3.139 E 3.139(,o)-.65 G 3.139(ro)310.861 660 S
X(n)322.33 660 Q F2(stdout)3.139 E F0 3.139(,i)C 3.139(ff)363.338 660 S .638
X(oreground mode is invoked $see)373.137 660 R F2(Options)72 672 Q F0 2.5(,b)C
X(elow$.)113.67 672 Q .32 LW 144 688.2 72 688.2 DL/F5 5.6/Times-Roman@0 SF(2)82
X696.72 Q/F6 8/Times-Roman@0 SF 2.311
X(Extra dictionaries $those detailed in Dan Klein')2 3.28 N 4.311(sp)-.44 G
X2.312(aper$ can be obtained via anonymous FTP from)263.177 700 R/F7 8
X/Times-Italic@0 SF(uunet.uu.net)72 710 Q F6 .899($192.48.96.2$ as)2.899 F F7
X(~/pub/dictionaries.tar)2.899 E(.Z)-.888 E F6 2.899(;C)C .899(heck an)254.932
X710 R F7(Ar)2.899 E(chie)-.296 E F6 .898
X(database for other possible sources of)2.899 F(dictionaries.)72 720 Q EP
X%%Page: 4 4
X%%BeginPageSetup
XBP
X%%EndPageSetup
X/F0 10/Times-Roman@0 SF(-4-)282.17 48 Q 1.262
X(In a similar vein, when a Crack run terminates normally)72 84 R 3.762(,i)-.65
XG 3.762(tw)315.6 84 S 1.263(rites out to the feedback \214le all encrypted)
X329.362 84 R .367(passwords that it has)72 96 R/F1 10/Times-Bold@0 SF(NOT)2.867
XE F0 .367(succeeded in cracking.)2.867 F .366
X(Crack will then ignore all of these passwords next time)5.367 F(you run it.)72
X108 Q(Obviously)72 123.6 Q 3.113(,t)-.65 G .613(his is not desirable if you fr\
Xequently change your dictionaries or rules, and so there is a script)121.413
X123.6 R(provided,)72 135.6 Q/F2 10/Courier@0 SF(Scripts/mrgfbk)4.736 E F0 2.236
X(which sorts your feedback \214les, mer)4.736 F 2.236
X(ges them into one, and optionally)-.18 F .781(removes all traces of 'uncracka\
Xble' passwords, so that your next Crack run can have a go at passwords it)72
X147.6 R(has not succeeded in breaking before.)72 159.6 Q F2(Mrgfbk)72 175.2 Q
XF0(is invoked automatically if you run)2.5 E F2(Scripts/spotless)2.5 E F0(.)A
XF1 2.5(4. Crack)72 199.2 R(Methodology - Part 3: Execution and Networking)2.5 E
XF0 .177(Each time Crack is invoked, whether networked or not, it generates a)72
X214.8 R/F3 10/Times-Italic@0 SF(die\214le)2.677 E F0 .177
X(with a name of the form)2.677 F F2(Run-)2.676 E(time/D.*)72 226.8 Q F0 .485
X($for network cracks, this \214le is generated by RCrack, and is of the form)
X5.485 F F2(Runtime/D.rem*)2.986 E F0(which points to a)72 238.8 Q F1 -.18(re)
X2.5 G(al).18 E F0(die\214le, named)2.5 E F2(Runtime/RD.*)2.5 E F0 2.5(-s)5 G
X(ee below for details$.)307.97 238.8 Q 1.036(These die\214les contain debuggi\
Xng information about the job, and are generated so that all the jobs on the)72
X254.4 R .912(entire network can be called quickly by invoking)72 266.4 R F2
X(Scripts/plaster)3.413 E F0 5.913(.D)C .913(ie\214les delete themselves after)
X383.231 266.4 R(they have been run.)72 278.4 Q 1.095
X(As you will read in the sections below)72 294 R 3.594(,C)-.65 G 1.094
X(rack has a)244.816 294 R F2(-network)3.594 E F0 1.094
X(option: This is designed to be a simple)3.594 F .435(method of automatically \
Xspreading the load of password cracking out over several machines on a network\
X,)72 306 R
X(preferably if they are connected by some form of networked \214lestore.)72 318
XQ(When)72 333.6 Q F2 1.114(Crack -network)3.614 F F0 1.113
X(is invoked, it \214lters its input in the ordinary way)3.614 F 3.613(,a)-.65 G
X1.113(nd then splits its load up)400.925 333.6 R
X(amongst several machines which are speci\214ed in the \214le)72 345.6 Q F2
X(Scripts/network.conf)2.5 E F0(.)A .486(This \214le contains a series of hostn\
Xames, power ratings, \215ags, etc, relevant to the running of Crack on each)72
X361.2 R 3.152(machine. Crack)72 373.2 R .652(then calls)3.152 F F2
