Cracker Jack, THE Unix Password Cracker [Read Me]

June 1993        Doc’s for Cracker Jack v 1.4

 

DISCLAIMER

==========

The copyright of this software is owned by the author, Jackal.

Please feel free to make copies and share them with your friends.

I can under no circumstances be held responsible for any consequences

of your use/misuse of this package, whatever that may be (system crash,

you going to jail, world war, etc..). Nor can I guarantee any functionality,

just take it or leave it.

 

 

What is Cracker Jack?

=====================

Cracker Jack is a Unix password checker/cracker, running on PC’s.

As humble as I am, I don’t think you’ll find other Unix password

crackers for PC’s, who will beat it in speed (if you do, I’ll appreciate

if you let me know).

It is currently available in 2 versions (for 8086/88 and 80386.

I’ve dropped the 286 version, it wasn’t significantly faster than

the 8086 version).

The 386 version is far faster than the other, please use that, if

you have a 386 or 486 CPU. Besides, the 386 version has no 640 kb limit,

so you can load a lot more accounts. The 386 version also runs under

OS/2 v. 2.0.

(Special versions for 486 and 586/Pentium might be available in the future.

Likewise, I might port it to other CPU’s on other O/S’es than DOS and

OS/2, but don’t count on it).

 

 

What’s new in Cracker Jack 1.4?

===============================

I finally got that Borland C++ v 3.1, but I’m rather disappointed,

‘coz in the meantime I’ve got hold on the GNU C compiler – IT’S GREAT!

After porting Jack to this compiler, it runs about 8% faster, at least

on my PC. I believe, however, that the speed increase is varying,

depending on your CPU type, cache RAM etc. Anyway, it now runs in

protected mode (and it REQUIRES a 386/486!), so there’s no 640 kb limit.

Thanks to the EMX port of GNU C, it also runs under OS/2 2.0.

Furthermore, I’ve (once again) rearranged the account loading and

sorting algorithm, so there’s virtually no startup delay, even when

loading several thousand accounts.

 

I have included a sort utility, JSORT. It doesn’t have the 64 kb limit

as DOS SORT has. Currently it doesn’t support single crack wordlists,

but I’m working on that.

 

JPP can now insert a dot BEFORE the password, with option -dot:0

 

That’s basically it, no real news, but I thought this was worth

releasing.

 

 

What’s new in Cracker Jack 1.3

==============================

– Rearranged and optimized the account loading/checking routines, thus

gaining faster loading and space for more accounts per session.

– Added the -noname switch, which prevents Jack from loading the login

names into memory, and thus lets you load even more accounts per

session. The more accounts, the more comparisons/second.

– In single crack mode, it now checks ALL the accounts with

same salts as the account being processed. This takes almost no extra

time, so why not do it? It has given ME some accounts. 🙂

– It now checks the keyboard for Ctrl-C, so you don’t have to wait eras

when you wanna abort the session.

– Status is now only showed when you press a key (and on exit), so you get a

bigger chance of seeing cracked passwords, before they scroll off the screen.

– It is now possible to restore an aborted single crack session.

 

 

Jackal’s future plans:

– Fix JSORT to support single crack wordlists

– Implement password generator

– Add ‘free crack’ option to load accounts with same salts from other

pwfiles (and/or same pwfile when using the -u option)

– Implement more options into JPP.

– Possibly implement the features of JPP into Jack itself, to avoid the

need of lot of harddisk space for the DOS pipe, especially when you

use -gecos:8

– Improve the docs

 

Files in the archive

====================

The following files are included in the archive:

 

JACK.EXE        Cracker Jack

JPP.EXE         Jack PreProcessor, manipulates words

JACKPOT.EXE     Shows you the passwords cracked so far

XTRACT.EXE      Extracts words from any file

JSORT.EXE       Sorts standard wordfiles (NOT single crack wordlists!)

JACK14.DOC      Hmmm, what can this be? 🙂

EMX.EXE         *) EMX runtime/system interface for DOS

EMX.DLL         *) EMX runtime/system interface for OS/2

 

*) Note: Only included in the 386 version.

Beware, that all executables are NOT the same in the 386

version as in the 8086 version, although the names are the

same.

 

 

How to use Cracker Jack

=======================

I guess you’ll figure it out yourself, but there are some things that

might require a word of explanation.

 

Jack saves all cracked passwords in a file called JACK.POT, in the same

directory as JACK.EXE. Be aware of this, if you run Jack from a floppy

(who would do that?), don’t write protect it.

Jack uses this file to check, if any of the passwords were cracked

previously, and won’t try to crack them again. So, please don’t delete

this file (it’s readonly for the same reason).

 

JACKPOT.EXE shows you these passwords.

Since this is similar to the “validfile” output in previous versions of

Jack, I have removed this option. Some of you might miss it, but it

requires a lot of core, which I felt could be better used for cracking

more accounts.

JACKPOT.EXE HAS TO BE IN THE SAME DIRECTORY AS JACK.EXE!

 

With Jack it is possible to crack more than 1 passwd file, without you

have to combine them into one single. You can even use wildcards.

 

Every 10 minutes (and upon completion), Jack saves point information to

a file (RESTORE, unless you specified another name with the -r option).

In case the system crashes, you don’t have to start all over.

But if you interrupt a session and start a new one, the old information

is overwritten. Therefore, always rename the file, if you want to use

it.

 

The -user option lets you specify the login names or user id’s of the

accounts you want to crack. F.ex. -user:0 would load all accounts with

root priv’s, whereas -user:root would just load the root account itself.

 

The single crack option (-single) in JACK is used in conjunction with

the login (-login) and gecos (-gecos:#) options of JPP. F.ex. would

JPP -gecos:1 -lower pwfile | JACK -stdin -single pwfile

lowercase each word in the gecos fields and try it on the accounts

to whom it belongs AND to other accounts with the same salt.

 

There is one thing, you have to be aware of, when using single crack

mode; It is not adviced to direct the output from JPP to a file, and

then use this file as input for Jack. Because Jack does not load the

accounts it has cracked previously, the inputfile has to provide

login/gecos words from the UNCRACKED accounts ONLY! Otherwise JACK gets

out of syncronization, and tries the supplied words on the wrong

accounts. In other words, if you have cracked some accounts AFTER the

creation of the inputfile, you have to recreate it with JPP. This is

also the case if you restore a single crack session.

If you always PIPE the output from JPP into Jack, there’s no problems.

JPP.EXE HAS TO BE IN THE SAME DIRECTORY AS JACK.EXE!

 

To illustrate the gecos option of JPP, suppose we have a passwd file

with the following account:

 

billy:EncrPassword:123:10:Billy The Kid:/usr/billy:/bin/csh

 

There are 4 levels of gecos manipulation.

 

1: Each word

e.g. “Billy”, “The”, “Kid”

2: Combination of any 2 words

e.g. “BillyThe”, “BillyKid”, “TheBilly”, “TheKid” ,…

4: Combination of 1 word and up to 2 initials

e.g. “BillyTK”, “BillyKT”, “TKBilly”, “TBillyK”, “BKid” ,…

8: Combination of substrings of up to 3 words

e.g. “BiThKid”, “BillKi”, “BilTheKi”, “TheBillyK”, “BTK” ,…

 

Level 1, 2 and 4 can be added together. F.ex. if you want to get level 1

and level 4 in one run, specify -gecos:5.

Level 8 is an outsider; it always includes the other levels as well,

except that the output from level 8 is never more than 8 chars, to cut

down disk usage. Speaking of disk usage, remember to set the DOS TEMP

variable to a disk big enough to store the temporary file, created by

the DOS pipe (|). Preferrably the disk should be cached as well.

 

The XTRACT program was created for a specific need I had (to retrieve

fancy words from a game).

Usage: XTRACT MYFILE.XXX | SORT | JPP -include > WORDS.XXX

The reason to pipe it through JPP, is that JPP unique’s it’s output.

Another purpose for it, could be if you just had a couple of words

to pass to Cracker Jack, but didn’t want to create a wordfile:

ECHO secret abc123 haleluja password | XTRACT | JACK -stdin pwfile

 

 

Known bugs/restrictions

=======================

You cannot specify more than one wordfile to JACK (although you

can to JPP)

 

You cannot use spaces in the parameters to JPP, but since only

the 7 lower bits of each char in the password is used, you can

use char # 160 ( = AltGr+1+6+0) instead. e.g:

JPP -gecos:4 -dot:1 pwfile | JPP -translate:. | JACK -stdin -single pwfile

 

JSORT doesn’t support single crack wordlists yet. In these wordlists,

generated by JPP’s -login or -gecos options, there are some strings,

“***!***”, which tells Jack to switch to the next salt. JSORT doesn’t

recognise this string as anything special, and just treats it as a normal

input line.

 

…………….

 

 

 

Have phun, Jackal.

 

 

 

Contacting the author / How to get help / Dist. site

====================================================

The official distribution site for CrackerJack is Freeside, +45-3-122-3119.

Here you may contact the author, as well as obtain the latest version.

 

Zephyr, Freeside Sysop.