From: Eric Murray <ericm@lne.com>
Date: Thu, 26 Dec 1996 07:58:11 -0800 (PST)
To: fygrave@freenet.bishkek.su (Fyodor Yarochkin)
Subject: Re: Unix Passwd
In-Reply-To: <Pine.LNX.3.91.961226155652.3979T-100000@freenet.bishkek.su>
Message-ID: <199612261556.HAA05096@slack.lne.com>
MIME-Version: 1.0
Content-Type: text/plain


Fyodor Yarochkin writes:
> 
> 
> Anyone has any success in breaking this?
> -f

Many people have tried breaking the cipher, I have not heard
of anyone being successful.

There is however a number of programs that attempt a brute-force
of passwords, the best is called 'crack' and is written by Alec Muffet.
He's just announced a new release (see below).

Crack is commonly used by system administrators to check users passwords
for easily-cracked passwords (since it's one of the first things that a hacker
breaking into your system might try, the sysadmin can get users to change
'Crack'able passwords before they're hacked).

Crack uses a set of word dictionaries that you supply, and rules
to use to permute each word (add a '1' on the end, capitalize the first
character, etc). for more attempts.  It also included a re-written
version of the crypt algorithim that's faster than what comes in
many UNIXes.



Reply-To: Alec Muffett <alecm@crypto.dircon.co.uk>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Subject:      ANNOUNCE: Crack v5.0a available...
X-To:         bugtraq@fc.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Eschewing the media-friendly hype which surrounded the release of
SATAN some time ago (Hi Dan!) and bemused by the fact that some of the
code he wrote years ago has since crept into the Linux-based operating
system of the machine he is composing this message on (as a standard
part of the authentication libraries, no less) - the author is pleased
to announce the release of:

                  Crack v5.0a - The Password Cracker
             Crack v6.0 - The Minimalist Password Cracker
           Crack v7.0 - The Brute-Forcing Password Cracker

                           available from:

                http://www.users.dircon.co.uk/~crypto/

(just like a London bus, you wait ages and then three turn up at once)


In the expectation that some kind soul will be good enough to retrieve
copies and place them up for FTP at various well-connected mirror
sites (the sundry CERTs, COAST, et al), the MD5 checksum for the first
distribution is:

                   6511dca525b7b921ea09eca855cc58f2

- but please be patient if you *do* suffer problems downloading; it's
not like Crack is a new piece of technology, so you shouldn't panic
about upgrading.


NOTE: Discussion of issues relating to running this version of Crack
should be directed to the newsgroup "comp.security.unix" - mention
"Crack5" in the subject line.


        - alec

------------------------------------------------------------------

New features.

   * Complete restructuring - uses less memory

   * Ships with Eric Young's "libdes" as standard

   * API for ease of integration with arbitrary crypt() functions

   * API for ease of integration with arbitrary passwd file format

   * Considerably better gecos-field checking

   * More powerful rule sets

   * Ability to read dictionaries generated by external commands

   * Better recovery mechanisms for jobs interrupted by crashes

   * Easier to control (eg: to put to sleep during working hours)

   * Bundled with Crack6 (minimalist password cracker)

   * Bundled with Crack7 (brute force password cracker)

   * Tested on Solaris, Linux, FreeBSD, NetBSD, OSF and Ultrix







-- 
Eric Murray  ericm@lne.com  ericm@motorcycle.com  http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF