Blog literacki, portal erotyczny - seks i humor nie z tej ziemi
Web Cracker v2.0 Beta 1.3
Copyright 1998 by DiTTo
Released 7/23/98
This program MAY NOT BE SOLD!
HOMEPAGE & EMAIL:
Visit the Web Cracker Home Page at http://webcrack.home.ml.org for the
latest version and release info. Email webcrack@bitsmart.com with suggestions
or bugs.
WHAT IS WEB CRACKER?
This program exploits a rather large hole in web site authentication methods.
Password protected websites can be easily brute-force hacked, because there is
no set limit on the number of time an incorrect password or User ID can be tried.
Web Cracker was designed for Web Masters to test the vulnerability of their own
sites. It SHOULD NOT be used by unauthorized persons to hack into web sites. Such
use is ILLEGAL and could have SEVERE PENALTIES. Neither myself nor anyone involved
with the development of Web Cracker will be liable for the misuse of this program.
Use Web Cracker ONLY at your own risk, ONLY for lawful purposes, and ONLY on your own
web site.
USING THE PROGRAM:
To use Web Cracker, you will need at least a list of user IDs. If you have a
list of users on your system, extract all the user IDs and save them to a text file.
Many users who are allowed to choose their own user IDs on a system use their first
name, so if you want an attack from an outsider's point of view, try using a list of
first names.
Optionally, you may include a list of passwords to test. Web Cracker will always try
the userid as the first password, as a lot of people tend to use the same word for
both. If your system allows this, you've already got a big security problem.
If you have a list of common passwords to test, you can load them into Web Cracker.
The program will then run through the entire list of passwords for each user id.
Use the File menu to load User ID's and Passwords into Web Cracker.
You must at least load a list of user IDs, the password list is optional.
Once the files are loaded, you must enter the URL of the site you wish to crack.
The easiest way of getting a URL is to use a browser such as Netscape or Internet Exploder
to surf to the target site. Then, right click on the link that throws up the "User Login"
box. Select "Copy link location" on the popup menu, then paste this URL into
WebCracker's "Target URL" box. If you have already loaded your User ID list, you can now
click on Start and the cracking will begin.
While cracking, you should see the highlight bars in the User ID and Password list boxes
move as each new pair is attempted. Any message returned will be shown in the left panel
of the status bar at the bottom of the WebCracker window. Usually this panel will read
"Code 401: Unauthorized", but it will change (very briefly) if a different error is
encountered or if an account was cracked. When an account is cracked, an entry will be made
in the Log window and the log will automatically be saved to "Webcrack.log".
At any time during the cracking process you may click on the Stop button and the process
will be halted.
After all user id/password combinations are tried, Web Cracker will display a message
box to that effect, and a final log entry will be made.
If you click Stop before a cracking session is complete, Webcracker will log the last user id
that was attempted, so you know where to start next time. To start from that point onward,
highlight that user id in the list box before you start the next cracking session. WebCracker
will skip to that ID and begin cracking from there.
THE SETUP SCREEN:
Convert USer ID's/Passwords: Web Cracker will automatically convert the user IDs or Passwords
lists to all caps, or all lower case if one of these options is selected. The Default, NONE, is
probably satisfactory for most cracking sessions.
USE REPLACEMENT VARIABLES:
If the option "Use Replacement Variables" is checked, Web Cracker will automatically
replace any occurrance of "%USERID" (case sensitive, no quotes) with the current user id
being tried. This allows you to create a list of passwords based on the current user id.
Example: if the current user ID was mike, then %USERID98 would be sent as password mike98.
IMPORTANT NOTE:
Web Cracker no longer requires Netscape in order to run, as previous versions did. Version
2.0 and later of WebCracker includes native code to make all HTTP requests itself.
CREDITS:
Web Cracker 2.0 designed and coded by DiTTo.
Thanks to the guys who volunteered their sites as file mirrors:
Lee / The house of Ill Compute - http://www.thoic.com
Rob Harmon / The Forbidden Zone - http://www.forbidden-zone.net
Web Cracker 1.0 was orginally written by Doug Good, who gave the source to me so the project
could continue.
