===============
MDcrack
===============

MD5 is a one-way hash algorithm that produces a 128-bit hash whatever
the length of the original text.  The resulting hash is often used to
sign a document, giving a way to certify that the original content was
not altered by a third party.  Today many applications (most of them
network oriented) use MD5 for authentication, to avoid sending any
plain text password on the wire.  In such a case, the client typically
sends a password hash over the network to the server, which in turn
computes its own hash of the client's password and compares the two.
If they match, the server considers that the client knows the right
password and the authentication process ends, although the server may
be totally wrong!

MD5 cannot theoretically be reversed, that is to say nobody can guess
the original text from its hash (even with short strings like
passwords), but since the number of possible hashes is fixed (2^128),
many strings will give the same hash.  Studies of the predictability of
such collisions have never, till now, proved that somebody could
arbitrarily choose another text giving the same MD5 signature.  In the
worst case, a third party may replace the original text with something
that has no meaning at all, and the well-known birthday attack is
easily defeated with a few precautions.  Nevertheless, if a random
collision is not really a problem for a letter that needs to make
sense, it may be a real threat for an MD5 password authentication
scheme.  Imagine that a user A authenticates himself by sending his
hash on the wire to the server B while being sniffed by an attacker X
who easily catches the hash.  Our attacker doesn't only want the hash
but needs an original plain text password (this is the case with the
hotmail messenger vulnerability I reported to bugtraq this month).  He
doesn't actually need the same password, but any collision that can be
typed from a real client.  Even if the chances are low for your password
to have a collision in the first hashes generated, the probability is
not null and the attacker can still bruteforce your original password.

This is the purpose of MDcrack: it will give you any collision found in
the range you have previously defined, and can be useful to test the
strength of your password hash.  Because MD5 will always give the same
result for a given input, a user may easily compute every combination
of a fixed password length in advance, to do further collision searches
using egrep.  For big password sizes, many Crays and a lot of time
should be useful ;)

The mdcrack homepage is located at:

	http://mdcrack.multimania.com/

=================
Usage
=================

MDCrack version 0.8
T00l to bruteforce password MD5 hashes.
Usage: MDCrack [-h] [-d] [-W file -F] [-t secs] [-v | -V] [-b string] [-e string] [-a] [-s charset] [digest] 
-h : (h)elp, this text
-d : (d)elete any resume-file
-W : file where to (w)rite all computed hashes
-F : (F)ast write (Hashes file is no longer human readable)
-t : set benchmark mode (t)imer to secs seconds
-v : set (v)erbose mode
-V : more (V)erbose
-b : passwords (b)egin with string
-e : passwords (e)nd with string
-a : find (a)ll collisions (won't stop to the first found)
-s : feed a custom charset (s)tring for passwords
No option at all will force mdcrack to resume a previously stopped session

Author: Gregory Duchemin 
Email: c3rb3r@hotmail.com
WWW: http://mdcrack.multimania.com
greetings to Simeon Pilgrim

*******************************************
derived from the RSA Data Security Inc.
MD5 Message-Digest Algorithm
*******************************************



=================
Version History
=================


Version 0.8

* Simeon Pilgrim has shared his work on MD5; the new generator is twice as fast as before (100% !). Thanks to him for his very helpful hand and valuable work on the topic. (more details will be available on the web soon)
* -V/-v: two verbosity levels.
* Statistics were still incorrect in some cases; the problem is now definitely closed by using a float type variable.
* A symlink attack was possible by playing with the RESUME_FILE if it was in a public read/write directory (like /tmp); mdcrack will now check for any symlink before any RESUME_FILE creation. In any case, it is recommended to use a private directory and to configure the Makefile accordingly.
* Dumps to screen and files are little_endian by default (Intel arch.); otherwise it's possible to change that in the Makefile.
* Minor optimizations in the code, with a gain of 7.3% on my k6/233.
* A bad segfault has been fixed. It occurred when mdcrack was called with at least one option but without a hash to crack.
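
One way to create and re-open a resume file in a shared directory without following a symlink, given as an added example and not mdcrack's own code. The function names and the scratch directory are hypothetical; O_CREAT|O_EXCL makes the existence check and the creation a single step, so nothing can be swapped in between them.

```c
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a NEW resume file. O_CREAT|O_EXCL fails if the name exists in any
 * form, dangling symlink included: check and create are one atomic step. */
int resume_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Re-open an existing resume file: refuse a symlink as the final path
 * component, then verify on the descriptor that it is our regular file. */
int resume_open(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    st.st_uid != geteuid())) {
        close(fd);
        errno = EPERM;
        fd = -1;
    }
    return fd;
}

/* Constructed demo: a scratch directory stands in for a shared /tmp.
 * Returns 0 when the planted symlink is refused and a clean path works. */
int resume_demo(void)
{
    char dir[] = "/tmp/resume_demo_XXXXXX", lnk[64], good[64];
    int fd, ok = 1;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/planted.resume", dir);
    snprintf(good, sizeof good, "%s/clean.resume", dir);
    if (symlink(good, lnk) != 0) ok = 0;          /* planted, dangling for now */
    if (resume_create(lnk) != -1) ok = 0;         /* creation must be refused */
    if (access(good, F_OK) == 0) ok = 0;          /* nothing written via link */
    if ((fd = resume_create(good)) < 0) ok = 0; else close(fd);
    if (resume_open(lnk) != -1) ok = 0;           /* link resolves, still refused */
    if ((fd = resume_open(good)) < 0) ok = 0; else close(fd);
    unlink(lnk); unlink(good); rmdir(dir);
    return ok ? 0 : 1;
}
int main(void) { return resume_demo(); }
```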




==============================
Version 0.7:

More options are available.
* -d will delete any old resume file, now defined in the Makefile.
* Things get serious with option -W, which writes all hashes to a file in a human readable form so that a simple egrep can find a match among all precomputed hashes.
* Generated files are really enormous and quickly become unusable with standard tools. -F (as in "Fast") forces every write operation to be in raw form, for a later pattern-matching session with mdcrack. -F increases general performance by up to about 60% and saves a lot of disk space, but brings a compatibility problem between little and big endian architectures, since hashes are written directly as integers.
Note: the specific read-file module will be available soon, in the next release.
* Function ftime (deprecated) has been replaced by gettimeofday, and possible compilation troubles on BSD4.3 based systems should now be corrected.
* Benchmark default hash is now defined in the Makefile.
* Minor bug fixes.
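
The endianness problem noted for -F goes away if each digest is written in a fixed byte order instead of as host integers. The sketch below is an added example, not mdcrack's file format: the 16-byte record layout and the function names are assumptions, and the sample value is the well-known MD5 of the empty string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16

/* Store the four 32-bit MD5 state words least significant byte first, on
 * every host. fwrite()-ing the uint32_t array instead would give different
 * bytes on Intel and on SPARC, which is the incompatibility noted for -F. */
void digest_pack(const uint32_t w[4], unsigned char out[DIGEST_LEN])
{
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (unsigned char)(w[i] >> (8 * b));
}

/* Inverse of digest_pack(): rebuild the words from a portable record. */
void digest_unpack(const unsigned char in[DIGEST_LEN], uint32_t w[4])
{
    for (int i = 0; i < 4; i++) {
        w[i] = 0;
        for (int b = 0; b < 4; b++)
            w[i] |= (uint32_t)in[4 * i + b] << (8 * b);
    }
}

/* Search a buffer of packed records for a digest; record index or -1. */
long digest_find(const unsigned char *recs, size_t n, const uint32_t target[4])
{
    unsigned char key[DIGEST_LEN];
    digest_pack(target, key);
    for (size_t i = 0; i < n; i++)
        if (memcmp(recs + i * DIGEST_LEN, key, DIGEST_LEN) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    /* MD5 of the empty string, as state words (standard test vector) */
    const uint32_t empty[4] = {0xd98c1dd4u, 0x04b2008fu, 0x980980e9u, 0x7e42f8ecu};
    unsigned char rec[DIGEST_LEN];
    digest_pack(empty, rec);
    for (int i = 0; i < DIGEST_LEN; i++)
        printf("%02x", rec[i]);
    putchar('\n');
    return 0;
}
```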
  


==========================
Version 0.6:

* This version brings two new options, -e & -b, to append a fixed
size string to the end/start of the clear password being tested,
in the same manner as most authentication schemes around here.
Typically, if the server first gives its client a random string to
be appended, just catch it and try every hash produced by the pair
(password being tested, string).

E.g.: if the server sends the string 01333112.12121221 to be concatenated
to the end of the user password before generating the hash **CLIENT HASH**,
just try this:

	# mdcrack -e 01333112.12121221 **CLIENT HASH**

* A little bug in statistics has been fixed; it occurred when
the test lasted less than 1 millisecond, so without real serious impact.
* A little bug in verbose mode has been fixed; hashes are now correctly displayed on the screen.

==========================
Version 0.5:

* A benchmark mode "-t secs" is now available, it performs a
speed test during a customizable duration. Useful for bench
report / comparisons and my usual source optimization sessions.

==========================
Version 0.4:

* Complete optimization of the original Rivest C implementation
of the md5 generator
* Other optimizations
* Overall performance enhancement, about 50% faster
* Makefile is more verbose
* Statistics when pressing CTRL-C or ending a crack are more reliable, using a precision
of one millisecond
* Bug fix: statistics are no longer weird after less than 1 second of cracking

==========================
Version 0.3:

* Sources sanity check 
* Various optimizations/bug fixes

==========================
Version 0.2:

* When stopped with ctrl-c, any session will be automatically saved in a temp
file /tmp/.mdcrack.resume to be continued later. When started without any option,
mdcrack now checks for a temp file and will automatically resume a previously stopped session.
This can be really useful for multiboot systems and/or "multidays" crack jobs.
* option -h will show the help online.



================
Compilation
================

tar -zvxf mdcrack-0.X.tar.gz
cd mdcrack
make

To test:

make test      --- crack password "toto" with a limited charset
make bigtest   --- idem with a full charset


================
Performance
================

CPU/MHz             system          mdcrack    elapsed       average md5
                                    version    time (sec)    hashes/s
PI 166              linux 2.2.x     0.1        75            76 910
AMD K6 233          linux 2.2.x     0.1        21            126 000
AMD K6 233          linux 2.2.x     0.3        21            179 302
AMD K6 233          linux 2.2.x     0.4        17            217 122
PIII 500            linux 2.2.x     0.1        20            298 000
PIII 500            linux 2.2.x     0.4        8             427 000
PIII 666            win32/cygnus    0.1        20            397 458
PIII 666            win32/cygnus    0.4        5             639 000
USparc IIi 360*     solaris 2.6     0.4        8             254 000
Celeron 333         Cygnus/win32    0.4        16            215 000
Celeron 333         win32           0.4        19            189 000

* This result is not realistic since mdcrack has never been
optimized specifically for sun sparc, and worse, the server was
busy during the tests. 

Please, send your benchmark scores to c3rb3r@hotmail.com. 

I'm particularly looking for "high speed configurations" or "unusual systems" benchmarks.

Thank you.
and "Have a nice day"
 
Gregory Duchemin.


==============================
Questions, bugs reports, ideas for optimization
to c3rb3r@hotmail.com
