version 1.0b1
by
The SOrCErEr
(July 1997)
[ Additionnal tools ] . [ Where to find new versions ? ] . [ Credits ]
Disclaimer
(July 1997)
Disclaimer
STAR CRACKER (noted *C) is a Unix password cracker designed for both
administrators and hackers. It includes several cracking modes and uses
Solar Designer's DES routines, probably the fastest ever coded. Its behaviour is very
similar to Cracker Jack's or John The Ripper's... In fact, I must say that
for this version, I've taken the good features of John and added my own...
This time, I'm going to consider that you are already experimented on Unix
crackers, that'll be more simple for me. If you have problems to understand
this, get some documentations on Unix and Unix crackers, don't ask me obvious
questions...
As said before, STAR CRACKER's interface is similar to Cracker Jack's.
To run a crack session, you have to specify at least a password file and
a cracking mode. *C supports the following modes :
You can specify several cracking modes at the same time, and they will be ran in a row, in the order they are listed above. (Extended single mode overrides single mode if both are specified). Guessed passwords will be printed on the screen and stored in starcrak.potSingle crack mode and extended single crack mode (use login and gecos) Wordlist mode (Tries each word of a wordlist, possibly with rules) Grammar mode (Tries words generated according to grammar rules) Combination mode (Tries words generated according to statistics)
STAR CRACKER supports the following options :
Command line flags
-pwfile:<file>[,..] (-p:<file>[,..])
This flag is used to specify the password file(s) you want to use in the
session. A simpler way is just to specify the filename directly, without
any flag.
-single (-si)
This option turns on single crack mode.
-xingle (-xi)
This one turns on extended single crack mode. It's similar to single crack
mode except that it tests each word on *all* passwords.
-wordfile:<file> -stdin (-w:<file> -std)
Turn on wordlist mode and read passwords from <file> or STanDard INput.
-grammar:<rule>[,..] (-gra:<rule>[,..])
Turn on grammar mode and use specified grammar rules.
-combination[:<mode>] (-c[:<mode>])
Turn on combination mode and use [combination:<mode>] section in
starcrak.ini, or use [combination:all] by default.
-stats:<new_mode> (-sta:<new_mode>)
Create a new combination mode, by scanning wordfiles or cracked passwords
to make statistics. A new file called <new_mode>.sta will be created, and
the corresponding section [combination:<new_mode>] will be inserted in
starcrak.ini.If no password files or wordfiles are specified, starcrak.pot
will be used. If you specify a password file, only the cracked passwords
from it will be used, and if you specify a wordfile, only the words it
contains will be used. You can also use -filter to filter out some words.
-rules (-ru)
Enable word rules for wordlist mode.
-norules (-nor)
Disable single crack modes rules. Useful with extended single crack mode,
as it can last very long.
-users:<login>|<uid>[,..] (-u:<login>|<uid>[,..])
Only load this (these) user account(s).
-groups:[!]<gid>[,..] (-gro:[!]<gid>[,..])
Only load users from or not from(!) this (these) group(s).
-shells:[!]<shell>[,..] (-she:[!]<shell>[,..])
Only load the users using or not using(!) this (these) shell(s).
It's possible to specify only the program name :
-shells:sh will match /usr/bin/sh or /foo/sh...
And -shells:/usr/bin/sh will match only /usr/bin/sh
-filter:<filter_name> (-f:<filter_name>)
Enable word filter stored in section [filter:<filter_name>] of starcrak.ini
-timeout:<min> (-t:<min>)
Set timeout delay in minutes.
-timestep:<min> (-ts:<min>)
Set timestep delay in minutes. *C will step to the next cracking mode
defined after this delay.
-stop:<n> (-sto:<n>)
Interrupt session after <n> passwords cracked.
-step:<n> (-ste:<n>)
Step to next cracking mode after <n> passwords cracked.
-restore[:<file>] (-re[:<file>])
Restore an interrupted session, using informations stored in <file>, or
in "restore" by default.
-show (-sho)
Display all cracked passwords from passwd files, according to starcrak.pot
contents.
-beep (-b)
Enable beep when a password is guessed.
-quiet (-q)
Disable beep when a password is guessed.
-test (-te)
Perform a raw speed benchmark.
-list (-l)
Display each word tested.
-salt (-sa)
Crack salt by salt. Salts will be sorted so that those containing many
accounts will be tested before those containing only a few ones, and all
the words will be tested on each salt independently. This often gets many
passwords earlier.
Caution : If you stop and restore a salt-by-salt session, some salts tested
before the interruption may be tested once again after the -restore if some
of their passwords have been cracked before you interrupt the session.
-disp (-d)
Display the current salt and the number of accounts it contains, when -salt
is specified.
