This is a simple dictionary cracker for shadowed passwords on Linux. Since john and PasswordsPro do not support the new SHA-encrypted ones (implemented in newer Ubuntu and Fedora distros), the author added that functionality.
921fe9da46f5cf89174c68f9b076f2c98bb89e067daa8c3ee2b0b8929f17142a/*
gw-scrack.c: a dictionary shadow file cracker
that is able to crack SHA passwords ($5$/$6$)
Since it is based on glibc's crypt() you've got
to compile it on a platform whose glibc
supports those methods (e.g newer Ubuntu or Fedora)
You need to compile it like that:
cc gw-scrypt.c -o gw-scrypt -lcrypt
You may wish to do a static build hoping that it will run
on a platform with older glibc,e.g:
cc gw-scrypt.c -o gw-scrypt -lcrypt -static
By Milen Rangelov (gat3way-at-gat3way-dot-eu)
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
// I think 5000 must be 'nuf
#define MAX 5000
void usage(char *argv[])
{
printf("Usage: %s <shadow> <wordlist>\n",argv[0]);
printf("\nshadow: the shadow file to crack\n");
printf("wordlist: the wordlist file\n\n");
exit(1);
}
void badfile(char *argv[])
{
printf("Cannot open %s\n",argv[1]);
exit(2);
}
void baddict(char *argv[])
{
printf("Cannot open %s\n",argv[2]);
exit(2);
}
int main(int argc, char *argv[])
{
FILE *fd;
// hoooooly shit!
char *buf=malloc(4096);
char *buf1=malloc(4096);
char *buf2=malloc(4096);
char *buf3=malloc(4096);
char *buf4=malloc(4096);
char *buf5=malloc(4096);
// number of loaded hashes
int pnum=0;
// authentication data struct
struct t_uinfo {
char *user;
char *meth;
char *enc;
char *salt;
} uinfo[MAX];
// counters
int a,b=0;
if (argc!=3) usage(argv);
fd=fopen(argv[1],"r");
if (!fd) badfile(argv);
while (!feof(fd))
{
buf=fgets(buf,4096,fd);
strcpy(buf1,strtok(buf,":"));
strcpy(buf2,strtok(NULL,":"));
// do we have a real passhash...or this is disabled user? Check length!
if (strlen(buf2)>6)
{
// buf1=user buf2=hash, we have to explode buf2 into $method$salt$encrypted
strcpy(buf3,strtok(buf2,"$"));
strcpy(buf4,strtok(NULL,"$"));
strcpy(buf5,strtok(NULL,"$"));
pnum++;
uinfo[pnum].user=malloc(100);
strcpy(uinfo[pnum].user,buf1);
uinfo[pnum].meth=malloc(5);
strcpy(uinfo[pnum].meth,buf3);
uinfo[pnum].enc=malloc(500);
strcpy(uinfo[pnum].enc,buf5);
uinfo[pnum].salt=malloc(100);
strcpy(uinfo[pnum].salt,buf4);
/* printf("user: %s\n",uinfo[pnum].user);
printf("method: %s salt: %s encrypted: %s\n",uinfo[pnum].meth,uinfo[pnum].salt,uinfo[pnum].enc);*/
}
}
fclose(fd);
if (pnum==0)
{
printf("\nNo password hashes found!\n");
exit(3);
}
printf("\n%d password hashes loaded:\n--------------------------\n",pnum);
for (a=1;a<=pnum;a++)
{
printf("%s",uinfo[a].user);
if (strcmp(uinfo[a].meth,"1")==0) printf(" (MD5)\n");
else if (strcmp(uinfo[a].meth,"2a")==0) printf(" (Blowfish)\n");
else if (strcmp(uinfo[a].meth,"5")==0) printf(" (SHA-256)\n");
else if (strcmp(uinfo[a].meth,"6")==0) printf(" (SHA-512)\n");
else printf(" (unknown)\n");
}
printf("--------------------------\n");
printf("\nTrying to crack the passwords...\n\n");
// for all loaded hashes...
for (a=1;a<=pnum;a++)
{
fd=fopen(argv[2],"r");
if (!fd) baddict(argv);
while (!feof(fd))
{
buf4=fgets(buf4,1024,fd);
// strip newlines
*(buf4+strlen(buf4)-1)=0;
// prepare salt as needed by crypt()
sprintf(buf2,"$%s$%s$%s",uinfo[a].meth,uinfo[a].salt,buf4);
sprintf(buf5,"$%s$%s$%s",uinfo[a].meth,uinfo[a].salt,uinfo[a].enc);
// crypt() them...do we have the same encripted string?
buf3=(char *)(crypt(buf4,buf2));
if (!buf3)
{
printf("Warning: your glibc does not support this hashing method!\n");
exit(3);
}
// great...we've got some password here?
if (strcmp(buf3,buf5)==0)
{
printf("User %s has password: %s\n",uinfo[a].user,buf4);
b++;
goto goodjob;
}
}
goodjob:
fclose(fd);
}
printf("\nDone,%d passwords cracked.\n\n",b);
// free all the memory we've consumed for nothing
free(buf);free(buf1);free(buf2);free(buf3);free(buf4);free(buf5);
for (a=1;a<=pnum;a++)
{
free(uinfo[a].meth);
free(uinfo[a].enc);
free(uinfo[a].user);
free(uinfo[a].salt);
}
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed