Thursday, 25 February 2010

RAR password cracking with cRARk

cRARk is a .rar archive password cracker, but unlike rarcrack, can be customised to a far greater extent to allow partial passwords, wordlists, complementing wordlists with characters and more.
The programme is also CUDA enabled, which allows for a vast increase in testing speed, provided of course that you have a capable graphics card. (http://www.nvidia.com/object/cuda_gpus.html)


cRARk is not installed by default on BT4 Final, a shame really as it is more versatile than rarcrack in my opinion. To install it though is a piece of cake ;

apt-get install crark

! During the install, the program tried to install the CUDA dependencies as well; for this to work properly you will need to exit 'X'. To do this press Ctrl + Del + Backspace to get back to the command line only.
So the best way to install seems to be to get online, quit X with Ctrl + Del + Backspace, and then run the apt-get install from the command line interface.


The machine I installed it onto does not have any CUDA capabilities, so this post will only go through some of the functions of cRARk without testing the CUDA improvements on cracking speed.
I may later try to do a full HDD install on my desktop to see if I can get my 8800GTS to work.


So after installing cRARk, let's fire it up through either the menu ;
Start/Dragon --> Backtrack --> Privilege Escalation --> Password Attacks --> OfflineAttacks --> Crark
or the command line ;
cd /pentest/passwords/crark/

Let's check out the files, the readme's and what general options are advised ;
ls
./crark






BRUTEFORCE ATTACKS
================

To start off we need to create the password.def file. To do this simply copy either the english.def file or the crackme.def file to password.def ;
cp crackme.def password.def

Then modify the password.def file to reflect the options we want to use.

Here I will be working with simple password protected files stored on my flashdrive (mounted on /media/8GB/)

Testing password protected test100.rar file with password 100 ;

nano password.def
Under the double hash (##), enter the testing method desired, in this case numbers only ;
[$1] *
Save and exit






As my system cannot use CUDA I will disable it with the -c option when testing.

./crark -c /media/8GB/test100.rar



For checking password protected testabc.rar file with lowercase letters only ;

nano password.def
[$a] *
Save and exit.








./crark -c /media/8GB/testabc.rar





For checking a password protected test-ABC.rar with uppercase characters only ;

nano password.def
[$A] *
Save and exit









./crark -c /media/8GB/test-ABC.rar








To check all of the above on password protected testaB1.rar ;

nano password.def
[$a $A $1] *
Save and exit






./crark -c /media/8GB/testaB1.rar













!! It is important to note that cRARk checks characters in the same sequence as they are entered in the definition file.
So in the above example, entering the character information in the definition file as $1 $a $A would take a lot longer to find the password than using $a $A $1 .

The end result will be the same, cRARk will find the password, but the time needed for checking will be severely affected.
(I thought I had messed up somewhere earlier on when I changed the character sequence in the definition file and it took longer than previous attempts).
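
The effect of character-set order described above, as an added example that is not part of the original post or of cRARk itself. It is a Python model that assumes candidates are tried shortest first and, within one length, in definition order with the last character changing fastest; the sample password aB1, the class contents and all function names are assumptions.

```python
import string

# Assumed contents of the classes used in this post: $a = a-z, $A = A-Z,
# $1 = 0-9. $! is left out because its contents come from the .def file.
CLASSES = {
    "$a": string.ascii_lowercase,
    "$A": string.ascii_uppercase,
    "$1": string.digits,
}


def alphabet(order):
    """Concatenate the classes in the order they appear inside [ ... ]."""
    return "".join(CLASSES[name] for name in order.split())


def attempts_until_found(password, order, min_len=1):
    """1-based position of `password` in the assumed enumeration order."""
    chars = alphabet(order)
    base = len(chars)
    if len(password) < min_len or any(c not in chars for c in password):
        return None  # this definition never generates the password
    # Every shorter candidate is tried first.
    shorter = sum(base ** n for n in range(min_len, len(password)))
    # Position among candidates of the same length (base-N number).
    rank = 0
    for c in password:
        rank = rank * base + chars.index(c)
    return shorter + rank + 1


def keyspace(order, min_len, max_len):
    """Total candidates for [order] * limited by -l<min_len> -g<max_len>."""
    base = len(alphabet(order))
    return sum(base ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    sample = "aB1"  # constructed sample password
    for order in ("$a $A $1", "$1 $a $A"):
        n = attempts_until_found(sample, order)
        print(f"[{order}] * : found after {n} attempts, "
              f"{n / 60:.0f} s at 60 pass/sec")
    total = keyspace("$a $A $1", 3, 5)
    for rate in (60, 160):  # rates measured in this post
        print(f"-l3 -g5, {total} candidates: "
              f"{total / rate / 3600:.0f} hours at {rate} pass/sec")
```

Under this model the same password is reached after 5634 attempts with $a $A $1 but 44642 attempts with $1 $a $A, which matches the slowdown noted above.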


To go all out and also include special characters ;
nano password.def
[$a $A $1 $!] *
Save and exit.

To test the password.def file and see whether the commands are going to work OK, the programme can test run the definitions using the -v option ;

./crark -c -v /media/8GB/test100.rar

This won't actually start the cracking process, but will print the candidate passwords on screen so you can check whether it's doing what you want it to.



To specify the number of characters, the options -l & -g can be used.
So to specify a minimum of 3 characters and a maximum of 5 characters ;

./crark -c -l3 -g5 /media/8GB/testabc.rar

The bruteforce attempts resulted in an average of around 60 pass/sec on my netbook and around 160 pass/sec on my desktop (windows version of cRARk).
With CUDA this will be greatly enhanced, but I will have to see if/when I can get that going.


WORDLIST/DICTIONARY ATTACKS
======================

cRARk also has the option to check passwords from a wordlist file.
To do this the password.def file needs to be adjusted to specify the location of the wordlist with $w. In this case I have copied a small english wordlist called english.dic into cRARk's directory.
(You can of course also specify an alternative location where the wordlist is)
  
Then we need to specify that cRARk will use a wordlist in password.def ;

nano password.def
$w = "english.dic"
##
$w
Save and exit.





./crark -c /media/8GB/testAmsterdam.rar



The dictionary attacks averaged around 20 pass/sec on my netbook, and I understand that there is no CUDA support for the dictionary attacks.
So having a focussed wordlist is a must !


To allow an easier choice of options, it is also possible to prepare some definition files and then specify these with the -p option.
For instance you can prepare a .def file which will use a wordlist file as follows and then keep it there for future use ;

cp password.def wordlist.def











Then to specify to use the newly created wordlist.def file, the -p option is included ;

./crark -c -pwordlist.def /media/8GB/testAmsterdam.rar





















There are a huge number of options to play with when it comes to wordlist usage; extra options can be included to capitalize / invert / mashup / add numbers etc.

I may update the post to show some of these options on a test wordlist.

It will be interesting to see how far I can get with the CUDA side of things, however that would mean a full HDD install on the desktop (doesn't work in VMware).



ADVANCED DICTIONARY OPTIONS

Following some queries in the comments I got to checking how the wordlist and the wordlist manipulations work.
It truly is fantastically (and terrifyingly) customizable.

If for instance you have a list of words and you know that the password is a combination of a couple of these words, then you can tell crark to do that in the .def file as follows ;
For 2 words from the wordlist in succession ;

wordlist.def
$w = "wordlist.txt"
##
$w $w



For 3 words from the wordlist in succession ;

wordlist.def
$w = "wordlist.txt"
##
$w $w $w















If you have 2 wordlists and you know that the password will be a combination of words from the 2 lists (one way only, so words from the 2nd list appended to words from the 1st list for instance), then you can identify the 2nd wordlist with the $u function ;

wordlist.def
$u = "wordlist1.txt"
$w = "wordlist2.txt"
##
$u $w

So in the above, all words from wordlist2.txt will be suffixed/appended to each word in wordlist1.txt.

And of course any number of combinations of the above can be made.

In the below example ;
wordlist.def
$w = "test1.txt"
$u = "test2.txt"
##
$u$w$u
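
What a definition like the one above expands to, and how quickly the candidate count grows, as an added example that is not part of the original post or of cRARk itself. The parser covers only the .def forms shown in this post, the word lists are constructed sample data, the generation order is illustrative, and all function names are assumptions.

```python
from itertools import product


def parse_def(text):
    """Parse only the .def forms shown in this post: `$w = "file"` above the
    ## break and lines of $w / $u tokens below it (not cRARk's full grammar)."""
    files, patterns, below = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "##":
            below = True                  # definitions end, patterns begin
        elif not line or line.startswith("#"):
            continue                      # blank line or comment
        elif not below:
            name, _, value = line.partition("=")
            files[name.strip()] = value.split("#")[0].strip().strip('"')
        else:
            # Assumption: "$u$w$u" and "$u $w $u" mean the same thing.
            patterns.append(["$" + t.strip() for t in line.split("$") if t.strip()])
    return files, patterns


def expand(patterns, files, contents):
    """Yield every candidate: one word per token, joined with no separator."""
    for tokens in patterns:
        lists = [contents[files[t]] for t in tokens]
        for combo in product(*lists):
            yield "".join(combo)


def candidate_count(tokens, sizes):
    """Candidates for one pattern line = product of the word list sizes."""
    total = 1
    for t in tokens:
        total *= sizes[t]
    return total


# Constructed sample data (the post's own word lists are not shown).
SAMPLE_DEF = '''$w = "test1.txt"
$u = "test2.txt"
##
$u$w$u
'''
SAMPLE_LISTS = {"test1.txt": ["east", "west"], "test2.txt": ["up", "down", "123"]}


def demo():
    files, patterns = parse_def(SAMPLE_DEF)
    return list(expand(patterns, files, SAMPLE_LISTS))


if __name__ == "__main__":
    words = demo()
    print(len(words), words[:4])
    # Four $w tokens over a 1000-word list at the ~20 pass/sec dictionary
    # rate measured in this post.
    n = candidate_count(["$w"] * 4, {"$w": 1000})
    print(f"{n} candidates, about {n / 20 / 3600 / 24 / 365:.0f} years")
```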
















Author's Helpfile & Linkage ;
http://www.crark.net/cRARk.html


Video on the above ; 
http://blip.tv/file/3275276
or
http://www.youtube.com/watch?v=viYdoZiCYaA

49 comments:

  1. Hi,

    Have you tested this tool with wordlists >2GB? Hope it keeps improving on speed, good to see it has already implemented cuda stuff.

    DiabloHorn

  2. Hey there,

    Actually no I have not tested with wordlists larger than 2Gig,
    however I have not read that there is a limitation on size, so would imagine that it is possible.

    When / If I manage to spend some cash on a new setup I will definitely be doing a dual install and be trying out the CUDA goodness :)

  3. well most tools usually break on os memory constraints cause of how they try to read the word list file. Hope it all works out with ya new setup.

  4. Thanks for this tutorial. I've lost the password to a couple of my rars. I hope this helps me get them open again!

  5. where i was to put crark.rar in BT4 folder ... ( i was to put and extract on the desktop ) because i have problem like this :

    root# apt-get install crark
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Couldn't find package crark

    how to fix this problem ???? help please :(

  6. Strange, I cant recall doing anything other than a ;

    apt-get update
    apt-get install crark

    You did do an 'apt-get update' beforehand ?

  7. I have just tested the install in BT4 R2 ;

    apt-get update
    apt-get install crark

    Installs fine, and crark can then be found in ;

    /pentest/passwords/crark/

  8. I have written a Tutorial for cRARk on Mac OSX in German. Look Here: http://appleundich.wordpress.com/2011/03/30/howto-passwortgeschutzte-rar-dateien-mit-crark-offnen/

  9. Hi,
    Thanks for the nice guide, Not many CRARK guides out there.
    I have two queries,
    1. How to use CRARK when I may (doubtful) know a part of the password like a word. eg : If I know part of the password is 'apple', how to use the crark with bruteforce for all alphabets with the word 'apple'.

    2. When I use CUDA, I get error
    cudaThreadSynchronize() failed: Out of memory and the program stalls.


    Expecting your reply.

  10. Hey Abishek,

    First make sure you check out full details on ;
    http://www.crark.net/cRARk.html

    I have not tried it out, however there are so many options, I would suggest you go through it all and pls post a comment if you figure it out !

  11. I have been trying to get this to work
    under all the #s
    I have
    $123
    $421
    $dumb
    $butt
    $Iam
    what am I doing wrong? It says invalid macro at line 36
    thanks

  12. You are not following the correct syntax...

    If you want to use pre-defined charsets for
    lowercase, uppercase or numeric values, then do so.

    If you want to use a dictionary attack, then u should go for that, you seem to be confusing those items.

    Read post again ;)

  13. will a dictionary attack combine the different words/numbers as that is what I need or does it just go through them all once and not find the right combo?

  14. Im sorry to take up so much of your time.
    I used them in a file like so
    /some
    /word
    /532
    what I need to know is how to make the crark test combos of the words like some532word
    thanks

  15. Hey there, no worries ;)

    What I think you first need to figure out is what
    your wordlist needs to look like.

    If you have an idea of what the password may look like, then you can really drastically reduce time required to check.

    You could check my post on crunch or on wordlist manipulation to create a wordlist to suit your encrypted rar file,
    Then use the $w option as below in the password.def file to crack with cRark ;

    password.def ;
    $w = "wordlist.txt"
    ##
    $w


    Hope the above makes sense.

  16. I've read the files to read and am still confused.
    What should my password.def look like since that is the part that the program is telling me doesn't exist even though I am looking right at it
    I do crark-hp -ppassword.def a1.rar
    and it gives me that error
    the file IS there
    I have a word.txt created with just the password phrases, no symbols, just the words separated by a newline not /n.
    I am totally confused.
    Thanks

  17. Are u on linux/BT or using the windows version ?

  18. I have checked it in windows as I think you are using that version.
    It works fine for me, I extracted CRARK files to
    c:\crark\

    Created a wordlist and moved to directory c:\crark\

    Created a wordlist.def file in the same directory c:\crark\
    with contents as follows ;


    # Wordlist definition file
    # Definitions begin under the ## break
    # Enter the wordlist name above the ## break
    $w = "abc.txt"
    ##
    $w


    Then ran crark ;
    crark-hp -d3 -pwordlist.def test.rar

    (I needed the -d3 for CUDA to avoid errors)


    It all works, so I think you are doing something wrong with either the directories, typos etc..

  19. It ended up testing 18 passwords.
    I am using the windows version.
    How do I get it to test combinations of the words in the "abc.txt" not just test individual words?
    I know that it is some combination of these words but I don't know which ones or when they occur.
    Thanks for helping me so much. Sorry to be a pest.

  20. Hey again, I think I may have found an answer for you, check the above post for the last change at the bottom ;

    Use the wordlist.def file as follows ;
    # Wordlist definition file
    $w = "wordlist.txt"
    ##
    $w $w


    Remember though that depending on the size of the wordlist, it may be a looong operation ;)

    Hope it helps !

  21. Thanks
    so I just keep adding $w for more words to be tested?
    Thanks I think that it is working
    I added 4 $w's so it will be awhile.
    Thank you for helping me and being so patient with me.

  22. Thanks it worked!!!

  23. Thats great ;)

    Was running out of ideas :D

    Glad it worked and we both learned something new in the process hey !

  24. I think that I will try to write a GUI for it as I am learning C and have yet to write my first app.
    Thank you so much, the passwords would never have been found without this and I really needed those files
    Thank you so much

  25. I am glad my meager knowledge helped you out :)

    Its all about looking at the tools available and using these to your best advantage..

    Good luck with your C programming and looking forward to seeing the progress ;)

  26. Hi
    Good Day
    Is there is a way to define space character in password.def in other words to look up words with spaces
    Thanks in Advance

  27. Read the documentation on ;
    http://crark.net/cRARk.html#42

    It appears that for space character you have to escape it. (with backslash)

  28. Would you please give an example, how to write that in password.def
    While my password.def as follows
    ##
    [$a $A $1 $!] *

  29. Have you read the documentation ?!
    Done any tests yourself ?

    If you read the documentation and look at the contents of the files, you will see that the special character set is not including the space character.

    You can either include it in the charset by including "\ " in the actual character set..

    or

    You can include it in the password definitions, in your case ;
    ##
    [$a $A $1 $! \ ] *

    That worked in my test.

  30. That worked fine
    Thanks a lot

  31. Hey there, glad it helped :)

    Sorry my previous msg seemed a bit agitated.. sleep deprivation gets to us all ;)

  32. hello,

    1.when i create a file.rar in windows i can crack it, but when i create with rar in linux it fails and crack nothing

    2. i want to use czech letters which i set up in the password.def as $i=[ščř] and so on - also found nothing

    3. when i use "\ " as a space on the output with option -v is " " there, example:"a b" but found nothing, unless i my password is "a b"

    so whats wrong with my setup? does anyone know?

    Replies
    1. Hey there zbyn2k,

      1.
      I have tested creating a password protected rar file in vmware BT5R1 ;
      rar a -pQWERTY test.rar test.txt
      (so rar file test.rar created, test.txt added, password included "QWERTY")
      and I had no issues using cRARk on it with a dictionary attack in windows;
      crark -d3 -pwordlist.def M:\test.rar
      (with wordlist.def pointing to my dictionary file)

      Perhaps you are using an unsupported program to create the rar or using incorrect syntax ?

      2.
      Sorry I am afraid I cannot help you much with foreign characters as I dont ever use them !
      But as long as you enter the characters correctly and specify them ABOVE the ## break,
      and specify "$i *" UNDER the ## break I dont see why it shouldn't.
      So in password.def ;
      $i=[blahblahblah]
      ##
      $i *

      3.
      I dont understand what you are trying to explain.

  33. plz help me
    I can't install crark on backtrack5
    apt-get install crark
    Reading package lists... Done
    Building dependency tree... 50%


    Building dependency tree
    Reading state information... Done
    E: Couldn't find package crark
    root@bt:~#

    Replies
    1. Yeah, it seems that cRARk is not included in the latest Backtrack, so just download manually from crark.net

  34. Is it really working ? I think the process is very difficult.Do you have any application or utility which can crack password with just a click away?

    Replies
    1. You could have a look at Elcomsoft Archive Password Recovery.

      That is a windows based utility which is more point and click.

  35. You helped me out before, I am the guy who needed to crack my passwords made up of little words. My question is how do I use it if the number of smaller words is not known? Lets say for instance that I have a password made up of words up down east west 123 but I dont know which ones and I don't know how many. How would I be able to do this easily? I could just do $w $w and keep adding a $w after every failed try but my word list is long.
    Thanks

    Replies
    1. Hmm.. you do always come with nice questions ;)

      Havent looked at CRARK for a while and after having had another
      quick peek at the manual, I cant see an option that would immediately
      accomplish what you are looking to do.

      Will see if I have some time this week to play around a little, but
      dont expect anything soon.. Looks like it may not be possible the way
      you want it.

  36. Can you tell me where to get cRARk?
    I can't find it anywhere.
    Contact me at Unnamedno1@yahoo.com.vn

  37. well what can I say, just thank you man, this is the best blog :))))

    btw thx again for this great info dude ''and I wish backtrack include this tool with backtrack6''

    I am sure that this tool is very good and I wish that in future they make a tool like this for wifi crack

    it's good cus it's not bruteforce that maybe u find it or not, but this tool is going to find it anyway whatever it was, so thx again to the tool maker and that brain who thought about this great tool and to you who made that tutorial

    sorry for my bad english << I am working on it :)

  38. Hi there!
    Does the dictionary has to have a specific format? I just put a lot of syllables one under the next in different lines in a .txt file, even tried renaming it to .dic to no avail, the program is not getting my user defined dictionary,.
    password def file looks like this;

    $w = "main.dic" # main dictionary
    ##
    #$w$w

  39. Any text file will work fine, extension wont matter as long as it is a text file.

    Looks like you forgot to uncomment the $w$w ;)

    So password file should be like ;

    $w = "wordlist.txt"
    ##
    $w$w


  40. omg! yes, shame on me!

    but now, with that dic attack -l6 -g9 it froze on processing line 3 of pswd def file... Guess 9 chars are too much for this, also noticed windows task manager will show only 50% of cpu usage, guess program is designed that way, any way to up that to 70 or 80% ? Thanks for ur help, ure awesome! =)

  41. Crark can handle 9 characters fine, max is I believe 28 characters.

    If you are using a wordlist, then no need to enter -l / -g though ?

    Not sure if possible to increase the load on CPU, I havent found an option for that anyway.

  42. Is it opensource? And if it is opensource, where can I have the source code?

    Replies
    1. If you are incapable of using Google.. what on earth are you going to do with source...


 