• web cracker


    最新是4.0
    Web Cracker v2.0 Final
    Copyright 1998 by DiTTo
    Released 12/02/98
    This program MAY NOT BE SOLD!
    
    IMPORTANT: Please see the end of this document for Version History and Recent Changes! 
    
    
    HOMEPAGE & EMAIL:
    
    Visit the Web Cracker Home Page at http://webcrack.home.ml.org for the
    latest version and release info.  Email webcrack@bitsmart.com with suggestions
    or bugs. DO NOT send requests for hacking utils, sites, passwords, cracks, etc.
    
    WHAT IS WEB CRACKER?
    
    This program exploits a rather large hole in web site authentication methods.
    Password protected websites can be easily brute-force hacked, because there is
    no set limit on the number of time an incorrect password or User ID can be tried.
    
    Web Cracker was designed for Web Masters to test the vulnerability of their own
    sites.  It SHOULD NOT be used by unauthorized persons to hack into web sites.  Such
    use is ILLEGAL and could have SEVERE PENALTIES.  Neither myself nor anyone involved
    with the development of Web Cracker will be liable for the misuse of this program.  
    Use Web Cracker ONLY at your own risk, ONLY for lawful purposes, and ONLY on your own
    web site. 
    
    USING THE PROGRAM:
    
    To use Web Cracker, you will need at least a list of user IDs. If you have a 
    list of users on your system, extract all the user IDs and save them to a text file.
    Many users who are allowed to choose their own user IDs on a system use their first
    name, so if you want an attack from an outsider's point of view, try using a list of
    first names.  
    
    Optionally, you may include a list of passwords to test.  Web Cracker by default will try
    the userid as the first password, as a lot of people tend to use the same word for
    both.  If your system allows this, you've already got a big security problem.  
    If you have a list of common passwords to test, you can load them into Web Cracker.
    The program will then run through the entire list of passwords for each user id.
    
    Use the File menu to load User ID's and Passwords into Web Cracker.
    You must at least load a list of user IDs, the password list is optional.  
    
    Once the files are loaded, you must enter the URL of the site you wish to crack.
    The easiest way of getting a URL is to use a browser such as Netscape or Internet Exploder
    to surf to the target site.  Then, right click on the link that throws up the "User Login"
    box.  Select "Copy link location" on the popup menu, then paste this URL into
    WebCracker's "Target URL" box.  If you have already loaded your User ID list, you can now
    click on Start and the cracking will begin.
     
    While cracking, you should see the highlight bars in the User ID and Password list boxes 
    move as each new pair is attempted.  Any message returned will be shown in the left panel
    of the status bar at the bottom of the WebCracker window.  Usually this panel will read
    "Code 401: Unauthorized", but it will change (very briefly) if a different error is 
    encountered or if an account was cracked.  When an account is cracked, an entry will be made
    in the Log window and the log will automatically be saved to the log file ("WC-xxx.LOG). 
    
    At any time during the cracking process you may click on the Stop button and the process
    will be halted, or you may save the session so you can stop and resume your cracking later, right
    where you left off.
    
    After all user id/password combinations are tried, Web Cracker will display a message
    box to that effect, and a final log entry will be made.
    
    If you click Stop before a cracking session is complete, Webcracker will log the last user id
    that was attempted. To start from that point onward, save your session so you can load it and
    continue at a later time.
    
    
    THE SETUP SCREEN:
    
    Convert USer ID's/Passwords: Web Cracker will automatically convert the user IDs or Passwords
    lists to all caps, or all lower case if one of these options is selected.  The Default, NONE, is
    probably satisfactory for most cracking sessions.
    
    
    USE REPLACEMENT VARIABLES:
    If the option "Use Replacement Variables" is checked, Web Cracker will automatically
    replace any occurrance of "%USERID" (case sensitive, no quotes) with the current user id
    being tried.  This allows you to create a list of passwords based on the current user id.
    Example:  if the current User ID was mike, then %USERID98 would be sent as password mike98.
    
    
    IMPORTANT:  See the Revision History at the end of this document for updated and new features, bug fixes, etc.
    
    CREDITS:
    
    Web Cracker 2.0 was designed and coded by DiTTo.
    