-min:<l> -max:<l> (-mi:<l> -ma:<l>)
Set minimum and maximum word length. Defaults are 1 and 8.
-noname (-non)
Don't load login names in memory. Use it only if you're lacking memory.
-nohash (-noh)
Don't use hash tables. This will probably slow your stuff, but this can
allow you to use *C even if you are short in memory...
Single crack mode
Single crack mode is a simple mode which uses login and gecos fields of the
passwd entry. This is a very fast mode, as it only tests the informations
on the account it took them from and on the accounts of the same salt.
This mode uses word rules, complying to Crack v5.0 syntax, with extra stuffs
explained below. These rules allow you to modify every word as you want,
and so try many many words variations without storing all of them on your
disk.
This mode is the same as the previous one, except that it tests each word
on all salts instead of just testing it on the salt of the account it comes
from. This is much longer, but can sometimes get many more passwords,
especially when users can choose their logins.
You can reduce the time by disabling the word rules (-norules)
This mode is very classic, so there's not much to say about it. You just
specify the wordlist to use with -w:<wordlist>.
As usual, the wordlist is a file with one word per line.
You can enable word rules with -rules.
NOTES :
This mode uses the section [grammar] in starcrak.ini to generate words
according to the grammar rules. You must specify the rules on the command
line with -grammar:<rule1>[,<rule2>,..]
Notes :
Combination mode tries characters combinations on passwords. It uses a
section of starcrak.ini ([combination:<mode>]), where the following
parameters are defined :
Examples :
In addition, you can modify the usage of the statistics by filling the
extra characters set in the section of your combination mode :
Extra characters will be added to those from the stats file, and will be
tested first. The character following an extra character is considered as
being the beginning of a word. If an extra character is already in the
stats file, it will be used instead of the stats one. In fact, extra
characters are considered to be more probable than statistics characters.
Extended single crack mode
Wordlist mode
ftp://sable.ox.ac.uk/pub/wordlists
ftp://ftp.fu-berlin.de/pub/unix/security/dictionaries (mirror)
ftp://coast.cs.purdue.edu/pub/dict
Grammar mode
The syntax for the grammar rules is the following :
<rule> ::= <item1> [|] [<item2>] [...]
An item can be :
A rule can be defined several times.
Example : A rule generating days of january from 1950 to 1997 in formats
1jan97 and 01jan97 could be written like this :
<date> ::= 1..31 "jan" 50..97
it's equivalent to
<date> ::= 0 1..9 "jan" 50..97
<date> ::= 1..31 "jan" 50..97 | 0 1..9 "jan" 50..97
Have a look in the [grammar] section of starcrak.ini, it's very easy to
understand...
( note that the implicit AND between items has priority over the '|' )
Combination mode
STAR CRACKER uses a powerful statistics system :
Different tables are used depending on the place of the letter (1st place,
2nd place, middle or last)
This system allows the combination mode to often run in a reasonable time
(hours or days).
Extra_1st = {...}
You can also specify that the word has to be considered as truncated
(So that middle-tables will be used instead of last-tables) :
Extra_2nd = {...}
Extra_middle = {...}
Extra_last = {...}
Trunc = Yes
NOTE : Extra characters must always be put {into brackets}.
To use the characters '{' and '}', you don't need to prefix them with
a '\'.
starcrak.ini contains the following parameters :
Specify if you want or don't want to hear a beep when a password is guessed.
STAR CRACKER logs some stuffs in the file starcrak.log
When it loads passwords from the passwd files, *C checks if there are no
doubles (login:passwd dupes). While it takes almost no extra time in a normal
session, it can take a very long time if -nohash is specified when you load
a huge passwd file. So this option allows you to limit this feature.
This section is used to run programs after certain events.
The syntax is :
This is a simple filter system. You just have to define all allowed
characters for first, middle and last letters. Words will pass thru
the filter after word rules.
NOTE : The second letter of a combination word will be filtered by the
'middle' line of a filter (if enabled).
These sections contain word rules for single crack and wordlist modes.
Word rules comply to Crack v5.0 syntax, with some more things...
I added a preprocessor, like in John the Ripper by Solar Designer,
as it's very useful to write only one line for one hundred rules :
In order to avoid to write several rules only differing by a few characters,
you can write just one rule containing the varying characters within
brackets. So $[*!0-3] will expand to the 6 rules $* $! $0 $1 $2 $3.
$[0-9]$[0-9] will append the numbers 00 thru 99, and $[a-z]$[z-a] will
append the couples of letters az thru za.
You can also use the preprocessor like this: :[lucCr] will generate 5
distinct rules :l, :u, :c, :C and :r
Once again, Solar_Diz idea was good, so I took it... but modified it a bit.
