NAME:		GUESS
COPYRIGHT:	by Christian Beaumont, 1991
		Program is free for distribution

START:		guess vax.pwd dict.txt
LANGUAGE:	English

INSTRUCTIONS:
First you have to copy the password file from your UN*X machine. The password file should look similar to this:
------------
iseth:vFIuJ58ZzHYhU:100:10:I Seth:/usr/users/iseth:/bin/csh
lgrosso:CVKBTPn5FAy8I:101:10:L Grosso:/usr/users/lgrosso:/bin/csh
lingham:*Q2aBQv7l23Tls:102:20:L Ingham:/usr/users/lingham:/bin/csh
..
.. More passwords here!!
..
mbrown:*M7QXgy5RjfGDg:381:70:M Brown:/usr/users/mbrown:/bin/sh
------------
You also need a dictionary of frequently used passwords (see the "WORDLIST" directory on this CD).
So let us say we have the password file VAX.PWD and the dictionary DICT.TXT. You can use the following command line to see whether any of the passwords in VAX.PWD were in DICT.TXT:
guess vax.pwd dict.txt



-----------------------------------------------------------------------------
               GUESS: Copyright 1991 Christian Beaumont

       Preliminary Documentation for GUESS (Unix password checker)
                            [FAST VERSION]
               (C) Christian Beaumont 4th November 1991
-----------------------------------------------------------------------------

Sorry all this is a bit vague. I really haven't got time to spend on
documenting this program just at the moment as I am very busy at work.
I wanted to release this beta version to see what interest it would
generate. This is a second release. The first release was a binary only
release to fidonet UK, and now I am releasing source and binaries to
internet.

The program will run only on 386-SX or higher machines at the moment
but I have code dating back to my earlier 80x86 version which could
easily be incorporated if needs be.

The algorithm takes the usual table driven DES algorithm one step further
by taking advantage of the 386 extended addressing modes to give typical
speeds of around the 800 crypts/second mark.

I enclose a machine readable version of the internet-worm password
file to get everyone started. This list and many other dictionary
abstracts are freely available on many internet sites.

Please note that although the program is free for distribution, it is
designed as a beta-test program only. It is not designed to aid in the
illegal penetration of UN*X, but as a tool to highlight passwords which
are insecure for systems administrators. I give no warranty with this
program and do not guarantee its fitness for any particular purpose.

Having said that, this faster version manages 800+ crypts/second on my
Planet 386DX-33MHz (64k cache) PC and I generally find that 23%+ of all
ids are insecure.

For the future I plan a DPMI version which gives some sort of windowing
interface, possibly using the MS-Windows or Turbo Vision platform, with
much improved functionality, but why keep it from you when it works
perfectly well as is?

The program was inspired by many of the fast des routines that became
available in 1989 and 1990. The program itself is in fact derived from
one of these routines, and I am indebted to the author for his work.
However the algorithm has been extensively changed from the original
code to such an extent that I believe that it can be considered to
be a totally new piece of work. The majority of the reworking has been
done in the DES function, but a great speed increase was achieved by
initially reversing the ASCII password to its output format of 4 dwords.
There is currently a small problem with compiling the thing - TASM reports
three segment overflow errors which should be ignored, this is the result
of me declaring three segments of exactly 64k in length which TASM balks at
for some unknown reason. The reason I do this anyhow is because I was lazy
and would rather do a 65536 dup(?) than a farmalloc. This is why the
executable comes to 200k+ in length if you don't use Exepack on it!
Hey, I'll spare you the details tho, the source is not very readable and
not very well documented (Traditional for fast crypt sources <grin>), but
I'll give anyone who documents it for me a beer and anyone who gives it
an extra 10% throughput two beers!!


How to use:
===========

First you will need to copy the password file for inspection from
your UN*X machine onto the 386 machine that you plan to use. The
password file should look similar to this:

------------
iseth:vFIuJ58ZzHYhU:100:10:I Seth:/usr/users/iseth:/bin/csh
lgrosso:CVKBTPn5FAy8I:101:10:L Grosso:/usr/users/lgrosso:/bin/csh
lingham:*Q2aBQv7l23Tls:102:20:L Ingham:/usr/users/lingham:/bin/csh
..
.. Loads more passwords here!!!
..
mbrown:*M7QXgy5RjfGDg:381:70:M Brown:/usr/users/mbrown:/bin/sh
------------


You will also need a dictionary of often used passwords. This is required
because the program is NOT capable of 'reversing' a password. I have included
the internet-worm dictionary which has often been distributed on alt.security
in the past.

So, say we had the password file VAX.PWD and the dictionary DICT.TXT
you could see if any of the passwords in VAX.PWD were equal to any of the
words in DICT.TXT by the following command line:

   guess vax.pwd dict.txt

If you had multiple dictionary files, say DICT1.TXT DICT2.TXT etc... you could
specify these to be used sequentially with:

   guess vax.pwd dict1.txt dict2.txt ...

Obviously even at 800 crypts per second the program will take some time
on large dictionaries and/or password files. So you can interrupt the
program at any time by hitting a key. If you do this, remember the word
that it had reached so you can catch up later if necessary, i.e.:

  guess vax.pwd -cFish dict.txt
                   ^
                   Begin compare with file dict.txt starting at word FISH

You can try matching a single word with the entire password file if you like
with:

  guess vax.pwd -sjugnose -sfishhead -ssnepper

Or you can match a whole dictionary with one username from the password file:

  guess vax.pwd -ulucy dict.txt    (Attacks the user name 'lucy' only)

The final option is the algorithmic check of passwords. This tries both
username and usernameusername as a guess. So if the username was 'john'
it would guess at 'john' being a password as well as 'johnjohn'. This
feature could be taken a great deal further and I am hoping that someone
out there will do just that.

  guess vax.pwd -a
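The options described above (-a, -u, -c and -s) and the password-file format from the sample, put together as an added Python example that is not the GUESS source: it parses the file, generates candidates in the order the README describes (username and usernameusername first under -a, then the wordlist, optionally resumed at a given word as with -c), and compares a salted hash of each candidate against the stored field. The hash routine is a parameter: a real audit would pass crypt.crypt for the DES crypt(3) hashes shown in the sample (the crypt module was removed from the Python standard library in 3.13), while demo_hash, the sample passwd entries and all helper names here are constructed for this example and are not GUESS's.

```python
"""Offline dictionary audit of a Unix passwd file, in the spirit of GUESS.

Added example, not the GUESS source. The hash routine is injectable: a real
audit would pass crypt.crypt (classic DES crypt(3)); this file uses a
constructed stand-in so it runs anywhere. Option names mirror the README's
-a / -u / -c / -s behaviour; helper names are this example's own.
"""
import hashlib
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

HashFn = Callable[[str, str], str]  # (candidate, salt) -> stored-hash string


def demo_hash(word: str, salt: str) -> str:
    """Constructed stand-in for crypt(3): 13-char salted digest, NOT DES."""
    digest = hashlib.sha256((salt + word).encode()).hexdigest()
    return salt + digest[:11]


def parse_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (username, hash) pairs from passwd-format text.

    Blank lines and the '..' filler lines from the README's sample are
    skipped, as are entries whose hash field is too short to carry a salt.
    The '*'-prefixed hashes in the sample are passed through unchanged.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(".."):
            continue
        fields = line.split(":")
        if len(fields) < 2 or len(fields[1]) < 2:
            continue
        entries.append((fields[0], fields[1]))
    return entries


def candidates(user: str, words: Iterable[str], algorithmic: bool) -> Iterator[str]:
    """Yield guesses for one user: the -a check first, then the wordlist."""
    if algorithmic:
        yield user
        yield user * 2
    yield from words


def audit(passwd_text: str, words: List[str], hash_fn: HashFn,
          only_user: Optional[str] = None, start_at: Optional[str] = None,
          algorithmic: bool = False) -> List[Tuple[str, str]]:
    """Return (user, guess) for every stored hash a candidate reproduces.

    only_user mirrors -u, start_at mirrors -c (resume the wordlist at a
    word), algorithmic mirrors -a. Results are cached per (guess, salt), so
    accounts sharing a salt cost one hash computation per guess.
    """
    if start_at is not None:
        if start_at not in words:
            # This example's choice; the README does not say what GUESS does here.
            raise ValueError(f"resume word {start_at!r} not in wordlist")
        words = words[words.index(start_at):]
    cache: dict = {}
    hits = []
    for user, stored in parse_passwd(passwd_text):
        if only_user is not None and user != only_user:
            continue
        salt = stored[:2]  # traditional crypt(3): salt is the first two chars
        for guess in candidates(user, words, algorithmic):
            key = (guess, salt)
            if key not in cache:
                cache[key] = hash_fn(guess, salt)
            if cache[key] == stored:
                hits.append((user, guess))
                break  # one password per account; move on
    return hits


# Constructed sample passwd file: hashes made with demo_hash, not real crypt output.
SAMPLE_PASSWD = "\n".join([
    "lucy:" + demo_hash("fish", "aB") + ":100:10:L Ucy:/usr/users/lucy:/bin/csh",
    "john:" + demo_hash("johnjohn", "aB") + ":101:10:J Ohn:/usr/users/john:/bin/csh",
    "..",
    "mbrown:" + demo_hash("correct horse", "Zz") + ":381:70:M Brown:/usr/users/mbrown:/bin/sh",
])
DICT_TXT = ["apple", "fish", "jugnose", "snepper"]  # constructed wordlist


if __name__ == "__main__":
    print("guess -a       :", audit(SAMPLE_PASSWD, DICT_TXT, demo_hash, algorithmic=True))
    print("guess -cjugnose:", audit(SAMPLE_PASSWD, DICT_TXT, demo_hash, start_at="jugnose"))
    print("guess -ulucy   :", audit(SAMPLE_PASSWD, DICT_TXT, demo_hash, only_user="lucy"))
```

The -s form is just a wordlist of one or a few entries, so `audit(SAMPLE_PASSWD, ["fishhead"], demo_hash)` covers it. The (guess, salt) cache is the software counterpart of the speed concern the README keeps returning to: with the 4096 possible two-character salts, a large password file makes most hash computations reusable across accounts.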

Thanks for putting up with my awful documentation and hope to hear
some response soon.

Christian Beaumont +44-81-883-5683 (home) +44-680-1066 (work)
29 Cambridge Gardens, Muswell Hill, London, England,  N10 2LL
C_BEAUMONT@UK.AC.LUT.HICOM

