Webcracker 4.0

Version 4.0 coded by Daniel Flam (c)1999
Concept and original code by DiTTo (c)1998
This program is FREEWARE and MAY NOT BE SOLD.

Table of Contents

Introduction to Webcracker
Warning and Disclaimer
New Features
Using Webcracker
Credits
Revision History
Obtaining Updates

Introduction

Welcome to Webcracker! This software will allow you to test your restricted-access website to make sure that only authorized users are able to get in. Webcracker is a security tool that allows you to attempt to "crack" id and password combinations on your web site. If you're able to guess a user's password with this program, chances are some hacker will be able to also. Webcracker helps you find these vulnerabilities and fix them before they're exploited by some unknown attacker.

Warning

Web Cracker was designed for Web Masters to test the vulnerability of their own sites. It SHOULD NOT be used by unauthorized persons to hack into web sites. Such use is ILLEGAL and could have SEVERE PENALTIES. Neither myself nor anyone involved with the development of Web Cracker will be liable for the misuse of this program. Use Web Cracker ONLY at your own risk, ONLY for lawful purposes, and ONLY on your own web site.

Version 4.0 Features

Webcracker 4.0 has many features which make it stand out above the competition:

- New multi-thread processing allows more cracks at once, for faster results. Multi-threading utilizes the full potential of available bandwidth, so you can spend less time finding security problems, and more time fixing them.

- Support for HUGE password lists, by reading the lists directly from disk. Optionally, you can read smaller files into memory to eliminate hard disk access and speed up cracking.

- New non-default url format available for testing cgi/isapi/nsapi type sites. Crack sites which were uncrackable in previous versions of Webcracker.

- Combination ID/Password files. You can optionally use special "combo" files which contain user id / password pairs, so one specific ID is paired up with one password. For example, ID: Mickey Password: Mouse. This opens up a whole new realm for password attacks.

- The ability to "translate" IDs and passwords into various forms, like all caps or all lowercase.

- The use of "Replacement Variables". These special variables allow you to try passwords based on the current user ID, for example, the ID John could generate passwords John1, 1John, JohnJohn, etc. This allows very specific attacks on a known user ID, and broadens the chances of a successful attack.

- Minimum password length. If your site requires passwords to be X number of characters in length, use this setting to eliminate trying shorter passwords in your dictionary, thereby reducing total cracking time.

- Optional sound effects tell you when you've cracked a password, or when all your IDs and passwords have been tried.

- Proxy server support

Using Webcracker

Understanding the Basics
Using Combo Files
CGI and "Non-standard" Cracking
The settings screen
ID / Password Translation
Using Replacement Variables

Understanding The Basics

To use Web Cracker, you will need at least a list of user IDs. If you have a list of users on your system, extract all the user IDs and save them to a text file. Many users who are allowed to choose their own user IDs on a system use their first name, so if you want an attack from an outsider's point of view, try using a list of first names.

Optionally, you may include a list of passwords to test. Web Cracker by default will try the userid as the first password, as a lot of people tend to use the same word for both. If your system allows this, you've already got a big security problem.

If you have a list of common passwords to test, you can load them into Web Cracker. The program will then run through the entire list of passwords for each user id.

Use the "Files & Location" tab to load User IDs and Passwords into Web Cracker. You must load a list of user IDs and passwords. In combo mode you may enter a tab/space separated user/password list. In this mode you enter only a Userid list.

Once the files are loaded, you must enter the URL of the site you wish to crack. The easiest way of getting a URL is to use a browser such as Netscape or Internet Exploder to surf to the target site. Then, right click on the link that throws up the "User Login" box. Select "Copy link location" on the popup menu, then paste this URL into WebCracker's "Target URL" box. If you have already loaded your User ID list, you can now click on Start and the cracking will begin.

NOTE: In order to use Webcracker, you must specify one of the following:
- a User ID file, a password file, and a URL.
- a User ID file, and select the "Options" tab and select the "Try userid as password" option.
- a User ID file, and select the "Use combo files" option.
If none of these is specified, the Start button will be disabled and you will not be able to crack.

While cracking, you should see the progress as many messages are reported in the status bar. Once a minute the progress graph is updated.

When an account is cracked, an entry will be made in the Log window and the log will automatically be saved to the log file ("WC-xxx.LOG").

At any time during the cracking process you may click on the Stop button and the process will be halted.

After all user id/password combinations are tried, Web Cracker will return to the start mode.

Using Combo Files

One option is to use Combo files. This allows you to use files where a userid is paired with a specific password, such as Mickey / Mouse, or Denver / Broncos.

The combo file must have a TAB between the user ids and passwords. In other words, it must be a TAB-DELIMITED file, with one user id/password pair PER LINE. If it's not in this exact format, it will not load correctly and you'll send me email wondering why. An example file, COMBO.TXT is included with WebCracker, so you can see what a good file looks like.

CGI and "Non-standard" Cracking

If you want to try ISAPI/NSAPI/CGI type logins you can choose "Custom (keywords)" in the "Files & locations" tab, and then supply the login format yourself (such as "http://www.test.com/cgibin/test.exe?userid=USERID%!password=PASSWORD%").

The settings screen

User ID / Password Translation

Web Cracker will automatically convert the user IDs or Passwords lists to all caps, or all lower case if one of these options is selected. The Default, NONE, is probably satisfactory for most cracking sessions.


Use Replacement Variables

If the option "Use Replacement Variables" is checked, Web Cracker will automatically replace any occurrence of "%USERID" (case sensitive, no quotes) with the current user id being tried. This allows you to create a list of passwords based on the current user id. Example: if the current User ID was mike, then %USERID98 would be sent as password mike98.

You can make a password list which looks like this:

%USERID1
1%USERID
%USERID%USERID
99%USERID99

If the current ID being attacked was "Bill", these combinations would be tried:

Bill / Bill1
Bill / 1Bill
Bill / BillBill
Bill / 99Bill99

The current replacement variables are:
%USERID : Returns the current User ID being tried
%REVUID: Returns the current User ID reversed

Learning to use this feature is very important, as MANY passwords are chosen based on the User ID.
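
The same patterns can be turned around and enforced when a user sets a password. The check below is an added example, not part of Webcracker or its documentation: it rejects passwords that equal the user ID, equal it reversed, or consist mostly of either one, ignoring case so that the all-caps and all-lowercase translations are covered as well. The function name, the rejection codes and the two thresholds are assumptions chosen for illustration.

```python
# Added example: reject passwords derived from the user ID at password-set time.
MIN_LENGTH = 8       # assumed site policy (minimum password length)
MIN_INDEPENDENT = 6  # assumed: characters that must remain once ID-derived text is removed


def check_password(user_id, password):
    """Return a list of rejection codes; an empty list means the password passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")

    # Compare case-insensitively, so upper/lower-case variants are caught too.
    uid = user_id.casefold()
    pw = password.casefold()
    if not uid:
        return reasons
    rev = uid[::-1]

    if pw == uid:
        reasons.append("equals_user_id")
    elif pw == rev:
        reasons.append("equals_reversed_user_id")
    else:
        # Strip every copy of the ID and the reversed ID; what is left is the
        # only part of the password that does not follow from the user ID.
        residue = pw.replace(uid, "").replace(rev, "")
        if residue != pw and len(residue) < MIN_INDEPENDENT:
            reasons.append("derived_from_user_id")
    return reasons


if __name__ == "__main__":
    # Constructed sample pairs, reusing the IDs from the examples above.
    samples = [("Bill", "Bill1"), ("Bill", "99Bill99"),
               ("mike", "EKIM2024"), ("Bill", "correct-horse-battery")]
    for uid, pw in samples:
        print(uid, pw, check_password(uid, pw) or "ok")
```

A password that merely contains a short user ID somewhere inside a long, otherwise unrelated string still passes, because enough independent characters remain after the ID is removed.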

Credits and Kudos

WebCracker 4.0 was designed by Daniel Flam with portions of code from DiTTo.

WebCracker 3.0 was designed by Daniel Flam with portions of code from DiTTo.

WebCracker 2.0 was designed and coded by DiTTo.

Much thanks to Adel Radwan for creating the graphics for the installer, the about box, and the web site.

Thanks to the guys who volunteered their sites as file mirrors:
Lee / The house of Ill Compute - http://www.thoic.com
Rob Harmon / The Forbidden Zone - http://www.forbidden-zone.net

Many thanx and greetz to those who helped Beta test WebCracker 2.0:
R0ver, DG, the IC guys in Building 309, Charles, Bartman/Abyss, Anders Nielsen, fried frunk

Much thanks goes to Turtle for suggestions, info, and helping me squash that "NetCracker" problem.

Some code used in Web Cracker was developed by third parties, and released as freeware
or shareware. Credits for those VCLs go to:

Internet Component Suite: Freeware by François Piette http://www.rtfm.be/fpiette

Tan Qunzhao for his Tfire component that really dresses up the About box.

Webcracker 3.0 was written in Delphi 4.0, by Inprise

REVISION HISTORY

-Version 4.0 release 11/17/1999

This is a MAJOR Facelift, and major improvements went into the threading mechanism, that was giving a lot of trouble. Also many small annoying bugs have been fixed.

-Version 3.0 Beta - release 4/4/1998

This is a MAJOR rewrite of Webcracker. Most of the code is brand new, as is the User Interface. Because of this major change, the revision history starts with Version 2.0 final. Most everything before 3.0 is now irrelevant. :)

- New UI
- Multi threading in order to utilize the full bandwidth of the connection
- Support for huge lists via direct reading from disk
- New non-default url format available for testing cgi/isapi/nsapi type sites.

- Version 2.0 Final - released 12/02/98

Obtaining Updates

You can get the latest WebCracker program and news/info from our page at http://www.webcracker.net

If you have legitimate bugs or problems, you can email us: info@webcracker.net
DO NOT email us questions about other security utilities, or "How do I hack into..." or "Can you hack this site for me", etc. All such emails will be deleted with no response.

You may want to use the famous search engine at http://astalavista.box.sk to look for related topics such as dictionaries, tools etc.