    Thanks to the guys who volunteered their sites as file mirrors:
    Lee / The house of Ill Compute - http://www.thoic.com
    Rob Harmon / The Forbidden Zone - http://www.forbidden-zone.net
    
    Many thanx and greetz to those who helped Beta test WebCracker 2.0:
    R0ver, DG, the IC guys in Building 309, Charles, Bartman/Abyss, Anders Nielsen, fried frunk
    
    Much thanks goes to Turtle for suggestions, info, and helping me squash that "NetCracker" problem.
    
    Web Cracker was written in Delphi 3.02, by Borland (now Inprise)
    
    Some code used in Web Cracker was developed by third parties, and released as freeware
    or shareware.  Credits for those VCLs go to:
    
    Internet Component Suite: Freeware by Fran鏾is Piette http://www.rtfm.be/fpiette
    
    Jan Goyvaerts, JG's Home Page, for his excellent URL Label component.
    http://www.ping.be/jg/
    
    Tan Qunzhao for his Tfire component that really dresses up the About box.
    
    Marcus Tettmar of MJT Software, for his SendKeys component, the heart of Web Cracker 1.0.
    http://www.mjtnet.com/ (Used only in WebCracker 1.0)
    
    
    REVISION HISTORY
    
    - Version 2.0 Final - released 12/02/98
    
    	- Hardly anything done on this version.  No bug fixes, only a few small cosmetic issues cleared up,
    	and only 1 new feature added - the ability to play a WAV file when a password is cracked or when
    	all the ids and passwords are tried and cracking is complete.  To use this feature, just put a 
    	.WAV file in the same directory as Webcrack.exe.  The files MUST be named WCFOUND.WAV and
    	WCDONE.WAV or they simply won't be played.  I've included two small WAVs just for kicks, you
    	can replace them with something better if you wish.  This feature was requested.
    
    	- This version has a few changes to discourage losers from hacking my work and calling it their own.
    	After I saw copies of "NetCracker" floating around, I decided that all future versions would be hack
    	proof, at least for hex-editing lamers.  Go ahead lamers, try to hex edit version 2.0.
    
    	- I think my work on Webcracker is about complete.  The program does everything I really wanted it
    	to (and more) right now, and my coding time = nil. If someone is interested in working on the 
            WebCracker project, drop me a line.  Does this mean WebCracker is dead? No. As I said, I have no coding
            time, and I could use some help.  One much requested feature is CGI-based attack capability.  I don't have 
            time to research and code this feature, but if someone else does, and can provide me with some Delphi
            code to work this magic, I will put out a new version as soon as it's working.  If you want this 
            feature, and your name on the WebCracker credit screen, go write some code.  It could be months before
    	*I* have a chance to do it...
    
    
    - Version 2.0 Beta 1.5 - released 09/09/98
    
    	- IMPORTANT: SESSION FILES CREATED WITH BETA VERSIONS 1.4, 1.4a or 1.4b ARE NOT COMPATIBLE WITH  or 1.5!!
    	You can load them, but if you do make sure you save them to convert them to 1.5 format.
    
    	- There will probably only be one more "bug fix" release before version 2.0 final.  My coding time is
    	getting short, as I'm getting married and moving next month.  I've still got a huge list of features 
    	I'l love to add, but they probably won't make it into v2.0.  In fairness, a TON of new features and fixes
    	have been added.  Just keep reading...
    
            - Support for Combination User ID/Password files.  Numerous people have asked for the ability to load a 
    	file in the format userid:password, like mickey:mouse so that the passwords will be tried only with their
    	associated user ids.  I thought this was a pretty good idea, so it's now a part of WebCracker.  In order to
    	use Combo Cracking, you will need to turn on Combo Mode under the tools menu.  This clears the user IDs and
    	passwords and rearranges the menus so you can load in a file in combo format. 
            *** IMPORTANT: The combo file must have a TAB between the user ids and passwords.  In other words, it must
    	be a TAB-DELIMITED file, with one user id/password pair PER LINE.  If it's not in this exact format, it will
    	not load correctly and you'll send me email wondering why. An example file, COMBO.TXT is included with 
            WebCracker, so you can see what a good file looks like.  While in Combo Mode, you can save your session, 
            and when you load it you will automatically be put back in Combo Mode.  Use the tools menu to turn Combo Mode
            on or off manually.  There will probably be some bugs with this, since it's all	new code.  Email me if you 
            find one so I can squish it.
    
