Nutcracker version 1.9 (beta test phase for 2.0) 

Released under the GNU GPL (http://www.fsf.org/copyleft/gpl.html)
Copyleft 2001 by Ryan T. Rhea (this is open source, hack away...)
ryan@northernlightsgroup.hypermart.net

Check http://northernlightsgroup.hypermart.net for new versions of this 
program and for other computer security related tools and information.

--------------------------------------------------------------------------

Nutcracker is a very simple password checker/cracker for Unix/Linux.  It
has been tested on Digital UNIX, RedHat Linux, Mandrake-Linux, Caldera 
OpenLinux, Slackware, Solaris, and FreeBSD.  It should work on any system
that uses the standard Unix/C system calls.  

The weakest and most vulnerable part of any system is the users' choice of 
passwords.  Hackers have long known that a simple dictionary attack can be
very effective in breaking into an otherwise secure system.  The best
method of protecting those systems, then, is to use the tools a hacker
would use to find and change any vulnerable passwords.  I have found that
on many systems checked, over half of the passwords can be found with this
method.

Nutcracker will report any disabled accounts, as well as accounts with no
passwords.  It will crack either '/etc/passwd' or '/etc/shadow' files,
and can use any dictionary file available.  A simple dictionary of around
2400 words is included, as well as a sample '/etc/passwd' file.  

This tool was written for administrators to test and improve their own
system's security.  In fact, on most newer systems, where '/etc/shadow'
files are used, you need root access to read the file.  Do
not, under any circumstances, use this tool for malicious purposes.  It is 
illegal to attempt to break the security of systems you do not own.

That said, I hope you find the program useful.


INSTALLATION

Nutcracker is an executable Perl program.  Copy it somewhere in your 
path, preferably into '/sbin'. 


USAGE

nutcracker password_file dictionary_file [-p(X)] [-s(X)]


-p(X)  Turn on prefix modification.  Add the digits 0 through X.  If X
       is not specified nutcracker defaults to 99.

-s(X)  Turn on suffix modification.  Add the digits 0 through X.  If X
       is not specified nutcracker defaults to 99.


EXAMPLES

nutcracker /etc/shadow /usr/dict/words

nutcracker /etc/shadow /usr/dict/words -p9 -s

The last example above will try the prefix and suffix modification
algorithms if the plain dictionary attack fails for a given password. The
prefixes 0 through 9 and the suffixes 0 through 99 (the default because
no number was specified with '-s') will be added to each dictionary word
before it is encrypted. 
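
The search space that '-p9 -s' covers can also be checked from the
defender's side when a user picks a new password.  The Python code below is
an added example, not part of Nutcracker (which is a Perl program).  It
assumes affixes are unpadded decimal numbers and that a prefix and a suffix
are never combined on one word; WORDS, guessable_as and candidates_per_hash
are hypothetical names.

```python
# Added example (not Nutcracker code): password-change check that mirrors
# the README's search space. WORDS is a constructed stand-in dictionary.
WORDS = {"dragon", "secret", "summer"}
DEFAULT_MAX = 99  # README: -p / -s with no X default to 99


def _in_range(digits, limit):
    # Assumption: affixes are plain decimals "0".."limit" with no zero
    # padding, so "7" is in range but "07" is not.
    if not (digits.isascii() and digits.isdigit()):
        return False
    if len(digits) > 1 and digits[0] == "0":
        return False
    return int(digits) <= limit


def guessable_as(password, words, prefix_max=None, suffix_max=None):
    """Return "plain", "prefix" or "suffix" if the password is reachable
    with the given -p(X)/-s(X) ranges (None = option off), else None.
    Assumption: a prefix and a suffix are never applied together."""
    if password in words:
        return "plain"
    for i in range(1, len(password)):
        head, tail = password[:i], password[i:]
        if prefix_max is not None and tail in words and _in_range(head, prefix_max):
            return "prefix"
        if suffix_max is not None and head in words and _in_range(tail, suffix_max):
            return "suffix"
    return None


def candidates_per_hash(n_words, prefix_max=None, suffix_max=None):
    """Upper bound on guesses per password hash, under the same assumptions."""
    per_word = 1
    if prefix_max is not None:
        per_word += prefix_max + 1
    if suffix_max is not None:
        per_word += suffix_max + 1
    return n_words * per_word


if __name__ == "__main__":
    # Equivalent of "-p9 -s" from the EXAMPLES section.
    for pw in ["dragon", "7dragon", "summer42", "dragon100", "s3cret"]:
        print(pw, "->", guessable_as(pw, WORDS, 9, DEFAULT_MAX))
    print(candidates_per_hash(2400, 9, DEFAULT_MAX), "guesses per hash")
```

A password for which guessable_as returns anything other than None is one
the run in the last example would find, so it should be refused at
password-change time.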

A sample password file and dictionary are included.  Most Linux systems
have a bigger dictionary file in '/usr/dict/', although the larger the
dictionary file, the longer the wait.  The included 2400-word file is
often big enough!


NEW IN VERSION 1.9

- Removed sloppy ncurses interface from version 1.5 to ensure broad
  UNIX compatibility.

- Added new abstracted prefix and suffix modification routines, and the
  ability to specify the range of the modifications on the command line.

- Added new statistics information (Thanks Jason Burke)


NOTES ON SOURCEFORGE BETA VERSION

This is a test version of Nutcracker that is soon to be released as
'Nutcracker 2.0' on freshmeat.net.  This program is also in the process
of being slightly modified to work as a module on the SourceForge.net
security project 'Piper'.  In releasing this as 1.9, my major goal was
to promote testing of Nutcracker to ensure that it works effectively
across all UNIX and Linux platforms.  Please email any bugs, comments,
or suggestions to the email address above.