Here are some rules to use the two first words of the gecos field
(usually the name and surname) to make some stuffs...
Concerning numeric values in the rules, you can use characters 0 thru 9
and A thru Z to specify numbers 0 thru 36.
The position of the first character of the word is 0.
Beep
Log level
The "log level" parameter defines what kind of things it has to log :
Log=0 logs nothing.
Every log entry is dated.
Log=1 logs session start, session end, and status reports.
Log=2 also logs errors.
Log=3 also logs cracked passwords.
Unique level
Unique=0 never uniques.
Unique=1 uniques only when -nohash is NOT specified.
Unique=2 always uniques.
Launch
<event>=<program name> [<parameters>]
There are 4 events :
For each event you can run a separate program, and pass to it some useful
arguments thru the keywords LOGIN, PASSWD, DATE and ERROR, which will be
replaced with the appropriate datas.
(Start=...)
(End=...)
(Crack=...)
(Error=...)
For example, it can be useful to automagically inform an user that its
password is weak by mailing him a standard message ("Crack" by Alec Muffett
already does that).
For that you would put the following line in the section [Launch] :
Crack=nastygrm LOGIN
Notes :
Word filters
Word rules
Because the characters '[' and ']' are used by the preprocessor, you must
prefix them with a '\' to use them the usual way (command or character).
Same thing for the dash ('-') within a preprocessor block. That implies
that the '\' itself must be prefixed with a '\'.
One last thing : The line musn't begin with a '[', or it would be
confused with a section title; so use ':' before it in this case.
: NoOp. Do nothing.
^X Prefix the word with the character X.
$X Suffix the word with the character X.
\[ Delete the first character.
\] Delete the last character.
Dx Delete character at position x and shift left the rest of the word.
{ Rotate the word left.
} Rotate the word right.
r Reverse the word.
d Append to the word a copy of itself.
f Append to the word a reversed copy of itself.
u Uppercase the word.
l Lowercase the word.
c Capitalize the word.
C Non-capitalize the word. (1st lowercase, all others uppercase)
t Toggle lower to uppercase and upper to lowercase.
'N Truncate the word at length N.
>N Reject the word if its length is not greater than N.
<N Reject the word if its length is not lower than N.
/X Reject the word if it doesn't contain the character X.
/?C Reject the word if it doesn't contain a member of class C.
!X Reject the word if it contains character X.
!?C Reject the word if it contains a member of class C.
%NX Reject the word if it doesn't contain at least N instances of X.
%N?C Reject the word if it doesn't contain N+ instances of members of C.
(X Reject the word if its initial is not character X.
(?C Reject the word if its initial is member of class C.
)X Reject the word if its last character is not X.
)?C Reject the word if its last character is not member of class C.
=NX Reject the word if the character number N (starting from 0) is X.
=N?C Reject the word if the character number N is member of class C.
sXY Substitute all the instances of character X with Y.
s?CY Substitute all the instances of members of class C with Y.
xMN Extract the string starting at character number M and of length N.
oNX Overstrike the character at position N by X.
iNX Insert the character X at position N, right-shifting the rest.
@X Remove all instances of character X from the word.
@?C Remove all instances of members of class C from the word.
Single crack mode specific rules
Character classes
1 Select the first gecos word as current word.
2 Select the second gecos word as current word.
+ Add the second gecos word to the first one. The first gecos word
becomes the concatenation of both words, while the second one is unchanged.
(You can do this several times in the same rule)
| Swap the 2 gecos words. Like with the preeceeding command, the current
word becomes the (new) first one.
The complementary of a class can be specified by uppercasing its character.
Thus, as ?d matches digits, ?D matches non-digits.
?a alphabetics (a thru z and A thru Z)
?d digits (0 thru 9)
?x alphanumerics (a thru z, A thru Z and 0 thru 9)
?l lowercase (a thru z)
?u uppercase (A thru Z)
?v vowels (aeiouAEIOU)
?c consonants (bcdfghjklmnpqrstvwxyzBCDFGHJKLMNPQRSTVWXYZ)
?p punctuation (!`.,;:"?')
?s symbols ($-*=|_%^()@/{}#&+[\]~)
?w whitespace (<space> and <tab>)
?? the character '?'
Numbering
Ok, now you want to use STAR CRACKER, ok ?...