X(Scripts/RCrack)3.152 E F0 .651(to use the)3.152 F F2(rsh)3.151 E F0 .651
X(command $or similar$ to invoke Crack on)3.151 F(the other hosts.)72 385.2 Q
X(See the RCrack script, and the example network.conf \214le for details.)5 E F1
X2.5(5. Installation)72 409.2 R F0 .915
X(Crack is one of those most unusual of beasties, a self-installing program.)72
X424.8 R .915(Some people have complained)5.915 F .106(about this apparent weir\
Xdness, but it has grown up with Crack ever since the earliest network version,\
X when)72 436.8 R 3.538(Ic)72 448.8 S 1.038
X(ould not be bothered to log into several dif)83.308 448.8 R 1.038
X(ferent machines with several dif)-.18 F 1.039(ferent architectures, just in)
X-.18 F .045(order to build the binaries.)72 460.8 R .045(Once the necessary co\
Xn\214guration options have been set, the executables are cre-)5.045 F(ated via)
X72 472.8 Q F2(make)2.5 E F0(by running the Crack shellscript .)2.5 E(Crack')72
X488.4 Q 3.43(sc)-.55 G .93(on\214guration lies in two \214les, the)110.42 488.4
XR F2(Crack)3.431 E F0 .931
X(shell script, which contains all the installation speci\214c)3.431 F .485
X(con\214guration data, and the \214le)72 500.4 R F2(Sources/conf.h)2.984 E F0
X2.984(,w)C .484(hich contains con\214guration options speci\214c to vari-)
X295.556 500.4 R(ous binary platforms.)72 512.4 Q .023
X(In the Crack shellscript, you will have to edit the)72 528 R F2(CRACK_HOME)
X2.524 E F0 .024(variable to the correct value.)2.524 F .024(This variable)5.024
XF .118(should be set to an absolute path name $names relative to)72 540 R F3
X(~username)2.617 E F0 .117(are OK, so long as you have some sort)2.617 F(of)72
X552 Q F2(csh)3.206 E F0 3.206($t)C .706
X(hrough which the directory containing Crack may be accessed on)110.852 552 R
XF1(ALL)3.206 E F0 .707(the machines that Crack)3.207 F .506
X(will be run on. There is a similar variable)72 564 R F2(CRACK_OUT)3.006 E F0
X.506(which speci\214es where Crack should put its output)3.006 F
X(\214les - by default, this is the same as)72 576 Q F2($CRACK_HOME)2.5 E F0(.)A
X-1(Yo)72 591.6 S 4.245(uw)1 G 1.745(ill also have to edit the \214le)99.685
X591.6 R F2(Sources/conf.h)4.246 E F0 1.746
X(and work out which switches to enable.)4.246 F(Each)6.746 E F2(#define)72
X603.6 Q F0 .108(has a small note explaining its purpose.)2.608 F .107
X(Where I have been in doubt about the portability of cer)5.107 F(-)-.2 E .254
X(tain library functions, usually I have re-written it, so you should be OK.)72
X615.6 R .255(Let me know of your problems, if)5.254 F(you have any)72 627.6 Q
X(.)-.65 E 1.03(If you will be using)72 643.2 R F2 1.03(Crack -network)3.53 F F0
X1.03(you will then have to generate a)3.53 F F2(Scripts/network.conf)3.53 E F0
X.519(\214le. This contains a list of hostnames to)72 655.2 R F2(rsh)3.019 E F0
X.519(to, what their)3.019 F F3 .52(binary type)3.02 F F0 .52
X(is $useful when running a network)3.02 F .567(Crack on several dif)72 667.2 R
X.567(ferent architectures$, a guesstimate of their)-.18 F F3 -.37(re)3.066 G
X.566(lative power).37 F F0 .566($take your slowest machine)3.066 F .653
X(as unary)72 679.2 R 3.153(,a)-.65 G .654
X(nd measure all others relative to it$, and a list of per)115.696 679.2 R
X(-host)-.2 E F3(\215ags)3.154 E F0(to)3.154 E F1(add)3.154 E F0 .654
X(to those speci\214ed on the)3.154 F F2(Crack)72 691.2 Q F0 .778
X(command line, when calling that host.)3.278 F .777
X(There is an example of such a \214le provided in the Scripts)5.777 F
X(directory - take a look at it.)72 703.2 Q .232(If ever you wish to specify a \
Xmore precise \214gure as to the relative power of your machines, or you are si\
