Version 4.0 coded by Daniel Flam (c)1999
Concept and original code by DiTTo (c)1998
This program is FREEWARE and MAY NOT BE SOLD.
Introduction to Webcracker
Warning and Disclaimer
New Features
Using Webcracker
Credits
Revision History
Obtaining Updates
Welcome to Webcracker! This software will allow you to test your restricted-access website to make sure that only authorized users are able to get in. Webcracker is a security tool that allows you to attempt to "crack" ID and password combinations on your web site. If you're able to guess a user's password with this program, chances are some hacker will be able to also. Webcracker helps you find these vulnerabilities and fix them before they're exploited by some unknown attacker.
Web Cracker was designed for Web Masters to test the vulnerability of their own sites. It SHOULD NOT be used by unauthorized persons to hack into web sites. Such use is ILLEGAL and could have SEVERE PENALTIES. Neither myself nor anyone involved with the development of Web Cracker will be liable for the misuse of this program. Use Web Cracker ONLY at your own risk, ONLY for lawful purposes, and ONLY on your own web site.
Webcracker 4.0 has many features which make it stand out above the competition:
- New multi-thread processing allows more cracks at once, for faster results. Multi-threading utilizes the full potential of available bandwidth, so you can spend less time finding security problems, and more time fixing them.
- Support for HUGE password lists, by reading the lists directly from disk. Optionally, you can read smaller files into memory to eliminate hard disk access and speed up cracking.
- New non-default URL format available for testing CGI/ISAPI/NSAPI type sites. Crack sites which were uncrackable in previous versions of Webcracker.
- Combination ID/Password files. You can optionally use special "combo" files which contain user id / password pairs, so one specific ID is paired up with one password. For example, ID: Mickey Password: Mouse. This opens up a whole new realm for password attacks.
- The ability to "translate" IDs and passwords into various forms, like all caps or all lowercase.
- The use of "Replacement Variables". These special variables allow you to try passwords based on the current user ID, for example, the ID John could generate passwords John1, 1John, JohnJohn, etc. This allows very specific attacks on a known user ID, and broadens the chances of a successful attack.
- Minimum password length. If your site requires passwords to be X number of characters in length, use this setting to eliminate trying shorter passwords in your dictionary, thereby reducing total cracking time.
- Optional sound effects tell you when you've cracked a password, or when all your IDs and passwords have been tried.
- Proxy server support
Understanding the Basics
Using Combo Files
CGI and "Non-standard" Cracking
The settings screen
ID / Password Translation
Using Replacement Variables
To use Web Cracker, you will need at least a list of user IDs. If you have a list of users on your system, extract all the user IDs and save them to a text file. Many users who are allowed to choose their own user IDs on a system use their first name, so if you want an attack from an outsider's point of view, try using a list of first names.
Optionally, you may include a list of passwords to test. Web Cracker by default will try the userid as the first password, as a lot of people tend to use the same word for both. If your system allows this, you've already got a big security problem.
If you have a list of common passwords to test, you can load them into Web Cracker. The program will then run through the entire list of passwords for each user id.
Use the "Files & Location" tab to load User IDs and Passwords into Web Cracker. You must load a list of user IDs and passwords. In combo mode you may enter a tab/space separated user/password list. In this mode you enter only a Userid list.
Once the files are loaded, you must enter the URL of the site you wish to crack. The easiest way of getting a URL is to use a browser such as Netscape or Internet Exploder to surf to the target site. Then, right click on the link that throws up the "User Login" box. Select "Copy link location" on the popup menu, then paste this URL into WebCracker's "Target URL" box. If you have already loaded your User ID list, you can now click on Start and the cracking will begin.
NOTE: In order to use Webcracker, you must specify one of the following:
- a User ID file, a password file, and a URL.
- a User ID file, and select the "Options" tab and select the "Try userid as password" option
- a User ID file, and select the "Use combo files" option
If none of these is specified, the Start button will be disabled and you will not be able to crack.
While cracking, you should see the progress as many messages are reported in the status bar. Once a minute the progress graph is updated.
When an account is cracked, an entry will be made in the Log window and the log will automatically be saved to the log file ("WC-xxx.LOG").
At any time during the cracking process you may click on the Stop button and the process will be halted.
After all user id/password combinations are tried, Web Cracker will return to the start mode.
One option is to use Combo files. This allows you to use files where a userid is paired with a specific password, such as Mickey / Mouse, or Denver / Broncos.
The combo file must have a TAB between the user ids and passwords. In other words, it must be a TAB-DELIMITED file, with one user id/password pair PER LINE. If it's not in this exact format, it will not load correctly and you'll send me email wondering why. An example file, COMBO.TXT is included with WebCracker, so you can see what a good file looks like.
If you want to try ISAPI/NSAPI/CGI type logins you can choose "Custom (keywords)" in the "Files & locations" tab, and then supply the login format yourself (such as "http://www.test.com/cgibin/test.exe?userid=USERID%!password=PASSWORD%").
Web Cracker will automatically convert the user IDs or Passwords lists to all caps, or all lower case if one of these options is selected. The Default, NONE, is probably satisfactory for most cracking sessions.
If the option "Use Replacement Variables" is checked, Web Cracker will automatically replace any occurrence of "%USERID" (case sensitive, no quotes) with the current user id being tried. This allows you to create a list of passwords based on the current user id. Example: if the current User ID was mike, then %USERID98 would be sent as password mike98.
You can make a password list which looks like this:
%USERID1
1%USERID
%USERID%USERID
99%USERID99
If the current ID being attacked was "Bill", these combinations would be tried:
Bill / Bill1
Bill / 1Bill
Bill / BillBill
Bill / 99Bill99
The current replacement variables are:
%USERID : Returns the current User ID being tried
%REVUID: Returns the current User ID reversed
Learning to use this feature is very important, as MANY passwords are chosen based on the User ID.
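For the site owner, the same patterns become a check to run when a user sets or changes a password: refuse anything that is just the user ID, its reverse, or copies of it with a few padding characters, ignoring case. The following is an added example and not part of Webcracker; the function names, the MAX_EXTRA and MIN_ID_LEN thresholds and the sample pairs are assumptions made for illustration, and it generalizes the listed templates to any password that is mostly the user ID.

```python
import re

MAX_EXTRA = 4   # assumed threshold: padding characters still treated as "derived"
MIN_ID_LEN = 3  # assumed: shorter IDs get exact-match checks only

def userid_derivation(userid, password, max_extra=MAX_EXTRA):
    """Return a reason string if password is built from userid, else None."""
    uid, pwd = userid.casefold(), password.casefold()  # covers caps/lowercase translation
    if not uid:
        return None
    rev = uid[::-1]
    if pwd == uid:
        return "equals user ID"
    if pwd == rev:
        return "equals reversed user ID"
    if len(uid) < MIN_ID_LEN:
        return None
    # Strip every copy of the ID (forward or reversed); the rest is padding.
    remainder, hits = re.subn("|".join(map(re.escape, (uid, rev))), "", pwd)
    if hits and len(remainder) <= max_extra:
        return f"user ID x{hits} plus {len(remainder)} padding character(s)"
    return None

def rejected(candidates):
    """Filter (userid, proposed_password) pairs down to those that fail the check."""
    out = []
    for uid, pwd in candidates:
        reason = userid_derivation(uid, pwd)
        if reason:
            out.append((uid, pwd, reason))
    return out

# Constructed sample input: the derived forms listed above plus two passwords
# that should pass.
SAMPLE = [
    ("Bill", "Bill1"), ("Bill", "1Bill"), ("Bill", "BillBill"),
    ("Bill", "99Bill99"), ("mike", "mike98"), ("Bill", "lliB"),
    ("Bill", "BILL"), ("Bill", "billboard-sunrise"), ("Bill", "tr4ctor-Lamp-ivy"),
]

if __name__ == "__main__":
    for uid, pwd, reason in rejected(SAMPLE):
        print(f"{uid!r} / {pwd!r}: rejected, {reason}")
```

The check needs the plaintext password, so it belongs in the password-change handler, before hashing.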
WebCracker 4.0 was designed by Daniel Flam with portions of code from DiTTo.
WebCracker 3.0 was designed by Daniel Flam with portions of code from DiTTo.
WebCracker 2.0 was designed and coded by DiTTo.
Much thanks to Adel Radwan for creating the graphics for the installer, the about box, and the web site.
Thanks to the guys who volunteered their sites as file mirrors:
Lee / The house of Ill Compute - http://www.thoic.com
Rob Harmon / The Forbidden Zone - http://www.forbidden-zone.net
Many thanx and greetz to those who helped Beta test WebCracker 2.0: R0ver, DG, the IC guys in Building 309, Charles, Bartman/Abyss, Anders Nielsen, fried frunk
Much thanks goes to Turtle for suggestions, info, and helping me squash that "NetCracker" problem.
Some code used in Web Cracker was developed by third parties, and released as freeware or shareware. Credits for those VCLs go to:
Internet Component Suite: Freeware by François Piette http://www.rtfm.be/fpiette
Tan Qunzhao for his Tfire component that really dresses up the About box.
Webcracker 3.0 was written in Delphi 4.0, by Inprise
-Version 4.0 release 11/17/1999
This is a MAJOR Facelift, and major improvements went into the threading mechanism, that was giving a lot of trouble. Also many small annoying bugs have been fixed.
-Version 3.0 Beta - release 4/4/1998
This is a MAJOR rewrite of Webcracker. Most of the code is brand new, as is the User Interface. Because of this major change, the revision history starts with Version 2.0 final. Most everything before 3.0 is now irrelevant. :)
- New UI
- Multi threading in order to utilize the full bandwidth of the connection
- Support for huge lists via direct reading from disk
- New non-default URL format available for testing CGI/ISAPI/NSAPI type sites.
- Version 2.0 Final - released 12/02/98
You can get the latest WebCracker program and news/info from our page at http://www.webcracker.net
If you have legitimate bugs or problems, you can email us: info@webcracker.net
DO NOT email us questions about other security utilities, or "How do I hack into..." or "Can you hack this site for me", etc. All such emails will be deleted with no response.
You may want to use the famous search engine at http://astalavista.box.sk to look for related topics such as dictionaries, tools etc.