+------------------------------------------------------+

            |                                                      |

            |    KILLER CRACKER: Portable Un*x Password Cracker    |

            |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    |

            |           Version 8.00 LTD, Dated 7/28/91            |

            |                                                      |

            |             Written By Doctor Dissector              |

            |       Copyright (c) 1991, By Doctor Dissector        |

            |                                                      |

            +------------------------------------------------------+



     *** LIMITED EDITION !!!!! DO NOT DISTRIBUTE !!!!! LIMITED EDITION ***





License

-------

    This program is NOT free software BUT may be used without charge or

payment in any form IF your copy is a "registered" distributed version.

You may modify it as much as you please, however, you MAY NOT

re-distribute it, in any shape or for: ie. modified OR unmodified,

without the expressed written consent (ie. e-mail) of Doctor

Dissector. (bbs.doctord@doomsday.spies.com)

    This program was initially distributed in the hope that it will be

useful, but WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.





Disclaimer

----------

    This program was written and released just to prove that Un*x

accounts can be effectively cracked utilizing modified DES password

encryption (crypt) routines and proper programming skills.

    I, Doctor Dissector, the author of Killer Cracker, do not endorse

any type of illegal appropriation of computer accounts using programs

such as this; my goal is only to prove that the Un*x operating

system's greatest weakness in security lies in the /etc/passwd file.

    Doctor Dissector will not be held responsible for the actions of

anyone who may misuse this program since he cannot control the actions

of the people who might become exposed to this program's use for illegal

means.





Quick Instructions

------------------

    To compile under any operating system using "make", edit the file

"Makefile" included with this package to your needs and type "make".





File Listing & Description

--------------------------

    WHATSNEW.800 -- Info on new modifications/additions to this version

          KC.DOC -- This document file

          KC.EXE -- MS/PC-DOS executable

          KC.H   -- Killer Cracker source code header file

          KC.C   -- Killer Cracker source code

    MAKEFILE.    -- Makefile for KC, edit this and use "make" to compile!

     B_ORDER.C   -- Determines if your machine is Network Byte Order

      BCRYPT.H   -- Bcrypt encryption source code header file

      BCRYPT.C   -- Bcrypt encryption source code

       XFDES.H   -- XFDES encryption source code header file

       XFDES.C   -- XFDES encryption source code

    GOODWORD.W   -- Collection of words from various sources

    GIRLWORD.W   -- Collection of female first names





Description

-----------

    Killer Cracker (KC) is a program which effectively, and quickly,

encrypts a sequence of guesses (words) utilizing a modified form of the

DES Un*x password encryption alogrithm.  These encrypted guesses are

then compared to the fields in any typical /etc/passwd file; any matches

are recorded for future reference.

    Guesses to KC are read from several sources.  The primary source of

guesses to encrypt come from a textfile (ASCII) of words separated by

CR/LF pairs or LFs (depending on operating system).  Other guesses are

taken from each individual account in any /etc/passwd file; the login name

and two respective GECOS field entries.  In addition, single characters

(a-z, A-Z, 0-9) and "funny" characters (^A-^Z, ESC, SPACE) can be tested

as guesses as well.  KC also has the ability to make several combinations

for several guesses from one guess (i.e. test the guess in normal case,

uppercase, lowercase, and backwards) and the option to pre-pend or append

any number of characters to the beginning or end of any guessed word.

    KC was also written in C source, which has been released and included

in KC's release package.  The source was developed to be highly portable

with most other C compilers, especially the Un*x C compilers.





Execution

---------

    Killer Cracker can be invoked using various methods from the command

line (shell prompt).  Normally, KC will be called directly from the command

line; thus, usage from the command line will be discussed first.  In order

to obtain a brief summary of KC's options from the command line, KC can be

invoked with the '-?' or '/?' flag.  Incedentally, all flags to KC must be

either preceded by a '-' or a '/' character.  The following info will

discuss KC's command line flags and offer detailed descriptions for each.

Under some Un*x shells, you may have to type the -? in double quotes ("-?")

in order to get the appropriate response.