Xm-)72 718.8 R .984(ply at a loss, play with the command)72 730.8 R F2 .983
X(make tests)3.483 F F0 .983(in the source code directory)3.483 F 5.983(.T)-.65
XG .983(his can provide you)422.451 730.8 R EP
X%%Page: 5 5
X%%BeginPageSetup
XBP
X%%EndPageSetup
X/F0 10/Times-Roman@0 SF(-5-)282.17 48 Q .062(with the number of fcrypts th\
Xat your machine can do per second, which is a number that you can plug into)72
X84 R(your)72 96 Q/F1 10/Courier@0 SF(network.conf)2.5 E F0(as a measure of you\
Xr machines' power $after rounding the value to an integer$.)2.5 E/F2 10
X/Times-Bold@0 SF 2.5(6. Usage)72 120 R F0(Okay)72 135.6 Q 3.21(,s)-.65 G .71
X(o, let')102.61 135.6 R 3.21(sa)-.55 G .709(ssume that you have edited your)
X137.64 135.6 R F1(Crack)3.209 E F0 .709(script, and your)3.209 F F1
X(Sources/conf.h)3.209 E F0 .709(\214le, where)3.209 F(do you go from here ?)72
X147.6 Q F1(Crack)148.285 169.2 Q F0([)2.5 E/F3 10/Times-Italic@0 SF(options)A
XF0 2.5(][)C F3(bindir)222.725 169.2 Q F0(])A F1(/etc/passwd)2.5 E F0
X([...other passwd \214les])2.5 E F1(Crack -network)148.285 193.2 Q F0([)2.5 E
XF3(options)A F0(])A F1(/etc/passwd)2.5 E F0([...other passwd \214les])2.5 E
X(Where)72 214.8 Q F2(bindir)3.421 E F0 .921
X(is the optional name of the directory where you want the binaries installed.)
X3.421 F .922(This is useful)5.922 F .944
X(where you want to be able to run versions of Crack on several dif)72 226.8 R
X.944(ferent architectures. If)-.18 F F2(bindir)3.444 E F0 .943(does not)3.443 F
X(exist, a warning will be issued, and the directory created.)72 238.8 Q(Note:)
X97 254.4 Q F2(bindir)2.5 E F0(defaults to the name)2.5 E F1(generic)2.5 E F0
X(if not supplied.)2.5 E F2 .147(Notes for Y)72 273.6 R .147
X(ellow Pages $NIS$ Users:)-1.11 F F0 2.647(Ih)2.647 G .147
X(ave occasional queries about how to get Crack running from a YP)238.819 273.6
XR .052(password \214le.)72 285.6 R .051(There are several methods, but by far \
Xthe simplest is to generate a passwd format \214le by run-)5.051 F(ning:-)72
X297.6 Q F1(ypcat passwd > passwd.yp)216 315.6 Q F0
X(and then running Crack on this \214le.)72 333.6 Q F2 2.5(7. Options)72 357.6 R
X(-f)72 373.2 Q F0 .28(Runs Crack in)97 373.2 R F3(for)2.78 E(egr)-.37 E(ound)
X-.37 E F0 .281
X(mode, ie: the password cracker is not backgrounded, and messages appear)2.78 F
X.561(on stdout and stderr as you would expect.)97 385.2 R .561
X(This option is only really useful for very small password)5.561 F
X(\214les, or when you want to put a wrapper script around Crack.)97 397.2 Q
X1.688(Foreground mode is disabled if you try running)97 412.8 R F1 1.688
X(Crack -network -f)4.188 F F0 1.688(on the command line,)4.188 F 1.382
X(because of the insensibility of)97 424.8 R F1(rsh)3.881 E F0 1.381
X(ing to several machines in turn, waiting for each one to \214nish)B .36
X(before calling the next. However)97 436.8 R 2.86(,p)-.4 G .36
X(lease read the section about)239.75 436.8 R F3 .36
X(Network Cracking without NFS/RFS)2.86 F F0(,)A(below)97 448.8 Q(.)-.65 E F2
X(-v)72 464.4 Q F0 .851
X(Sets verbose mode, whereby Crack will print every guess it is trying on a per)
X97 464.4 R .85(-user basis.)-.2 F .85(This is a)5.85 F(very quick way of \215o\
Xoding your \214lestore, but useful if you think something is going wrong.)97
X476.4 Q F2(-m)72 492 Q F0 .793
X(Sends mail to any user whose password you crack by invoking)97 492 R F1
X(Scripts/nastygram)3.293 E F0 .794(with their)3.293 F .407(username as an ar)97
X504 R 2.907(gument. The)-.18 F .407
X(reason for using the script is so that a degree of \215exibility in the for)
