Compendium of basic modes  

Warning: this software is not intended for any benighted PC users due to its specificity; therefore you can hardly expect to find some help file here bluntly instructing “what key should be pressed in order to crack the password to a hateful company’s server”. This help file is meant for getting acquainted  with its basic functions and the way to handle them, but not for answering the question “how and where can I get the hash values” (except pwdump methods).  

Refer to àn exhaustive information available in our forum. You will find there plenty of helpful hints and operational demos of the software.

Also see the document about new Hybrid Rainbow attack technique.


Brief overview of UDC

"The user is forbidden": no password search will be carried out for this hash value (although the enumeration rate at that will increase by a negligible margin).

The program automatically saves the passwords, and so there is no need to abuse the     "Save now" option at all.  


It allows to instantly detect the simplest passwords. It has no setups. It can verify all recently detected passwords and single-, double- and triple-character combinations. As well as 4 characters from the set  "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 5 characters from the set "0123456789abcdefghijklmnopqrstuvwxyz" and 6-7 characters from the set "0123456789". It is strongly recommended to run a pre-attack immediately upon importing hashes, which helps you not miss the simpler passwords.   

It successively searches all the strings from the designated Initial down to the designated Terminal one using a selected set of symbols: "aa, ab, ac... ba, bb, ..."

"Ignore a string up to" allows to select a string length up to which the initial and terminal combinations will be ignored while pressing the "Reset", and this value has no effect upon anything else.  

"Special set of characters" (if flagged) allows to assign a separate set of characters for each item in the string: For-1 for the first character, For-2 for the second, etc. If the string is shorter than N characters, then For-N and all subsequent For-* are not used.

The initial and terminal items should comply with the set of characters including a special set of characters (if flagged). It is handy to use the "Reset" for that, and then manually adjust the length of initial combination.  


It consecutively searches all strings from designated text dictionaries in a specified sequence.  

It is possible to add either .txt files, or in a special .dict format ensuring a higher operational while searching.

The "Remove" button enables to remove a selected dictionary from the list (not the file). The "Clear" enables to nullify the list.

The "Correct" enables to remove all inexistent dictionaries from the list and correct the relative paths to “live” files.  

The "Check uppercase also" checks up a word with a capitalized letter for each word in a dictionary derived from the initial one: example -> Example

It enables to generate from a specified pattern (“Original password”) all strings that differ from the original one as much as selected “errors” which number should not exceed the "Maximum number of errors".

The "Base set" is used by red items from the "Categories..."

HOW IT WORKS: for instance, if the "original password" is test, and we have selected only the missing letters and 2 as a number of errors, then the following strings will be checked: test, est, tst, tes, st, es, te, tt, ts, et

Actually the mode creates a dictionary where the original password is taken down with various errors, and then runs a dictionary attack accordingly.  

IT IS DESIGNED for recovery of ITS own password, if an input error occurs while entering a password (e.g. a letter was missed).

It handles this way each word from a specified text dictionary. You should not select a big number of errors; otherwise it takes lots of time. In most cases one or two errors will do.   

IT IS DESIGNED for searching passwords in unwitting users, and as the statistics shows they are plenty, and this mode proves quite effective to pick up passwords to a number of hash values taken from a single source.  

It combines the power of direct enumeration and efficacy of a dictionary attack. It’s one of the most sophisticated and functional methods.  

THE TAMPLATE determines a behavior of UDC in this mode. The following could be used in the template:
1) Blanks are used unboundedly just for typography purposes.
2) Character "@" designating a dictionary.
3) Symbols (one character) describing character sets (see explanations below).
4) Character "?", which signifies that the following character like 2 or 3 is optional and should be checked as a template with and without it. The questions might be more than one.  

(* /extract from a guest-book/
Character "?" should be followed by a letter denoting a character set.
The interrogative mark itself denotes that the next symbol will be optional,
i.e. both combinations with it and without it will be checked.
For instance:
"?@ B ?A" are the same as to start:
1) "B"
2) "B A"
3) "@ B"
4) "@ B A"
separately, successively.

During search each template position is stuffed with a character from the description of character sets or with a word from the dictionary. All these combinations are checked.  

Each used character set from a template should be described in the "List of Character Sets". For example, a template "AAA" is not just three letters À, but can contain any three characters ASCII subject to the description of character set A (in the table "List of Character Sets").

You can apply several filters to a dictionary. For instance, if the "convert" is selected, for each word from the dictionary this word written-in in reverse order symbol-by-symbol will be checked as well.  

If the template is "?A?@?B"; A = "12", B = "AB", @ (dictionary) = "test", the following combinations will be checked:
"test", "1", "2", "A", "B", "testA", "testB", "1A", "1B", "1test", "2test", "1testA", "2testA", "1testB", "2testB"

Some templates provide fairly good results, e.g. @?0?0?0?0, in which 0 = "0123456789", and @ (file) – names list. It will pick up "max88", "masha2005" and so on.  

In order to add the computer into the "search" area without conducting a search we should click the area with the right button, and select "Add manually..." and enter the IP of the computer in question (having the started distributed computing service). If you wish to add several computers manually, you can do so without waiting for the results of previous operation. If a computer is inaccessible, you will receive no error messages.  

In order to remove the computer from the "selected" just drag it back into the "search".

Upon the setting, press the "Restore.>Distribute>Direct enumeration", make the right click on the window emerged, and select "Start the attack". The attack’s interim results are stored, thus it can be continued any moment upon halting. This scheme is fault-tolerant, but not designed to handle a big number of hash values (above 500).  

Please note also that while launching the Distributed Attack you have a very low speed, and the completion time is very long. It is not an error, it’s just because computers will be joining the attack as far as service operations (protocol initialization) are being completed, and the initial speed will be growing. Hence, you should not rely upon information made available at the first minute of the Distributed Attack performance.  

In addition, it is recommended to refer to the tab *Distribution*, item "Network Log". "Silence" in the log used to denote inability to establish a connection.      

Enumerating bounds are symbol codes; the space between the first and second one will be used for the attack similar to a direct enumeration.  

Appended file contents is what needs to be attached to the modified file in order that its hash to be equal to the hash of source file, i.e. to solve the task.  


© The [SNS] Technologies, 28 April, 2007