Usage: kc -?bcfghlostu -<1|2>[:]<chars> -<p|w|v>[:]<filename> -z[:]<minutes>

       kc -r[:]<filename>



Parms: -1 prefix chars       -p /etc/passwd file   -r restore file

       -2 suffix chars       -w guess word file    -v valid account file



Flags: -? explain usage      -b test backwards     -c test up/low cases

       -f test funny chars   -g test GECOS fields  -h hog resources

       -l test login names   -o suppress output    -s single char test

       -t test crypt result  -u user based crack   -z timeout (minutes)



    Brief Summary Of Flags

    ----------------------

    -?  KC will print a brief summary of the available command line flags

        as shown above.



    Description Of Flags

    --------------------

    -p[:]<file> Filename/path+filename of the /etc/passwd file to be

                cracked.  The ':' character is optional (can be used to

                clarify the command line).  If no filename is specified,

                KC will prompt you for one.



    -w[:]<file> Filename/path+filename of the wordfile where all password

                guesses are stored. Format of the words inside this

                wordfile must be one word per line, no blank lines are

                allowed.  The ':' character is optional (can be used to

                clarify the command line).  If no filename is specified,

                KC will prompt you for one.



    -v[:]<file> Filename/path+filename of the output file, where all

                valid account/password combinations will be saved.

                The ':' character is optional (can be used to clarify the

                command line).  If no filename is specified, KC will

                prompt you for one.



    -r[:]<file> Filename/path+filename of the restorefile you would like

                KC to read options and restoredata from.  If this flag is

                invoked without a following filename (i.e. "kc -r"), KC

                will assume a default filename of "restore".  Also note

                that if this flag is specified, all other flags from the

                command line will be ignored.  The ':' character is

                optional (can be used to clarify the command line).



    -1[:]<char> The characters KC will be instructed to pre-pend to the

                front of each word tested, one single character at a time.

                For example, if you used the flag "-1:abc", each test

                would test each word as "aWORD", "bWORD", and "cWORD".



    -2[:]<char> The characters KC will be instructed to append to the

                end of each word tested, one single character at a time.

                For example, if you used the flag "-1:abc", each test

                would test each word as "WORDa", "WORDb", and "WORDc".



    -z[:]<time> Under the Un*x environment, this will instruct KC to

                abort after the specified <time> in MINUTES.



    -b  KC will be instructed to create a word combination from the

        available guesses as the reverse (backwards) from of the original

        guess.  KC is intelligent and will not repeat testing of guesses

        which are the same foreward and backward (i.e. "MOM" backwards is

        "MOM", KC will not test this guess in reverse).  Refer to "Examples

        Of Guesses" for more information.



    -c  KC will be instructed to create word combinations from the

        available guesses in all uppercase and all lowercase.  KC is

        intelligent and guesses which are the same in all uppercase or

        all lowercase will be skipped from testing in the respective

        combination.  See "Examples Of Guesses" for more information.



    -f  KC will be instructed to test the "funny" control characters ^A-^Z,

        ESC, and SPACE as guesses before testing guesses from the wordfile.



    -g  KC will be instructed to test two words from the /etc/passwd GECOS

        field of each individual account as guesses for that particular

        account.  KC will skip over entries in the GECOS field who's second

        character is the '.' period character to avoid testing initials.



    -h  KC will be instructed to hog all available system resources under

        (and ONLY under) the BSD Unix system.  This means that KC will

        attempt to raise the current resource limit of its process to the

        maximum allowed value (if it is not at its maximum already).  This

        could result in dramatic performance increases as well as increased

        suspicion to the process, but the end result is for you, the

        end user to decide.



    -l  KC will be instructed to test the login name from the /etc/passwd

        GECOS field of each individual account as a guess for that

        particular account.



    -o  KC will be instructed to suppress all output from printing to the

        local console/terminal.  Normally, information about the current

        session is printed to the standard output; however, on the Un*x

        operating system where background processing requires output to be

        directed away from the local console/terminal, verbose output could

        be a problem.  Also note that this flag, when executed under the

        Un*x operating system, will automatically fork KC into the

        background (returning you quickly to the shell prompt) and the

        NOHUP flag (HUP signal ignore) will be placed on its process (so

        logoff will not result in termination of the current session).