    	- Changed the message given in the log when a valid User ID/Password is found.  The message now includes
    	the *size* of the page recieved when the correct id/pass was sent.  This makes it extremely easy to determine
    	valid accounts on those systems which expire old accounts, but still allow those users to log in.  When you
    	use WebCracker on such a site, you used to recieve only a FOUND: message, and you had to try each user ID and
     	password combination to see which were actually valid, and which were expired.  The Page Size number now
    	tells you instantly.  If you've never needed this feature, you won't miss it, but if you've ever tried to
    	sort through 50 valid accounts, only to find all but one was expired, you'll LOVE this! (Hint:  an expired
    	page and an active account page probably won't be the same size!)
    
    	- Added another Replacement Variable - %REVUID.  This returns the REVERSE of the user id.  There seems to be
    	some confusion as to how these replacement variables work.  THere are currently 2 variables: %REVUID and 	%USERID.  These can be used in PASSWORD files.  When WebCracker sees one of them, it replaces it with the
    	current user ID, or the reverse thereof.  This lets you try passwords like joe1, joejoe, joeeoj, eoj1 for the
    	user ID "joe".  Many people base passwords on their user id, so these replacement variables allow you to
    	formulate an attack based upon the current user id. To see this in action, load up your favorite user-id
    	list and load in PASSWORDS.TXT (included in the WebCracker archive) as your password file.  Start cracking,
    	and it will all make sense.  REMEMBER: Replacement variables are CASE SENSITIVE!!!
    
    	- Fixed the Minimun Password Length checking routine, so it now works.  Passwords of equal or greater length
    	than this number will be tried, smaller will be skipped.  This setting does not have any affect in Combo mode.
    	If "Try User ID as First Password" is on, and that password is smaller than the minimum, it will still be
    	tried.  This will be fixed in a later version.
    
            - Changed the "Error" response messges (such as URL moved temporarily, or No Content, etc) to include the
    	user id and password being tried at the time of the error. Requested. 
    
    	- Fixed a bug with the Start/Stop buttons, in that when you were cracking and clicked stop, then
    	clicked start, the session would resume at the next user ID rather than the one you stopped on.  This
    	problem also occurred if you saved a session then reloaded it and clicked Start.  
    
    	- Re-enabled the ability to click on a User ID or password in the listboxes, in order to have it become
            the current one. This feature was missing from version 1.4 for some reason, but is back and seems to work OK.
    	This is handy if you want to jump ahead or jump back in your wordlists. 
    
    	- Fixed problem that arose when all user IDs & passwords were tried.  If you clicked on Start, you'd get a
    	"List box out of bounds" error.  Now, when cracking is completed, the user ID and Password counters are reset 
    	to 0 so if you clicked Start, you'd start from the beginning again.
    
    	- Certain menu items are now disabled during cracking. You will have to click Stop first if you are currently
    	cracking in order to enable the disabled menus.  This fixes a lot of problems, and was long overdue.
    
    	- Fixed a nasty bug that caused WebCracker to lock up if a crack attempt returned a page that was too large.
            Certain web sites have large pages, and they literally choked WebCracker's HTTP buffer.  I changed the program
            to dynamically allocate memory as it's needed, and this fixes the problem. Not sure how this affects speed, 
            but it doesn't seem to slow the program down any.
    
    	- Found and fixed another bug with sessions. If you loaded a password file, then cleared the password list
            box, then saved your session, the password file would be loaded in again when the session was next loaded,
    	even though it shouldn't have been.  Same thing happened with the user id list box.  Both are now fixed. 
    
