This tool comes in handy when you’ve gained access to a low-privilege user account but are allowed to su to other users. Many su implementations require a pseudo terminal to be attached in order to take the password from the user. This can’t be easily achieved with a simple shell script. This tool, written in C, is highly efficient and can attempt multiple logins at the same time.

Please be advised that using this tool will take a lot of the CPU performance and fill up the logs quite quickly. sucrack is so far known to be running on FreeBSD, NetBSD, Linux.


First of all, you’ll want to upload the source to the target system (assuming you don’t have a pre-compiled copy that will work):

$ tar xfz sucrack-1.2.3.tar.gz
$ cd sucrack-1.2.3
$ ./configure
$ make
$ cd src

Obviously, you won’t have the luxury of running “make install” yet as you’re not root.


sucrack 1.2.3 (LINUX) - the su cracker
Copyright (C) 2006  Nico Leidecker;

 Usage: ./sucrack [-char] [-w num] [-b size] [-s sec] [-u user] [-l rules] wordlist

 The word list can either be an existing file or stdin. In that case, use '-' instead of a file name

   h       : print this message
   a       : ansi escape codes not available.
             Use the --enable-statistics configure flag.
   s sec   : statistics display interval not available.
             Use the --enable-statistics configure flag.
   c       : only print statistics if a key other than `q' is pressed. (default)
   r       : enable rewriter
   w num   : number of worker threads running with
   b size  : size of word list buffer
   u user  : user account to su to
   l rules : specify rewriting rules; rules can be:
               A = all characters upper case
               F = first character upper case
               L = last character upper case
               a = all characters lower case
               f = first character lower case
               l = last character lower case
               D = prepend digit
               d = append digit
               e = 1337 characters
               x = all rules

 Environment Variables:
   SUCRACK_SU_PATH      : The path to su (usually /bin/su or /usr/bin/su)

   SUCRACK_AUTH_FAILURE : The message su returns on an authentication
                          failure (like "su: Authentication failure" or "su: Sorry")
   SUCRACK_AUTH_SUCCESS : The message that indicates an authentication
                          success. This message must not be a password
                          listed in the wordlist (default is "SUCRACK_SUCCESS")

   export SUCRACK_AUTH_SUCCESS="sucrack_says_hello"
   ./sucrack -a -w 20 -s 10 -u root -rl AFLafld dict.txt


Running a Dictionary Attack on an Account

On my dual-core test system, this 100-thread attack ran at around 50 guesses per second.

$ ./sucrack -w 100 -u root dict.txt
password is: test123

Bear in mind that if the target system has little memory or little CPU power, running 100 threads may DoS the system, so be careful.

Permuting the Dictionary

Check out the Usage page for list of options to alter the case, append digits, etc. to the dictionary. In the example below, we try each word in lower case and append a digit:

$ ./sucrack -w 100 -r -l ad -u smbguest dict.txt
password is: test123

Reading Passwords from STDIN

Besides of getting passwords from a dictionary or in the incremental mode, you can use the password generator of your choice and feed sucrack with passwords. John the Ripper’s great password generator can be used this way for instance:

$ john --stdout --incremental | sucrack -
Sucrack-1.2.3 Tar
April 26, 2013
109.5 KiB
MD5 hash: 6ebfe5e94577a53ce8dcabadd3581ec3

Request to be added to the Portcullis Labs newsletter

We will email you whenever a new tool, or post is added to the site.

Your Name (required)

Your Email (required)