X2.907 F(-)-.2 E 1.266(mat of the mail message is supplied; ie: you don')97 516
XR 3.766(th)-.18 G 1.266(ave to recompile code in order to change the)316.14 516
XR(message.)97 528 Q/F4 7/Times-Roman@0 SF(3)133.38 523.9 Q F2(-nvalue)72 543.6
XQ F0 .481(Sets the process to be)97 555.6 R F1(nice)2.981 E F0 .481(ed to)B
XF3(value)2.981 E F0 2.981(,s)C .481(o, for example, the switch)278.218 555.6 R
XF1(-n19)2.98 E F0 .48(sets the Crack process)2.98 F
X(to run at the lowest priority)97 567.6 Q(.)-.65 E F2(-network)72 583.2 Q F0
X.774(Throws Crack into network mode, in which it reads the)97 595.2 R F1
X(Scripts/network.conf)3.275 E F0 .775(\214le, splits its)3.275 F .252
X(input into chunks which are sized according to the power of the tar)97 607.2 R
X.251(get machine, and calls)-.18 F F1(rsh)2.751 E F0 .251(to run)2.751 F 1.216
X(Crack on that machine.)97 619.2 R 1.216(Options for Crack running on the tar)
X6.216 F 1.217(get machine may be supplied on the)-.18 F .998(command line $eg\
X: verbose or recover mode$, or in the network.conf \214le if they pertain to \
Xspeci\214c)97 631.2 R(hosts $eg:)97 643.2 Q F1(nice\($)2.5 E F0(values\).)2.5
XE F2(-r<point\214le>)72 658.8 Q F0 2.626(This is only for use when running in)
X97 670.8 R F3 -.37(re)5.126 G(cover).37 E F0 5.126(mode. When)5.126 F 5.126(ar)
X5.126 G 2.626(unning Crack starts pass 2, it)375.32 670.8 R .32 LW 144 678.8 72
X678.8 DL/F5 5.6/Times-Roman@0 SF(3)82 687.32 Q/F6 8/Times-Roman@0 SF 1.027
X(I'm uncertain about the wisdom of mailing someone like this.)2 3.28 N 1.026
X(If someone browses your cracked user)5.027 F -.44('s).296 G .124(mail somehow)
X72 700.6 R 2.125(,i)-.52 G(t')124.841 700.6 Q 2.125(sl)-.44 G .125(ike a great\
X big neon sign pointing at the user saying "This Is A Crackable Account - Go F\
Xor)136.75 700.6 R 2.842(It!". Not)72 710.6 R .841(to mention the false sense o\
Xf security it engenders in the System Manager that he')2.842 F 2.841(s")-.44 G
X.841(informed" the)386.791 710.6 R .869(user to change his password.)72 720.6 R
X.87(What if the user doesn')4.87 F 2.87(tl)-.144 G .87
X(og on for 3 months? However)257.41 720.6 R 2.87(,s)-.32 G 2.87(om)365.182
X720.6 S .87(any people have)378.276 720.6 R
X(wired it into their own versions of Crack, I suppose it)72 730.6 Q/F7 8
X/Times-Bold@0 SF(must)2 E F6(be provided... AEM)2 E EP
X%%Page: 6 6
X%%BeginPageSetup
XBP
X%%EndPageSetup
X/F0 10/Times-Roman@0 SF(-6-)282.17 48 Q .797(periodically saves its state in a)
X97 84 R/F1 10/Times-Italic@0 SF(point\214le)3.297 E F0 3.297(,w)C .796
X(ith a name of the form)272.009 84 R/F2 10/Courier@0 SF(Runtime/P.*)3.296 E F0
X.796(This \214le can be)5.796 F .269
X(used to recover where you were should a host crash.)97 96 R .27
X(Simply invoke Crack in)5.269 F/F3 10/Times-Bold@0 SF(exactly)2.77 E F0 .27
X(the same man-)2.77 F .147(ner as the last time, with the addition of the)97
X108 R F2(-r)2.647 E F0 .146(switch, $eg:)2.646 F F2(-rRuntime/P.12345)2.646 E
XF0 2.646($s)C 2.646(witch. Crack)450.254 108 R .553
X(will startup and read the \214le, and jump to roughly where it left of)97 120
XR 3.053(f. If)-.18 F .553(you are cracking a very lar)3.053 F(ge)-.18 E
X(password \214le, this can save oodles of time after a crash.)97 132 Q .717
X(If you were running a)97 147.6 R F1(network)3.217 E F0 .717
X(Crack, then the jobs will again be spawned onto all the machines of)3.217 F
X.352(the original Crack.)97 159.6 R .352(The program will then check that the \
Xhost it is running on is the same as is men-)5.352 F .295
X(tioned in the point\214le.)97 171.6 R .294(If it is not, it will quietly die.)