    	- Finally found a use for the Edit menu, which has been disabled since WebCracker was born.  You can now use
    	that menu to sort the user IDs and/or password list boxes.  By default, the password and user id list boxes are 
            NOT sorted.  Every time you clear one of the list boxes, or load a new files into them, they revert to NOT
    	sorted.  However, if you sort one or both of them, then save the session, they will remain sorted when you 
    	load the session back in.  If you sort the listboxes, then turn off sorting, they will STILL remain in sorted 
    	order unless you re-load them again (using load Passwords or Load user IDs, NOT Load Session) It's possible to 
            screw yourself up if you sort and start a session, then turn off sorting and save the session.  The next time 	the session is loaded, it won't be sorted, so all the cracking you did will be out of order.  The general rule
    	is, if you sort a session, NEVER un-sort it. You'll be missing out or repeating a lot of ID/Password 
    	combinations if you do. Remember:  Once a session is sorted, KEEP it sorted.
    
    	- One more time: SESSION FILES CREATED WITH BETA VERSIONS 1.4, 1.4a, or 1.4b ARE NOT COMPATIBLE WITH 1.5!!
            You can load them, but if you do make sure you save them again to convert them to 1.5 format.
    
    - Versions 1.4a Beta and 1.4b Beta 
    	- These versions were privately distributed to beta testers for feedback.  Not "official" beta releases.
    	If you are using one of these versions, upgrade to beta 1.5.
    
    -  Version 2.0 Beta 1.4 - Released 08/28/98 - MAJOR CHANGES in this version!
    
    	- Sessions! Sessions! Sessions!  The long awaited ability to save and load cracking sessions
            is now here.  Use the file menu to load and save sessions, which consist of 2 files each - 
            one is a session data file, with a WCK extension, the other is a session LOG file, with a LOG
            extension.  Get WebCracker loaded with your URL and password lsts, and crack if you want.  When
            you stop, save the session so the next time you can pick up from right where you left off.
            If you experience any SERIOUS problems with sessions, please drop me a line. I didn't have time to
            do exhaustive tests, so report any problems... 
    
    	- Fixed a bug which appeared when Convert User IDs was set on.  The IDs appeared as
            unconverted in the ID edit box, even though they were actually being sent to the target
            system correctly in the converted format.
    
            - Changed the results code handler to display a message and abort cracking if HTTP code 404 
            ("URL not found") was returned.  Otherwise, if a connection to the net was dropped, WebCracker
            just ran through the IDs and Passwords until it was done, and there was no way to tell where it
            left off. Now it will log the user ID and password it was trying when it got the error. 
    
    	- Added support for multiple instances.  Instead of logging to "Webcrack.Log" as in previous
            versions, WebCracker now logs to WC-xxxx.LOG.  The xxxx is replaced with 0000,0001,0002 etc.  This
            allows many instances of WebCracker to be run at once, and each will log to a seperate file.
            NOTE: if you let 10,000 log files accumulate, Webcracker will stop auto-numbering and just
            log to WC-LOG.OUT. When you save a session, the name of the log file is saved as well, so 
            WebCracker won't create a new log file each time. The Log file is automatically saved by the
            program whenever a valid account is cracked, or when a cracking session is stopped.  If you
            lose power, you won't lose all your found passwords.  :)
    
    	- WebCracker now tests the target URL to see if it's password protected or not.  If it doesn't
            appear to be protected, you'll be notified with a message. This usually means you picked the
            wrong URL to attack, so you'll need to find a protected one.
    
    	-Progress indicators now tell you which User ID/Password you are on, out of the total.  This
            gives you an idea as to how far along the session is.  Nothing fancy, but it's a start.
    
    	- Other misc internal changes which you couldn't care less about.
    
    	- A few users pointed out that the size of the password lists are limited to about 32,767 lines.
            This is a limitation of the Delphi listbox control, and is one I had hoped to overcome before
            releasing this version, but things didn't work out the way I had planned.  So, that will be a
            future enhancement.  If anyone has Delphi code for buffered line input which allows for unlimited
            file sizes, by all means drop me a line.  :)
    
    	- I do want to say thanks to the handful of folks who have written with suggestions and bugs.
            This program is still a long way from where I'd like it to be, but we're getting there.  Without
            your input, bugs won't get squashed and cool features won't get thought up.  Keep 'em coming!
    
    
     - Version 2.0 Beta 1.3 - Released 7/23/98
    	- Major changes to the internal code.  Someone suggested enabling "batch" support,
            so you could line up 50 URLs in a row to crack, and move to the next after you hit X number
    	of valid accounts. WebCracker wasn't built with that in mind, but I like the idea.  I also
    	want to enable "sessions", so you can stop then resume cracking right where you left off.
    	The program needs a lot of work to get these features implemented, but it's moving in
    	that direction.
    