    -s  KC will be instructed to test the single characters, a-z, A-Z, and

        0-9 as guesses before testing guesses from the wordfile.



    -t  KC will be instructed to test the result of a single, pre-installed,

        encrypt/comparison using the default encryption routines.  If you

        get an encryption error, then your system WILL NOT effectively

        crack passwords.



    -u  KC will be instructed to compare every word from the wordfile

        avainst an account before moging to the next account.  When

        cracking by WORDS, KC will enable same-word-memory which

        increses speed over cracking by users up to 40%.  Normally,

        KC will crack for passwords in the following format:



             Default Format

             --------------

                 word #1: test account #1's password

                          test account #2's password...

                 word #2: test account #1's password

                          test account #2's password...

                 word #3: test account #1's password

                          test account #2's password... (etc.)



        This flag will instruct KC to follow the following format:



             Optional Format

             ---------------

                 user #1's password: test word #1

                                     test word #2

                                     test word #3...

                 user #2's password: test word #1

                                     test word #2

                                     test word #3...

                 user #3's password: test word #1

                                     test word #2

                                     test word #3... (etc.)





Usage Examples

--------------

    kc -c -p:passwd.212 -w:dict.txt -v:valid.212

        The above command will instruct KC to read encrypted passwords

        from the file passwd.212 (/etc/passwd format), read guesses from

        the file dict.txt, and write any valid account/password

        combinations to the file valid.212.  All guesses will be tested

        in normal, upper, and lowercase. Output will be verbose to the

        console.



    kc -cbo -ppwfile.txt -wwords.txt -vresults.txt

        The above command will instruct Killer Cracker to read encrypted

        passwords from the file pwfile.txt, read guesses from words.txt,

        and write all valid account/password combinations into

        results.txt.  All guesses will be tested in normal, upper,

        lowercase and reverse-normal, reverse-upper, and reverse-

        lowercase.  All output will be suppressed.



    kc -glu -ppasswd.txt -wwords.txt -vvalid.txt

        The above command will instruct Killer Cracker to read encrypted

        passwords from passwd.txt, read guesses from words.txt, and write

        valid account/password combinations to valid.txt.  In addition,

        the account/login names will be tested as passwords for each

        account, and the GECOS field strings will be tested as passwords

        for each account.  When cracking begins, KC will crack passwords

        using the optional format. Output will be verbose to the standard

        output.



    kc -c -p:passwd.txt

        The above command will instruct KC to read encrypted passwords

        from passwd.txt, interactively request the filenames for the

        wordfile and the validfile, and test guesses in normal, upper,

        and lowercase.



    kc -rOLDCRACK.KC

        The above command will instruct KC to read the restorefile

        OLDCRACK.KC and restore the session as saved in that file.





Examples Of Guesses

-------------------

    Killer Cracker can test words as normal, uppercase, lowercase,

reversed, and with numerical suffixes.  The following table displays the

guesses for the words "Guess", "password", "PW", and 'MOM'. The '$' fields

are areas which are skipped because the guess would be a repeat and the

'X' fields are areas which are never accessed.



 +-----------------------------------------------------------------------+

 | Flags  | Normal | Upcase |Lowcase |Reverse |Ureverse|Lreverse| Suffix |

 |--------+--------+--------+--------+--------+--------+--------+--------|

 | "c"    |Guess   |GUESS   |guess   |XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|

 |        |password|PASSWORD|$$$$$$$$|XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|

 |        |PW      |$$$$$$$$|pw      |XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|