X5.295 F .294(Thus, assuming that you supply the same input)5.294 F .429
X(data and do not change your)97 183.6 R F2(network.conf)2.929 E F0 .43
X(\214le, Crack should pick up where it left of)2.929 F 2.93(f. This)-.18 F .43
X(is a)2.93 F(bit inelegant, but it')97 195.6 Q 2.5(sb)-.55 G
X(etter than nothing at the moment.)186.73 195.6 Q .862(The method of error rec\
Xovery outlined above causes headaches for users who want to do multipro-)97
X211.2 R .53(cessing on parallel architectures.)97 223.2 R .53
X(Crack is in no way parallel, and because of the way it')5.53 F 3.03(ss)-.55 G
X(tructured)467.9 223.2 Q .024($reading stdin from shellscript frontends$ it \
Xis a pain to divide the work amongst several processes via)97 235.2 R F2
X(fork)97 247.2 Q F0(ing.)A 1.053
X(The hack solution to get several copies of Crack running on one machine with)
X97 262.8 R F1(n)3.553 E F0 1.053(processors at the)3.553 F 7.805
X(moment is to insert)97 274.8 R F1(n)207.67 274.8 Q F0 7.804
X(copies of the entry for your parallel machine into the)222.974 274.8 R F2
X(Scripts/network.conf)97 286.8 Q F0 .183(\214le. If you use the)2.683 F F2(-r)
X2.683 E F0 .183(option in these circumstances however)2.683 F 2.683(,y)-.4 G
X.184(ou will)475.756 286.8 R(get)97 298.8 Q F1(n)2.5 E F0(copies of the recove\
Xred process running, only one of them will have the correct input data.)2.5 E
X.858(The old solution to this problem $see old documentation if you are inter\
Xested$ has been negated by)97 314.4 R .252(the introduction of feedback mode,\
X so the best bet in this particular situation is to wait until the other)97
X326.4 R .773(jobs are done $and have written out lists of uncrackable passwor\
Xds$, and then re-start the jobs from)97 338.4 R 3.177(scratch. Anyone)97 350.4
XR .678(whose password was not cracked on the \214rst run will be ignored on th\
Xe second, if)3.177 F .532(they have not changed it since.)97 362.4 R .532
X(This is inelegant, but it')5.532 F 3.032(st)-.55 G .532
X(he best I can do in the limited time avail-)335.062 362.4 R(able.)97 374.4 Q
XF3 2.5(8. Support)72 398.4 R(Scripts)2.5 E F0(The)72 414 Q F2(Scripts)2.59 E F0
X.09(directory contains a small number of support and utility scripts, some of \
Xwhich are designed)2.59 F(to help Crack users check their progress.)72 426 Q
X(Brie\215y)5 E 2.5(,t)-.65 G(he most useful ones are:-)274.37 426 Q F3
X(Scripts/shadmrg)72 441.6 Q F0 .679
X(This is a small $but hopefully readable$ script for mer)97 453.6 R(ging)-.18
XE F2(/etc/passwd)3.179 E F0(and)3.179 E F2(/etc/shadow)3.179 E F0(on)3.179 E
X.191(System V style shadow password systems.)97 465.6 R .191
X(It produces the mer)5.191 F .192(ged data to stdout, and will need redi-)-.18
XF .367(recting into a \214le before Crack can work on it.)97 477.6 R .367
X(The script is meant to be fairly lucid, on the grounds)5.367 F .07(that I wor\
Xry that there are many shadowing schemes out there, and perhaps not all have t\
Xhe same data)97 489.6 R(format.)97 501.6 Q F3 3.462(Ih)97 517.2 S .962(ave not)
X109.912 517.2 R F0 .961
X(wired this facility into the Crack command itself because the world does)3.462
XF F3(NOT)3.461 E F0(revolve)3.461 E .465(around System V yet, regardless of wh\