Many thanx and greetz to those who helped Beta test WebCracker 2.0:
R0ver, DG, the IC guys in Building 309, Charles, Bartman/Abyss, Anders Nielsen
Web Cracker was written in Delphi 3.02, by Borland (now Inprise)
Some code used in Web Cracker was developed by third parties, and released as freeware
or shareware. Credits for those VCLs go to:
Internet Component Suite: Freeware by François Piette http://www.rtfm.be/fpiette
Jan Goyvaerts, JG's Home Page, for his excellent URL Label component.
http://www.ping.be/jg/
Tan Qunzhao for his Tfire component that really dresses up the About box.
Marcus Tettmar of MJT Software, for his SendKeys component, the heart of Web Cracker 1.0.
http://www.mjtnet.com/ (Used only in WebCracker 1.0)
REVISION HISTORY
- Version 2.0 Beta 1.3 - Released 7/23/98
- Major changes to the internal code. Kursad Terekli suggested enabling "batch" support,
so you could line up 50 URLs in a row to crack, and move to the next after you hit X number
of valid accounts. WebCracker wasn't built with that in mind, but I like the idea. I also
want to enable "sessions", so you can stop then resume cracking right where you left off.
The program needs a lot of work to get these features implemented, but it's moving in
that direction.
- Fixed some bugs with the two new options added in beta 1.2. Hopefully I got them all.
(Yes, the one that jumped out when the password list was empty has been squashed)
- The User ID no longer shows up in the password list box, even when "Try ID as first
password" is turned on. The ID will still show up in the text box, but constantly
adding and deleting IDs from the password list box was a lot of overhead that really
didn't need to be. Hopefully this adds to the speed of the program. It will make future
coding easier, if nothing else.
- Changed the font in the Log windows to Courier New, 8 point. I think it's easier to
read, and looks a little better.
- CRAXD has offered to write a help file for WebCracker. This should take care of yet
one more missing feature.
KNOWN LIMITATIONS AND ISSUES IN THIS VERSION:
- You might find the program doesn't act right when you first run it. Go into the SETUP
screen, and verify that the new options are set the way you want. Click OK, and they will
be saved. Everything should now work normally, if it didn't before. This is a registry
issue I need to clear up. Not a biggie though.
-User ID and Password file sizes are limited to 65536 (or so) lines. This is a Delphi
limitation, not mine. If anyone can suggest a workaround, I'm all ears. Even so, I
think most folks will find that 65000 is enough... (except for that one guy... :)
- If you don't load any passwords, and have "Try ID as first password" toggled off, the
program shouldn't enable the "start" button cause there's nothing to crack... but it does.
That's just a little annoyance, and will be stomped later.
- The Edit menu option is disabled. I'm still not sure if I'm going to use it... but it's
there for now. Just ignore it.
- Version 2.0 Beta 1.2 (Not Publically Released)
- Problem: when an account was cracked, WebCracker would continue using the
same account with the rest of the passwords, possibly returning a "cracked"
result for each of the remaining passwords in the list. Changed the code so
when an account is cracked, the remaining passwords are skipped and the
cracking moves on to the next user ID. Speeds things up, especially with
long password files, and fixes the bug.
- Finished coding Proxy Support. Seems to work well. Thanks goes to
Charles and Bartman/Abyss for testing.
- Added an option to turn off trying User ID as the first password.
- Added an option to Optimize Webcracker for speed. This disables the auto-scrolling
of the list boxes as passwords and user IDs are tried. Seems to make a difference.
Thanks to Anders Nielsen for pointing this out.
- Version 2.0 Beta 1.1
First public beta of version 2. A few bugs, not all features implemented, but
I wanted to get it out there for testing.
- Version 2.0 Beta 1.0
Private beta release, not publically distributed. This version has nag screens
stating that it's a beta, if you have this version upgrade to get rid of the
nags.
- Version 1.0
Original version by Doug Good, used Netscape for HTTP functions. Slow and
had less functionality than version 2.0. If you have this version, upgrade!