 |        |MOM     |$$$$$$$$|mom     |XXXXXXXX|XXXXXXXX|XXXXXXXX|XXXXXXXX|

 |--------+--------+--------+--------+--------+--------+--------+--------|

 | "r"    |Guess   |XXXXXXXX|XXXXXXXX|sseuG   |XXXXXXXX|XXXXXXXX|XXXXXXXX|

 |        |password|XXXXXXXX|XXXXXXXX|drowssap|XXXXXXXX|XXXXXXXX|XXXXXXXX|

 |        |PW      |XXXXXXXX|XXXXXXXX|WP      |XXXXXXXX|XXXXXXXX|XXXXXXXX|

 |        |MOM     |XXXXXXXX|XXXXXXXX|$$$$$$$$|XXXXXXXX|XXXXXXXX|XXXXXXXX|

 |--------+--------+--------+--------+--------+--------+--------+--------|

 | "rc"   |Guess   |GUESS   |guess   |sseuG   |SSEUG   |sseug   |XXXXXXXX|

 |        |password|PASSWORD|$$$$$$$$|drowssap|DROWSSAP|$$$$$$$$|XXXXXXXX|

 |        |PW      |$$$$$$$$|pw      |WP      |$$$$$$$$|wp      |XXXXXXXX|

 |        |MOM     |$$$$$$$$|mom     |$$$$$$$$|$$$$$$$$|$$$$$$$$|XXXXXXXX|

 +-----------------------------------------------------------------------+





Killer Cracker's Symbols

------------------------

    When Killer Cracker is cracking passwords and output is allowed to the

standard output, KC will print one of three symbols to the console for

each comparison done.



       "-"  This symbol is printed to the standard output when KC has

            completed one encryption/comparison.



       "+"  This symbol is printed to the standard output when KC has

            already cracked the account in question or if the account had

            been flagged as "inactive."  KC will skip the encryption/

            comparison as a result.



       "*"  This symbol is printed to the standard output when KC is

            skipping the particular encryption/comparision because the

            guess tested would repeat a previous comparision using the

            same word in a different configuration. See "Examples Of

            Guesses" for information.





Quitting Killer Cracker

-----------------------

    Normally, Killer Cracker will continue cracking until it has

completed the last word (in the default format) or the last account

(in the optional format).  If cracking must be aborted in the middle of

a job, the normal terminate key sequence Control-C for MS/DOS machines,

Control-\ for Un*x can be used to stop the job, close all files

properly, and create a restorefile (named "restore") for future

continuation of the crack (if desired).  If any other method is used to

terminate the crack job (powerdown, warm/cold boot, kill -9, etc) the

files may not be updated properly and data may be lost.  If you are not

familiar with Un*x job control, and KC places itself in the background,

you can either send a SIGQUIT/SIGINT to the KC pid or you can bring

the KC process into the foreground and then type Control-C.

    Also note that when KC is running under suppressed output mode,

the response to hitting Control-C may take up to several minutes on

MS/DOS machines; just hit Control-C like three times, then sit back

and wait for KC to abort (patience, my friend!).





Restorefile Format

------------------

    Killer Cracker's option to restore aborted sessions or to "read"

options from a normal (ASCII) file can come in handy in many

circumstances.

    The following text describes the format of this file and how KC

interprets the information in it.  Note that the BASIC format of the

restorefile is "IDENTIFIER=TOKEN<newline>" where <newline> is either

a CR/LF pair or a LF (depending on system implementation).  Case is

ignored in the IDENTIFIER but the TOKEN's case may be important in

filenames, accountnames, and words in a particular wordfile.



    Example: Filename "restore"

    ---------------------------

    Passwordfile=/etc/passwd

    Wordfile=crackwords.txt

    Validfile=valid.txt

    Prefixes=abc

    Suffixes=123

    Flags=1rc

    Timeout=0

    Lastaccount=daemon

    Lastword=phoenix



    Description Of Identifiers

    --------------------------

        Passwordfile    Filename of the passwordfile (same as -p<file> from

                        the command line).



        Wordfile        Filename of the wordfile (same as -w<file> from the

                        command line).



        Validfile       Filename of the validfile (same as -v<file> from

                        the command line).



        Prefixes        The characters which would be used to prefix the

                        words being tested (same as -1<chars> from the

                        command line).



        Suffixes        The characters which would be used to suffix the

                        words being tested (same as -2<chars> from the

                        command line).