So let's start with a little password file, let's say "victim.psw"
starcrak -single victim.pswNow you got some passwords, and want to see them...
starcrak -show victim.pswYou can redirect the output to a file :
starcrak -show victim.psw > crackedMost of the time, if you have several password files, it's better to attack them simultaneously :
starcrak -single victim.psw target.psw cia.psw nsa.pswOr you can use wildcards :
starcrak -single *.pswAnd then, as well :
starcrak -show *.pswBut maybe you don't wanna see all the cracked passwords, because some of them have inactive shells, or because you want to have the password of a particular account (root ? ;-)
starcrak -show -shells:/bin/csh *.pswTo show the passwords of the users using csh, in any directory :
starcrak -show -shells:csh *.pswOr, with other shells in any directories :
starcrak -show -shells:csh,bash,sh *.pswIf you notice that disabled accounts have /bin/false instead of their shell, you just do :
starcrak -show -shells:!/bin/false *.pswOr, if you want to exclude several shells :
starcrak -show -shells:!false,noshell *.pswTo see only passwords of users named 'root' :
(Note that you must use only one '!')
starcrak -show -users:root *.pswTo see root-privileged users passwords (UID 0) :
starcrak -show -users:0 *.pswTo see passwords of the users belonging to the group of GID 0 :
starcrak -show -groups:0 *.pswOr to see the passwords of all the users except those from groups 10 and 100 :
starcrak -show -groups:!10,100 *.psw(The options -users -shells and -groups can be applied to the cracking mode itself, not only while showing the cracked passwords)
With large password file where users can choose their own login, it's often payful to try the extended single crack mode :
starcrak -xingle *.psw...but this will take a *very* long time, so you could try to disable word rules :
starcrak -xingle -norules *.pswYou can also set a timeout at 5 minutes :
starcrak -xingle -timeout:5 -norules *.psw
starcrak -w:words.lst *.pswBut the real power of this mode is the wordrules option :
starcrak -w:words.lst -rules *.pswWith all the modes except the single and extended single ones, you can tell STAR CRACKER to crack the passwords salt by salt. It will sort the salts according to their number of passwords, and crack separately each salt. This will often give you many passwords earlier.
starcrak -w:words.lst -rules -salt *.pswYou can also filter out some words... For example, keep only capitalized words :
starcrak -w:words.lst -filter:capital *.psw
Of course, you can make you own filters...
To try dates in the english format (month/day/year), with different separators, and with both formats 01/01/97 and 1/1/97 :
starcrak -grammar:edate *.pswTo try numbers from 0 to 99999999 in the formats 1, 01, 001, 0001 ... :
starcrak -grammar:number *.pswYou can define all the grammar rules you want... The two rules above are just given as examples... It would be a good idea to make a rule generating number plates of the state the password file comes from...
starcrak -c *.pswThis will use the combination mode named 'all'. It uses a statistics file made from my own starcrak.pot. It doesn't use the 95 possible characters.
starcrak -c -filter:alpha *.pswYou can try other combination modes, like the 'english' one, generated according to a large english words list :
starcrak -c:english *.pswOnce again, you can crack salt by salt :
starcrak -c:english -salt *.pswIf you want to make you own combination mode, named 'mymode', and based on a wordlist :
starcrak -stats:mymode -w:wordlistMaybe you just want to make statistics on some words... If you want to keep only lowercase words :
starcrak -stats:mymode -w:wordlist -filter:lowerIf you want to make a combination mode based on your entire starcrak.pot :
starcrak -stats:mymodeOr if you want to make a mode based on the cracked passwords of a particular passwd file :
starcrak -stats:mymode victim.pswThe three last commands will generate a statistics file named 'mymode.sta', and add a section [combination:mymode] in starcrak.ini. You'll just have to customize this section for your own needs.
| retrieve | Retrieves your passwords bases made with previous versions. |
| xtract | Makes dictionnary from text files (includes -r option). |
| dos2unix | Converts text files from DOS format to Unix format. |
| unix2dos | guess... |
Every new version of STAR CRACKER will be put on The official STAR CRACKER's page. If there are problems with it, you can always use a search engine or even ask me by email.
Greetings to these people, who helped me a lot improving *C :
Solar Designer, Jackal, Blitz, Nick, Cracked, Christian Tellinghuisen, Paul Dautzenberg, Andrew Haveland-Robinson.
Some ideas and code sections used in *C were taken in the following programs :
"John the Ripper" by Solar Designer (DES routines, hash tables algorithm, some word-rules ideas, little features...)"Crack" by Alec Muffett (Word rules syntax, nastygram)"Cracker Jack" by Jackal (Command line interface)
Sandrine, my parents, my brother, all my family, Zed, Sylvain, James, Julien, Franky, Radu, JT, Vincent, Cacolac, Daneel, The MaraboO, Blitz, nfx, Tocoli, The*faT, Guillaume, Loule, Solar Designer, CoreD, Ron, Spock69, Thierry, Franck, and all those I forget...