Xat some people would have me believe, and I believe that the)97 529.2 R .008
X(lack of direct support for NIS outlined above, sets a precedent.)97 541.2 R
X.008(There are just too many incompatibil-)5.008 F
X(ities in shadow password schemes for me to hardwire anything.)97 553.2 Q F3
X(Scripts/plaster)72 568.8 Q F0 .372
X(which is named after a dumb joke, but is a simple frontend to the)97 580.8 R
XF2(Runtime/D.*)2.872 E F0 .372(die\214les that each)5.372 F .141
X(copy of the password cracker generates. Invoking)97 592.8 R F2
X(Scripts/plaster)2.641 E F0 .141(will kill of)2.641 F 2.64(fa)-.18 G .14
X(ll copies of the)444.42 592.8 R
X(password cracker you are running, over the network or otherwise.)97 604.8 Q F3
X(Scripts/status)72 620.4 Q F0 .359(This script)97 632.4 R F2(rsh)2.859 E F0
X.359(es to each machine mentioned in the)B F2(Scripts/network.conf)2.859 E F0
X.36(\214le, and provides)2.859 F .232
X(some information about processes and uptime on that machine.)97 644.4 R .231
X(This is useful when you want to \214nd)5.231 F
X(out just how well your password crackers are getting on during a)97 656.4 Q F2
X(Crack -network)2.5 E F0(.)A F3(Scripts/{clean,spotless})72 672 Q F0 .547
X(These are really just frontends to a make\214le. Invoking)97 684 R F2
X(Scripts/clean)3.047 E F0 .547(tidies up the Crack home)3.047 F(directory)97
X696 Q 3.551(,a)-.65 G 1.051
X(nd removes probably unwanted \214les, but leaves the pre-processed dictionary)
X142.941 696 R F2(bigdict)3.55 E F0(intact.)97 708 Q F2(Scripts/spotless)6.047 E
XF0 1.047(does the same as)3.547 F F2(Scripts/clean)3.547 E F0 1.047
X(but obliterates)3.547 F F2(bigdict)3.547 E F0(and)3.547 E
X(old output \214les too, and compresses the feedback \214les into one.)97 720 Q
XEP
X%%Page: 7 7
X%%BeginPageSetup
XBP
X%%EndPageSetup
X/F0 10/Times-Roman@0 SF(-7-)282.17 48 Q/F1 10/Times-Bold@0 SF
X(Scripts/nastygram)72 84 Q F0 .392(This is the shellscript that is invoked by \
Xthe password cracker to send mail to users who have guess-)97 96 R
X(able passwords, if the)97 108 Q/F2 10/Courier@0 SF(-m)2.5 E F0
X(option is used. Edit it at your leisure to suit your system.)2.5 E F1
X(Scripts/guess2fbk)72 123.6 Q F0 1.148(This script takes your)97 135.6 R F2
X(out.*)3.648 E F0 1.148(\214les as ar)6.148 F 1.148
X(guments and reformats the 'Guessed' lines into a slightly)-.18 F(messy)97
X147.6 Q/F3 10/Times-Italic@0 SF(feedback)2.5 E F0
X(\214le, suitable for storing with the others.)2.5 E .546(An occasion where th\
Xis might be useful is when your cracker has guessed many peoples passwords,)97
X163.2 R(and then died for some reason $a crash?$ before writing out the gues\
Xses to a feedback \214le.)97 175.2 Q(Running)5 E F2
X(Scripts/guess2fbk out.* >> Runtime/F.new)180.5 193.2 Q F0
X(will save the work that has been done.)97 211.2 Q F1 2.5(9. Network)72 235.2 R
X(Cracking without NFS/RFS)2.5 E F0 .981(For those users who have some form of)
X72 250.8 R F2(rsh)3.482 E F0 .982
X(command, but do not have a a networked \214lestore running)3.482 F .515(betwe\
Xen hosts, there is now a solution which will allow you to do networked crackin\
Xg, proposed to me by)72 262.8 R .517(Brian T)72 274.8 R .517(ompsett at Hull.)
X-.7 F(Personally)5.517 E 3.017(,Ic)-.65 G .517(onsider the idea to be potty)
X231.242 274.8 R 3.017(,b)-.65 G .518
X(ut it \214lls in missing functionality in a)352.294 274.8 R
X(wonderfully tacky manner)72 286.8 Q(.)-.55 E .29
X(From the documentation above, you will note that Crack will undo the)72 302.4
XR F2(-f)2.789 E F3 .289($output in for)2.789 F(egr)-.37 E(ound$)-.37 E F0
X.289(option, if)2.789 F .124(it is invoked with the)72 314.4 R F2(-network)
X2.624 E F0 .124(switch at the same time $see the)2.624 F F3(Options)2.624 E F0
X.124(section above$.)2.624 F .125(This is true, but)5.125 F
X(it does not apply if you specify)72 326.4 Q F2(-f)2.5 E F0(option in the)2.5 E
XF2(network.conf)2.5 E F0(\214le.)2.5 E .437(The practical upshot of doing this\
X is that remote copies of Crack can be made to read from)72 342 R F3(stdin)
X2.937 E F0 .437(and write)2.937 F(to)72 354 Q F3(stdout)2.692 E F0 .192
X(over a network link, and thus remote processing is accomplished.)2.692 F 2.692
X(Ih)5.192 G .193(ave tweaked Crack in such a)388.906 354 R(way)72 366 Q 3.932
X(,t)-.65 G 1.432(herefore, that if the)97.222 366 R F2(-f)3.931 E F0 1.431(opt\
Xion is speci\214ed amongst the crack-\215ags of a host in the network.conf,)
X3.931 F .22(rather than backgrounding itself on the remote host, the)72 378 R
XF2(rsh)2.72 E F0 .22(command on the)2.72 F F1(server)2.72 E F0 .22
X(is backgrounded, and)2.72 F
X(output is written directly to the \214les on the server)72 390 Q 1.1 -.55
X('s \214).37 H(lestore.).55 E .644(There are restrictions upon this method, mo\
Xstly involving the number of processes that a user may run on)72 405.6 R .223(\
Xthe server at any one time, and that you will have to collect feedback output \
Xtogether manually $dropping it)72 417.6 R .137(into the)72 429.6 R F2(Runtime)
X2.637 E F0 .137(directory on the server$.)2.637 F(However)5.136 E 2.636(,i)-.4
XG 2.636(tw)295.484 429.6 S .136(orks. Also, if you try to use)308.12 429.6 R F2
X(rsh)2.636 E F0 .136(as another user)2.636 F(,)-.4 E .885(you will suf)72 441.6
XR .886(fer problems if)-.18 F F2(rsh)3.386 E F0 .886
X(insists on reading something from your terminal $eg: a password for the)3.386
XF .644(remote account$.)72 453.6 R .644(Also, recovering using checkpointing \
Xgoes out the window unless you specify the name)5.644 F
X(of the point\214le as it is named on the remote machine.)72 465.6 Q F1 2.5
X(10. Notes)72 489.6 R(on fast crypt implementations)2.5 E F0 .58
X(The stdlib version of the)72 505.2 R F2(crypt)3.08 E F0 .58
X(subroutine is incredibly slow)3.08 F 5.58(.I)-.65 G 3.08(ti)348.58 505.2 S
X3.08(sa)357.22 505.2 S F3(massive)A F0 .58(bottleneck to the execu-)3.08 F .838
X(tion of Crack and on typical platforms that you get at universities, it is ra\
Xre to \214nd a machine which will)72 517.2 R .598
X(achieve more than 50 standard crypt s per second.)72 529.2 R .599
X(On low-end diskless workstations, you may expect 2)5.599 F .454
X(or 3 per second.)72 541.2 R .454(It was this slowness of the crypt algori\
Xthm which originally supplied much of the secu-)5.454 F(rity Unix needed.)72
X553.2 Q/F4 7/Times-Roman@0 SF(4)141.71 549.1 Q F0 .956(There are now)72 568.8 R
XF1(many)3.456 E F0 .956
X(implementations of faster versions of crypt to be found on the network.)
X3.456 F .955(The one)5.955 F 1.38
X(supplied with Crack v3.2 and upwards is called)72 580.8 R F2(fcrypt)3.881
XE F0 6.381(.I)C 3.881(tw)335.173 580.8 S 1.381
X(as originally written in May 1986 by)349.054 580.8 R 1.315
X(Robert Baldwin at MIT)72 592.8 R 3.815(,a)-.74 G 1.315
X(nd is a good version of the crypt subroutine.)180.12 592.8 R 3.814(Ir)
X6.314 G 1.314(eceived a copy from Icarus)390.454 592.8 R
X(Sparry at Bath University)72 604.8 Q 2.5(,w)-.65 G
X(ho had made a couple of portability enhancements to the code.)186.06 604.8 Q
X3.166(Ir)72 620.4 S .667(ewrote most of the tables and the KeySchedule generat\
Xing algorithm in the original)81.826 620.4 R F3(fdes-init.c)3.167 E F0 .667
X(to knock)3.167 F .117(40% of)72 632.4 R 2.617(ft)-.18 G .116
X(he execution overhead of fcrypt in the form that it was shipped to me.)