        Flags           Flags which are currently active (same flags as

                        offered on the command line).



        Timeout         The minutes before Killer Cracker will abort the

                        restored session.



        Lastaccount     Last account cracked during an aborted session; the

                        first account to begin cracking when the session

                        begins (skip all preceding accounts).  This

                        identifier is only read if the session is based on

                        users (if the -u flag is specified).  If the -u

                        flag is specified in the "Flags" identifier and

                        this field does not exist or the account does not

                        exist in the passwordfile, KC will yield an error.



        Lastword        Last word cracked during an aborted session; the

                        first word to begin cracking from when the session

                        begines (skip all preceding words in the given

                        wordfile).  This identifier is only read if the

                        session is based on words (default, no -u flag).

                        If this identifier is missing and cracking is based

                        on words, KC will yield an error.  If the Lastword

                        word does not occur in the wordfile, the session

                        will start and end without cracking anything.





System Dependent Information

----------------------------

    Implementation  Options/Restrictions

    --------------  -------------------------------------------------------

        MS/PC-DOS   Killer Cracker has an upper account limit of around

                    2000-3000 accounts per session (max accounts per

                    passwordfile) depending on how much system memory

                    you have free at the time of execution.



        BSD Un*x    If the '-o' flag is used, Killer Cracker will

                    automatically fork itself into the background and

                    the NOHUP flag (ignore HUP, hangup signal) will be set.

                    NOTE: KC has a special command line flag which can

                    be used ('-h') to "hog" all available system resources

                    to KC during any given session.  This is a flag which

                    should be used with caution, because when KC hogs

                    resources, KC HOGS resources! (ie. on one system,

                    w/o resource hogging, KC got 12 crypts/second... with

                    hogging on, it got 37 crypts/second) This could arouse

                    suspicion upon the superuser's part as other users of

                    the system find they can't do shit while the cracker

                    is running.  The timeout feature is enabled.



        SYSV Un*x   If the '-o' flag is used, Killer Cracker will fork

                    itself into the background as in BSD Un*x.  The timeout

                    feature is enabled.



        STRIPPED    Signal processing (CONTROL-C) is ignored (hitting

                    CONTROL-C will not save KC's process state,

                    terminating the session "abruptly").





Notes

-----

 1. When using the default format for cracking, Killer Cracker will

skip accounts which already have been cracked in the following

hypothetical format:



    Default Format, Hypothetical Situation: 10 words, 10 users.



    Word #1,  Users Tested: 1,2,3,4,5,6,7,8,9,10

    Word #2,  Users Tested: 1,2,3,4,5,6,7,8,9,10

    Word #3,  Users Tested: 1,2,3,4,5,6,7,8,9,10  (Valid For User #3)

    Word #4,  Users Tested: 1,2,4,5,6,7,8,9,10

    Word #5,  Users Tested: 1,2,4,5,6,7,8,9,10

    Word #6,  Users Tested: 1,2,4,5,6,7,8,9,10    (Valid For User #9)

    Word #7,  Users Tested: 1,2,4,5,6,7,8,10      (Valid For User #5)

    Word #8,  Users Tested: 1,2,4,6,7,8,10

    Word #9,  Users Tested: 1,2,4,6,7,8,10

    Word #10, Users Tested: 1,2,4,6,7,8,10



    When using the [u] option, Killer Cracker will jump to the next

account when (if) a valid password is cracked for the current user.



 2. When cracking accounts using Killer Cracking in "by-word" format,

encryption/comparisions take place up to 100% (2x) faster than when

cracking by users.  This is due to an optimization in BCRYPT/XFDES which

allows KC to remember the mask of the current word being cracked and

the calculation does not have to be re-done for all other comparisions

with that same word.  Note: these optimizations will not be as apparent

when cracking a small amount of users and/or when cracking the login/gecos

fields, as each user is tested against a different guess anyway.



 ------------------------------------------------------------------------------

   Thanx to Razor, So76, Scooter, PLAGUE, VIz, and all others who aided in the

               research and development of this password cracker.

 -(c) 1991-----------------------------------------------------------------EOF-