Content:

Home

InstantCracker

What's it?

Here's a small program to demonstrate how easy it is to find passwords by an brute force attack. It is possible to use different password generators for a simple word comparison, a external program or a telnet connection.

The program can be run as applet or application. Even so, it can't be run in the most browsers, because is uses Java 1.2 . If you want to display it, you need the Java-Plug-In .

The program uses a library to variate passwords. It is possible to evaluate how easy fast a password can be guessed if the character probability is taken into account. The algorithms is developed by myself and is called 'Raincode'. It's certainly not the optimum solution, so if someone has found a better one, please let me know.

Caution: The 'InstantCracker' is only developed for demonstration purposes and can not be used for real attacks, because they can easily be detected.

Sourcecode

Sourcecode

executable class files

(start with 'java -jar InstantCracker.jar')

IBM Visual Age for Java Repository

Applet:

Description of the Raincode

To clarify the advantages of the Raincode, here is an simplified example. We assume to have an alphabet that contains only the three characters 'a', 'b' and 'c', wordlength of three characters. 'a' should be the most and 'c' the least probable character. So a simple variation and the Raincode produce the following words.

Simple Variation Raincode
aaaaaa
aabaab
aacaba
abaabb
abbbaa
abcbab
acabba
acbbbb
accaac
baaacb
bababc
bacbbc
bbaaca
bbbacb
bbcbca
......

It can be seen, that the Raincode leads first to all charactercombinations consisting of the probable characters 'a' and 'b'. The variation doesn't take the probabilities into account.

The difference will be bigger if a bigger alphabet is used, e.g. 'a' - 'f'.

Simple Variation Raincode
aaaaaa
aabaab
aacaba
aadabb
aaebaa
aafbab
ababba
abbbbb
abcaac
bbdacb
bbeabc
bbfbbc
bcaaca
bcbacb
bccbca
......

It can be seen, that the simple variation creates a lot of improbable words in the beginning. The Raincodes output doesn't differ from the small alphabets one. That is a another important feature. At the beginning of the iterations, you don't need to know all the characters of the alphabet. You can start with just an small alphabet and add more characters, if you didn't succeed. This is impossible for a simple variation. You can't easily exclude the characters previously used. It is also possible to take the biggest possible alphabet in the beginning, the codes performance doesn't change. A simple variation of the complete ASCII character set is very ineffective. The raincode has no problem with it.

The Raincode fully implemented in the class 'com.lbo.hacktools.algorithms.RaincodeIterator', but it is not very well optimized to fit in the object oriented model. So is the memory for each new word new allocated. The performance can be tremendous increased in an application optimized implementation. It is also easily possible to exclude words that are containing impossible character counts, for example if the character 'q' appears 3 times in a word. By doing this I could achieve 2 million passwords per second on a Pentium 133 and Java 1.1.7.

Please enjoy the program and give me some feedback!


Michael Habermann