Warning: because of its specialized nature, this software is not intended for benighted PC users; do not expect to find a help file here that bluntly tells you “what key should be pressed in order to crack the password to a hateful company’s server”. This help file is meant to acquaint you with the program's basic functions and how to use them, not to answer the question “how and where can I get the hash values” (except for the pwdump methods).
Refer to the exhaustive information available in our forum. There you will find plenty of helpful hints and working demos of the software.
Also see the document about the new Hybrid Rainbow attack technique.
"The user is forbidden": no password search will be carried out for this hash value (although this increases the enumeration rate only by a negligible margin).
The program saves the passwords automatically, so there is no need to overuse the "Save now" option at all.
It instantly detects the simplest passwords. It has no settings. It checks all recently detected passwords and all single-, double- and triple-character combinations, as well as 4 characters from the set "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 5 characters from the set "0123456789abcdefghijklmnopqrstuvwxyz" and 6-7 characters from the set "0123456789". It is strongly recommended to run a pre-attack immediately after importing hashes, so that you do not miss the simpler passwords.
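
For password auditing, the pre-attack rules above can be turned into a check that flags any password falling inside that search space. This is an added example, not code from the program; the function names are hypothetical, and it assumes the 1-3 character rule covers any characters, since the help text does not name a set for it.

```python
import string

# Character sets exactly as listed in the help text.
ALNUM_MIXED = set(string.digits + string.ascii_uppercase + string.ascii_lowercase)
ALNUM_LOWER = set(string.digits + string.ascii_lowercase)
DIGITS = set(string.digits)

# (lengths, charset, label). charset None means "any character", which is an
# assumption: the help text gives no set for 1-3 character strings.
RULES = [
    ((1, 2, 3), None, "1-3 characters"),
    ((4,), ALNUM_MIXED, "4 chars, digits+upper+lower"),
    ((5,), ALNUM_LOWER, "5 chars, digits+lower"),
    ((6, 7), DIGITS, "6-7 digits"),
]


def preattack_rule(password):
    """Return the label of the pre-attack rule covering the password, or None."""
    for lengths, charset, label in RULES:
        if len(password) in lengths and (charset is None or set(password) <= charset):
            return label
    return None


def keyspace(lengths, charset):
    """Number of candidate strings a rule with a known charset has to try."""
    return sum(len(charset) ** n for n in lengths)


def audit(passwords):
    """Map each password that the pre-attack would cover to the matching rule."""
    hits = {}
    for pw in passwords:
        rule = preattack_rule(pw)
        if rule is not None:
            hits[pw] = rule
    return hits


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw, rule in audit(["7", "Zz09", "hunter2", "1234567", "Tr0ub4dor&3"]).items():
        print("%-10s falls to the pre-attack (%s)" % (pw, rule))
    total = (keyspace((4,), ALNUM_MIXED) + keyspace((5,), ALNUM_LOWER)
             + keyspace((6, 7), DIGITS))
    print("candidates in the 4-7 character rules:", total)
```

The three rules with a named character set add up to fewer than 90 million candidates, which is why the help text can describe this step as instant and why a password policy should reject anything it covers.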
It searches, in sequence, all the strings from the designated Initial one to the designated Terminal one using a selected set of symbols: "aa, ab, ac... ba, bb, ..."
"Ignore a string up to" selects a string length up to which the initial and terminal combinations are ignored when "Reset" is pressed; this value has no effect on anything else.
"Special set of characters" (if checked) assigns a separate set of characters to each position in the string: For-1 for the first character, For-2 for the second, etc. If the string is shorter than N characters, then For-N and all subsequent For-* are not used.
The initial and terminal strings must conform to the set of characters, including the special set of characters (if checked). It is handy to use "Reset" for that, and then manually adjust the length of the initial combination.
It searches, one after another, all strings from the designated text dictionaries in a specified sequence.
You can add either .txt files or files in a special .dict format, which ensures a higher search speed.
The "Remove" button removes the selected dictionary from the list (not the file). "Clear" empties the list.
"Correct" removes all nonexistent dictionaries from the list and corrects the relative paths to “live” files.
"Check uppercase also" additionally checks, for each word in a dictionary, a word with a capitalized letter derived from the initial one: example -> Example
It generates from a specified pattern (“Original password”) all strings that differ from the original one by the selected “errors”, whose number does not exceed the "Maximum number of errors".
The "Base set" is used by the red items from the "Categories..."
HOW IT WORKS: for instance, if the "original password" is test, and we have selected only the missing letters and 2 as the number of errors, then the following strings will be checked: test, est, tst, tes, st, es, te, tt, ts, et
In effect, the mode creates a dictionary in which the original password is written down with various errors, and then runs a dictionary attack accordingly.
IT IS DESIGNED for recovery of one's own password, if an input error occurred while entering the password (e.g. a letter was missed).
It processes each word from a specified text dictionary in this way. You should not select a large number of errors; otherwise it takes a lot of time. In most cases one or two errors will do.
IT IS DESIGNED for finding the passwords of unwitting users, who, as statistics show, are plentiful; this mode proves quite effective at picking up passwords for a number of hash values taken from a single source.
It combines the power of direct enumeration with the efficiency of a dictionary attack. It is one of the most sophisticated and functional methods.
THE TEMPLATE determines the behavior of UDC in this mode. The following can be used in the template:
1) Blanks, which may be used freely and serve only typographic purposes.
2) The character "@", designating a dictionary.
3) Symbols (one character each) describing character sets (see explanations below).
4) The character "?", which signifies that the following character of type 2 or 3 is optional, so the template is checked both with and without it. There may be more than one question mark.
(* /extract from a guest-book/
Character "?" should be followed by a letter denoting a character set.
The interrogative mark itself denotes that the next symbol will be optional, i.e. both combinations with it and without it will be checked.
For instance:
"?@ B ?A" is the same as starting:
1) "B"
2) "B A"
3) "@ B"
4) "@ B A"
separately, successively.
*)
During the search, each template position is filled with a character from the description of character sets or with a word from the dictionary. All these combinations are checked.
Each character set used in a template must be described in the "List of Character Sets". For example, the template "AAA" is not just three letters A; it can contain any three ASCII characters allowed by the description of character set A (in the table "List of Character Sets").
You can apply several filters to a dictionary. For instance, if "convert" is selected, then for each word from the dictionary the same word written in reverse order, symbol by symbol, is checked as well.
If the template is "?A?@?B", with A = "12", B = "AB" and @ (dictionary) = "test", the following combinations will be checked:
"test", "1", "2", "A", "B",
"testA", "testB",
"1A", "1B", "1test", "2test",
"1testA", "2testA", "1testB", "2testB"
Some templates provide
fairly good results, e.g. @?0?0?0?
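
When auditing passwords, the template rules above can be applied in reverse: instead of enumerating candidates, test whether a given password would be reached by a template. This is an added example, not UDC's own code; the function names are hypothetical, and it assumes every symbol other than blank, "?" and "@" names a character set defined in the "List of Character Sets".

```python
import re


def template_to_regex(template, charsets, dictionary):
    """Translate a template into a compiled regex (illustrative, not the tool's code)."""
    parts, optional = [], False
    for ch in template:
        if ch == " ":            # blanks are typographic only
            continue
        if ch == "?":            # marks the next item as optional
            if optional:
                raise ValueError("'?' must be followed by '@' or a set symbol")
            optional = True
            continue
        if ch == "@":            # any word from the dictionary
            body = "|".join(re.escape(word) for word in dictionary)
        elif ch in charsets:     # one character from the named set
            body = "[" + "".join(re.escape(c) for c in charsets[ch]) + "]"
        else:
            raise ValueError("undefined character set: %r" % ch)
        parts.append("(?:%s)%s" % (body, "?" if optional else ""))
        optional = False
    if optional:
        raise ValueError("'?' must be followed by '@' or a set symbol")
    return re.compile("".join(parts))


def covered_by_template(password, template, charsets, dictionary):
    """True if the template would eventually generate this exact password."""
    if not password:
        return False
    pattern = template_to_regex(template, charsets, dictionary)
    return pattern.fullmatch(password) is not None


# Values from the help text's "?A?@?B" example.
CHARSETS = {"A": "12", "B": "AB"}
DICTIONARY = ["test"]
PAGE_LIST = ["test", "1", "2", "A", "B", "testA", "testB", "1A", "1B",
             "1test", "2test", "1testA", "2testA", "1testB", "2testB"]

if __name__ == "__main__":
    for pw in PAGE_LIST + ["test1", "3test"]:   # last two are constructed misses
        hit = covered_by_template(pw, "?A?@?B", CHARSETS, DICTIONARY)
        print("%-8s %s" % (pw, "covered" if hit else "not covered"))
```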
To add a computer to the "search" area without conducting a search, right-click the area, select "Add manually..." and enter the IP of the computer in question (which must have the distributed computing service started). If you wish to add several computers manually, you can do so without waiting for the results of the previous operation. If a computer is inaccessible, you will receive no error messages.
To remove a computer from "selected", just drag it back into "search".
Once the setup is done, press "Restore.>Distribute>Direct enumeration", right-click the window that appears, and select "Start the attack". The attack’s interim results are stored, so it can be continued at any moment after halting. This scheme is fault-tolerant, but it is not designed to handle a large number of hash values (above 500).
Please note also that when you launch the Distributed Attack the speed is very low and the completion time is very long. This is not an error: computers join the attack as their service operations (protocol initialization) are completed, and the initial speed will grow. Hence, you should not rely on the information shown during the first minute of the Distributed Attack.
In addition, it is recommended to refer to the tab *Distribution*, item "Network Log". "Silence" in the log denotes inability to establish a connection.
The enumeration bounds are symbol codes; the range between the first and the second one is used for an attack similar to direct enumeration.
The appended file contents are what needs to be attached to the modified file so that its hash equals the hash of the source file, i.e. to solve the task.
© The [SNS] Technologies, 28 April, 2007