Crack (password software)
{{Short description|Unix password-cracking program}}
{{Infobox software
| name = Crack
| developer = Alec Muffett
| operating_system = Unix
| latest_release_version = 5.0a
| latest_release_date = June 2000
| genre = password cracking
| website = [http://www.crypticide.com/alecm/software/crack/c50-faq.html www.crypticide.com]
}}
Crack is a Unix password cracking program designed to allow system administrators to locate users who may have weak passwords vulnerable to a dictionary attack. Crack was the first standalone password cracker for Unix systems{{cite book|author1=David R. Mirza Ahmad|author2=Ryan Russell|title=Hack proofing your network|url=https://books.google.com/books?id=flaI_VVftE0C&pg=PA181|access-date=17 February 2012|date=25 April 2002|publisher=Syngress|isbn=978-1-928994-70-1|pages=181–}}{{cite book|author1=William R. Cheswick|author-link=William Cheswick|author2=Steven M. Bellovin|author2-link=Steven M. Bellovin|author3=Aviel D. Rubin|title=Firewalls and Internet security: repelling the wily hacker|url=https://books.google.com/books?id=_ZqIh0IbcrgC&pg=PA129|access-date=17 February 2012|year=2003|publisher=Addison-Wesley Professional|isbn=978-0-201-63466-2|pages=129–}}{{cite journal | title = Murphy's law and computer security | journal = Proceedings of the Sixth USENIX UNIX Security Symposium | date = 1996-07-01 | first = Wietse | last = Venema| url = http://www.usenix.org/publications/library/proceedings/sec96/full_papers/venema/venema.ps | access-date = 2012-02-17}}{{cite book|author=Anonymous|title=Maximum security|url=https://books.google.com/books?id=3jqBnS4b3EgC&pg=PA269|access-date=17 February 2012|year=2003|publisher=Sams Publishing|isbn=978-0-672-32459-8|pages=269–}} and the first to introduce programmable dictionary generation as well.
Crack began in 1990 when Alec Muffett, a Unix system administrator at the University of Wales Aberystwyth, was trying to improve Dan Farmer's pwc cracker in COPS. Muffett found that by re-engineering the memory management he got a noticeable performance increase. This led to a total rewrite{{cite web | url = http://dropsafe.crypticide.com/article/733 | title = Crypticide I: Thirteen Years of Crack | access-date = 2012-02-17 | last = Muffett | first = Alec | work = blog post| date = 15 July 2004 }}, which became Crack v2.0, and to further development to improve usability.
Public Releases
The first public release of Crack was version 2.7a, which was posted to the Usenet newsgroups alt.sources and alt.security on 15 July 1991. Crack v3.2a+fcrypt, posted to comp.sources.misc on 23 August 1991, introduced an optimised version of the Unix crypt() function but was still only really a faster version of what was already available in other packages.
The release of Crack v4.0a on 3 November 1991, however, introduced several new features that made it a formidable tool in the system administrator's arsenal.
- Programmable dictionary generator
- Network distributed password cracking
Crack v5.0a,{{cite web | url = http://www.crypticide.com/alecm/software/crack/ | title = Crack v5.0 | access-date = 2012-02-17 | last = Muffett | first = Alec}} released in 2000, did not introduce any new features but instead concentrated on improving the code and adding flexibility, such as the ability to integrate other crypt() variants, including those needed to attack the MD5 password hashes used on more modern Unix, Linux and Windows NT{{cite book|author=Sverre H. Huseby|title=Innocent code: a security wake-up call for Web programmers|url=https://books.google.com/books?id=RjVjgPQsKogC&pg=PA148|access-date=17 February 2012|date=15 March 2004|publisher=John Wiley & Sons|isbn=978-0-470-85744-1|pages=148–}} systems. It also bundled Crack v6, a minimalist password cracker, and Crack v7, a brute-force password cracker.
Legal issues arising from using Crack
Randal L. Schwartz, a notable Perl programming expert, was prosecuted in 1995 for using Crack{{cite book|author1=Simson Garfinkel|author2=Gene Spafford|author3=Alan Schwartz|title=Practical UNIX and Internet Security|url=https://books.google.com/books?id=50maN7VmpusC&pg=PA608|access-date=17 February 2012|date=17 May 2011|publisher=O'Reilly Media, Inc.|isbn=978-1-4493-1012-7|pages=608–}}{{citation | first = Anthony | last = Hakim | contribution = Global Information Assurance Certification Paper | title = Intel v. Randal L. Schwartz | publisher = SANS Institute | pages = 5 | date = 2004-10-10| contribution-url = http://www.giac.org/paper/gsec/4039/intel-v-randal-l-schwartz/100935 | type = PDF | access-date = 2012-02-17}} on the password file of a system at Intel, a case whose verdict was eventually expunged.{{cite web | url = http://yro.slashdot.org/story/07/03/02/0117257/randal-schwartzs-charges-expunged | title = Randal Schwartz's Charges Expunged - Slashdot| date = March 2007| access-date = 2012-02-17}}
Crack was also used by Kevin Mitnick when hacking into Sun Microsystems in 1993.{{cite book|title=Ghost in the Wires|url=https://archive.org/details/ghostinwiresmya00mitn_0|url-access=registration|publisher=Little, Brown|year=2011|isbn=978-0-316-03770-9|chapter=Here comes the Sun|last1=Mitnick|first1=Kevin|author-link1=Kevin Mitnick}}
Programmable dictionary generator
While traditional password cracking tools simply fed a pre-existing dictionary of words through the crypt() function, Crack v4.0a introduced the ability to apply rules to a word list in order to generate modified versions of its words.
These rules could range from the simple (do not change the word) to the extremely complex; the documentation gives this example:
: X<8l/i/olsi1so0$=
: Reject the word unless it is less than 8 characters long, lowercase the word, reject it if it does not contain both the letter 'i' and the letter 'o', substitute all i's for 1's, substitute all o's for 0's, and append an = sign.
These rules could also process the GECOS field in the password file, allowing the program to use the stored names of the users in addition to the existing word lists. Crack's dictionary generation rule syntax was subsequently borrowed{{cite web | url = http://www.openwall.com/john/doc/CREDITS.shtml | title = John the Ripper - credits | access-date = 2012-02-17 | last = Designer | first = Solar | publisher = Solar Designer}} and extended{{cite web | url = http://www.openwall.com/john/doc/RULES.shtml | title = John the Ripper - wordlist rules syntax | access-date = 2012-02-17 | last = Designer | first = Solar | publisher = Solar Designer}} by Solar Designer for John the Ripper.
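The rule quoted above, worked through in code: an added, illustrative interpreter for the Crack-style rule commands the article names (`:` no change, `l`, `<N`, `/X`, `sXY`, `$X`), not Crack's own implementation, run over a constructed word list.

```python
from typing import Optional

def apply_rule(rule: str, word: str) -> Optional[str]:
    """Apply one Crack-style rule string to a word.

    Returns the mangled word, or None if a reject command fires.
    Commands implemented: ':' (no change), 'l', '<N', '/X', 'sXY', '$X'.
    """
    w = word
    i = 0
    while i < len(rule):
        cmd = rule[i]
        i += 1
        if cmd == ":":                # no-op: keep the word as it is
            continue
        if cmd == "l":                # lowercase the word
            w = w.lower()
            continue
        # the remaining commands take a single-character argument
        if cmd not in "</$s" or i >= len(rule):
            raise ValueError(f"rule {rule!r}: bad or truncated command {cmd!r}")
        arg = rule[i]
        i += 1
        if cmd == "<":                # reject unless length < N
            if not len(w) < int(arg):
                return None
        elif cmd == "/":              # reject unless the word contains X
            if arg not in w:
                return None
        elif cmd == "$":              # append X
            w += arg
        else:                         # 'sXY': substitute every X with Y
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: 's' needs two arguments")
            w = w.replace(arg, rule[i])
            i += 1
    return w

def generate(rules, words):
    """Run every word through every rule; rejected words are dropped."""
    return [c for r in rules for w in words if (c := apply_rule(r, w)) is not None]

# Constructed sample word list (not from the article).
WORDS = ["Violin", "Piano", "Oboe", "Trombone", "Idiom"]
DOC_RULE = "<8l/i/olsi1so0$="   # the rule quoted from the Crack documentation

if __name__ == "__main__":
    for w in WORDS:
        print(f"{w:9} -> {apply_rule(DOC_RULE, w)}")
```

"Trombone" is rejected by `<8` and "Oboe" by `/i`; the survivors come out as `v10l1n=`, `p1an0=` and `1d10m=`.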
The dictionary generation software for Crack was subsequently reused by Muffett{{cite book|author=David N. Blank-Edelman|title=Automating system administration with Perl|url=https://books.google.com/books?id=daks78g9Pg0C&pg=PA461|access-date=17 February 2012|date=21 May 2009|publisher=O'Reilly Media, Inc.|isbn=978-0-596-00639-6|pages=461–}} to create [https://github.com/cracklib/cracklib CrackLib], a proactive password checking library that is bundled with Debian{{cite web | url = http://packages.debian.org/search?keywords=libpam-cracklib | title = Debian Package Search | access-date = 2012-02-17}} and Red Hat Enterprise Linux-derived{{cite web | url = http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.1_Technical_Notes/cracklib.html | title = CrackLib Enhancement Update | access-date = 2012-02-17 | archive-url = https://web.archive.org/web/20120421041552/http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.1_Technical_Notes/cracklib.html | archive-date = 2012-04-21 | url-status = dead }} Linux distributions.
Network distributed password cracking
As password cracking is inherently embarrassingly parallel, Crack v4.0a introduced the ability to use a network of heterogeneous workstations connected by a shared filesystem as parts of a distributed password cracking effort.
All that was required was a configuration file listing the machine names, their relative processing power and the flags needed to build Crack on each machine; Crack was then invoked with the -network option.
References
{{Reflist}}
External links
- [https://web.archive.org/web/20131203145204/http://www.securitynet.org/password-cracking-quick-guide-success/ Password cracking - A quick guide to success]
{{Password_Cracking Software}}
Category:Unix security-related software