X109.824 632.4 R 2.616(Ii)5.116 G .116(nlined a bunch of stuf)410.676 632.4 R
X(f,)-.18 E .753(put it into a single \214le, got some advice from Matt Bishop \
Xand Bob Baldwin [both of whom I am greatly)72 644.4 R .353
X(indebted to] about what to do to the)72 656.4 R F2(xform)2.853 E F0 .352
X(routine and to the fcrypt function itself, and tidied up some)2.853 F 3.29
X(algorithms. I)72 668.4 R .791(have also added more lookup tables and reduced \
Xseveral formula for faster use.)3.29 F .791(Fcrypt is)5.791 F(now barely r\
Xecognisable as being based on its former incarnation, and it is 3x faster)72
X680.4 Q(.)-.55 E .155(On a DecStation 5000/200, fcrypt is about 16 times f\
Xaster than the standard crypt $your mileage may vary)72 696 R .317
X(with other architectures and compilers$.)72 708 R .317
X(This speed puts fcrypt into the "moderately fast" league of crypt)5.317 F
X.32 LW 144 716 72 716 DL/F5 5.6/Times-Roman@0 SF(4)82 724.52 Q/F6 8
X/Times-Roman@0 SF .215(See: "Password Security)2 3.28 N 2.215(,AC)-.52 G .215
X(ase History" by Bob Morris & Ken Thomson, in the Unix Programmer Docs.)182.62
X727.8 R EP
X%%Page: 8 8
X%%BeginPageSetup
XBP
X%%EndPageSetup
X/F0 10/Times-Roman@0 SF(-8-)282.17 48 Q .87(implementations. There)72 84 R/F1
X10/Times-Bold@0 SF(ar)3.37 E(e)-.18 E F0 .87
X(faster versions of crypt to be had $eg:)3.37 F/F2 10/Courier@0 SF(UFC)3.369 E
XF0 3.369($w)C .869(hich may be found on the net-)378.806 84 R 2.768(work. The)
X72 96 R .269(advantage of fcrypt is that I support it, understand it, and \
Xcan distribute and \214x it without has-)2.769 F 2.5(sle. If)72 108 R
X(you want to play around with other crypts, that is up to you.)2.5 E
X(Feel free.)5 E F2(8-\))5 E F1 -.55(11)72 132 S 5(.C).55 G(onclusions)96.17 132
XQ F0(What can be done about brute force attacks on your password \214le ?)72
X147.6 Q -1(Yo)72 163.2 S 2.754(um)1 G .253
X(ust get a drop-in replacement for the)98.754 163.2 R F2(passwd)2.753 E F0(and)
X2.753 E F2(yppasswd)2.753 E F0 .253(commands; one which will stop peo-)2.753 F
X.79(ple from choosing bad passwords in the \214rst place.)72 175.2 R .791
X(There are several programs to do this; Matt Bishop')5.791 F(s)-.55 E F2
X(passwd+)72 187.2 Q F0 .315(and Clyde Hoover)2.815 F -.55('s).37 G F2(npasswd)
X3.365 E F0 .314(program are good examples which are freely available.)2.815 F
X(Consult)5.314 E(an)72 199.2 Q F1(Ar)2.5 E(chie)-.18 E F0
X(database for more details on where you can get them from.)2.5 E .904
X(It would be nice if an or)72 214.8 R .904(ganisation $such as)-.18 F F1(CER)
X3.404 E(T)-.35 E F0 3.404(?$ could)B .904(be persuaded to supply skeletons of)
X3.404 F/F3 10/Times-Italic@0 SF(sensible)3.405 E F0 1.448(passwd commands for \
Xthe public good, as well as an archive of security related utilities)72 226.8 R
X/F4 7/Times-Roman@0 SF(5)441.382 222.7 Q F0 1.447(on top of the)448.829 226.8 R
X(excellent)72 238.8 Q F2(COPS)2.754 E F0 5.254(.H)C(owever)149.828 238.8 Q
X2.754(,f)-.4 G .254(or Unix security to improve on a global scale, we will als\
Xo require pressure on)187.442 238.8 R
X(the vendors, so that programs are written correctly from the beginning.)72
X250.8 Q .32 LW 144 708.2 72 708.2 DL/F5 5.6/Times-Roman@0 SF(5)82 716.72 Q/F6 8
X/Courier@0 SF(COPS)2 3.28 M/F7 8/Times-Roman@0 SF
X(is available for anonymous FTP from)2 E/F8 8/Times-Italic@0 SF
X(cert.sei.cmu.edu)2 E F7($128.237.253.5$ in)2 E F8(~/cops)2 E EP
X%%Trailer
Xend
X%%EOF
END_OF_FILE
if test 49701 -ne `wc -c <'Docs/README.ps'`; then
echo shar: \"'Docs/README.ps'\" unpacked with wrong size!
fi
# end of 'Docs/README.ps'
fi
echo shar: End of archive 5 $of 5$.
cp /dev/null ark5isdone

0 new messages