    	- Fixed some bugs with the two new options added in beta 1.2.  Hopefully I got them all.
     	(Yes, the one that jumped out when the password list was empty has been squashed)
    
    	- The User ID no longer shows up in the password list box, even when "Try ID as first 
            password" is turned on.  The ID will still show up in the text box, but constantly
    	adding and deleting IDs from the password list box was a lot of overhead that really
    	didn't need to be.  Hopefully this adds to the speed of the program.  It will make future
    	coding easier, if nothing else.
    
    	- Changed the font in the Log windows to Courier New, 8 point.  I think it's easier to
    	read, and looks a little better.  
    
    	- CRAXD has offered to write a help file for WebCracker.  This should take care of yet
    	one more missing feature. 
    
    	KNOWN LIMITATIONS AND ISSUES IN THIS VERSION:
    
    	- You might find the program doesn't act right when you first run it.  Go into the SETUP
    	screen, and verify that the new options are set the way you want.  Click OK, and they will
    	be saved.  Everything should now work normally, if it didn't before.  This is a registry 
    	issue I need to clear up.  Not a biggie though.
    
    	-User ID and Password file sizes are limited to 65536 (or so) lines.  This is a Delphi
    	limitation, not mine.  If anyone can suggest a workaround, I'm all ears.  Even so, I
    	think most folks will find that 65000 is enough...  (except for that one guy... :)
    
    	- If you don't load any passwords, and have "Try ID as first password" toggled off, the
    	program shouldn't enable the "start" button cause there's nothing to crack... but it does.
    	That's just a little annoyance, and will be stomped later.
    
    	- The Edit menu option is disabled.  I'm still not sure if I'm going to use it... but it's
    	there for now.  Just ignore it.
    
     - Version 2.0 Beta 1.2 (Not Publically Released)
    	- Problem: when an account was cracked, WebCracker would continue using the 
    	same account with the rest of the passwords, possibly returning a "cracked"
            result for each of the remaining passwords in the list.  Changed the code so
            when an account is cracked, the remaining passwords are skipped and the 
            cracking moves on to the next user ID.  Speeds things up, especially with
    	long password files, and fixes the bug.
    	
    	- Finished coding Proxy Support.  Seems to work well. Thanks goes to
    	Charles and Bartman/Abyss for testing.
    
    	- Added an option to turn off trying User ID as the first password.
    
    	- Added an option to Optimize Webcracker for speed.  This disables the auto-scrolling
    	of the list boxes as passwords and user IDs are tried.  Seems to make a difference.
            Thanks to Anders Nielsen for pointing this out.  
    
    
    - Version 2.0 Beta 1.1
    	First public beta of version 2.  A few bugs, not all features implemented, but
    	I wanted to get it out there for testing.
    
    - Version 2.0 Beta 1.0
    	Private beta release, not publically distributed.  This version has nag screens
    	stating that it's a beta, if you have this version upgrade to get rid of the
    	nags.
    
    - Version 1.0
    	Original version by Doug Good, used Netscape for HTTP functions.  Slow and
    	had less functionality than version 2.0.  If you have this version, upgrade!
  • 相关阅读:
    更新整理本人所属博客文章的示例代码和工具组件(Java 和 C++)
    【端午呈献】通用高性能 Windows Socket 组件 HPSocket v2.2.1 悄然发布
    REST手记(一):对URI隧道技术以及CRUD操作的理解
    Jquery+JSON消费REST WCF4.0 服务(带源码)
    对REST架构 风格下WCF的一点补充
    REST与SOA两种架构下WCF的异同比较(含源码)
    REST笔记(三):一种标准的超媒体格式:Atom
    REST WCF 使用Stream进行Server与Client交互
    REST笔记(六)通过缓存架构可伸缩性与容错性的Service
    深入理解WCF系统体系(之二:WCF客户端如何构建?(上))
  • 原文地址:https://www.cnblogs.com/jjkv3/p/1443226.html
Copyright © 2020-2023  润新知